Using OpenID Connect to authenticate users
Hello all, I want to use OpenID Connect to authenticate my users before gaining access to one of my application. I want to use my bigip as OpenID Provider (ie: the entity that authenticate the users) . My issue is the following: The OpendID provider (my bigip) never provides me with a ID Token. All I have is an “Access Token” and a “Refresh Token” but no “ID Token”. Below is a description of my lab: resource owner: ip address 10.10.255.1 bigip OpenID Provider: virtual server ip 10.10.255.221 (see below for the access policy) *The agents are left with their default values. Client: I user openid debugger (https://oidcdebugger.com/) in order to request the authorization code. Then I request the Tokens using an html code. I do the following for testing : I request the authorization code from the authorization server (ie my virtual server) . For this I use openID Connect debugger to construct the request for me. Here is the request that I send : ? client_id=e1111098ccff5f81859f9fc83eaa000c29267803efc0bb5b & redirect_uri=https://oidcdebugger.com/debug & scope=openid myscope & response_type=code & response_mode=form_post & state=toto & nonce=7r8saarltr After sending this request I enter my credentials (in the logon agent), I click on authorize then the virtual server correctly redirects me to: https://oidcdebugger.com/debug code=cae85f6fd33c6b27f56f536b6fd9af2ca0fc78e69ac3d13799533c143b38b4ac&state=toto” I now have a correct authorization code that I can exchange for an “access token” AND a “ID Token” . I then send a POST to get the access and ID Tokens using the following HTML code : *note the presence of the “openid” in the scope parameter. However, this is what I get from the authorization server (see in the comment) : -> I have No “ID TOKEN” ☹ Could you please help me configure my access policy so that it supports OpenID Connect and sends me an “ID Token” ??
APM JWT Multiple Providers NOT WORKING
Dear F5 community, Using F5 APM 16.1.3 (as an oauth resource server) I am trying to implement a per-request policy that will verify the signature of JWT tokens sent by the client. These JWT tokens can be issued from two differents issuer (Azure AD or STS). I am able to verify JWT tokens for each provider seperatly using a dedicated "JWT provider" with only one Provider attached. When using 2 providers as follow I got following error message: WWW-Authenticate:Bearer error="invalid_token",error_description="Issuer Mismatch : Claim issuer= https://sts.windows.net/ Provider issuer=https://login.microsoftonline.com/v2.0" Based on F5 doc below, the built-in object supports having multiple JWT providers https://clouddocs.f5.com/cli/tmsh-reference/v15/modules/apm/apm_oauth_jwt-provider-list.html Configuration is pretty simple: - 1 Access Policy with "Allow" all ending - 1 Per-Request Policy with "OAuth Scope" set to "Internal" with the "jwt-allowed-providers-list" I guess It is most likely a bug. Anyone was able to make it work with multiple JWT providers ? I can workaround this by parsing the JWT payload, then determining the issuer and based on the issuer make two branches in the VPE: - first branch with the "oauth scope A" that will validate the token using JWT-Provider-A - second branch with the "oauth scope B" that will validate the token using JWT-Provider-B Thanks
OAuth SSO like SAML Inline SSO possible?
Hi Folks, I have the following challenge and I am unsure, how it can be solved. F5 APM as OAuth Authorization Server Web Application as OAuth Client + Ressource Server Szenario 1: Internal Access This works like a charme. The user go's to the Web Application, clicks on the OIDC Login Link, is redirected to the Authorization Server, etc. The classic grant flow. Szenario 2: External Access through APM Portal The customer demand is, to publish this web application through a F5 APM Webtop with single sign on. The Web Application does not support getting the JWT from the authorization header, therefore all Bearer SSO methodes are not working. The application must go through the OAuth Grant Flow transparently for the user. This looks like the SAML Inline SSO method, but that is not possible with OAuth or do I miss anything? I have two ideas, how this can be solved. It would be great, If someone knows an even simpler method. Publish the OAuth Server in the internet. Publish the Web Application through a new Virtual Server with an Access Profile attached. Add Portal Link to the Web Application. Span the access session accross both Access Profiles. Opening the Web Application from the Web Top -> works seamless with the same Access Session Clicking on the OIDC Login Link at the Web Application Redirect to the OAuth Server New Access Session begins and the user must login again -> BAD The new access session for the Authorization server is required, because: The Access Policy must be validated to trigger the OAuth Authorization VPE Agent. The Access Policy is closed automatically after OAuth Authorization. First idea: At initial login on the Webtop: Generate a secure domain cookie Set it in the browser Write a mapping table (ltm table) cookie->username At the OAuth Server: Get the cookie Lookup the username in the mapping table If found, set the OAuth username, else prompt for authentication OAuth Authorization works without user login again Second idea: At initial auth-redirect Request from the Web Application: Intercept the auth-redirect request Use a sideband connection to request the authorization code from the authorization server (skip authentication, authorization server is only available on the f5 itself) Use another sideband connection to send the authorization code via the redirect-request back to the Web Application Use the redirect-request response as the response for 1. and deliver it to the browser This are the only two ideas I have, too solve this challenge. However, is it really as complex as I think or is there a really simple method I have overseen?
iRule to Check for Bearer Token in Auth Headers
I have a requirement where I need to be able to check and see if an oauth bearer token exists in the authentication headers before I pass it to the backside server(s). Right now we are running 11 code and even if we upgrade to 13, we have an oauth environment already and do not want to use F5 to handle the authentication piece. We only need to be able to verify that the client has a token and that the client cert is valid. Essentially, I would like to do the following: Check HTTP Authorization headers for Bearer and make sure that Bearer has a value If Bearer has a value then check that the client certificate fingerprint matches a class list of allowed fingerprints. If this passes then allow the traffic to a gateway behind the F5's that will verify the OAUTH token against the authentication source. If either of these fails, reject the traffic and send a generic error back to client. Any help to be able to accomplish this via an iRule would be greatly appreciated.
Basic Auth to OAuth 2.0 Client proxy and vice versa
I am a bit of a dabbler in Big-IP configuration and iRules and not an expert, so please forgive any ignorance on my part. I am wondering whether it is possible to use the F5 Big-IP APM to act as an authentication proxy that (1) receives requests with a Basic Auth header that is validated against either a list of static usernames and password or an Active Directory/LDAP server. After authenticating the request, the Big-IP should (2) request a token from an external OAuth 2.0 authorization server using the client_credentials grant type (or get an existing token from cache). This external authorization server does not support OIDC. After receiving the token it should (3) be added to the downstream request as an "Authorization: Bearer" header. We would also like to have the reverse of the above, where a request is (4) received on the F5 with an OAuth 2.0 Bearer token which is then authenticated and (5) replaced by a Basic Auth header on the downstream request that leaves the F5. From prior experience with a Big-IP appliance and custom iRules, I'm fairly certain that (1) and (5) are possible. Regarding (2), when configured as an OAuth client, Access Policy Manager®(APM®) supports authorization code and resource owner password credentials grant types. https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-sso-13-0-0/37.html However, it would seem that there is a workaround available to use a client_credentials grant type. But I'm not sure if the external authorization server not supporting OIDC, is going to be a problem. https://devcentral.f5.com/s/articles/allow-support-of-grant-type-client-credentials-1161 Most of the use cases I have read up on seem to cover the Big-IP performing the OAuth 2.0 authentication on the incoming request/acting as a resource server instead of adding the token to the outgoing request as is required in (3). There are some articles which almost seem to cover the topics I need, but not exactly: https://devcentral.f5.com/s/feed/0D51T00006i7jtFSAQ https://clouddocs.f5.com/training/community/iam/html/class2/module2/module2.html This iRule function also seems to provide a mechanism for caching OAuth 2.0 tokens, but where exactly the originate from is not completely clear to me: https://clouddocs.f5.com/api/irules/ACCESS__oauth.html In (3) it is certainly possible to add the "Authorization: Bearer" header in an iRule once it has been obtained, but I'm kind of stuck on how to obtain it in an iRule or link to the APM configuration elements. Firstly, can someone please let me know if what I am asking is it all possible and secondly if you could provide some details on the murky/missing parts of my solution.oauth server generated jwt token problem
Hi all, We have a customer try to do oauth with a dovecot server, they have the following problems using the f5 as a oauth server: The "typ" jwt header is missing, this should be set to "JWT". F5 set the JWT token nbf (not valid before) to some minutes in the past, this breaks dovecot auth. Customer want to use the following oauth features, are these supported? https://openid.net/specs/openid-connect-frontchannel-1_0.html https://openid.net/specs/openid-connect-backchannel-1_0.html Do you know how the above could be customized in f5 to set to values the dovecot would accept? Thank you for any hint. PeterERR_CONN_RESET - VS - OAuth Client
Hello everyone, I'm a newbie with F5, for a client I have to configure an OpenID Connect authentication, so I followed the F5 documentation and everything if working fine, except one thing. The process : The user go to the Virtual Server apptest.example.com (On the first F5) (Access profile just with OAuth Client), he is directly redirect to the virtual Server (On the second F5) appauth.example.com (Access Profile with OAuth Authorization), the user authenticate itself, if the authentication succeed he passed trough OAuth Authorization and he is redirected to the apptest.example.com, after that he is finally redirect to my website with the id_token. The problem is : If the user go back to apptest.example.com, the Virtual Server stuck and after maybe 1 minute the user got the error : ERR_CONN_RESET (Chrome). But if I delete the active session of the user (With the first F5), it works, and the user can access apptest.example.com and do the all process. What I was expecting is : When the user go back to apptest.example.com after successful process (authentication), he is directly redirected to my website with the id_token. Thank you in advance.
