Refresh token introspect
Hi All!
Use APM Oauth2.
Is there any way to find out when the refresh token was generated?
Introspect or something else?
Thank you!
Dmitriy_Sysoev I had some time to play with this.
As the tokens are encrypted, you will need to use a variable assign agent to decrypt them, and then you can display them with sessiondump, in the GUI with a "message box" agent, or in the logs with a "Logging" agent, etc. You can even use the API, as sessiondump is a Linux command:
https://community.f5.com/t5/technical-forum/running-bash-commands-via-rest-api/td-p/272516
https://clouddocs.f5.com/products/orchestration/ansible/devel/modules/bigip_command_module.html
This article will give you the idea, and by adding the refresh token to the logs, even after the session is over you can see the token in /var/log/apm or in a SIEM if you are sending the logs to a syslog server, but be careful with the security concerns!
https://my.f5.com/manage/s/article/K07645403
https://my.f5.com/manage/s/article/K11123
```
[root@bigip3:Active:Standalone] config # sessiondump --allkeys | grep token
e233abe6.session.oauth.client./Common/AS-Opaque-Test.access_token 10 **********
e233abe6.session.oauth.client./Common/AS-Opaque-Test.refresh_token 10 **********
e233abe6.session.oauth.client./Common/AS-Opaque-Test.token_type 6 Bearer
e233abe6.session.oauth.client./Common/access-oauth-client-res_act_oauth_client_ag.access_token 10 **********
e233abe6.session.oauth.client./Common/access-oauth-client-res_act_oauth_client_ag.refresh_token 10 **********
e233abe6.session.oauth.client./Common/access-oauth-client-res_act_oauth_client_ag.token_type 6 Bearer
e233abe6.session.oauth.client.last.access_token 10 **********
e233abe6.session.oauth.client.last.refresh_token 10 **********
e233abe6.session.oauth.client.last.token_type 6 Bearer
[root@bigip3:Active:Standalone] config # sessiondump --allkeys | grep custom
e233abe6.session.client.browscap_info 103 uimode=0&ctype=Mozilla&cversion=5&cjs=1&cactivex=0&cplugin=0&cplatform=Win10&cpu=x64&ccustom_protocol=1
e233abe6.session.client.custom_protocol 1 1
e233abe6.session.custom.refresh 64 68bee27f2978728636b7a680063216b40df3c0fc2ce0773ca1ef677e8c4e2169
[root@bigip3:Active:Standalone] config #
```
Dmitriy_Sysoev - If your post was solved it would be helpful to the community to select *Accept As Solution*.
This helps future readers find answers more quickly and confirms the efforts of those who helped.
Thanks for being part of our community.
Lief
I have only used JWT tokens, but opaque tokens should be saved to the local database.
Have you tried reviewing it from the GUI or CLI?
https://clouddocs.f5.com/cli/tmsh-reference/v15/modules/apm/apm_oauth_db-instance.html
Outside of that, you may generate a report: OAuth Reports >> Tokens.
- Dmitriy_Sysoev (Nimbostratus)
Nikoolay, thank you for the reply, but I mean how can I get the refresh token issued date from the access policy?
As I mentioned, it is better to open the local APM database for OAuth from the GUI or CLI. Outside of that, as I mentioned, I am using JWT, so I can't say without testing, but you can see what session variables are available for OAuth (they should start with session.oauth) and extract the info if it is there:
https://my.f5.com/manage/s/article/K000130351
https://clouddocs.f5.com/api/irules/ACCESS__session.html
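An added example (not from the thread's posters and not F5 code) for the caution in the first answer about copying a decrypted token into a custom session variable: it parses sessiondump-style lines and reports variables holding an unmasked token-like value, which is also what would reach /var/log/apm or a SIEM if that variable were logged. The sample lines are constructed, and the "token-like" heuristics (32 or more hex characters, or a JWT shape) are assumptions.

```python
import re
import sys

# Constructed sample in the line format of the sessiondump output quoted in the thread.
SAMPLE = "\n".join([
    "a1b2c3d4.session.oauth.client.last.access_token 10 **********",
    "a1b2c3d4.session.oauth.client.last.refresh_token 10 **********",
    "a1b2c3d4.session.oauth.client.last.token_type 6 Bearer",
    "a1b2c3d4.session.client.custom_protocol 1 1",
    "a1b2c3d4.session.custom.refresh 64 " + "0123456789abcdef" * 4,
])

# "<session id>.<variable name> <number> <value>", as in the quoted output.
LINE = re.compile(r"^(?P<sid>[0-9a-f]+)\.(?P<key>session\.\S+) (?P<len>\d+) (?P<value>.*)$")
SECRET_LEAVES = {"access_token", "refresh_token"}  # expected to show as asterisks
# Assumed heuristics for "this value looks like a token".
HEX_TOKEN = re.compile(r"[0-9a-fA-F]{32,}")
JWT_SHAPE = re.compile(r"[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]*")

def redact(value):
    """Keep only a short prefix and the length so the report leaks nothing."""
    return f"{value[:4]}...({len(value)} chars)"

def audit(dump_text):
    """Return (session id, variable, reason, redacted value) for exposed tokens."""
    findings = []
    for raw in dump_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # shell prompts, blank lines, anything not a variable line
        key, value = m["key"], m["value"]
        if value and set(value) == {"*"}:
            continue  # masked by the system, nothing exposed
        leaf = key.rsplit(".", 1)[-1]
        if leaf in SECRET_LEAVES:
            reason = "secret variable not masked"
        elif HEX_TOKEN.fullmatch(value) or JWT_SHAPE.fullmatch(value):
            reason = "token-like value in non-secret variable"
        else:
            continue
        findings.append((m["sid"], key, reason, redact(value)))
    return findings

if __name__ == "__main__":
    # Pipe real output in, or run with no input to audit the constructed sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for sid, key, reason, shown in audit(text):
        print(f"{sid} {key}: {reason} [{shown}]")
```

Any variable it reports is readable by anyone who can run sessiondump on the box, so a custom variable created for troubleshooting should be removed from the access policy once the check is done.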