julienb
Mar 24, 2021

ERR_CONN_RESET - VS - OAuth Client

Hello everyone,

 

I'm a newbie with F5. For a client I have to configure an OpenID Connect authentication, so I followed the F5 documentation and everything is working fine, except one thing.

 

The process:

The user goes to the Virtual Server apptest.example.com (on the first F5) (Access Profile with just OAuth Client); he is directly redirected to the Virtual Server appauth.example.com (on the second F5) (Access Profile with OAuth Authorization); the user authenticates himself; if the authentication succeeds, he passes through OAuth Authorization and is redirected to apptest.example.com; after that he is finally redirected to my website with the id_token.

 

The problem is: if the user goes back to apptest.example.com, the Virtual Server gets stuck and after maybe 1 minute the user gets the error ERR_CONN_RESET (Chrome). But if I delete the active session of the user (on the first F5), it works, and the user can access apptest.example.com and do the whole process.

 

What I was expecting is: when the user goes back to apptest.example.com after a successful process (authentication), he is directly redirected to my website with the id_token.

 

Thank you in advance.

  • Hello, thank you for your reply.

     

    Yes, at the end of the apptest.example.com policy, it is a Redirect ending to another website (website.example.com).

      • julienb

        Hello,

        No, there are just 2 F5s; one is used as a client/resource server and the other as authorization server; at the end of the Access Profile (Per-Session Policy), when the client has passed through the "OAuth Client", the client is redirected to the website: website.example.com/ide_token=****** ;

         

         

        Thank you.

  • Hi,

     

    Can you share with us which F5 documentation/guide you followed? Just a link to it.

     

    And can you share how your Resource Server (apptest.example.com, on the first F5) is configured? Does it have an Access Profile (Per-Session Policy) and additionally a Per-Request Policy? How is it set up?

    The behaviour of "delete the active session and after reload it works" makes me wonder whether part of the config on the Resource Server is missing.

     

    KR

    Daniel

    • julienb

      Hello and thank you,

       

      You can find my reply below.

       

      Best regards.

  • Hello,

    This is the doc I followed: https://support.f5.com/csp/article/K14391041 ; but I changed some settings, for example my client wants to use OpenID Connect with it. On apptest.example.com there is just one Access Profile (Per-Session Policy), like this:

    When the user connects for the first time and passes through it, it works, but when he has an active session he can't connect to apptest.example.com; I get the error "Secure Connection Failed ... An error occurred during a connection to apptest.example.com. PR_CONNECT_RESET_ERROR".

    The only "workaround" I have found for the moment is to delete the active session at the end of the Access Profile (when I redirect the user to the website). But it means that I can't see his session on the F5.

    PS: I see nothing in the Access Profile logs, so it means (I think) that it is related to the Virtual Server and not the Access Profile.

     

    Best regards.

    • Hello,

      Your answer is quite comprehensive, I will go through it...

      Meanwhile, did you do a traffic capture on the F5 or on the client? On the F5 you can decrypt the SSL and you can also log the reset cause. It's definitely worth investigating the reason for the connection reset.

       

      KR

      Daniel

      • julienb

        Hello and thank you.

         

        I will investigate.

         

        Best regards.

  • Here is the doc I made; the first one is the Internal WAF, this F5 will act as the Authorization Server:

  • And here is the doc about the second F5, acting as the Client.

  • Hi,

     

    Did you get any further with this? I managed to get it going following strictly https://support.f5.com/csp/article/K14391041.

    I will adjust my setup throughout the weekend to add the configuration required for JWT and will test further.

    Any results from taking a tcpdump, or maybe you can change the log profile to debug level for OAuth?

     

    KR

    Daniel

    • Daniel_Wolf

      Just to clarify that I am not missing something important: you want to achieve the following:

       

      Client goes to https://app.example.com (Resource Server).

      Is redirected to https://auth.example.com (Authentication Server), client authenticates with <whatever>, receives token.

      Is redirected back to https://app.example.com and authenticates there once with the token received from the Authentication Server.

      The client then receives the APM cookies and no further token is required.

       

      Is that correct? Because I got this working with your settings from above.

      Only thing I have different is the cookie settings and some minor stuff like username instead of mail.

       

      Anything obvious that might be off in your config? Like mixing http and https or IP and FQDN, or something off with your DNS config in apm-dns-resolver?

       

      • julienb

        Hello,

         

        Sorry for the late reply, I was busy with other projects.

         

        The process (for the moment) is:

        • The user goes to apptest.example.com (RS)
        • He is redirected to appauth.example.com (AS)
          • The client authenticates
        • Then he is redirected to webapp.example.com (the website) with a token
        • And yes, he gets an APM cookie

         

        The client is redirected to the IP of the website (webapp.example.com = 10.0.0.4) instead of an FQDN, but everything uses HTTPS.

         

        Thank you for your time.

         

        Best regards.
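Daniel's summary of the intended flow (RS to AS, token, back to RS, then only a session cookie) and julienb's step list above describe the same redirect chain. The Python below, added here as an illustration and not code from F5, the thread's authors, or APM itself, simulates that chain with a resource server, an authorization server and the final website, and shows the behaviour julienb expects: a first visit goes through the authorization server once, while a returning user with a live session cookie is sent straight to the website with the same id_token and never touches the authorization server again. The host names mirror the thread; the cookie name, the session TTL, the HMAC-signed token stand-in and the state/nonce handling are assumptions of this example, not APM's real cookie, token format or policy engine.

```python
"""Constructed OpenID Connect redirect-flow simulation (not F5/APM code)."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

RS = "https://apptest.example.com"          # resource server (first F5 in the thread)
AS = "https://appauth.example.com"          # authorization server (second F5)
WEBSITE = "https://webapp.example.com"      # where the id_token finally goes
SESSION_COOKIE = "rs_session"               # hypothetical name, not APM's real cookie
SESSION_TTL = 600                           # seconds a returning user is trusted (assumption)


def verify_id_token(token, key):
    """Check the HMAC signature of the toy token and return its claims."""
    body, sig = token.rsplit(".", 1)
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad id_token signature")
    return json.loads(base64.urlsafe_b64decode(body))


class AuthorizationServer:
    """Minimal AS: hands out a one-time code, then a signed id_token for it."""

    def __init__(self, key=b"constructed-demo-key"):
        self.key = key
        self.codes = {}                     # code -> (subject, nonce)

    def authorize(self, params, subject):
        """The user has authenticated as `subject`; redirect back with code+state."""
        code = secrets.token_urlsafe(16)
        self.codes[code] = (subject, params["nonce"])
        return f'{params["redirect_uri"]}?{urlencode({"code": code, "state": params["state"]})}'

    def token(self, code):
        """Exchange a code exactly once (a replayed code raises KeyError)."""
        subject, nonce = self.codes.pop(code)
        claims = {"sub": subject, "nonce": nonce, "iat": int(time.time())}
        body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
        return f"{body}.{hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()}"


class ResourceServer:
    """RS: starts the code flow for unknown users, finishes it on callback, and
    passes returning users with a live session straight to the website."""

    def __init__(self, auth_server):
        self.auth_server = auth_server
        self.pending = {}                   # state -> nonce (login in progress)
        self.sessions = {}                  # cookie value -> {"id_token", "expires"}

    def handle(self, cookies, query=None, now=None):
        now = time.time() if now is None else now
        sess = self.sessions.get(cookies.get(SESSION_COOKIE))
        if sess and sess["expires"] > now:
            # Returning user: the behaviour the thread expects, no new AS round trip.
            return {"status": 302, "location": f"{WEBSITE}/?id_token={sess['id_token']}"}
        if query and "code" in query:
            return self._callback(query, now)
        state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.pending[state] = nonce
        q = urlencode({"response_type": "code", "client_id": "apptest", "scope": "openid",
                       "redirect_uri": f"{RS}/callback", "state": state, "nonce": nonce})
        return {"status": 302, "location": f"{AS}/authorize?{q}"}

    def _callback(self, query, now):
        nonce = self.pending.pop(query.get("state"), None)   # unknown or replayed state
        if nonce is None:
            return {"status": 400, "error": "invalid_state"}
        id_token = self.auth_server.token(query["code"])
        if verify_id_token(id_token, self.auth_server.key)["nonce"] != nonce:
            return {"status": 400, "error": "nonce_mismatch"}
        cookie = secrets.token_urlsafe(24)
        self.sessions[cookie] = {"id_token": id_token, "expires": now + SESSION_TTL}
        return {"status": 302, "location": f"{WEBSITE}/?id_token={id_token}",
                "set_cookie": {SESSION_COOKIE: cookie}}


def walk_flow(subject="julien"):
    """Drive a first visit RS -> AS -> RS -> website, then a second visit with
    the session cookie. Returns both redirect chains plus the live objects."""
    auth, cookies, first = AuthorizationServer(), {}, []
    rs = ResourceServer(auth)
    r = rs.handle(cookies)                                          # 1. anonymous hit on RS
    first.append(r["location"])
    params = {k: v[0] for k, v in parse_qs(urlparse(r["location"]).query).items()}
    back = auth.authorize(params, subject)                          # 2. user logs in at AS
    first.append(back)
    cb = {k: v[0] for k, v in parse_qs(urlparse(back).query).items()}
    r = rs.handle(cookies, query=cb)                                # 3. RS callback
    cookies.update(r.get("set_cookie", {}))
    first.append(r["location"])
    second = [rs.handle(cookies)["location"]]                       # 4. returning user
    return {"first": first, "second": second, "rs": rs, "cookies": cookies}


if __name__ == "__main__":
    out = walk_flow()
    print("\n".join(out["first"]), "\nreturning:", out["second"][0], sep="")
```

Once the session TTL has passed, `handle()` falls back to a fresh `/authorize` redirect rather than serving a stale token, and a callback carrying a state that was never issued is rejected with 400; both are the two edge cases a second visit to the resource server has to deal with cleanly instead of hanging.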