Forum Discussion
NAG
Feb 26, 2020 (Cirrostratus)
Hi
You cannot choose between iRules applied to a Virtual Server, as they are executed based on the events.
As you are using the HTTP_REQUEST event in both rules, I have combined them into one iRule using if/elseif/else logic. The code in the last else block is run only if the first two conditions didn't match:
when HTTP_REQUEST {
    # Tenant ID taken from the OAuth JWT stored in the APM session
    set tid [ACCESS::session data get "session.oauth.jwt.payload.last.tid"]

    if { [HTTP::uri] contains "/logout-apm" and $tid contains "xxxxxxx-xxxxxx-xxxx-xxxxxxxxxxxxxx" } {
        # Tenant 1: log out at the common Azure AD endpoint
        if { [HTTP::uri] contains "post_logout_redirect_uri" } {
            set postLogoutValue [URI::query [HTTP::uri] post_logout_redirect_uri]
            # log local0. "Logout Value: $postLogoutValue - Redirect Uri: https://login.microsoftonline.com/common/oauth2/v2.0/logout?post_logout_redirect_uri=https://[HTTP::host]$postLogoutValue"
            HTTP::redirect "https://login.microsoftonline.com/common/oauth2/v2.0/logout?post_logout_redirect_uri=https://[HTTP::host]$postLogoutValue"
        } else {
            # log local0. "logout uri does not contain the post_logout_redirect_uri parameter"
            HTTP::redirect "https://login.microsoftonline.com/common/oauth2/v2.0/logout"
        }
    } elseif { [HTTP::uri] contains "/logout-apm" and $tid contains "yyyyyyy-yyyyy-yyyy-yyyyyyyyyyyyyyyy" } {
        # Tenant 2: log out at the B2C endpoint
        if { [HTTP::uri] contains "post_logout_redirect_uri" } {
            set postLogoutValue [URI::query [HTTP::uri] post_logout_redirect_uri]
            # log local0. "Logout Value: $postLogoutValue - Redirect Uri: https://login.microsoftonline.com/common/oauth2/v2.0/logout?post_logout_redirect_uri=https://[HTTP::host]$postLogoutValue"
            HTTP::redirect "https://login-test.wecenergygroup.com/yyyyyyy-yyyyy-yyyy-yyyyyyyyyyyyyyyy/oauth2/v2.0/logout?p=b2c_1a_ya_signup_signin&post_logout_redirect_uri=https://[HTTP::host]$postLogoutValue"
        } else {
            # log local0. "logout uri does not contain the post_logout_redirect_uri parameter"
            HTTP::redirect "https://login.microsoftonline.com/common/oauth2/v2.0/logout"
        }
    } else {
        # If the client already sent these headers, consider it a spoofing attempt and remove
        # all of them before inserting the trusted values from the access policy
        HTTP::header remove F5-auth-User-Id
        HTTP::header remove F5-auth-OID
        HTTP::header remove F5-auth-Tenant-Id
        HTTP::header remove F5-auth-User-email
        # Set variables from the access policy and insert headers to send to the backend
        set OID [ACCESS::session data get "session.oauth.jwt.payload.last.oid"]
        set TID [ACCESS::session data get "session.oauth.jwt.payload.last.tid"]
        set user2 [ACCESS::session data get "session.oauth.scope./Common/pps_act_oauth_scope_1_ag.UserInfo.email"]
        set uri [string tolower [HTTP::uri]]
        HTTP::header insert "F5-auth-User-Id" $OID
        HTTP::header insert "F5-auth-OID" $OID
        HTTP::header insert "F5-auth-Tenant-Id" $TID
        HTTP::header insert "F5-auth-User-email" $user2
        # Log the inserted headers (look them up by header name, not by their value)
        log local0. "F5-auth-User-Id: [HTTP::header value F5-auth-User-Id]"
        log local0. "F5-auth-Tenant-Id: [HTTP::header value F5-auth-Tenant-Id]"
        log local0. "F5-auth-User-email: [HTTP::header value F5-auth-User-email]"
        log local0. "LOG INFO: $OID"
        log local0. "LOG INFO2: $TID"
        log local0. "LOG INFO3: $user2"
    }
}
Hope this helps,
Nag