APM as Oauth Authorization server
I am trying to figure out how to setup APM as an Authorization server for ESRI portal. Any ideas you could provide would be appreciated. Current F5 Setup: Running version 14.1.4.4 I have configured Oauth using guided configure and OAuth Authorization server Oauth profile: Is not using Opaque Token as I read that can cause issues but I am usingsupport for JWT and OpenID connect enabled. Client Application using OpenID Connect and Secret I have tried different scopes but not exactly sure what I need to define and what should be sent as part of default openID. Single Virtual server that has Access profile tied to it Access profile with Login page, AD auth and Oauth_authorization. Profile has Oauth profile tied to it. ESRI setup: I have populated Client ID and secret from client application created on F5 side I am using default scopes (openid email and profile) Other information: When I try to connect I get did not receive user profile parameter from the provider If I connect ESRI to google as the providor I have no issues so it is something I am missing on my APM config. I have tried a bunch of the configuration guides but not sure what I am missing. Want to be able to use openid via oauth version 2.0 that will use on prem Active directory idenity to login to a cloud application. Questions: Is there something obvious that I am missing in order for the service providor to be able to get user profile information from apm? From what I read you need to defind scopes but do you need to defind scopes for openid or profile? If so what do you use for the value on those scopes? Thanks NolanSolved3.2KViews0likes4CommentsUsing OpenID Connect to authenticate users
Hello all, I want to use OpenID Connect to authenticate my users before gaining access to one of my application. I want to use my bigip as OpenID Provider (ie: the entity that authenticate the users) . My issue is the following: The OpendID provider (my bigip) never provides me with a ID Token. All I have is an “Access Token” and a “Refresh Token” but no “ID Token”. Below is a description of my lab: resource owner: ip address 10.10.255.1 bigip OpenID Provider: virtual server ip 10.10.255.221 (see below for the access policy) *The agents are left with their default values. Client: I user openid debugger (https://oidcdebugger.com/) in order to request the authorization code. Then I request the Tokens using an html code. I do the following for testing : I request the authorization code from the authorization server (ie my virtual server) . For this I use openID Connect debugger to construct the request for me. Here is the request that I send : ? client_id=e1111098ccff5f81859f9fc83eaa000c29267803efc0bb5b & redirect_uri=https://oidcdebugger.com/debug & scope=openid myscope & response_type=code & response_mode=form_post & state=toto & nonce=7r8saarltr After sending this request I enter my credentials (in the logon agent), I click on authorize then the virtual server correctly redirects me to: https://oidcdebugger.com/debug code=cae85f6fd33c6b27f56f536b6fd9af2ca0fc78e69ac3d13799533c143b38b4ac&state=toto” I now have a correct authorization code that I can exchange for an “access token” AND a “ID Token” . I then send a POST to get the access and ID Tokens using the following HTML code : *note the presence of the “openid” in the scope parameter. However, this is what I get from the authorization server (see in the comment) : -> I have No “ID TOKEN” ☹ Could you please help me configure my access policy so that it supports OpenID Connect and sends me an “ID Token” ??2.7KViews0likes8CommentsAPM JWT Multiple Providers NOT WORKING
Dear F5 community, Using F5 APM 16.1.3 (as an oauth resource server) I am trying to implement a per-request policy that will verify the signature of JWT tokens sent by the client. These JWT tokens can be issued from two differents issuer (Azure AD or STS). I am able to verify JWT tokens for each provider seperatly using a dedicated "JWT provider" with only one Provider attached. When using 2 providers as follow I got following error message: WWW-Authenticate:Bearer error="invalid_token",error_description="Issuer Mismatch : Claim issuer= https://sts.windows.net/ Provider issuer=https://login.microsoftonline.com/v2.0" Based on F5 doc below, the built-in object supports having multiple JWT providers https://clouddocs.f5.com/cli/tmsh-reference/v15/modules/apm/apm_oauth_jwt-provider-list.html Configuration is pretty simple: - 1 Access Policy with "Allow" all ending - 1 Per-Request Policy with "OAuth Scope" set to "Internal" with the "jwt-allowed-providers-list" I guess It is most likely a bug. Anyone was able to make it work with multiple JWT providers ? I can workaround this by parsing the JWT payload, then determining the issuer and based on the issuer make two branches in the VPE: - first branch with the "oauth scope A" that will validate the token using JWT-Provider-A - second branch with the "oauth scope B" that will validate the token using JWT-Provider-B Thanks2KViews1like5CommentsF5 both as oauth provider and F5 resource server JWT introspect issue (JWK)
Dear all, We have a F5 Access policy that is configured for Oauth server and provides the access tokens and / or JWT. We have another Access policy configured as the F5 oauth resource server that acts as the API gateway (which is a pool behind the F5) Everything works when we perform external validation in the F5 resource server Access policy, which basically performs a scope check towards the F5 oauth server using introspect URL. It connects externally, hence the name external. So with this we only use the access token and are not using JWT. So the problem we have is when we change the validation to internal mode for the scope authorization object inside the Access profile. So with this is should validate the JWT payload (access token and claims included in payload). We request the JWT using parameter token_content_type=jwt and we do succesfully receive the JWT from the F5 oauth server. So from here all good, now we use this JWT encoded access token as the authentication bearer and perform a request to the F5 resource server to connect to the API server hosted behind the F5. No matter what we do with this "internal JWT validation method" we always receive Bearer error="invalid_token",error_description="None of the configured JWK keys match the received JWT token" and HTTP 401 not authorized in the response. We have actually succesfully and automatically retrieved the F5 oauth server keys so the F5 oauth resource server should be able to verify the JWT payload, however it fails. Perhaps someone here has some experience with using JWT and F5 as the Oauth server and F5 resource server to perform retroinspect with internal validation mode set in the Access profile for the Scope authorization check with the same problem related to JWKs validation?Solved1.5KViews0likes4CommentsOAuth SSO like SAML Inline SSO possible?
Hi Folks, I have the following challenge and I am unsure, how it can be solved. F5 APM as OAuth Authorization Server Web Application as OAuth Client + Ressource Server Szenario 1: Internal Access This works like a charme. The user go's to the Web Application, clicks on the OIDC Login Link, is redirected to the Authorization Server, etc. The classic grant flow. Szenario 2: External Access through APM Portal The customer demand is, to publish this web application through a F5 APM Webtop with single sign on. The Web Application does not support getting the JWT from the authorization header, therefore all Bearer SSO methodes are not working. The application must go through the OAuth Grant Flow transparently for the user. This looks like the SAML Inline SSO method, but that is not possible with OAuth or do I miss anything? I have two ideas, how this can be solved. It would be great, If someone knows an even simpler method. Publish the OAuth Server in the internet. Publish the Web Application through a new Virtual Server with an Access Profile attached. Add Portal Link to the Web Application. Span the access session accross both Access Profiles. Opening the Web Application from the Web Top -> works seamless with the same Access Session Clicking on the OIDC Login Link at the Web Application Redirect to the OAuth Server New Access Session begins and the user must login again -> BAD The new access session for the Authorization server is required, because: The Access Policy must be validated to trigger the OAuth Authorization VPE Agent. The Access Policy is closed automatically after OAuth Authorization. First idea: At initial login on the Webtop: Generate a secure domain cookie Set it in the browser Write a mapping table (ltm table) cookie->username At the OAuth Server: Get the cookie Lookup the username in the mapping table If found, set the OAuth username, else prompt for authentication OAuth Authorization works without user login again Second idea: At initial auth-redirect Request from the Web Application: Intercept the auth-redirect request Use a sideband connection to request the authorization code from the authorization server (skip authentication, authorization server is only available on the f5 itself) Use another sideband connection to send the authorization code via the redirect-request back to the Web Application Use the redirect-request response as the response for 1. and deliver it to the browser This are the only two ideas I have, too solve this challenge. However, is it really as complex as I think or is there a really simple method I have overseen?1.3KViews0likes4CommentsBasic Auth to OAuth 2.0 Client proxy and vice versa
I am a bit of a dabbler in Big-IP configuration and iRules and not an expert, so please forgive any ignorance on my part. I am wondering whether it is possible to use the F5 Big-IP APM to act as an authentication proxy that (1) receives requests with a Basic Auth header that is validated against either a list of static usernames and password or an Active Directory/LDAP server. After authenticating the request, the Big-IP should (2) request a token from an external OAuth 2.0 authorization server using the client_credentials grant type (or get an existing token from cache). This external authorization server does not support OIDC. After receiving the token it should (3) be added to the downstream request as an "Authorization: Bearer" header. We would also like to have the reverse of the above, where a request is (4) received on the F5 with an OAuth 2.0 Bearer token which is then authenticated and (5) replaced by a Basic Auth header on the downstream request that leaves the F5. From prior experience with a Big-IP appliance and custom iRules, I'm fairly certain that (1) and (5) are possible. Regarding (2), when configured as an OAuth client, Access Policy Manager®(APM®) supports authorization code and resource owner password credentials grant types. https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-sso-13-0-0/37.html However, it would seem that there is a workaround available to use a client_credentials grant type. But I'm not sure if the external authorization server not supporting OIDC, is going to be a problem. https://devcentral.f5.com/s/articles/allow-support-of-grant-type-client-credentials-1161 Most of the use cases I have read up on seem to cover the Big-IP performing the OAuth 2.0 authentication on the incoming request/acting as a resource server instead of adding the token to the outgoing request as is required in (3). There are some articles which almost seem to cover the topics I need, but not exactly: https://devcentral.f5.com/s/feed/0D51T00006i7jtFSAQ https://clouddocs.f5.com/training/community/iam/html/class2/module2/module2.html This iRule function also seems to provide a mechanism for caching OAuth 2.0 tokens, but where exactly the originate from is not completely clear to me: https://clouddocs.f5.com/api/irules/ACCESS__oauth.html In (3) it is certainly possible to add the "Authorization: Bearer" header in an iRule once it has been obtained, but I'm kind of stuck on how to obtain it in an iRule or link to the APM configuration elements. Firstly, can someone please let me know if what I am asking is it all possible and secondly if you could provide some details on the murky/missing parts of my solution.1.2KViews0likes0CommentsiRule to Check for Bearer Token in Auth Headers
I have a requirement where I need to be able to check and see if an oauth bearer token exists in the authentication headers before I pass it to the backside server(s). Right now we are running 11 code and even if we upgrade to 13, we have an oauth environment already and do not want to use F5 to handle the authentication piece. We only need to be able to verify that the client has a token and that the client cert is valid. Essentially, I would like to do the following: Check HTTP Authorization headers for Bearer and make sure that Bearer has a value If Bearer has a value then check that the client certificate fingerprint matches a class list of allowed fingerprints. If this passes then allow the traffic to a gateway behind the F5's that will verify the OAUTH token against the authentication source. If either of these fails, reject the traffic and send a generic error back to client. Any help to be able to accomplish this via an iRule would be greatly appreciated.1.2KViews0likes2Commentsoauth server generated jwt token problem
Hi all, We have a customer try to do oauth with a dovecot server, they have the following problems using the f5 as a oauth server: The "typ" jwt header is missing, this should be set to "JWT". F5 set the JWT token nbf (not valid before) to some minutes in the past, this breaks dovecot auth. Customer want to use the following oauth features, are these supported? https://openid.net/specs/openid-connect-frontchannel-1_0.html https://openid.net/specs/openid-connect-backchannel-1_0.html Do you know how the above could be customized in f5 to set to values the dovecot would accept? Thank you for any hint. Peter1.2KViews3likes5CommentsERR_CONN_RESET - VS - OAuth Client
Hello everyone, I'm a newbie with F5, for a client I have to configure an OpenID Connect authentication, so I followed the F5 documentation and everything if working fine, except one thing. The process : The user go to the Virtual Server apptest.example.com (On the first F5) (Access profile just with OAuth Client), he is directly redirect to the virtual Server (On the second F5) appauth.example.com (Access Profile with OAuth Authorization), the user authenticate itself, if the authentication succeed he passed trough OAuth Authorization and he is redirected to the apptest.example.com, after that he is finally redirect to my website with the id_token. The problem is : If the user go back to apptest.example.com, the Virtual Server stuck and after maybe 1 minute the user got the error : ERR_CONN_RESET (Chrome). But if I delete the active session of the user (With the first F5), it works, and the user can access apptest.example.com and do the all process. What I was expecting is : When the user go back to apptest.example.com after successful process (authentication), he is directly redirected to my website with the id_token. Thank you in advance.1.1KViews0likes15CommentsBIGIP OAUTH : Transmit "Application id" to backend server after a successful atuthentication
Hello @ all 🙂 I took over the management of a bigip (15.1.1) on which APM is configured, in particular to do OAUTH for partner applications. I'd like to know if it is possible to transmit used application id (from "Access ›› Federation : OAuth Authorization Server : Client Application " ) to backend server. Here is what I had understood about how it works (currently functionnal): External form, when "Authentication button" is clicked, redirect to a form hosted and managed with APM on our F5. An Access policy is used and when user is authenticated, the brower redirect to the external application using one of the defined url for the current Application ("Access ›› Federation : OAuth Authorization Server : Client Application " : Security settings/Redirect URL(s) ). Then, the next requests are authenticated. I'd like to know if it is possible (and how) add an information that could be transmitted to backend server to identify the used application. Little precision : we can't change the current behavior of the external app : it means that the solution should be on the BigIP. Thank you for your helpSolved1.1KViews0likes10Comments