Group based authorization + OAuth 2.0 client setup with APM
Hi all,
I am trying to configure an APM access policy to authenticate users using an oauth flow, integrated with Azure AD, with APM acting as client/RS as described in K42333110. So far so good, only users within my tenant can access the VS, but I am hitting a wall when trying to limit access to users within a specific AD group.
The AD App the APM is using to authenticate users is configured to include the groups the user requesting the token belongs to in the group claims field of the JWT, but I can't see any field for "groups" or similar under the session variables, so I have nothing to base the authorization on. Now my questions would be:
- Is there a way to see the value of the access token requested by the APM as client application? When I do a session dump, the value of the token is obfuscated, just as in the session variables table.
- Once I get (hopefully) a session variable with the value of the groups, can I use an OAuth scope step, or do I need to use an iRule and evaluate it to make an access/deny decision in the per-session policy?
TIA
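To see what the token actually carries before trying to act on it in APM, it helps to decode the JWT payload offline. The following is an added example, not code from the original post, from F5, or from K42333110: it builds a constructed sample token (the signature segment is a dummy and nothing is verified, so this is for inspection only, not for trust decisions), decodes the payload, and then applies the group check the poster wants to end up with. The allow-list holds group object IDs because Azure AD emits object IDs in the `groups` claim by default, not display names, and the check treats the Azure AD "group overage" case (too many groups for the token, so `groups` is replaced by `_claim_names`/`_claim_sources`) as its own outcome. The allowed group ID used in `__main__` is made up.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    """Base64url-encode without padding, as JWT segments are encoded."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_sample_token(claims: dict) -> str:
    """Build a CONSTRUCTED, UNSIGNED sample JWT for local testing.

    This is not a real Azure AD token; the third segment is a placeholder
    so the decoder below has three dot-separated parts to work with."""
    header = {"typ": "JWT", "alg": "RS256", "kid": "constructed-kid"}
    return ".".join([
        _b64url(json.dumps(header, separators=(",", ":")).encode()),
        _b64url(json.dumps(claims, separators=(",", ":")).encode()),
        "constructed-signature",
    ])


def decode_jwt_payload(token: str) -> dict:
    """Base64url-decode the payload segment of a JWT WITHOUT verifying it.

    Debug-only: this shows which claims the token actually contains (for
    example whether 'groups' is present at all). Never make an access
    decision on an unverified payload."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated segments)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore the stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def group_decision(claims: dict, allowed_group_ids: set) -> str:
    """Return 'allow', 'deny' or 'overage' based on the 'groups' claim.

    Azure AD emits group object IDs (GUIDs) by default, so allowed_group_ids
    must hold object IDs. When the user belongs to more groups than fit in
    the token, Azure AD omits 'groups' and emits '_claim_names' /
    '_claim_sources' pointing at Microsoft Graph instead; that case is
    reported as 'overage' so the caller can fall back to a Graph lookup
    rather than silently allowing or denying."""
    if "groups" not in claims:
        claim_names = claims.get("_claim_names", {})
        if isinstance(claim_names, dict) and "groups" in claim_names:
            return "overage"
        return "deny"
    groups = claims["groups"]
    if not isinstance(groups, list):
        return "deny"
    return "allow" if allowed_group_ids.intersection(groups) else "deny"


if __name__ == "__main__":
    # Constructed allow-list: a made-up group object ID, not a real tenant's.
    allowed = {"11111111-2222-3333-4444-555555555555"}

    token = build_sample_token({
        "aud": "api://constructed-app-id",
        "upn": "user@example.com",
        "groups": ["11111111-2222-3333-4444-555555555555",
                   "99999999-8888-7777-6666-555555555555"],
    })
    claims = decode_jwt_payload(token)
    print("claims seen in token:", json.dumps(claims, indent=2))
    print("decision:", group_decision(claims, allowed))

    overage_token = build_sample_token({
        "upn": "user@example.com",
        "_claim_names": {"groups": "src1"},
        "_claim_sources": {"src1": {"endpoint": "https://graph.microsoft.com/v1.0/me/getMemberObjects"}},
    })
    print("decision:", group_decision(decode_jwt_payload(overage_token), allowed))
```

If the decoded payload shows no `groups` claim at all, the problem is on the Azure AD app registration side (the groups claim is not being emitted for this token type) rather than in APM, whereas a payload that does contain `groups` narrows the question to how APM exposes that claim as a session variable.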
> Is there a way I can access the raw value of the access token for debugging purposes?
I have always done this with the described message box.