Rabbit23_116296
Dec 09, 2015 - Nimbostratus
Oauth and F5 - one thing is unclear
Regarding this article - https://devcentral.f5.com/wiki/iRules.OAuth2-Google-APM.ashx (Contributed by: Adrian Noblett)
Very cool by the way, I'm just trying to understand the flow of things here as I'm getting stuck: the oauth virtual, I'm sure, was intended to be APM enabled. If I hit this virtual, though, it either creates a new APM session. So what gets logged is this:
Dec 9 11:09:39 lhr4-lb-01 info tmm1[18309]: Rule /Voice/OAuth2-iRule : 10.164.4.9:62066: OAuth uri: /oauth?state=71d3f818&code=4/MHfEKOscrambled3wFgOu5NDZ5e2p1aU
Dec 9 11:09:39 lhr4-lb-01 info tmm1[18309]: Rule /Voice/OAuth2-iRule : 10.164.4.9:62066: OAuth hit. code=4/MHfEKOscrambled3wFgOu5NDZ5e2p1aU
Dec 9 11:09:39 lhr4-lb-01 info tmm1[18309]: Rule /Voice/OAuth2-iRule : 10.164.4.9:62066: state=71d3f818
Dec 9 11:09:39 lhr4-lb-01 info tmm1[18309]: Rule /Voice/OAuth2-iRule : 10.164.4.9:62066: Session state mismatch - Possible cross-site-request-forgery - ACCESS DENIED. The value is:
The [ACCESS::session data get session.user.sessionid] value is of course $null if the oauth virtual is not APM enabled (sure that was not the intention), and it also logs null when my session gets deleted when APM is enabled:
# Read the APM session id once; it is empty when no APM session exists on this virtual
set apmsession [ACCESS::session data get session.user.sessionid]
# The state returned by Google ($OA2state, parsed earlier from the query string) must equal the APM session id
if { $apmsession ne $OA2state } {
    if {$static::oauth_debug} { log local0. "$log_prefix Session state mismatch - Possible cross-site-request-forgery - ACCESS DENIED. The value is:$apmsession" }
    # No state match, could be cross-site-request-forgery - ACCESS DENIED
    ACCESS::session data set session.oauth.result 0
    ACCESS::session data set session.oauth.alert "Session state mismatch - Possible cross-site-request-forgery - ACCESS DENIED"
    HTTP::respond 302 location "/my.policy"
    return
}
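As an added illustration (not part of the original post or of the DevCentral iRule), the callback-side check below shows why the comparison fails when no APM session exists: there is nothing to compare the returned state against, so the callback must be denied outright. The iRule uses the APM session id itself as the state; this example generalises slightly by storing whatever state was issued at authorization time in a constructed in-memory session store (`SESSIONS`, `start_authorization` and `handle_callback` are assumed names for this example).

```python
import hmac
import secrets
from typing import Optional

# Constructed in-memory stand-in for APM's per-session data
# (assumption: keyed by the browser's session id).
SESSIONS: dict[str, dict] = {}


def start_authorization(session_id: str) -> str:
    """Bind a fresh random state to the session before redirecting to the IdP."""
    state = secrets.token_hex(4)  # 8 hex chars, the same shape as "71d3f818" in the log
    SESSIONS.setdefault(session_id, {})["oauth_state"] = state
    return state


def handle_callback(session_id: Optional[str], returned_state: Optional[str]) -> dict:
    """Validate the state on the IdP callback; mirrors session.oauth.result/alert."""
    session = SESSIONS.get(session_id) if session_id else None
    expected = session.get("oauth_state") if session else None
    # The failure mode from the post: no APM session (virtual not APM enabled, or the
    # session was deleted) leaves nothing to compare, so deny explicitly rather than
    # comparing the returned state against an empty value.
    if not expected:
        return {"result": 0, "alert": "No session for OAuth callback - ACCESS DENIED",
                "redirect": "/my.policy"}
    if not returned_state or not hmac.compare_digest(expected, returned_state):
        return {"result": 0,
                "alert": "Session state mismatch - Possible cross-site-request-forgery - ACCESS DENIED",
                "redirect": "/my.policy"}
    # State is single use: drop it so a replayed callback URL is rejected.
    del session["oauth_state"]
    return {"result": 1, "alert": "", "redirect": None}
```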