Forum Discussion

Daniel_W__13795's avatar
Daniel_W__13795
Icon for Nimbostratus rankNimbostratus
Jan 04, 2019

APM: OAUTH2 JWT Token with groups claim

Hello and happy new year 😉

We use APM as OAuth Authorization Server to create JWT token for apps. One of our customers wants to use the MicroProfile JWT(MP-JWT) for his application, that needs some specific claims: https://github.com/eclipse/microprofile-jwt-auth/blob/master/spec/src/main/asciidoc/interoperability.asciidoc

One requirement is to encode the groups claim in JSON array:

 "groups": ["red-group", "green-group", "admin-group", "admin"]

We now try to set the claim with groups from the Active Directory. With an iRule, I filtered the AD groups (from memberOf) and set a new APM variable (session.custom.groups) with this value:

["red-group", "green-group", "admin-group", "admin"]

When I now add a claim groups with %{session.custom.groups} as value, I see that string in my JWT token:

"groups": "[\"red-group\", \"green-group\", \"admin-group\", \"admin\"]"

So the value is escaped and has is in quotation marks.

Is there any chance to send claims as JSON array?

Any help would be appreciated.

25 Replies

  • Bump! Same question on my side, this is actually a mandatory feature.

     

    Any possibility to do json arrays / lists in a claim?

     

    Thanks!

     

    • Daniel_W_'s avatar
      Daniel_W_
      Icon for Cirrus rankCirrus

      Okay, I now opened a support ticket and let you know about the result.

       

      • Peter_Jacob_Sl1's avatar
        Peter_Jacob_Sl1
        Icon for Nimbostratus rankNimbostratus

        Hej Daniel,

        I have a simular problem,

        Did you get information as a result of your ticket that you can share?

         

        Regards,

        Peter

    • Eric_Chen_12394's avatar
      Eric_Chen_12394
      Historic F5 Account

      I believe this is possible (at least on <= 14.1) if you use an iRule event. Something like:

       

      ...
      set mygroups [ ACCESS::session data get "session.mygroups" ]
      append payload {,"mygroups":} "\[$mygroups\]"
      ...
      

      This is adapted from the example at: https://clouddocs.f5.com/api/irules/ACCESS__oauth.html

       

      In my AP I have a variable assign with an expression of:

       

      return {"group1","group2"}
      
    • Rene_C__129338's avatar
      Rene_C__129338
      Icon for Nimbostratus rankNimbostratus

      Hi,

       

      yes, this is the easy part; but as we are not using the irule commands but the APM features directly to generate a JWT, i probably cant modify the resulting JWT inside an irule event?

       

      Cheers, Rene

       

  • Bump! Same question on my side, this is actually a mandatory feature.

     

    Any possibility to do json arrays / lists in a claim?

     

    Thanks!

     

    • Daniel_W_'s avatar
      Daniel_W_
      Icon for Cirrus rankCirrus

      Okay, I now opened a support ticket and let you know about the result.

       

    • Eric_Chen_12394's avatar
      Eric_Chen_12394
      Historic F5 Account

      I believe this is possible (at least on <= 14.1) if you use an iRule event. Something like:

      ...
      set mygroups [ ACCESS::session data get "session.mygroups" ]
      append payload {,"mygroups":} "\[$mygroups\]"
      ...
      

      This is adapted from the example at: https://devcentral.f5.com/wiki/iRules.ACCESS__oauth.ashx

      In my AP I have a variable assign with an expression of:

      return {"group1","group2"}
      
    • Rene_C_'s avatar
      Rene_C_
      Icon for Nimbostratus rankNimbostratus

      Hi,

       

      yes, this is the easy part; but as we are not using the irule commands but the APM features directly to generate a JWT, i probably cant modify the resulting JWT inside an irule event?

       

      Cheers, Rene

       

  • Marvin's avatar
    Marvin
    Icon for Cirrocumulus rankCirrocumulus

    Hi Daniel, I am looking for something similar as well that F5 should provide JWT wherin we have the claims (attributes) values. I ma new to this but I used the guided config and setup F5 as the authorization server, with Postman I can succesfully retrieve the access token and refresh token. I configured the claims in the application on the F5.

     

    How do I actually retreive those values from F5, do I have to provide the access token to F5 as authorization header to be able to retreive this information or should it already be included shile receiving the access token? How to verify this with Postman (I am lacking oauth test APP). Could you eleborate on this and what about this RFE is this fixed now? Thanks a lot

    • Daniel_W_'s avatar
      Daniel_W_
      Icon for Cirrus rankCirrus

      Hi Marvin,

       

      you can retrieve the claims in the JWT access token.

      You need to add token_content_type=jwt to the request and enable JWT in OAUTH profile and Client ID

      Example:

      https://sso.test.com/f5-oauth2/v1/authorize?redirect_uri=https://localhost&response_type=code&client_id=xyz&token_content_type=jwt

      • Marvin's avatar
        Marvin
        Icon for Cirrocumulus rankCirrocumulus

        Hi Daniel, ok thanks that makes sense so you just use GET method not POST? I just tested and F5 replies to the redirect URL with the Access token appended but I dont see any claims info. Inside the oauth profile and client application JWT checkbox is enabled, any thoughts left?

  • Create Claime `groups` with value, set type `custom`: 

     

    [%{session.user.custom.memberOf}]

     

    Create iRule and assingn it to the VS with your Access Policy:

     

    # memberOf String Example: "| CN=RedGroup_Name,OU=_Groups,DC=example,DC=com | CN=GreenGroup_Name,OU=_Groups,DC=example,DC=com | ..."
    when  ACCESS_POLICY_AGENT_EVENT {
        if {[ACCESS::policy agent_id] eq "memberOfCustomization"} {
            
            set result {}
            set pattern "Any Group's Filter Pattern"
            # Get All User's Groups from the Session Var (String)
            set memberOf [ACCESS::session data get "session.ldap.last.attr.memberOf"]
            # Get List of "canonicalName" Strings
            set groups [regexp -all -inline "CN=.*?(?=,)" $memberOf]
            foreach elem $groups {
                # Get Groups by Pattern
                if {[string first $pattern $elem] != -1} {
                    # Replace 'CN=' to Nothing and Append Group to the 'result' List
                    append result \"[regsub "CN=" $elem ""]\",
                }
            }
            ACCESS::session data set session.user.custom.memberOf $result
        }
    }

     

    Inside your Access Policy add `iRule Event` block with `memberOfCustomization` EventID before your `OAuth Authorization` block.
    APM ver 16.1.0
    Hope it will be helpful 🙂