JSON Web Token (JWT) Parser

Problem this snippet solves:

This feature is now native in v13.1 and it is strongly recommended that you implement the native solution instead. This code is left only as an example for future use cases; it should not be used for JWT handling because it performs no signature validation.

This code parses a JWT (JSON Web Token) received by a Big-IP acting as an OAuth client and creates session variables for the JSON parameters in the header and payload. Example use cases might include Azure AD B2C or Azure AD Enterprise integration.

This iRule does not perform signature validation.

Code from the "Parse and Set Session Variables" section down could easily be harvested for other JSON parsing use cases that do not need the JWT decoding.

How to use this snippet:

Attach this iRule to the virtual server that receives the JWT and is configured for OAuth. Inside the VPE, after the OAuth Client agent, add an iRule agent with the id jwt-parse.

This iRule will set several variables, including:
  • session.oauth.jwt.last.header
  • session.oauth.jwt.last.payload
  • session.oauth.jwt.last.signature

In addition, it will create a session variable for each parameter in the header and payload, using the following syntax:
  • session.oauth.jwt.header.last.*
  • session.oauth.jwt.payload.last.*

You can then call these session variables elsewhere.
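As an added illustration (not the iRule from this snippet, whose code is not reproduced on this page), the following Python mirrors what the description says the iRule does: split the compact JWS on ".", base64url-decode the header and payload, and flatten every claim into a session.oauth.jwt.{header,payload}.last.* name. It also carries the check the iRule omits, an HS256 signature verification with a pinned algorithm, and shows why it matters: a token whose payload was re-encoded with a different sub still parses cleanly and still produces session variables, but fails verification. The key, claims and token are constructed here for the demo, and it is an assumption that the last.header and last.payload variables hold the decoded JSON text rather than the raw base64url segments.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample key and claims (not from the page). A real Azure AD token
# would be RS256-signed and checked against the issuer's published keys instead.
SAMPLE_KEY = b"constructed-demo-key-do-not-reuse"
SAMPLE_CLAIMS = {"iss": "https://issuer.example.invalid/", "sub": "user123", "exp": 1700000000}


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment (RFC 7515) whose trailing '=' padding was stripped."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    """Encode bytes as unpadded base64url, the JWS segment format."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_hs256_token(claims: dict, key: bytes) -> str:
    """Build a compact JWS so the parser has realistic input (demo helper, not part of the iRule)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def parse_jwt(token: str) -> dict:
    """Split header.payload.signature and JSON-decode the first two segments.
    No signature check: like the iRule, this accepts any well-formed token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("compact JWS must have exactly three segments")
    header_b64, payload_b64, signature_b64 = parts
    return {
        "header": json.loads(b64url_decode(header_b64)),
        "payload": json.loads(b64url_decode(payload_b64)),
        "signature": signature_b64,
    }


def session_variables(token: str) -> dict:
    """Flatten the decoded token into the variable names the snippet description lists."""
    parsed = parse_jwt(token)
    variables = {
        "session.oauth.jwt.last.header": json.dumps(parsed["header"], separators=(",", ":")),
        "session.oauth.jwt.last.payload": json.dumps(parsed["payload"], separators=(",", ":")),
        "session.oauth.jwt.last.signature": parsed["signature"],
    }
    for section in ("header", "payload"):
        for name, value in parsed[section].items():
            # Scalars become strings; nested claims (arrays/objects) keep their JSON text.
            text = value if isinstance(value, str) else json.dumps(value, separators=(",", ":"))
            variables[f"session.oauth.jwt.{section}.last.{name}"] = text
    return variables


def verify_hs256(token: str, key: bytes) -> bool:
    """The check the iRule omits: pin the algorithm, recompute the MAC, compare in constant time."""
    header_b64, payload_b64, signature_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        return False
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(signature_b64))


def with_modified_subject(token: str, new_sub: str) -> str:
    """Re-encode the payload with a different 'sub' while keeping the original signature,
    to show that a parser without signature validation cannot tell the two apart."""
    header_b64, payload_b64, signature_b64 = token.split(".")
    claims = json.loads(b64url_decode(payload_b64))
    claims["sub"] = new_sub
    new_payload_b64 = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header_b64}.{new_payload_b64}.{signature_b64}"


if __name__ == "__main__":
    token = make_hs256_token(SAMPLE_CLAIMS, SAMPLE_KEY)
    modified = with_modified_subject(token, "someone-else")
    for name, value in session_variables(modified).items():
        print(f"{name} = {value}")   # parses fine, sub is whatever the payload says
    print("genuine token verifies:", verify_hs256(token, SAMPLE_KEY))
    print("modified token verifies:", verify_hs256(modified, SAMPLE_KEY))
```

The point for anyone reusing the parsing logic: session_variables() is the equivalent of what the iRule sets, and nothing in it depends on the signature segment being valid, so any policy decision built on those variables must sit behind a verify step like verify_hs256() (or, for an RS256 issuer, a public-key check against the issuer's key set), which is what the native v13.1 feature provides.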

Tested on Version:
13.0
Comments on this Snippet
Comment made 03-Aug-2017 by Walter Kacynski 973

Is there a corresponding JWT generator for SSO to a backend?

Comment made 04-Aug-2017 by Graham Alderson

Walter,

I haven't written a custom JWT generator yet, but it could certainly be done and a lot of the code above could be leveraged for it. However, in v13 there is a built-in SSO Config for generating and inserting a JWT!

Also, I believe I recognize your name from Agility, if so, thanks for attending and I hope the OAuth class was useful!

Comment made 04-Aug-2017 by Walter Kacynski 973

Yeah, I was looking at v13. Is "OAuth Bearer SSO" considered the JWT token method? If this is the case, I need F5 to act as a client and resource server as well as an authorization server on the same box, which hasn't been GA'ed yet.

Comment made 04-Aug-2017 by Graham Alderson

That is correct.

Edit: Added for clarity

You don't need Big-IP to act as an Authorization server to use the OAuth Bearer SSO method. You may want to put those services on the same box for other reasons, but to use the OAuth Bearer SSO method you just need to configure it and have an OAuth Client/Resource server implementation.

Comment made 17-Oct-2017 by magnus78 88

Is this id_token possible to extract in LTM module outside APM?

Comment made 18-Oct-2017 by Graham Alderson

Sure. The current iRule is written in an APM event and sets APM session variables, but you could change those to standard variables and an LTM event (like HTTP_REQUEST, and then restrict where it runs by URI or something).

Comment made 1 week ago by Reshma 1

Hi, I am trying to copy the above code into my iRule in LTM, but I am getting the error below. Can you guide me on using JWT parsing with my LTM iRule?

01071912:3: ACCESS_POLICY_AGENT_EVENT event in rule (/Common/Tablet4) requires an associated ACCESS profile on the virtual-server (/Common/tabletfour)

My current iRule code is something like the below; please let me know how I can integrate it into my current iRule in LTM.

# Once the client certificate handshake completes, release the held request
# and reject the connection if no certificate was presented.
when CLIENTSSL_CLIENTCERT {
    HTTP::release
    if { [SSL::cert count] < 1 } {
        reject
    }
}

# On the first request without a certificate, hold the request and
# renegotiate the TLS session with a client certificate required.
when HTTP_REQUEST {
    if { [SSL::cert count] <= 0 } {
        HTTP::collect
        SSL::authenticate always
        SSL::authenticate depth 9
        SSL::cert mode require
        SSL::renegotiate
    }
}

# Pass the certificate subject to the backend as a request header.
when HTTP_REQUEST_SEND {
    clientside {
        if { [SSL::cert count] > 0 } {
            HTTP::header insert "ClientCert-Subject" [X509::subject [SSL::cert 0]]
        }
    }
}

Comment made 1 week ago by Walter Kacynski 973

Please heed the warning at the top: This feature is now native in v13.1 and it is strongly recommended you implement the native solution instead. This code is left only as an example for future use cases, it should not be used for JWT handling because there is no signature validation.

What are you trying to accomplish with this functionality and what version are you on?

Comment made 1 week ago by Graham Alderson

Reshma,

It is because the iRule has ACCESS commands in it that cannot function without an access profile assigned. The ACCESS commands are there to assign the JWT values into APM session variables.

To resolve this problem you must follow the directions provided by the error message and assign an access profile (enabled by licensing and provisioning APM) onto the virtual server before you can assign this iRule.

It is possible to comment out any ACCESS commands from this iRule and use it in LTM only as an alternative. However, as noted at the top and by Walter, this does not verify the signature of the JWT and may have performance problems at large scale. Using the built-in JWT parsing functionality in APM instead is highly recommended, and it is the supported method of doing this.
