Forum Discussion

Kumar_Thota
Apr 13, 2020

APM integration with AZURE two open-id endpoints

We are using Azure as our AD. We have configured the OpenID URL (https://login-test.abc.com/ae9bc4d111-2ef0-4c44-b82a-85c8645b04c7/v2.0/.well-known/openid-configuration?p=B2C_1A_YA_signup_signin) for sign-in and sign-up as a provider for calls going out to Azure to get the customer authenticated, and that part works as expected.

There is another scenario: if the customer forgets the password and attempts to change it, the call goes directly to Azure, where the APM policy is not invoked. After the customer changes the password, he is prompted to go back to account summary. When the customer hits the "go to account summary" link, he is redirected back to F5 APM and we get the error message below:

error: HTTP error 400, Error: invalid_grant: AADB2C90088: The provided grant has not been issued for this endpoint. Actual Value : B2C_1A_YA_signup_signin and Expected Value : B2C_1A_YA_ForgotPassword Correlation ID: 08292914-d9c6-4382-a6cf-565739167457 Timestamp: 2020-04-13 20:05:22Z

One thing I observed is that the OpenID endpoint for forgot password from Azure is https://login-test.abc/ae9bc4d111-2ef0-4c44-b82a-85c8645b04c7/v2.0/.well-known/openid-configuration?p=B2C_1A_YA_forgotpassword. When the call from Azure comes back to F5 APM for forgot password, APM validates the OpenID endpoint and throws an OAuth client mismatch. Is there any way we can intercept the call coming back from Azure and redirect the customer to account summary without invoking the APM policy? This is the call coming back from Azure to F5: https://www-abc.com/oauth/client/redirect?state=5_mj2GiWfTfk2cJFDftVNdg&p=forgotpassword. Is there a way we can do it via an iRule? I have written an iRule but it did not work as expected.

when ACCESS_SESSION_STARTED {

    # Landing URI that APM recorded when it created the session
    set forgotpassword [ACCESS::session data get "session.server.landinguri"]

    log local0. "landing uri is $forgotpassword"

    # The callback from Azure carries "state=...&p=forgotpassword", so test the
    # "p" parameter on its own instead of comparing the whole query string.
    # The "else" must stay on the same line as the closing brace, otherwise
    # Tcl treats it as a separate (unknown) command and the iRule fails.
    if { $forgotpassword contains "/oauth/client/redirect" && [URI::query [HTTP::uri] "p"] eq "forgotpassword" } {

        # Drop the session cookie and the session itself so the OAuth client
        # agent in the access policy never sees the forgot-password callback
        HTTP::cookie remove "MRHSession"
        ACCESS::session remove

        HTTP::redirect "https://www-dev.we-energies.com/accountsummary/"
        log local0. "redirected to accountsummary"

    } else {
        log local0. "do nothing"
    }
}

Experts please help me in resolving this issue.
