Skip to content

iApp, config templates and useful stuff related to making Auth0 OAuth 2.0/OpenID Connect work with F5 BIG-IP

License

Notifications You must be signed in to change notification settings

colin-stubbs/f5-bigip-auth0-integration

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

60 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

F5 BIG-IP Auth0 Integration via OAuth 2.0/OpenID Connect

Configuration templates/scripts/iRules/sample F5 BIG-IP APM policy to utilise Auth0 via OAuth/OpenID Connect

Using

Head to the wiki which provides detailed instructions on deployment options.

Meh, just tell me what's in this repo?

  1. iApp for F5 BIG-IP v13.1.0+ - it's this file
    1. NOTE: The iApp will not create or modify a virtual server for you. Create it manually or use the official F5 HTTP Applications iApp and deployment guide to create your virtual server and attach the APM policy created by the iApp from this repo if you choose to use it.
  2. Sample F5 BIG-IP APM Policies
    1. A basic policy that initiates auth and completes an OpenID UserInfo request - in this file
    2. A more complete policy that initiates auth, obtains and validates the access token as being a JWT with valid JWS, completes OpenID Connect UserInfo request and completes external scope validation request - in this file
  3. Sample iRule for dealing with F5 BIG-IP Bug ID#685888 which causes various characters returned by Auth0 to be escaped, the most annoying which are vertical bars/pipes "|" which BIG-IP converts to "|" any time it sets/copies anything as a session variable. So the subject from your access/ID token etc which should be "auth0|UNIQUE_ID" becomes "auth0\|UNIQUE_ID". Various characters in links to the OpenID headshot/photo will also get escaped renderly the URL useless. BIG-IP APM also can't currently handle tokens returned via POST data and assumes that they will be sent as URI parameters, the iRule has a workaround for this issue also - in this file
  4. TMSH configuration template to create APM OAuth and SSO objects along with all dependencies - in this file
  5. Sample shell scripts to quickly turn the TMSH configuration template into something useful for immediate merge into the running TMSH config

NOTE: F5 BIG-IP Bugs Related to OAuth and OpenID Connect

There is many. I've moved the description for all of the issues I've encountered into the wiki here

NOTE: Auth0 Instance Certificate Import

You can create/import certificates into BIGIP direct from a URL. Auth0 provides your instances cert in PEM format via the URL https://%{AUTH0_INSTANCE}%.auth0.com/pem

Example TMSH CLI command,

create sys file ssl-cert routedlogic.auth0.com source-path https://routedlogic.auth0.com/pem

This is the process that the iApp uses in order to download and install the certificate automatically.

Simple Auth0 Authentication Policy Flow

Import this file into BIG-IP APM to build a policy based on this.

NOTE: The policy is not associated with an OAuth Server/Provider/Request configuration objects so they will NOT be created at the same time. Use the configuration template to create a TMSH config script to merge those, then associate the policy agents with it, and apply the policy.

Simple Policy Flow

Auth0 Authentication with Access Token/Scope Validation/API Query/SSO Policy Flow

Import this file into BIG-IP APM to build a policy based on this.

NOTE: The policy is not associated with an OAuth Server/Provider/Request configuration objects so they will NOT be created at the same time. Use the configuration template to create a TMSH config script to merge those, then associate the policy agents with it, and apply the policy.

Full Policy Flow

EOF

About

iApp, config templates and useful stuff related to making Auth0 OAuth 2.0/OpenID Connect work with F5 BIG-IP

Topics

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages