Configuration templates/scripts/iRules/sample F5 BIG-IP APM policy to utilise Auth0 via OAuth/OpenID Connect
Head to the wiki which provides detailed instructions on deployment options.
- iApp for F5 BIG-IP v13.1.0+ - it's this file
- NOTE: The iApp will not create or modify a virtual server for you. Create it manually or use the official F5 HTTP Applications iApp and deployment guide to create your virtual server and attach the APM policy created by the iApp from this repo if you choose to use it.
- Sample F5 BIG-IP APM Policies
- A basic policy that initiates auth and completes an OpenID UserInfo request - in this file
- A more complete policy that initiates auth, obtains and validates the access token as being a JWT with valid JWS, completes OpenID Connect UserInfo request and completes external scope validation request - in this file
- Sample iRule for dealing with F5 BIG-IP Bug ID#685888 which causes various characters returned by Auth0 to be escaped, the most annoying which are vertical bars/pipes "|" which BIG-IP converts to "|" any time it sets/copies anything as a session variable. So the subject from your access/ID token etc which should be "auth0|UNIQUE_ID" becomes "auth0\|UNIQUE_ID". Various characters in links to the OpenID headshot/photo will also get escaped renderly the URL useless. BIG-IP APM also can't currently handle tokens returned via POST data and assumes that they will be sent as URI parameters, the iRule has a workaround for this issue also - in this file
- TMSH configuration template to create APM OAuth and SSO objects along with all dependencies - in this file
- Sample shell scripts to quickly turn the TMSH configuration template into something useful for immediate merge into the running TMSH config
There is many. I've moved the description for all of the issues I've encountered into the wiki here
You can create/import certificates into BIGIP direct from a URL. Auth0 provides your instances cert in PEM format via the URL https://%{AUTH0_INSTANCE}%.auth0.com/pem
Example TMSH CLI command,
create sys file ssl-cert routedlogic.auth0.com source-path https://routedlogic.auth0.com/pem
This is the process that the iApp uses in order to download and install the certificate automatically.
Import this file into BIG-IP APM to build a policy based on this.
NOTE: The policy is not associated with an OAuth Server/Provider/Request configuration objects so they will NOT be created at the same time. Use the configuration template to create a TMSH config script to merge those, then associate the policy agents with it, and apply the policy.
Import this file into BIG-IP APM to build a policy based on this.
NOTE: The policy is not associated with an OAuth Server/Provider/Request configuration objects so they will NOT be created at the same time. Use the configuration template to create a TMSH config script to merge those, then associate the policy agents with it, and apply the policy.