IBM Verify


Oauth Authz code flow and webseals behind load balancer

  • 1.  Oauth Authz code flow and webseals behind load balancer

    Posted Tue January 12, 2021 10:05 AM
    Hi group,

    Just wanting to see what kind of approach others are taking with this.

    We have a few webseals behind an F5 load balancer. Users log in using a VIP (http://www.myaccountpage-example.com/). There they log in via pkmslogin.form. Then it starts the oauth authz flow by going to http://www.myaccountpage-example.com/mga/sps/oauth/oauth20/authorize?...yada yada yada. The issue here is if they log in while on one webseal, and the call to the authz endpoint happens on the other webseal (since they are load balanced), the call to the authz endpoint fails since the call is happening without authentication.

    To address this issue, I've written an F5 iRule to only allow any /mga or /pkmslogin traffic to flow to one webseal. This usually works but sometimes the connections will go to the next webseal in the pool, like if the first webseal was marked as down by the F5 for a period of time. Even when the first webseal is available again, some connections keep going to the other webseal due to caching. I could just have one webseal in the pool but then I don't have any failover options when a webseal goes down.

    Interested to see how others are handling this. 

    Thanks,
    Scott

    ------------------------------
    Scott Reichardt
    Security Verify Access 10.0.0.1
    ------------------------------


  • 2.  RE: Oauth Authz code flow and webseals behind load balancer

    Posted Tue January 12, 2021 12:42 PM
    Do you have DSC configured correctly?

    ------------------------------
    Joao Goncalves
    Pyxis, Lda.
    Sintra
    +351 91 721 4994
    ------------------------------



  • 3.  RE: Oauth Authz code flow and webseals behind load balancer

    Posted Tue January 12, 2021 01:34 PM
    We aren't using DSC. Can DSC even be used with oauth token usage?

    ------------------------------
    Scott Reichardt
    ------------------------------



  • 4.  RE: Oauth Authz code flow and webseals behind load balancer

    Posted Tue January 12, 2021 03:20 PM
    Scott,

    If you cannot guarantee stickiness from the load balancer you need a mechanism by which the session information can be shared by all replicated servers.  Verify Access provides two ways to do this.  You can either store the session information in the runtime database, or you can store the session information in the DSC.

    I hope that this helps.

    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor


  • 5.  RE: Oauth Authz code flow and webseals behind load balancer

    Posted Tue January 12, 2021 04:37 PM
    Edited by Scott Reichardt Tue January 12, 2021 05:53 PM
    Although it's quite old, does this still apply?

    Taken from https://philipnye.com/2016/05/24/commonly-overlooked-isam-settings-for-production-deployments/
     - OAuth Sessions doesn't currently play well with the Distributed Session Cache. Be sure not to enable the DSC on any instance using OAuth-Auth. You'll very quickly overflow your session cache otherwise.


    ------------------------------
    Scott Reichardt
    ------------------------------



  • 6.  RE: Oauth Authz code flow and webseals behind load balancer

    Posted Tue January 12, 2021 05:47 PM
    Hey Scott,

    There is a new setting since v9.0.7, which allows this to work more appropriately with DSC enabled now, see

    Reverse Proxy Sessions

    The reverse proxy can now store non-cookie based sessions in a local session cache when the distributed session cache is enabled. See dsess-support-local-sessions.

    From:
    https://www.ibm.com/support/knowledgecenter/SSPREK_9.0.7/com.ibm.isam.doc/productoverview/concept/whats_new.html

    I've updated the posts with the above information.
    Regards,

    Phil



    ------------------------------
    Philip Nye
    IBM
    Gold Coast
    ------------------------------



  • 7.  RE: Oauth Authz code flow and webseals behind load balancer

    Posted Tue January 12, 2021 05:55 PM
    Thanks. I'll take a look at how to get things working with DSC.

    ------------------------------
    Scott Reichardt
    ------------------------------



  • 8.  RE: Oauth Authz code flow and webseals behind load balancer

    Posted Thu January 14, 2021 11:33 AM
    I should have mentioned, the webseals in question are on two separate appliances. Is there a way to share the DSC session table across multiple appliances? I've found in my testing that if I change the following 127.0.0.1 address in the webseal config on the secondary appliance to the DSC on the primary appliance, the DSC doesn't show the server in the list.

    server = 9,http://127.0.0.1:2035/DSess/services/DSess



    ------------------------------
    Scott Reichardt
    ------------------------------



  • 9.  RE: Oauth Authz code flow and webseals behind load balancer

    Posted Thu January 14, 2021 03:20 PM
    Scott,

    To solve your original problem you need to configure AAC to use the DSC and not WebSEAL (https://www.ibm.com/support/knowledgecenter/SSPREK_10.0.1/com.ibm.isva.doc/config/reference/ref_aac_advcfgprop.htm#aac_advcfgprop__d253e1941).  You can configure multiple servers to use the same DSC through one of two mechanisms:
    1. If both appliances reside within the cluster you can just use the clustering capabilities;
    2. If the appliances do not reside within the cluster you can configure the DSC (through the cluster configuration panel) to expose itself outside of the cluster and then you manually configure the client to use the 'external' DSC.
    I hope that this helps.

    ------------------------------
    Scott Exton
    IBM
    Gold Coast
    ------------------------------



  • 10.  RE: Oauth Authz code flow and webseals behind load balancer

    Posted Tue January 19, 2021 02:50 PM
    Thanks, Scott. With this should I be able to share federation grants between the two appliances as well?

    ------------------------------
    Scott Reichardt
    ------------------------------



  • 11.  RE: Oauth Authz code flow and webseals behind load balancer

    Posted Tue January 12, 2021 07:52 PM
    Stickiness does not solve your problem. The behavior just happens less often.

    ------------------------------
    Joao Goncalves
    Pyxis, Lda.
    Sintra
    +351 91 721 4994
    ------------------------------
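
Added example, not posted by anyone in this thread and not IBM product code: a small Python simulation of the two-webseal pool from the original question, written to show why the answers in #4 and #11 say a shared session store (DSC or runtime database) is the fix and load-balancer stickiness only makes the failure rarer. The node names webseal1/webseal2, the user "alice", and the SessionStore/ReverseProxy/LoadBalancer classes are constructed for illustration; the two HTTP steps modelled are the pkmslogin.form login and the /mga/sps/oauth/oauth20/authorize request mentioned in the question.

```python
# Added example: two reverse proxies behind a round-robin load balancer.
# A node-local SessionStore per proxy models WebSEAL's default session cache;
# one SessionStore shared by both proxies models a distributed cache (DSC).
import itertools
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SessionStore:
    """Maps session id -> authenticated user."""
    sessions: dict = field(default_factory=dict)


@dataclass
class ReverseProxy:
    name: str
    store: SessionStore
    up: bool = True

    def login(self, user: str) -> str:
        """pkmslogin.form succeeded on this node: create a session, return its id."""
        sid = secrets.token_hex(8)
        self.store.sessions[sid] = user
        return sid

    def authorize(self, sid: str) -> int:
        """/mga/sps/oauth/oauth20/authorize: 302 (redirect with code) when the
        session is known to this node, else 401 because the request arrives
        unauthenticated here."""
        return 302 if sid in self.store.sessions else 401


class LoadBalancer:
    """Round-robin over healthy nodes, optionally honouring cookie affinity."""

    def __init__(self, nodes, sticky: bool = False):
        self.nodes = nodes
        self.sticky = sticky
        self._rr = itertools.cycle(nodes)
        self._affinity = {}

    def bind(self, sid: str, node: ReverseProxy) -> None:
        """Record which node issued the session cookie (sticky mode only)."""
        if self.sticky:
            self._affinity[sid] = node

    def pick(self, sid: Optional[str] = None) -> ReverseProxy:
        node = self._affinity.get(sid)
        if node is not None and node.up:
            return node          # affinity honoured while that node is healthy
        for _ in range(len(self.nodes)):
            node = next(self._rr)
            if node.up:
                return node      # otherwise fail over to the next healthy node
        raise RuntimeError("no healthy node in pool")


def run_flow(shared_store: bool, sticky: bool, first_node_fails: bool) -> int:
    """Log in through the LB, then send the authorize request through the LB.
    Returns the HTTP status the authorize request receives."""
    if shared_store:
        common = SessionStore()
        stores = [common, common]
    else:
        stores = [SessionStore(), SessionStore()]
    nodes = [ReverseProxy("webseal1", stores[0]), ReverseProxy("webseal2", stores[1])]
    lb = LoadBalancer(nodes, sticky=sticky)

    login_node = lb.pick()
    sid = login_node.login("alice")
    lb.bind(sid, login_node)

    if first_node_fails:
        login_node.up = False    # the F5 marks the login node down between requests

    return lb.pick(sid).authorize(sid)


def scenarios() -> dict:
    """Status of the authorize request under each pool configuration."""
    return {
        "local cache, round robin": run_flow(False, False, False),
        "local cache, sticky": run_flow(False, True, False),
        "local cache, sticky, node down": run_flow(False, True, True),
        "shared cache, round robin": run_flow(True, False, False),
        "shared cache, round robin, node down": run_flow(True, False, True),
    }


if __name__ == "__main__":
    for name, status in scenarios().items():
        print(f"{name:40s} -> {status}")
```

With node-local caches the authorize request only succeeds while affinity delivers it to the node that holds the session; the moment the F5 fails that node over, the request lands unauthenticated on the other webseal and gets the 401 described in the question. With a shared store the second node finds the session regardless of which node handled the login, including after failover, which is the property the DSC or runtime-database options in #4 provide.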