
Authentication based on Header with WebAuth

We have an intranet application we want to publish via Citrix ADC to the internet with a special pre-authentication.


The application is using self-created JWT tokens (but not OpenID/OAuth) for authentication. There is a web endpoint to validate such tokens.


My plan was to extract the JWT token from the header (preferably "Authorization: Bearer ey123456") and send this via WebAuth to the separate endpoint for validation (webservice/validate?token=ey123456). If the validation succeeds (HTTP 200 and/or content=true), allow the request. Is this possible without a redirection for login or a special form-based login page, so that I can directly send a request to the resource URL with the correct header and receive the backend answer?


I think I can get the WebAuth part to work, but it won't be invoked because something before it isn't set up correctly. Do you have some hints on what to check?



I already set up a Content Switch with the LB and AAA bound to it, but I'm not sure how this would help me.


My problems/thoughts:

1. Since I want to be able to do a curl and get the response directly, I need 401-based authentication?!

curl --request GET 'https://domain.com/request' \
--header 'User-Agent: TokenAuthClient' \
--header 'Authorization: Bearer ey123456'


2. When I use the default header "Authorization: Bearer ey123456", the ADC tries to interpret that header, but since I can't add a normal OAuth config because of the special validation, I only get the error:

nFactor: Could not find matching negotiate/oauth policy while processing authorization header vserver: vip LB_vServer, authentication vserver AAA_vServer


3. I tried to change the headers via rewrite policies, but it seems that they are all evaluated after the AAA login process. My plan was to add a new header "x-temp-Authorization" with the value of the original, or even encapsulate the JWT token in the basic auth password field so that I can use it later in the WebAuth request.


4. If I use no authentication on the LB itself, is there any other method I can use to do the JWT check?


I almost got it to work.


The VS is configured to use 401-based authentication.

On the AAA I configured NO_AUTH as the first factor and WebAuth as the second factor; in the WebAuth I can use variables defined as expressions before it without any problem. That way the authentication process starts and the WebAuth request validates successfully.


One last problem I'm facing is the login session. I think at the moment it wants to establish a session for the request, but this should be stateless. If I send a curl to the website I'm in an endless loop and only see a lot of messages like
default AAATM LOGIN 43716 0 : Context anonymous@ip - SessionId: 3226 - User anonymous - Client_ip ip - Nat_ip "Mapped Ip" - Vserver adcip:443 - Browser_type "xxx" - Group(s) "N/A"


counting the SessionId up until the whole ADC reboots.


Is there a way to disable the sessions for this special AAA, or something like that?
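The 401 / NO_AUTHN / WebAuth chain described in the posts above, written out as an added example of the ADC CLI objects involved; it is not the poster's own configuration and does not address the session loop. The validation server IP 10.0.0.50, the Host name validate.internal.example and all object names other than LB_vServer and AAA_vServer are assumptions (placeholders); the success rule follows the "HTTP 200 and body true" check the first post describes.

```text
# Placeholders (assumptions): 10.0.0.50 / validate.internal.example is the internal
# token validation web service; LB_vServer and AAA_vServer are the names from the thread.

# Named expression: the token that follows "Bearer " in the Authorization header
add policy expression jwt_from_header q{HTTP.REQ.HEADER("Authorization").AFTER_STR("Bearer ")}

# First factor: pass every request on to the next factor without presenting a login form
add authentication Policy noauth_pol -rule true -action NO_AUTHN

# Second factor: WebAuth call to the validation endpoint with the extracted token.
# Success only on HTTP 200 with a body beginning with "true"; anything else is a failed login.
add authentication webAuthAction jwt_validate_act -serverIP 10.0.0.50 -serverPort 443 -scheme https -fullReqExpr q{"GET /webservice/validate?token=" + jwt_from_header + " HTTP/1.1\r\nHost: validate.internal.example\r\nConnection: close\r\n\r\n"} -successRule q{HTTP.RES.STATUS.EQ(200) && HTTP.RES.BODY(4).CONTAINS("true")}

# Only requests that actually carry a bearer token reach the validation call
add authentication Policy jwt_validate_pol -rule q{HTTP.REQ.HEADER("Authorization").STARTSWITH("Bearer ")} -action jwt_validate_act

# Policy label for the second factor (LSCHEMA_INT = built-in "no schema", nothing is rendered)
add authentication policylabel jwt_validate_label -loginSchema LSCHEMA_INT
bind authentication policylabel jwt_validate_label -policyName jwt_validate_pol -priority 100

# Chain: NO_AUTHN first, then the WebAuth label
bind authentication vserver AAA_vServer -policy noauth_pol -priority 100 -nextFactor jwt_validate_label -gotoPriorityExpression NEXT

# 401-based authentication on the LB, so a curl with the header gets the backend answer directly
set lb vserver LB_vServer -Authentication ON -Authn401 ON -AuthnVsName AAA_vServer
```

The validation endpoint stays reachable only from the ADC SNIP, so the token is checked server-side on every request; a request without a "Bearer " header never matches jwt_validate_pol and is rejected at the second factor.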

