Thomas Rens Vermeulen Posted November 26

Can anyone explain to me how to confirm OAuth access tokens via Citrix NetScaler? So when a user already has a bearer token from the OAuth IdP, the NetScaler should only confirm this token with the Entra ID app registration (OAuth).
Thomas Rens Vermeulen (Author) Posted November 29

So, I got a little further on this.

Workflow

Via Postman I'm getting an access token directly via the app registration. When I have the token, I'm sending it via the Authorization header to the NetScaler. The NetScaler is configured with the same app registration. I get the following error in NS.LOG and NSTRACE (see screenshot):

"AAATM Bearer: No token or Error trying to evaluate username/pwd for bearer auth"
"OAUTH: JWT: Failed to verify signature on token, used algorithm is RS256"
"OAUTH: failed to verify JWT; action used: AAA-AS-OAUTH_WEBAPP"
"NS Oauth: Failed to verify Bearer token with error <1310743>"

Configuration

add authentication OAuthAction AAA-AS-OAUTH_WEBAPP -authorizationEndpoint "https://login.microsoftonline.com/<tenant>/oauth2/v2.0/authorize" -tokenEndpoint "https://login.microsoftonline.com/<tenant>/oauth2/v2.0/token" -clientID <clientid> -clientSecret <clientsecret> -encrypted -encryptmethod ENCMTHD_3 -kek -suffix 2024_04_05_07_15_01 -OAuthMiscFlags Base64Encode_Authorization_With_Padding -CertEndpoint "https://login.microsoftonline.com/<tenant>/discovery/v2.0/keys" -userNameField OnpremisesSAMaccountname -allowedAlgorithms HS256 RS256 RS512
add authentication Policy ap-azuread-test-oauth -rule true -action AAA-AS-OAUTH_WEBAPP
add tm sessionAction spr-oauth-test -defaultAuthorizationAction ALLOW -ssoCredential PRIMARY -ssoDomain domain.local
add tm sessionPolicy spo-aaa-oauth-test true spr-oauth-test
add authentication vserver vs-aaa-test SSL 0.0.0.0
bind authentication vserver vs-aaa-test -policy ap-azuread-test-oauth -priority 100 -gotoPriorityExpression END
bind authentication vserver vs-aaa-test -policy spo-aaa-oauth-test -priority 100 -gotoPriorityExpression NEXT
add lb vserver vs-lb-test-oauth SSL 1.2.3.4 443 -persistenceType COOKIEINSERT -timeout 0 -persistenceBackup SOURCEIP -backupPersistenceTimeout 30 -cltTimeout 180 -authn401 ON -authnVsName vs-aaa-test

Conclusion so far

It looks like the AAA vserver is not receiving the Bearer token (access token) at all. I need to extract the access token and pass it on to the AAA vserver. I cannot find any traffic that sends the bearer token to the Microsoft app registration.
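To make the "Failed to verify signature on token, used algorithm is RS256" message concrete, here is an added Go example (not from this thread, not Citrix code) of the checks a resource server such as the AAA vserver performs on a bearer JWT when it is given a JWKS like the one at the -CertEndpoint URL: the alg in the header must be on the allow-list, the key is looked up by kid, the RS256 signature over header.payload is verified, and only then are iss, aud and exp checked. The key pair, the kid "demo-kid-1", the issuer string and the claim values are constructed for the demo; the onpremisessamaccountname claim stands in for the -userNameField setting in the post.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Subset of a JWKS document as served by a discovery/v2.0/keys endpoint.
type JWK struct {
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}
type JWKS struct {
	Keys []JWK `json:"keys"`
}

// Claims this check cares about (onpremisessamaccountname mirrors -userNameField).
type Claims struct {
	Iss  string `json:"iss"`
	Aud  string `json:"aud"`
	Exp  int64  `json:"exp"`
	User string `json:"onpremisessamaccountname,omitempty"`
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// PublicJWKS publishes an RSA public key under a kid, as an IdP keys endpoint would.
func PublicJWKS(pub *rsa.PublicKey, kid string) JWKS {
	return JWKS{Keys: []JWK{{Kty: "RSA", Kid: kid,
		N: b64url(pub.N.Bytes()), E: b64url(big.NewInt(int64(pub.E)).Bytes())}}}
}

// MintToken signs claims as an RS256 JWT (stand-in for the IdP's token endpoint).
func MintToken(priv *rsa.PrivateKey, kid string, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	signingInput := b64url(hdr) + "." + b64url(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64url(sig), nil
}

// VerifyBearer: alg allow-listed, key found by kid, signature valid, then iss/aud/exp.
func VerifyBearer(token string, keys JWKS, allowed []string, iss, aud string, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("not a compact JWS")
	}
	hdrRaw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return c, fmt.Errorf("bad header: %w", err)
	}
	var hdr struct {
		Alg string `json:"alg"`
		Kid string `json:"kid"`
	}
	if err := json.Unmarshal(hdrRaw, &hdr); err != nil {
		return c, fmt.Errorf("bad header: %w", err)
	}
	permitted := false
	for _, a := range allowed {
		if a == hdr.Alg {
			permitted = true
		}
	}
	if !permitted || hdr.Alg != "RS256" { // only RS256 is implemented in this demo
		return c, fmt.Errorf("algorithm %q not allowed", hdr.Alg)
	}
	var pub *rsa.PublicKey // select the signing key by kid
	for _, k := range keys.Keys {
		if k.Kty == "RSA" && k.Kid == hdr.Kid {
			nb, err1 := base64.RawURLEncoding.DecodeString(k.N)
			eb, err2 := base64.RawURLEncoding.DecodeString(k.E)
			if err1 != nil || err2 != nil {
				return c, errors.New("malformed JWK")
			}
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(nb), E: int(new(big.Int).SetBytes(eb).Int64())}
		}
	}
	if pub == nil {
		return c, fmt.Errorf("no key with kid %q in JWKS", hdr.Kid)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return c, fmt.Errorf("bad signature encoding: %w", err)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return c, errors.New("failed to verify signature on token, used algorithm is RS256")
	}
	body, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, fmt.Errorf("bad payload: %w", err)
	}
	if err := json.Unmarshal(body, &c); err != nil {
		return c, fmt.Errorf("bad payload: %w", err)
	}
	if c.Iss != iss {
		return c, fmt.Errorf("issuer %q not trusted", c.Iss)
	}
	if c.Aud != aud {
		return c, fmt.Errorf("token audience %q is not this app", c.Aud)
	}
	if now.Unix() >= c.Exp {
		return c, errors.New("token expired")
	}
	return c, nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed demo key pair
	keys := PublicJWKS(&priv.PublicKey, "demo-kid-1")
	iss, aud := "https://login.microsoftonline.com/<tenant>/v2.0", "<clientid>" // placeholders
	exp := time.Now().Add(time.Hour).Unix()
	tok, _ := MintToken(priv, "demo-kid-1", Claims{Iss: iss, Aud: aud, Exp: exp, User: "jdoe"})
	c, err := VerifyBearer(tok, keys, []string{"RS256", "RS512"}, iss, aud, time.Now())
	fmt.Println("valid token ->", c.User, err)
	// Swap the payload but keep the old signature: the signature check fails, as in NS.LOG.
	parts := strings.Split(tok, ".")
	forged, _ := json.Marshal(Claims{Iss: iss, Aud: aud, Exp: exp, User: "someone-else"})
	_, err = VerifyBearer(parts[0]+"."+b64url(forged)+"."+parts[2], keys, []string{"RS256"}, iss, aud, time.Now())
	fmt.Println("tampered token ->", err)
}
```

The order of the checks matters for debugging: a kid that is absent from the JWKS, a token signed by a different key, or any change to the header or payload all surface as a signature failure before the audience is ever examined. A token is only expected to pass when its aud is the validating app's own client ID; an access token requested for another resource (Microsoft Graph, for example) is not issued for this app to validate.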