Verify JWT token with NetScaler unauthenticated

-
So lets say you have tried the wonderful feature with 401 based oauth action to verify JWT tokens.
It works great when it works, but there could also be other situations where it does not fulfil the need.

Sometimes tokens are not passed in the standard authorization header, correct attributes might not be there or there could be challenges with cookies at client side.

JWT_VERIFY_CERTKEY can be used to verify signature with locally installed certs. This is an example of how you can verify multiple cert keys.

HTTP.REQ.HEADER("Authorization").AFTER_STR("Bearer ").JWT_VERIFY_CERTKEY("cert-1").NOT && HTTP.REQ.HEADER("Authorization").AFTER_STR("Bearer ").JWT_VERIFY_CERTKEY("cert-2").NOT && HTTP.REQ.HEADER("Authorization").AFTER_STR("Bearer ").JWT_VERIFY_CERTKEY("cert-3).NOT

How will you know if these tokens are not too old and expired? This is an example which you can use where the NS would verify that the tokens expire time is not older than 24 hours. 

 HTTP.REQ.HEADER("Authorization").AFTER_STR("Bearer ").AFTER_STR(".").BEFORE_STR(".").B64DECODE.AFTER_STR("exp\":").BEFORE_STR(",\"aio").TYPECAST_NUM_T(DECIMAL) < SYS.NANO_TIME.DIV(1000000000).SUB(86400)

Can be used together with a respondwith action:

"HTTP/1.1 401 Unauthorized "

So lets say you can use the built-in 401 oauth action working successfully, but you are struggling with getting the samesite attribute set to NONE in NSC_TMAS cookie?

For version 13.1 you can set this in the system wide AAA settings, then it works.
In 14.1 it seems to be fixed, it can be set on AAA server level.
Location: Stockholm, Sweden

Comments

Post a Comment

Popular posts from this blog

F5 to NetScaler Migration

-
Image
I recently had the opportunity to participate from start to finish as the primary technical resource in a project with the goal of completely phasing out a physical F5 solution, migrating the entire configuration and all applications to a NetScaler solution. I was also expected to design and implement the solution and to improve and modernize the configuration. The customer requested a fully virtual solution that they could implement in their global VMware-based hypervisor environment. A much more flexible deployment of load balancers could be easily achieved, since the customer had recently acquired a Universal Hybrid Multi Cloud (UHMC) license which entitled them to 1000 units of NetScaler and a terabit of bandwidth throughput. There were approximately 300 unique applications that needed to be managed in some way in the project. In the F5 solution, there was an externally accessible instance and a completely internal instance to be able to distinguish between external traffic from th...
Read more

Universal Hybrid Multi Cloud License – Unlimited NetScaler’s

-
There is a new license model from Citrix  that will  let you run NetScaler and Citrix in both cloud  and  on-premises  environments using the same license. In this license there  is a generous  entitlement to 1000 software instances of NetScaler in  the  form factors  of  VPX, CPX  and  BLX . I n other words ,  all the virtual  NetScaler’s .   You will need a NetScaler Console setup where you can then distribute 1 terabit of bandwidth throughput , granularly configured,   the way you need it,  to these appliances .   Which is  very good  since  NetScaler is  now  supported on all major delivery platforms: On-premises :  VMware ,  Nutanix,   XenServer ,  Hyper-V   Cloud:  Azure, AWS, Google  C loud, Oracle Cloud, IBM Cloud What can we do with all this capacity suddenly offered to us?   I have identified  a few   common s...
Read more