Module 3 - Protect Arcadia API with Adv. Waf and APM (Bearer SSO)¶
In this lab we will deploy a BIG-IP security policy based on Adv. WAF and APM, in front of the NGINX+ API GW. In order to make life better and simple for DevOps, we will delegate all the Authentication layer to APM. APM will authenticate JWT tokens coming from different providers with different keys, and we will use APM Bearer SSO in order to share a unique JWT key with the API gateways.
Note
APM will download keys from external providers automatically (by using OIDC discovery process) and will use another an unique key for internal SSO with NGINX API Gateways. This will allow DevOps to know only one key for all their deployments. And SecOps will manage the external providers.
Configure NGINX Controller with a new Identity Provider¶
In the left menu, click on
Identity Provider
iconCreate a new Identity Provider as below. Use the JSON code below for the JWK
{ "keys": [ { "k": "aWxvdmVuZ2lueA", "kid": "9876543210", "kty": "oct" } ] }
Note
I invite you to decode the “k” value to know what is the
key
. As you can notice, we don’t use a RSA key, but a secret (just to simplify the lab). This secret is BASE64 encoded.Assign this
Identity Provider
with your API DefinitionMake a quick test with
Postman
by sending a request to the Arcadia API likeLast Transactions
orBuy stocks
Note
As you don’t insert any JWT token in your request, the API GW rejected the request. It is time to configure APM to inject this JWT Bearer SSO
Configure Adv. WAF and APM¶
Note
In this lab we will use Access Guided Configuration and we will do some custom tuning in the policies. There are several ways to protect API with BIG-IP, but at the moment, we will focus on AGC so that you can understand how it works. GSA team is working on a dedicated UDF Blueprint for API Declarative WAF policy with v16.0
Connect to the Jumhost (user / user)
Open
Chrome
and connect to the BIG-IP (admin / admin)Delete the existing
vs-arcadia-api
Virtual Server in the BIG-IP. We are going to create a new one from the Guided Configuration.Create a JWK Bearer SSO key. If you remember below, the key (encoded64) was
aWxvdmVuZ2lueA
, and decoded64ilovenginx
In
Access
, click onGuided Configuration
and select the templateAPI Protection Proxy
inAPI Protection
groupConfigure the template as below.
Warning
The AGC template does not support yet OpenAPI spec file Version 3. But only Version 2. We will use another version of the OAS file.
Note
The OAS file is located in
Downloads
directory and its name isswaggerArcadia2.json
Check the boxes
Use Rate Limiting
andOAuth 2.0
Select the default Servrer at the bottom of the screen
Note
You can notice the URI and the back server have been imported from the OAS2 file
Select
AzureAD
AAD-F5Sales
as providerWarning
Due to a bug in AGC, we can’t add more providers here. We will modify the list later on directly in the APM configuraiton (ID 835509)
Configure
Signle Sign-On Settings
as belowNote
We will focus on Claims later on
Configure
Rate Limiting
as below. We will limit request per user based on their Email address extracted from the JWT token. The value used for theUser ID Key
issubsession.oauth.scope.last.jwt.Email
Configure the
Virtual Server
as belowVS : 10.1.10.18
Log All Requests
Client SSL arcadia_client_ssl
Click
Deploy
Now we have to add manually the 2 more providers in the APM configuration (due to the BUGID in AGC 6.0)
Note
Congratulation, Arcadia API is protected by an Advanced WAF (you can check the policy) and APM in order to authenticate requests from 3 providers.
Note
I invite you to check the Access > API Protection configuration
Warning
In order to use Oauth with Azure AD, you have to force an update of the Azure JWT keys. In Federation
> Oauth Client / Resource Server
> Provider
, click on Start
button to force APM to download the new keys.
Test your protected API with Authentication, WAF and Rate Limiting¶
Open
Postman
and select theArcadia API
collectionSelect one call, the one you want.
F5ers only - For F5 partners and customers, please jump to the next bullet point.
Inauthentication
selectOauth 2.0
. We will start with an Azure AD provider - similating a partner having an AAD subcription and wanting to use it.Click
Get New Token
I have already set the values for the Oauth Client. As a reminder, here, Postman is the Oauth Agent - it is requesting the Access Token
Authenticate with your Corporate F5 account. If it fails, it means you are not part of the F5 Sales Azure tenant (Open an IT Ticket)
When done, click
Use token
and send your request.
Note
It passes. Token is approved by APM, and a new token is generated by APM and sent to the NGINX API GW (Bearer SSO)
Available for F5ers, partners and customers
. Now, try with the 2 other providers (partner1 and partner2)You can find the tokens on the desktop in the file
JWT tokens.txt
Don’t use
Oauth 2.0
, as we already have the tokens. But useBearer Token
instead. I generated these tokens from the website http://jwtbuilder.jamiekurtz.com/
Partner 1: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJwYXJ0bmVyMSIsImlhdCI6MTU5MzQ1NTk4NSwiZXhwIjoxNjg4MDYzOTg1LCJhdWQiOiJhcGkuYXJjYWRpYS1maW5hbmNlLmlvIiwic3ViIjoiYXBpLmFyY2FkaWEtZmluYW5jZS5pbyIsIkdpdmVuTmFtZSI6IkpvaG5ueSIsIlN1cm5hbWUiOiJSb2NrZXQiLCJFbWFpbCI6Impyb2NrZXRAZXhhbXBsZS5jb20iLCJSb2xlIjoiTWFuYWdlciJ9.JRboDfKWvSLVU3md6OULGifoVxJ-ryx7y-0DKrOlPOM
Partner 2: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJwYXJ0bmVyMiIsImlhdCI6MTU5MzQ1NTk4NSwiZXhwIjoxNjg4MDYzOTg1LCJhdWQiOiJhcGkuYXJjYWRpYS1maW5hbmNlLmlvIiwic3ViIjoiYXBpLmFyY2FkaWEtZmluYW5jZS5pbyIsIkdpdmVuTmFtZSI6IkJvYiIsIlN1cm5hbWUiOiJUaGUgU3BvbmdlIiwiRW1haWwiOiJib2JAc3BvbmdlLmNvbSIsIlJvbGUiOiJDb250cmFjdG9yIn0.aqTxd6X4z7EFijJsyiuq8mZAKMLG519Bmjz1ra24L-s
Test the Rate Limiting by sending 4 calls with the same token. The 4th will be block. You can notice the reponse code
429 Too Many Requests
Send an attack
Select the call
POST Buy Stocks XSS attack
Send the request and notice the
200 OK
response. It means the WAF didn’t block the requestCheck why and change your policy accordingly.
Note
Tip : attack signatures are in Staging mode