AAA vServer removes Authorization Header That Contains Bearer Token


Article ID: CTX319778


Description


NetScaler strips the Authorization header when forwarding the request to the backend. This causes authentication failures because the backend expects this bearer token.
 

Resolution

One solution is addressed in CTX225084.
However, if that solution, which is to disable SSO, does not work, the following rewrite policy can be created and bound to the AAA vserver:

add rewrite action oauth insert_http_header Authorization "\"Bearer \" + AAA.USER.ATTRIBUTE(\"accesstoken\")"
add rewrite policy oauth_pol true oauth
bind authentication vserver auth_vs -policy oauth_pol -priority 1 -gotoPriorityExpression END -type AAA_RESPONSE


This rewrite policy adds the bearer token to the authentication response, which is then forwarded to the backend.

Note: The above configuration will work only on 13.0, as the rewrite feature on the AAA vserver is supported from 13.0.
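
To confirm the result at the backend after binding the policy, the following added example (not part of the Citrix article) classifies the Authorization header of a captured backend request against the RFC 6750 form "Bearer <token>". The function names and sample requests are constructed for illustration; the empty-token case assumes the accesstoken attribute was not populated for the session.

```python
import re

# RFC 6750 section 2.1: credentials = "Bearer" 1*SP b64token
B64TOKEN = re.compile(r"^[A-Za-z0-9\-._~+/]+=*$")

def parse_headers(raw_request):
    """Return {lowercased-name: [values]} from a raw HTTP/1.1 request head."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def classify_authorization(raw_request):
    """Classify the Authorization header as the backend received it."""
    values = parse_headers(raw_request).get("authorization", [])
    if not values:
        return "missing"          # header was stripped before the backend
    if len(values) > 1:
        return "duplicate"        # more than one copy reached the backend
    scheme, _, token = values[0].partition(" ")
    if scheme.lower() != "bearer":
        return "wrong-scheme"     # e.g. "Bearer:" with no separating space
    token = token.strip()
    if not token:
        return "empty-token"      # prefix inserted, attribute was empty
    if not B64TOKEN.match(token):
        return "malformed-token"
    return "ok"

# Constructed sample requests (host, path and token are placeholders).
BASE = "GET /api/orders HTTP/1.1\r\nHost: backend.example\r\n"
SAMPLES = {
    "stripped": BASE + "\r\n",
    "forwarded": BASE + "Authorization: Bearer eyJhbGciOiJub25lIn0.e30.c2ln\r\n\r\n",
    "no-space": BASE + "Authorization: Bearer:eyJhbGciOiJub25lIn0.e30.c2ln\r\n\r\n",
    "empty": BASE + "Authorization: Bearer \r\n\r\n",
}

if __name__ == "__main__":
    for label, request in SAMPLES.items():
        # Report only the classification; never log the token itself.
        print(f"{label:10s} -> {classify_authorization(request)}")
```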