Last Modified: Feb 28, 2025
Affected Product(s):
BIG-IP APM
Fixed In:
17.5.0, 17.1.2
Opened: Nov 05, 2021 Severity: 3-Major
An OAuth client sends a request to the OAuth authorization endpoint with code_challenge_method set to plain. "use_profile_token_management_settings" is enabled on the client application, and in the PKCE configuration of the OAuth profile "allow-plain-code-challenge" is enabled, so an authorization code should be issued to the requesting client when code_challenge_method is plain. Instead, APM rejects the request with the error "Error Code (invalid_request) Error Description (transform algorithm not supported)".
OAuth fails: authentication fails and the client is not able to access resources.
1. Configure APM as an OAuth authorization server.
2. Under Access ›› Federation : OAuth Authorization Server : Client Application ›› *your_client_app*, enable "Use Profile Token Management Settings".
3. Under Access ›› Federation : OAuth Authorization Server : OAuth Profile ›› *your_oauth_profile*, enable both "Require PKCE" and "Allow Plain Code Challenge".
4. Create an access profile and attach your OAuth profile.
5. Create a virtual server and attach the access profile.
6. Send a request to the authorize endpoint requesting an authorization code. Example: https://10.192.138.174/f5-oauth2/v1/authorize?response_type=code&client_id=71536bb004ee3ac08b0965d6dcd0005056a48a55c7ebb860&scope=email&redirect_uri=https://oauth.pstmn.io/v1/browser-callback&code_challenge=RvA4xtXbOXkZEhvbW0nUgaKydZqogA6eS53rEGohww4&code_challenge_method=plain
None
Fixed a typo that caused the "Allow Plain Code Challenge" setting not to take effect for the OAuth profile.
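The PKCE gate described in this record, as an added illustration that is not F5 code: the authorize endpoint accepts a plain code_challenge_method only when the profile allows it (the decision the fixed typo broke), and the token endpoint later checks the code_verifier per RFC 7636. The sample URL, host and client_id are constructed placeholders shaped like the request in the steps above.

```python
"""Model of the APM PKCE profile settings "Require PKCE" and
"Allow Plain Code Challenge" (RFC 7636). Added example, not F5 code."""
import base64
import hashlib
import hmac
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Constructed sample authorize request (placeholder host and client_id).
SAMPLE_URL = (
    "https://apm.example.test/f5-oauth2/v1/authorize?response_type=code"
    "&client_id=CLIENT_ID_PLACEHOLDER&scope=email"
    "&redirect_uri=https://client.example.test/cb"
    "&code_challenge=RvA4xtXbOXkZEhvbW0nUgaKydZqogA6eS53rEGohww4"
    "&code_challenge_method=plain"
)


@dataclass
class PkceProfile:
    require_pkce: bool
    allow_plain_code_challenge: bool


def evaluate_authorize_request(url: str, profile: PkceProfile) -> dict:
    """Authorize-endpoint policy gate: may an auth code be issued?"""
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    challenge = q.get("code_challenge")
    method = q.get("code_challenge_method", "plain")  # RFC 7636 default
    if challenge is None:
        if profile.require_pkce:
            return {"ok": False, "error": "invalid_request",
                    "error_description": "code_challenge required"}
        return {"ok": True, "challenge": None, "method": None}
    if method == "S256" or (method == "plain" and profile.allow_plain_code_challenge):
        return {"ok": True, "challenge": challenge, "method": method}
    # Unknown method, or plain while the profile forbids it: the error the
    # record quotes from the affected build.
    return {"ok": False, "error": "invalid_request",
            "error_description": "transform algorithm not supported"}


def verify_code_verifier(verifier: str, challenge: str, method: str) -> bool:
    """Token-endpoint check: does code_verifier match the stored challenge?"""
    if method == "plain":
        expected = verifier
    elif method == "S256":
        digest = hashlib.sha256(verifier.encode("ascii")).digest()
        expected = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    else:
        return False
    return hmac.compare_digest(expected, challenge)
```

With both profile switches on, the sample request is accepted with method plain; with "Allow Plain Code Challenge" off, the same request yields the invalid_request error quoted above.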