Bug ID 1552705: New subsession reads access_token from per-session policy instead of per-request policy.

Last Modified: Dec 19, 2024

Affected Product(s):
BIG-IP APM(all modules)

Known Affected Versions:
16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5, 16.1.4, 16.1.4.1, 16.1.4.2, 16.1.4.3, 16.1.5, 16.1.5.1, 17.1.1, 17.1.1.1, 17.1.1.2, 17.1.1.3, 17.1.1.4, 17.1.2

Opened: Feb 27, 2024

Severity: 2-Critical

Symptoms

When BIG-IP is configured with OAuth Agents both in per-session policy and per-request policy, OAuth Flow fails to execute successfully.

Impact

BIG-IP Administrator will not be able to configure BIG-IP as OAuth Client & RS with both per-session policy and per-request policy.

Conditions

When new subsessions are created TMM fails to read the access token from subsession variables. Therefore, gets the old token from the main session, i.e. per-session policy.

Workaround

Use OAuth Agents only in the per-request policy, configure per-session policy with just empty allow.

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips