Bug ID 1713569: OAuth PRP and web SSO fails to deliver correct token to server

Last Modified: Dec 31, 2024

Affected Product(s):
BIG-IP APM (all modules)

Known Affected Versions:
15.1.8, 15.1.8.1, 15.1.8.2, 15.1.9, 15.1.9.1, 15.1.10, 15.1.10.2, 15.1.10.3, 15.1.10.4, 15.1.10.5, 15.1.10.6

Opened: Nov 08, 2024

Severity: 2-Critical

Symptoms

In a Per-request Policy (PRP), when BIG-IP is configured for OAuth Resource Server with SSO, the wrong token is relayed to the server if a token is resent after another request.

Impact

BIG-IP fails to deliver the correct token to the server.

Conditions

As the subroutine of the old token is skipped, the subsession variables are not updated and web SSO fails to read the correct token.

Workaround

Assign the token value from the request to session variables before the subroutine execution.

apm policy agent variable-assign /Common/prp_oauth-scope-internal_bearer_sso_act_variable_assign_ag {
    variables {
        {
            expression "mcget {session.custom.bearer_token}"
            secure true
            varname session.oauth.client./Common/oauth-aad-server.access_token
        }
        {
            expression "mcget {session.custom.bearer_token}"
            varname perflow.scratchpad
        }
    }
}

Fix Information

None

Behavior Change
