Last Modified: May 29, 2024
Affected Product(s):
BIG-IP APM
Known Affected Versions:
13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2
Fixed In:
15.0.0, 14.1.2.1
Opened: Jan 18, 2019
Severity: 4-Minor
APM currently expects the OAuth JSON Web Token (JWT) Issuer claim to be in URI format:
-- JWT-Config does not allow the Issuer setting unless it is in URI format.
-- The issuer value in the incoming token is expected to be in URI format and should match the Issuer setting in the JWT-Config.
As per RFC 7519, the 'iss' claim value is a case-sensitive string containing a StringOrURI value. To comply with RFC 7519, which essentially allows any string value in the Issuer claim, APM should relax this validation.
OAuth JWT Issuer claim in the URI format for JWT access token and ID token.
None.
JWT config issuer validation is removed to allow a string or URI value for the JWT issuer.
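
The difference between a URI-only issuer rule and the RFC 7519 StringOrURI rule, as an added example that is not F5 or APM code. All function names and sample issuer values are constructed for illustration, and the URI test is simplified to an RFC 3986 scheme-prefix check.

```python
import base64
import json
import re

# RFC 3986 scheme syntax: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"
# Simplification (assumption): only the scheme prefix is checked, not the full URI grammar.
URI_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:")

def uri_only(value):
    """Model of the strict rule the report describes: issuer must look like a URI."""
    return isinstance(value, str) and bool(URI_SCHEME.match(value))

def is_string_or_uri(value):
    """RFC 7519 StringOrURI: any string, but one containing ':' must be a URI."""
    if not isinstance(value, str) or value == "":  # rejecting "" is a local policy choice
        return False
    return bool(URI_SCHEME.match(value)) if ":" in value else True

def jwt_claims(token):
    """Decode the payload of a compact JWS. Signature verification is out of scope
    here and must already have succeeded before any claim is trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def issuer_matches(token, configured_issuer):
    """Exact, case-sensitive comparison with no normalization (RFC 7519 section 2)."""
    iss = jwt_claims(token).get("iss")
    return is_string_or_uri(iss) and iss == configured_issuer

def make_token(claims):
    """Build a constructed sample token; the signature segment is a placeholder."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "c2ln"])

if __name__ == "__main__":
    for iss in ["https://idp.example.com", "corp-idp", "Corp-IdP", "bad value:x"]:
        tok = make_token({"iss": iss})
        print(f"{iss!r}: uri_only={uri_only(iss)} "
              f"rfc7519={is_string_or_uri(iss)} "
              f"matches_corp-idp={issuer_matches(tok, 'corp-idp')}")
```

Accepting plain-string issuers makes the exact-match comparison against the configured issuer the only remaining issuer control, so it has to stay case-sensitive and free of normalization.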