Bug ID 1205029: WEBSSO with an OAuth Bearer token and the Cache option enabled cached tokens from a diff per-session context are flowed to the backend application

Last Modified: Jan 20, 2023

Bug Tracker

Affected Product:  See more info
BIG-IP None(all modules)

Known Affected Versions:
16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3

Opened: Dec 05, 2022
Severity: 3-Major

Symptoms

In some cases of WEBSSO same token is sent to different sessions in the backend.

Impact

Situations where JWTs (via WEBSSO / OAuth Bearer profile) are being sent downstream for requests which belong to a different user. The problem seems to be related to when these requests share the same client IP address. This is a big problem when clients are using NAT themselves to mask different users/sessions behind the same IP address.

Conditions

WEBSSO with an OAuth Bearer token and the Cache option enabled cached tokens from a diff per-session context are flowed to the backend application

Workaround

None

Fix Information

None

Behavior Change