Bug ID 1205029: WEBSSO with an OAuth Bearer token and the Cache option enabled cached tokens from a diff per-session context are flowed to the backend application

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP None(all modules)

Known Affected Versions:
16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5

Fixed In:
17.1.1, 16.1.4

Opened: Dec 05, 2022

Severity: 3-Major

Symptoms

In some cases of WEBSSO same token is sent to different sessions in the backend.

Impact

Situations where JWTs (via WEBSSO / OAuth Bearer profile) are being sent downstream for requests which belong to a different user. The problem seems to be related to when these requests share the same client IP address. This is a big problem when clients are using NAT themselves to mask different users/sessions behind the same IP address.

Conditions

WEBSSO with an OAuth Bearer token and the Cache option enabled cached tokens from a diff per-session context are flowed to the backend application

Workaround

None

Fix Information

When sessions are different we are clearing the cache tokens so that new tokens are generated for different sessions.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips