Bug ID 1217365: OIDC: larger id_token encoded incorrectly by APM

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP APM (all modules)

Known Affected Versions:
15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 15.1.9, 15.1.9.1, 15.1.10, 15.1.10.2, 15.1.10.3, 15.1.10.4

Opened: Jan 09, 2023

Severity: 3-Major

Symptoms

APM WebSSO decrypts the id_token incorrectly when the OIDC id_token is larger than ~5mb. The generated token can reach this size when the user belongs to many groups, since group membership claims inflate the token.

Impact

Access to applications fails because the oversized token is processed incorrectly.

Conditions

1) Configure BIG-IP as the OAuth client and resource server, with Azure AD as the authorization server.
2) Configure Azure AD so that it sends a large token. Access policy flow: Start -> OAuth Client -> Scope -> Allow.
3) Create an OAuth Bearer SSO in "passthrough" mode, configured to send the token on a 4xx response.
4) Attach the SSO to the access policy.
5) Attach the access policy to the virtual server.

Workaround

None

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips