Bug ID 1217365: OIDC: larger id_token encoded incorrectly by APM

Last Modified: Apr 17, 2024

Affected Product(s):
BIG-IP APM (all modules)

Known Affected Versions:
15.1.0, 15.1.1, 15.1.2, 15.1.3, 15.1.4, 15.1.5, 15.1.6, 15.1.7, 15.1.8, 15.1.9, 15.1.10

Opened: Jan 09, 2023

Severity: 3-Major


APM Websso decrypts the id_token incorrectly when the OIDC id_token is larger than ~5mb. The generated token can be larger when the user belongs to many groups.


Access to applications will fail due to incorrect processing of the access token.


1) Configure BIG-IP as OAuth client and resource server, with Azure AD as the authorization server.
2) Configure Azure AD such that it sends a large token.
   access policy start -> oauth client -> scope -> allow
3) Create an OAuth bearer SSO in "passthrough" mode and send token on 4xx response.
4) Attach the SSO to the access policy.
5) Attach the access policy to the virtual server.
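
To check whether a given user's id_token falls in the affected size range and which claim inflates it, the following added example (not F5 code) profiles a token without verifying its signature. It assumes a three-segment signed JWT and a claim named `groups`; `limit_bytes` is an operator-supplied threshold, and `make_sample_token` builds constructed test input.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def id_token_profile(token: str, limit_bytes: int) -> dict:
    """Measure an id_token; limit_bytes is the caller's threshold (assumption)."""
    token = token.strip()
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a signed JWT with three dot-separated segments")
    payload = b64url_decode(parts[1])
    claims = json.loads(payload)
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    # Serialized size of each claim, largest first, to show what inflates the token.
    sizes = sorted(
        ((name, len(json.dumps(value, separators=(",", ":")).encode()))
         for name, value in claims.items()),
        key=lambda item: item[1], reverse=True)
    groups = claims.get("groups")  # claim name is an assumption
    return {
        "token_bytes": len(token.encode()),
        "payload_bytes": len(payload),
        "group_count": len(groups) if isinstance(groups, list) else 0,
        "largest_claims": sizes[:3],
        "over_limit": len(token.encode()) > limit_bytes,
    }


def make_sample_token(group_count: int) -> str:
    """Build a constructed token with a placeholder signature for offline tests."""
    def enc(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    claims = {"sub": "user@example.test", "aud": "constructed-client",
              "groups": [f"00000000-0000-0000-0000-{i:012d}" for i in range(group_count)]}
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "c2lnbmF0dXJl"])


if __name__ == "__main__":
    print(id_token_profile(make_sample_token(500), limit_bytes=8192))
```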



Fix Information


Behavior Change
