Bug ID 1311601: JWT is corrupted when the claim value is a custom variable assigned in the Variable assign agent

Last Modified: Apr 26, 2024

Affected Product(s):
BIG-IP APM(all modules)

Known Affected Versions:
15.1.9,, 15.1.10,,,, 16.1.2,,, 16.1.3,,,,,, 16.1.4,,,, 17.1.0,,,, 17.1.1,,,

Opened: Jun 23, 2023

Severity: 3-Major


OAuth bearer SSO is configured with "generate JWT", and the JWT includes claims which take "custom variable" as claim value and string as claim type. The JWT is corrupted where the custom variable is populated in Variable assign agent in the VPE, for some values of custom variable, for example, <'Some long garbage string in the Custom Variable'.>


The JWT token with garbage is added, which later leads to failure of token validation causing failures in accessing applications.


- OAuth bearer SSO configured with Generate JWT. - Add custom variable as claim value, for example, %{session.custom.test} which is populated in Variable assign agent in the VPE.


As insecure custom variable is added and returned to variable assign agent. Add the custom variable as a normal string in claim value and claim type as string instead of adding to the Variable assign agent.

Fix Information


Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips