Bug ID 1325721: Oauth not allowed for old tokens after upgrade to 15.1.9

Last Modified: Dec 19, 2023

Affected Product(s):
BIG-IP APM(all modules)

Known Affected Versions:
17.1.1, 17.1.0.2, 17.1.0.1, 17.1.0, 16.1.4, 15.1.9.1, 15.1.9

Opened: Jul 27, 2023

Severity: 2-Critical

Symptoms

Users are not able to access the Oauth old tokens after the fix for vulnerability that is, removal of hard coded encryption keys in Oauth.

Impact

Not able to use old tokens

Conditions

Oauth feature with Opaque tokens configured and upgrade the version to 15.1.9 from previous versions.

Workaround

From 15.1.9 the Oauth old tokens that were generated and used in earlier versions will not work. Due to the vulnerability CWE-798 the hard coded key encryption functionality usage has been removed and now the token generation will be dynamic so the old tokens which were used earlier are displayed as inactive when client runs a introspection. Suggestive workaround is to use purge now option in UI. (Access > Overview > OAuth Reports > Tokens) users have to remove the older tokens in oauthDB for every reboot.

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips