Bug ID 1325721: Oauth not allowed for old tokens after upgrade to 15.1.9

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP APM(all modules)

Known Affected Versions:
17.1.1,,, 17.1.0, 16.1.4,, 15.1.9

Opened: Jul 27, 2023

Severity: 2-Critical


Users are not able to access the Oauth old tokens after the fix for vulnerability that is, removal of hard coded encryption keys in Oauth.


Not able to use old tokens


Oauth feature with Opaque tokens configured and upgrade the version to 15.1.9 from previous versions.


From 15.1.9 the Oauth old tokens that were generated and used in earlier versions will not work. Due to the vulnerability CWE-798 the hard coded key encryption functionality usage has been removed and now the token generation will be dynamic so the old tokens which were used earlier are displayed as inactive when client runs a introspection. Suggestive workaround is to use purge now option in UI. (Access > Overview > OAuth Reports > Tokens) users have to remove the older tokens in oauthDB for every reboot.

Fix Information


Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips