Bug ID 1473701: Oauth Discovery task is struck at "SAVE_AND_APPLY" state

Last Modified: Jun 13, 2024

Affected Product(s):
BIG-IP APM(all modules)

Known Affected Versions:
15.1.10.3, 15.1.10.4, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5, 16.1.4, 16.1.4.1, 16.1.4.2, 16.1.4.3

Opened: Jan 04, 2024

Severity: 3-Major

Symptoms

Initial symptoms could be one of the following: - Auto JWT discovery task stops or stalls and no reason is provided - OIDC discovery task stops discovering - Auto update of JWK fails - OAuth token does not renew - Oauth Discovery stuck at "SAVE_AND_APPLY" - OAuth Provider Discovery Task doesn't work anymore Other indications: -> Stale JWK keys will be present in the config and Authentication fails with the following error in /var/log/apm:"OAuth Scope: failed for jwt-provider-list '/Common/VPN_JWT', error: None of the configured JWK keys match the received JWT token, JWT Header: " ->restcurl -X GET tm/access/oidc/discover/ outputs the OIDC discovery task status and status will be in "SAVEANDAPPLY"

Impact

- Config will contain stale JWK keys

Conditions

- jwk keys discovered from the openid well known url should be different from the existing JWK keys in the config - And mcp should fail while applying the config. We can identify that if the /var/log/restjavad does not show the " Applying access policies" log after the "Updating mcp jwt and jwk objects for provide" log

Workaround

- Restart restjavad so that the discovery task starts again

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips