Last Modified: Feb 11, 2025
Affected Product(s):
BIG_IP_NEXT(CM) APM
Known Affected Versions:
20.3.0
Opened: Sep 30, 2024
Severity: 3-Major
The Scope agent validates the received Access Token against a list of JWT providers. Each provider has an associated JWT configuration. A known issue occurs when the OAuth Resource Server agent fails to deploy and shows a pre-deploy error if the user uploads a private key to decrypt the token.
An Access Policy with OAuth Federation will fail for F5 as a Resource Server when using internal validation mode.
The Resource Server does not use the ID token and only requires the Access Token. Its primary function is token verification. Even when the Access Token is attached, the API payload is missing the Access Token key, which results in a pre-deploy error.
Steps to Reproduce:
1. Create an Access policy with the OAuth Federation Resource Server, and set the validation mode to internal.
2. Choose JWE encryption and attach the private key for the Access Token.
3. Save and deploy the policy.
Using the API, add the private keys to the allowedKeys field under jwtConfig.
None