Last Modified: Oct 15, 2025
Affected Product(s):
BIG-IP APM
Known Affected Versions:
17.1.2, 17.1.2.1, 17.1.2.2, 17.1.3
Opened: Feb 14, 2025 Severity: 3-Major
Per the RFC, when the provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client, the server should send a 400 Bad Request status code and an error JSON response {"error": "invalid_grant", ...}. Currently, BIG-IP sends {"error": "access_denied", ...} with a 400 status code.
Returns an invalid error.
OAuth is configured, and an expired refresh token is used to request an access token (e.g., using Postman).
None
None
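One way for an OAuth client to cope with the mismatch described above, as an added example that is not F5 code: it maps a token endpoint reply to a refresh request onto a client action and flags the `access_denied` reply as non-compliant. The function name, action labels and sample responses are assumptions constructed for illustration.

```python
import json

# Error codes RFC 6749 section 5.2 defines for token endpoint error responses.
TOKEN_ENDPOINT_ERRORS = {
    "invalid_request", "invalid_client", "invalid_grant",
    "unauthorized_client", "unsupported_grant_type", "invalid_scope",
}

def classify_refresh_response(status, body, accept_access_denied=True):
    """Map a token endpoint reply to a refresh_token grant onto a client action.

    Returns (action, compliant). action is 'ok', 'reauthenticate',
    'fix_client' or 'unexpected' (hypothetical labels); compliant is False
    when the reply is not one the RFC defines for the token endpoint.
    """
    try:
        doc = json.loads(body)
    except (ValueError, TypeError):
        return ("unexpected", False)
    if not isinstance(doc, dict):
        return ("unexpected", False)
    if status == 200 and "access_token" in doc:
        return ("ok", True)
    error = doc.get("error")
    # Errors arrive with 400; invalid_client may also arrive with 401.
    status_ok = status == 400 or (status == 401 and error == "invalid_client")
    if not status_ok or not isinstance(error, str):
        return ("unexpected", False)
    if error == "invalid_grant":
        # Refresh token expired or revoked: discard it, restart authorization.
        return ("reauthenticate", True)
    if error == "access_denied" and accept_access_denied:
        # Reply described on this page: same situation, non-standard code.
        return ("reauthenticate", False)
    if error in TOKEN_ENDPOINT_ERRORS:
        return ("fix_client", True)
    return ("unexpected", False)

# Constructed sample responses (not captured from a real BIG-IP).
SAMPLES = [
    (400, '{"error": "invalid_grant"}'),
    (400, '{"error": "access_denied"}'),
    (400, '{"error": "invalid_client"}'),
    (200, '{"access_token": "example", "token_type": "Bearer"}'),
]

if __name__ == "__main__":
    for status, body in SAMPLES:
        print(status, body, "->", classify_refresh_response(status, body))
```

Logging the cases where the second element is False gives operators a way to see when the affected behaviour is in play and when it stops after an upgrade.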