Last Modified: Apr 28, 2025
Affected Product(s):
BIG-IP APM
Known Affected Versions:
13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3
Fixed In:
13.1.0, 13.0.1
Opened: Apr 19, 2017 Severity: 3-Major
When the Authorization Server (AS) generates an authorization code that includes URL special characters, the AS URL-encodes the code so that it can be passed safely. APM does not process this properly: when the OAuth client uses the code to retrieve an access token, it unnecessarily re-encodes the code, which causes the AS to reject the token request.
OAuth client fails to retrieve the token with the provided code.
The AS generates an OAuth authorization code that contains URL-encoded characters.
Use an iRule to decode the authorization code, either when APM receives it or when APM sends it out.
URL-encoded authorization codes now work with the APM OAuth client.
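
The double-encoding failure described above, and the effect of decoding the code once, as an added Python illustration (not F5 code and not an iRule). The sample code value, the callback URL and all function names are constructed for the example, and the AS is assumed to form-decode the token request once and compare the result with the code it issued.

```python
from urllib.parse import urlsplit, parse_qs, quote, unquote

# Constructed sample: an authorization code containing URL special characters.
ISSUED_CODE = "a1/b2+c3=="


def as_redirect(code: str) -> str:
    """AS side: URL-encode the code before placing it in the redirect."""
    return "https://client.example/callback?code=" + quote(code, safe="")


def raw_code_param(redirect_url: str) -> str:
    """Return the code parameter exactly as it appears on the wire (still encoded)."""
    for pair in urlsplit(redirect_url).query.split("&"):
        name, _, value = pair.partition("=")
        if name == "code":
            return value
    raise ValueError("no code parameter in redirect")


def token_request_body(code_value: str) -> str:
    """Client side: build the form-encoded token request body."""
    return "grant_type=authorization_code&code=" + quote(code_value, safe="")


def as_accepts(body: str) -> bool:
    """AS side (assumed behaviour): decode once, compare with the issued code."""
    return parse_qs(body)["code"][0] == ISSUED_CODE


def buggy_client(redirect_url: str) -> str:
    # Behaviour described in this record: the still-encoded value is encoded
    # again, so "%2F" goes out as "%252F".
    return token_request_body(raw_code_param(redirect_url))


def fixed_client(redirect_url: str) -> str:
    # Decode once on receipt so the outgoing encoding is the only layer.
    return token_request_body(unquote(raw_code_param(redirect_url)))


if __name__ == "__main__":
    url = as_redirect(ISSUED_CODE)
    for client in (buggy_client, fixed_client):
        body = client(url)
        print(f"{client.__name__}: {body} -> accepted={as_accepts(body)}")
```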