Bug ID 685888: OAuth client stores incorrectly escaped JSON values in session variables

Last Modified: Jul 12, 2023

Affected Product(s):
BIG-IP APM(all modules)

Known Affected Versions:
13.1.0,,,,,,,,, 13.1.1,,,,, 13.1.3,,,,,,, 13.1.4

Fixed In:

Opened: Sep 27, 2017

Severity: 4-Minor


1) The slash (/) is double escaped (\\/). The slash is common in URLs. 2) Unicode escaped characters (\uXXXX) are not correctly un-escaped into UTF-8 characters, ends up unrecognizable.


APM applications who read JSON node session variables may not get the correct values.


Occurs in 13.1 and earlier releases when OAuth servers response in JSON, such as the OIDC User Info.


1) For double escaped slash, workaround is like, session.oauth.client.last.UserInfo.picture = return [string map {{\\/} /} [ mcget {session.oauth.client.last.UserInfo.picture} ]] 2) For incorrect UTF-8 characters, there is no workaround.

Fix Information

Unicode escaped characters are now correctly handled.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips