Bug ID 699117: Editing OAuth Client / Resource Server Request objects in the GUI results in invalid configuration

Last Modified: Jan 29, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP APM(all modules)

Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4

Fixed In:
14.0.0

Opened: Dec 15, 2017
Severity: 2-Critical

Symptoms

APM offers OpenID Connect Client / Resource Server starting in BIG-IP 13.1. The configuration is composed of many objects necessary for the configuration to work correctly. One of the objects specifies the request data included in the authorization requests to 3rd party OpenID Connect Authorization Servers.

Impact

It is not possible to create a valid configuration using the GUI. If attempted, an error will occur from the 3rd party as a result of the invalid request. The error may be similar to: "Some requested scopes were invalid."

Conditions

Administrator uses the GUI: Access => Federation => OAuth Client / Resource Server => Request to modify the request objects.

Workaround

Use TMSH to create the request object configuration, with a command such as: create apm aaa oauth-request my_custom_GoogleAuthRedirectRequest description customized method get parameters replace-all-with { access_type { value offline } client_id { type client-id } include_granted_scopes { value true } redirect_uri { type redirect-uri } response_type { type response-type } scope { type scope } } type auth-redirect-request

Fix Information

Using the GUI to create, copy, and modify APM OAuth Client / Resource Server Request objects will now result in a configuration that can function properly.

Behavior Change