Bug ID 699117: Editing OAuth Client / Resource Server Request objects in the GUI results in invalid configuration

Last Modified: Jul 12, 2023

Affected Product(s):
BIG-IP APM (all modules)

Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1

Fixed In:
14.0.0

Opened: Dec 15, 2017

Severity: 2-Critical

Symptoms

APM offers OpenID Connect Client / Resource Server starting in BIG-IP 13.1. The configuration is composed of many objects, all of which are necessary for it to work correctly. One of these objects specifies the request data included in the authorization requests sent to third-party OpenID Connect Authorization Servers.

Impact

It is not possible to create a valid configuration using the GUI. If attempted, the third party returns an error as a result of the invalid request. The error may be similar to: "Some requested scopes were invalid."

Conditions

An administrator uses the GUI (Access => Federation => OAuth Client / Resource Server => Request) to modify the request objects.

Workaround

Use TMSH to create the request object configuration, with a command such as:

create apm aaa oauth-request my_custom_GoogleAuthRedirectRequest description customized method get parameters replace-all-with { access_type { value offline } client_id { type client-id } include_granted_scopes { value true } redirect_uri { type redirect-uri } response_type { type response-type } scope { type scope } } type auth-redirect-request

Fix Information

Using the GUI to create, copy, and modify APM OAuth Client / Resource Server Request objects will now result in a configuration that can function properly.
