Bug ID 756019: OAuth JWT Issuer claim requires URI format

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP APM(all modules)

Known Affected Versions:
13.1.1,,,,, 13.1.3,,,,,,, 13.1.4,, 13.1.5,, 14.0.0,,,,,, 14.0.1,, 14.1.0,,,,,, 14.1.2

Fixed In:

Opened: Jan 18, 2019

Severity: 4-Minor


APM currently expects the OAuth JSON web tokens (JWT) Issuer claim to be in the URI format: -- JWT-Config does not allow Issuer setting unless it is in the URI format. -- The issuer value in the incoming token is expected to be in the URI format and should match with the Issuer setting in the JWT-Config.


As per RFC 7519, 'iss' claim value is a case-sensitive string containing a StringOrURI value. To comply with RFC 7519, basically allowing any string value in the Issuer claim, APM should ease this validation.


OAuth JWT Issuer claim in the URI format for JWT access token and ID token.



Fix Information

JWT config issuer Validation is removed to allow a string or URI value for the JWT issuer.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips