Bug ID 756019: OAuth JWT Issuer claim requires URI format

Last Modified: Aug 08, 2019

Affected Product:
BIG-IP APM (all modules)

Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.4, 14.1.0.5, 14.1.0.6

Fixed In:
15.0.0

Opened: Jan 18, 2019
Severity: 4-Minor

Symptoms

APM currently expects the Issuer claim of OAuth JSON Web Tokens (JWT) to be in URI format:
-- JWT-Config does not allow an Issuer setting unless it is in URI format.
-- The issuer value in an incoming token is expected to be in URI format and should match the Issuer setting in the JWT-Config.

Impact

Per RFC 7519, the 'iss' claim value is a case-sensitive string containing a StringOrURI value. To comply with RFC 7519, which allows essentially any string value in the Issuer claim, APM should relax this validation.
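The StringOrURI rule from RFC 7519 section 2, applied to an issuer check, as an added example (not F5 or APM code). The function names and sample tokens are hypothetical and constructed for illustration, and the URI test checks only the RFC 3986 scheme prefix.

```python
import base64
import json
import re

# RFC 3986 scheme syntax: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"
_SCHEME = re.compile(r"[A-Za-z][A-Za-z0-9+.-]*:")


def is_string_or_uri(value):
    """RFC 7519 StringOrURI: any string, but one containing ':' must be a URI.
    Only the scheme prefix is checked here, not the full RFC 3986 grammar."""
    if not isinstance(value, str) or not value:
        return False  # rejecting the empty string is a policy choice of this example
    return ":" not in value or _SCHEME.match(value) is not None


def jwt_claims(token):
    """Decode the payload segment of a compact JWT. Signature verification is
    out of scope here and must succeed before any claim is trusted."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def issuer_matches(token, configured_issuer):
    """Accept only a well-formed 'iss' equal to the configured issuer, compared
    as a case-sensitive string with no normalization."""
    iss = jwt_claims(token).get("iss")
    return is_string_or_uri(iss) and iss == configured_issuer


def make_token(claims):
    """Build a constructed sample token; the signature segment is a placeholder."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.c2ln"


if __name__ == "__main__":
    cases = [("my-issuer", "my-issuer"), ("https://as.example.com", "https://as.example.com"),
             ("My-Issuer", "my-issuer"), ("not a uri: x", "not a uri: x")]
    for iss, configured in cases:
        print(repr(iss), issuer_matches(make_token({"iss": iss}), configured))
```

A plain string such as `my-issuer` passes, which is the case a URI-only check rejects, while a case mismatch or a colon-containing non-URI value fails.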

Conditions

OAuth JWT Issuer claim in the URI format for JWT access token and ID token.

Workaround

None.

Fix Information

JWT config issuer validation is removed, allowing a string or URI value for the JWT issuer.

Behavior Change