Bug ID 757782: OAuth Authorization Server returns an invalid 'sub' claim in JWT access token when 'subject' field is configured to be a session variable other than the default

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP APM (all modules)

Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2

Fixed In:
15.0.0, 14.1.2.3, 14.0.1.1

Opened: Feb 06, 2019

Severity: 2-Critical

Symptoms

The JWT access token generated by the OAuth Authorization Server contains an invalid 'sub' claim.

Impact

The 'sub' claim in the JWT access token carries an invalid value. If the OAuth resource server depends on the value of the 'sub' claim, that functionality does not work.
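A resource server that depends on 'sub' can fail closed instead of acting on a bad value. The following is an added example, not F5 code and not part of the original bug record. It assumes an HS256 token and a shared key (both constructed for the demo). Because this record does not say what the invalid value looks like, it treats a missing, non-string, blank, or unexpanded %{...} value as unusable.

```python
import base64, hashlib, hmac, json, re

# Assumption: the bug record does not describe the invalid value, so a missing,
# non-string, blank, or unexpanded %{...} 'sub' is treated as unusable here.
UNEXPANDED = re.compile(r"%\{[^}]*\}")

def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(claims: dict, key: bytes) -> str:
    """Build a constructed HS256 token so the example runs offline."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def checked_subject(token: str, key: bytes) -> str:
    """Return 'sub' only if the signature verifies and the claim is usable."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(body_b64))
        sig = b64url_decode(sig_b64)
    except ValueError as exc:  # also covers bad base64 and bad JSON
        raise ValueError("malformed token") from exc
    # Pin the algorithm on the verifier side; never take it from the token.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    sub = claims.get("sub") if isinstance(claims, dict) else None
    if not isinstance(sub, str) or not sub.strip() or UNEXPANDED.search(sub):
        raise ValueError("unusable 'sub' claim")
    return sub

if __name__ == "__main__":
    KEY = b"constructed-demo-key"  # constructed sample key
    for sub in ("alice", "", "%{session.logon.last.logonname}"):
        try:
            print(repr(sub), "->", checked_subject(make_token({"sub": sub}, KEY), KEY))
        except ValueError as err:
            print(repr(sub), "-> rejected:", err)
```

Logging each rejection together with the token's issuer gives an operator a direct signal that an affected authorization server is still issuing tokens.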

Conditions

-- OAuth Authorization Server is configured to return JWT access token.
-- Subject field is configured to be a session variable other than the default '%{session.assigned.uuid}'.

Workaround

Add a Variable Assign agent after the OAuth Authorization agent, and assign session.assigned.oauth.authz.token.subject with the session variable name, such as the following: session.logon.last.logonname.

Fix Information

OAuth Authorization Server now sends a valid value in the 'sub' claim of the generated JWT token when the subject is configured to use a session variable.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips