Bug ID 759937: Empty audience claim added to JWT access token generated by OAuth bearer SSO

Last Modified: Jan 20, 2023

Affected Product:
BIG-IP APM (all modules)

Known Affected Versions:
14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 14.1.5.3

Fixed In:
15.0.0

Opened: Feb 28, 2019
Severity: 3-Major

Symptoms

Even though no audience value is configured in the OAuth Bearer SSO configuration, SSO generates a JSON Web Token (JWT) access token with an 'aud' claim that has an empty value. When another APM runs as the OAuth Resource Server (with the JWT config audience also set to none), validation of this token fails with the error 'Audience not found'.

Impact

The JWT access token generated by SSO has an 'aud' claim with an empty value, which results in token validation failure.
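
To check a token for this symptom, decode its payload and test whether 'aud' is absent, empty or populated. The Python below is an added example, not F5 code; the sample tokens and the issuer and audience URLs are constructed, and because the page does not say how the empty value is encoded, an empty string, null and an empty array are all treated as empty.

```python
import base64
import json


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload segment of a compact JWT without verifying the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    # base64url segments in a JWT omit '=' padding; restore it before decoding.
    segment = parts[1] + "=" * (-len(parts[1]) % 4)
    claims = json.loads(base64.urlsafe_b64decode(segment))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def aud_claim_state(token: str) -> str:
    """Return 'absent', 'empty' or 'present' for the token's 'aud' claim."""
    claims = decode_jwt_payload(token)
    if "aud" not in claims:
        return "absent"
    aud = claims["aud"]
    # RFC 7519 allows 'aud' to be a single string or an array of strings.
    values = aud if isinstance(aud, list) else [aud]
    if any(isinstance(v, str) and v.strip() for v in values):
        return "present"
    return "empty"


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed sample token for demonstration only."""
    def b64(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([b64({"alg": "none", "typ": "JWT"}), b64(claims), ""])


# Constructed sample payloads (issuer, subject and audience are placeholders).
BASE = {"iss": "https://as.example.test", "sub": "user1"}
SAMPLES = {
    "affected": make_sample_token({**BASE, "aud": ""}),
    "fixed": make_sample_token({**BASE}),
    "configured": make_sample_token({**BASE, "aud": ["https://rs.example.test"]}),
}

if __name__ == "__main__":
    for name, tok in SAMPLES.items():
        print(f"{name}: aud is {aud_claim_state(tok)}")
```

A result of "empty" matches the symptom described here; "absent" is what the fixed behavior produces when no audience is configured.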

Conditions

No audience value is configured in the OAuth Bearer SSO configuration.

Workaround

None.

Fix Information

The JWT access token generated by SSO does not include the 'aud' claim when no audience value is configured in the OAuth Bearer SSO configuration.

Behavior Change