Last Modified: Sep 14, 2023
Affected Product(s):
BIG-IP APM
Known Affected Versions:
14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 14.1.5.3, 14.1.5.4, 14.1.5.6
Fixed In:
15.0.0
Opened: Feb 28, 2019
Severity: 3-Major
Even though no audience value is configured in the OAuth Bearer SSO configuration, SSO generates a JSON Web Token (JWT) access token with an 'aud' claim that has an empty value. In this case, when another APM runs as the OAuth Resource Server (with the JWT config audience also set to none), JWT validation fails with the error 'Audience not found'.
The JWT access token generated by SSO has an 'aud' claim with an empty value, which results in token validation failure.
No audience value is configured in the OAuth Bearer SSO configuration.
None.
The JWT access token generated by SSO does not include the 'aud' claim when no audience value is configured in the OAuth Bearer SSO configuration.
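The validation failure described above is consistent with RFC 7519 section 4.1.3, which requires a recipient to reject a token whose 'aud' claim is present but does not identify that recipient. The Python below is an added example, not F5 code: it shows an issuer that emits an empty 'aud' beside one that omits the claim, and a resource server check that tells the two apart. The function names, the HS256 demo key and every reason string other than 'Audience not found' are assumptions made for illustration.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"  # constructed sample key, not a real secret

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(signing_input):
    return hmac.new(KEY, signing_input.encode(), hashlib.sha256).digest()

def issue_token(subject, audience=None, omit_empty_aud=True):
    """Issuer side (hypothetical). omit_empty_aud=False reproduces the
    symptom: an unconfigured audience is emitted as "aud": ""."""
    claims = {"sub": subject}
    if audience:
        claims["aud"] = audience
    elif not omit_empty_aud:
        claims["aud"] = ""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    return f"{head}.{body}.{_b64(_mac(head + '.' + body))}"

def validate(token, configured_audiences=()):
    """Resource-server side (hypothetical). Returns (ok, reason)."""
    try:
        head, body, sig = token.split(".")
        if not hmac.compare_digest(_mac(f"{head}.{body}"), _unb64(sig)):
            return False, "Bad signature"
        header, claims = json.loads(_unb64(head)), json.loads(_unb64(body))
        if header.get("alg") != "HS256" or not isinstance(claims, dict):
            return False, "Malformed token"
    except (ValueError, AttributeError):
        return False, "Malformed token"
    if "aud" not in claims:
        # Absent claim: acceptable only when this server requires no audience.
        if configured_audiences:
            return False, "Audience claim missing"
        return True, "ok"
    aud = claims["aud"]
    values = [aud] if isinstance(aud, str) else aud
    # A present 'aud' must contain a non-empty value that identifies this server.
    if isinstance(values, list) and any(v and v in configured_audiences for v in values):
        return True, "ok"
    return False, "Audience not found"
```

With no audience configured on either side, the token carrying `"aud": ""` is rejected while the token that omits the claim is accepted, which matches the behavior change listed for the fixed version.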