Bug ID 771905: JWT token rejected due to unknown JOSE header parameters

Last Modified: Nov 07, 2022

Affected Product:
BIG-IP APM (all modules)

Known Affected Versions:
13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.1, 13.1.3, 13.1.4, 13.1.5, 14.0.0, 14.0.1, 14.1.0, 14.1.2, 15.0.0, 15.0.1

Fixed In:

Opened: Apr 11, 2019
Severity: 3-Major


JWT token rejected and OAuth Scope Agent fails.


Unregistered JOSE header parameters cause the JWT access token to be rejected. The OAuth Scope Agent fails.


Occurs when a JWT access token contains unregistered JSON Object Signing and Encryption (JOSE) header parameters (e.g., nonce).



Fix Information

If an unregistered parameter in the JOSE header is present in the JWT token, the system ignores the parameter instead of rejecting the token.
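The ignore-instead-of-reject behavior described above can be sketched as a small HS256 verifier. This is an added example, not F5's code; the function names, the key and the sample tokens are constructed for illustration. It goes one step beyond the bug text by also enforcing the `crit` rule from RFC 7515 section 4.1.11, which is the one case where an unknown header parameter must still cause rejection.

```python
import base64, hashlib, hmac, json

# Header parameter names defined in RFC 7515 section 4.1.
REGISTERED = {"alg", "jku", "jwk", "kid", "x5u", "x5c", "x5t",
              "x5t#S256", "typ", "cty", "crit"}
SUPPORTED_CRIT = ()  # assumption: this verifier implements no extensions

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(header, claims, key):
    """Build a constructed HS256 token to use as sample input."""
    parts = [b64url_encode(json.dumps(p, separators=(",", ":")).encode())
             for p in (header, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify(token, key):
    """Return (claims, ignored header names); raise ValueError on rejection."""
    h64, c64, s64 = token.split(".")
    header = json.loads(b64url_decode(h64))
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unsupported or missing alg")
    # Parameters listed in "crit" must be understood (RFC 7515 4.1.11).
    crit = header.get("crit")
    if crit is not None and (not isinstance(crit, list) or not crit
                             or any(n not in SUPPORTED_CRIT for n in crit)):
        raise ValueError("unsupported critical header parameter")
    expected = hmac.new(key, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise ValueError("bad signature")
    # Anything else unknown is ignored, not a reason to reject the token.
    ignored = sorted(set(header) - REGISTERED)
    return json.loads(b64url_decode(c64)), ignored

if __name__ == "__main__":
    key = b"constructed-demo-key"
    tok = make_token({"alg": "HS256", "typ": "JWT", "nonce": "n-1"},
                     {"scope": "read"}, key)
    print(verify(tok, key))
```

Returning the ignored names lets the caller log them, which helps when diagnosing why a token from a particular issuer behaves differently.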

Behavior Change