Bug ID 987341: BIG-IP OpenID Connect Discovery process does not support strong TLS ciphers.

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP APM(all modules)

Fixed In:
17.0.0,,, 14.1.5

Opened: Jan 27, 2021

Severity: 2-Critical


BIG-IP discovers and updates JSON Web Keys (JWK) in OpenID Connect (OIDC) deployments using a Java Runtime Environment (JRE). The JRE in BIG-IP does not support strong TLS ciphers, so the discovery/update process can fail against OIDC providers that enforce strong encryption requirements.


This might cause discovery to fail against certain OpenID Connect auth providers that enforce strong cipher requirements. It could lead to JWT validation failure as the JWK expire and cannot be updated by BIG-IP.


Using an OpenID Connect provider that allows only strong TLS ciphers. and using an APM configuration that validates incoming JWTs against a dynamic JWK list in Internal Validation Mode.



Fix Information


Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips