
HarshaPotharaju
Mar 07, 2019

F5 APM as OAuth Authorization server and Resource server

I'm using F5 as both the Authorization server and the Resource server. I haven't set up the client server yet, so it accepts any username and any password.


When testing in Postman, I can generate a token and pass it via the request header, but when submitting the GET request I'm seeing a 503 DNS resolver error in the response headers. Please help.


  • Here is the error after sending the GET request by adding OAuth 2.0 token data to 'Request Header'

    Mar  6 17:46:20 F5LAB err apmd[4575]: 01490290:3: /Application/APM_ACCESS_POLICY_RESOURCE_SERVER::b8e87a6f/Application/RS_SCOPE_CHECK/YXhzMnN1YnNpZA==:/Application/RS_SCOPE_CHECK_act_oauth_scope_subsession_ag: OAuth Scope: failed for server '/Application/APM_CLIENT_RESOURCE_OAUTH_SERVER' (resource_server_id=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx), error: HTTP error 503, DNS lookup failed
    
  • Marvin

    I have exactly the same issue here using F5 APM as an OAuth client: the OAuth authorization code is retrieved from Azure AD (OpenID) and is sent back to the F5; after that we receive the same error message. Were you able to solve this?


  • Marvin

    I found out that the DNS resolver object was configured in route domain 0; as we use strictly isolated route domains, we received that error message. I changed the DNS resolver object to the right route domain and the error disappeared; however, I now see a timeout issue. In tcpdump I still see that the F5 self IP is trying to reach public DNS servers, but it should resolve using the DNS servers configured on the F5 system via the management interface; however, this is not happening.


    So the issue you are experiencing most probably has to do with the same DNS connectivity issue; perhaps you also use route domains in your setup?


  • Marvin, renaming the forward zone to a period (.) in the bigip.conf file and loading the config resolved the issue. Sounds crazy, but it worked.

    **Before**

    ```text
    net dns-resolver /Application/oauth_dns {
        forward-zones {
            oauth_forward_zone {
                nameservers {
                    x.x.x.x:53 { }
                }
            }
        }
        route-domain /Common/0
        use-ipv6 no
    }
    ```

    **After**

    ```text
    net dns-resolver /Application/oauth_dns {
        forward-zones {
            . {
                nameservers {
                    x.x.x.x:53 { }
                }
            }
        }
        route-domain /Common/0
        use-ipv6 no
    }
    ```
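Why the rename works: a BIG-IP forward zone only forwards queries for names at or below that zone (matched as a DNS suffix), so a zone called `oauth_forward_zone` never matches the OAuth server's hostname and the resolver has nowhere to send the lookup; the root zone `.` is the catch-all. The following is an added example in Python, my own code rather than anything from the thread or from F5: it parses a `net dns-resolver` stanza in the bigip.conf form shown above (the two stanzas are constructed from the Before/After snippets), reports which forward zone would handle a query name, and, picking up the earlier route-domain point, flags a resolver whose route domain is not the one its nameservers are reachable from. `login.example.com` and the `/Common/1` route domain in the usage are assumed placeholders.

```python
"""Added example (not from the thread or from F5): parse a BIG-IP
``net dns-resolver`` stanza and decide which forward zone handles a query.
Zones match as DNS suffixes; the root zone "." catches everything.
The stanzas below are constructed from the thread's Before/After snippets."""
import re
import textwrap

RESOLVER_BEFORE = textwrap.dedent("""\
    net dns-resolver /Application/oauth_dns {
        forward-zones {
            oauth_forward_zone {
                nameservers {
                    x.x.x.x:53 { }
                }
            }
        }
        route-domain /Common/0
        use-ipv6 no
    }
""")

# The working config differs only in the zone name: "." instead of a label.
RESOLVER_AFTER = RESOLVER_BEFORE.replace("oauth_forward_zone {", ". {")

# tmsh config tokens: braces, newlines (which end a leaf entry) and bare words.
_TOKEN = re.compile(r"\{|\}|\n|[^\s{}]+")


def _parse_block(tokens, i=0):
    """Parse '{ ... }' blocks into nested dicts; a leaf line becomes
    key -> 'rest of the line'.  Returns (node, index after the block)."""
    node, words = {}, []

    def flush():
        if words:
            node[words[0]] = " ".join(words[1:])
            words.clear()

    while i < len(tokens):
        tok = tokens[i]
        i += 1
        if tok == "{":
            key = " ".join(words)
            words.clear()
            node[key], i = _parse_block(tokens, i)
        elif tok == "}":
            flush()
            return node, i
        elif tok == "\n":
            flush()
        else:
            words.append(tok)
    flush()
    return node, i


def parse_dns_resolver(config_text):
    """Return {'name', 'route_domain', 'zones': {zone: [nameserver, ...]}}."""
    top, _ = _parse_block(_TOKEN.findall(config_text))
    for key, body in top.items():
        if key.startswith("net dns-resolver "):
            zones = {zone: list(spec.get("nameservers", {}))
                     for zone, spec in body.get("forward-zones", {}).items()}
            return {"name": key.split()[2],
                    "route_domain": body.get("route-domain"),
                    "zones": zones}
    raise ValueError("no 'net dns-resolver' stanza found")


def matching_zone(zones, qname):
    """Longest-suffix match of qname against the forward zones.  '.' matches
    every name; 'example.com' matches only names at or below it."""
    name = qname.rstrip(".").lower()
    best = None
    for zone in zones:
        z = zone.strip(".").lower()
        if z == "" or name == z or name.endswith("." + z):
            if best is None or len(z) > len(best.strip(".")):
                best = zone
    return best


def lint_resolver(config_text, qname, expected_route_domain=None):
    """Human-readable findings for resolving qname through this resolver."""
    cfg = parse_dns_resolver(config_text)
    zone = matching_zone(cfg["zones"], qname)
    findings = []
    if zone is None:
        findings.append(f"no forward zone covers {qname!r}: {sorted(cfg['zones'])} "
                        "only match names at or below the zone; use '.' as catch-all")
    else:
        findings.append(f"{qname!r} is forwarded by zone {zone!r} to {cfg['zones'][zone]}")
    if expected_route_domain and cfg["route_domain"] != expected_route_domain:
        findings.append(f"resolver is in route domain {cfg['route_domain']}, expected "
                        f"{expected_route_domain}; nameservers must be reachable from "
                        "the route domain the resolver is assigned to")
    return findings
```

Running `lint_resolver(RESOLVER_BEFORE, "login.example.com")` reports that no zone covers the name, while the same call on `RESOLVER_AFTER` shows the query forwarded by `.` to `x.x.x.x:53`; passing `expected_route_domain="/Common/1"` adds the route-domain finding for either stanza, which is the check to run first on an isolated-route-domain deployment.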