F5 APM Oauth2.0 access policy not working for JWT token
Hi Team,
I am trying to create an F5 APM policy for OAuth 2.0, creating two access profiles: one is the F5 APM authorization server and the other one is the F5 APM client application.
I am getting the below error:
Local Time: 2024-05-13 06:55:09
Log Message: /Common/outh2_Client:Common:a08caa4a:/Common/outh2_Client_act_oauth_scope_ag: OAuth Scope: failed for jwt-provider-list '/Common/jwt_provider' , error: None of the configured JWK keys match the received JWT token, JWT Header: ewogICJhbGciOiJSUzI1NiIsCiAgImtpZCI6IjAwMSIsCiAgInR5cCI6IkpXVCIKfQ
Can you help?
I am also not sure what should go in "JWT Refresh Token Encryption Secret" in the OAuth profile.
BIG-IP APM Objects:
JSON Web Token - Key configuration
JSON Web Token - Token Configuration
JSON Web Token Provider
OAuth Authorization Server: Scope, Claim, Client Application, Resource Server, OAuth Profile
Federation: OAuth Client / Resource Server: OAuth Server, Provider
If running auto discovery, you may be hitting a bug: https://cdn.f5.com/product/bugtracker/ID995029.html. What version of BIG-IP code are you running? Also, generally these settings are configured in concert with a 3rd party provider, or when you have access to the 3rd party configuration for OAuth.
- Lucas_Thompson (Employee)
OAuth can be confusing to set up because it's fairly complicated and APM's implementation has a lot of options to interoperate with various 3rd parties.
The JWT refresh token encryption secret is the encryption key used to encrypt the JWT refresh token that APM generates and sends to the client. When the client comes back to get a new token from the refresh endpoint, it sends the refresh token. The refresh token (in APM) is an encrypted version of the original token. APM checks the encrypted token for validity, then recreates the original token based off the data provided from the refresh token. Then it encrypts another refresh token. In this way, APM actually does not hold state information about the session so the user could potentially use the refresh token against ANY similarly-configured BIG-IP APM.
The JWK is used by APM to cryptographically validate the JWT in the case of "internal validation mode" (it doesn't have to go hit the AS's introspect endpoint) of the OAuth Scope agent.
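Since internal validation only works when the JWT header can be matched to a configured JWK, a quick first check for the error in the question is to decode the header APM logged and compare its `kid` and `alg` against the JWK key configuration. The Python below is an added example, not APM's own matching code: it decodes the logged header from the post and runs a standard JWS-style key selection over a constructed sample key set (placeholder key material, not real keys).

```python
import base64
import json

# JWT header segment copied from the APM log message in the question.
LOGGED_JWT_HEADER = "ewogICJhbGciOiJSUzI1NiIsCiAgImtpZCI6IjAwMSIsCiAgInR5cCI6IkpXVCIKfQ"

# Constructed sample of a JWK key set as it might be configured on the
# BIG-IP. Key material is a placeholder; only kid/kty/alg matter here.
CONFIGURED_JWKS = [
    {"kty": "RSA", "kid": "002", "alg": "RS256", "use": "sig", "n": "<modulus-002>", "e": "AQAB"},
    {"kty": "oct", "kid": "001", "alg": "HS256", "k": "<shared-secret-001>"},
]

# JWS signing algorithm -> JWK key type that can verify it (RFC 7518).
ALG_KTY = {
    "RS256": "RSA", "RS384": "RSA", "RS512": "RSA",
    "PS256": "RSA", "PS384": "RSA", "PS512": "RSA",
    "ES256": "EC", "ES384": "EC", "ES512": "EC",
    "HS256": "oct", "HS384": "oct", "HS512": "oct",
}


def decode_jwt_header(segment):
    """Decode the base64url (unpadded) first segment of a JWT into a dict."""
    padded = segment + "=" * (-len(segment) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(padded))


def find_matching_jwk(header, jwks):
    """Select the JWK a verifier would use for this header.

    Returns (key, reason). A key matches when its kid equals the header kid
    (if the header carries one) and its key type fits the header alg.
    """
    alg, kid = header.get("alg"), header.get("kid")
    wanted_kty = ALG_KTY.get(alg)
    if wanted_kty is None:
        return None, f"unsupported or missing alg {alg!r}"
    candidates = [k for k in jwks if k.get("kid") == kid] if kid else list(jwks)
    if not candidates:
        return None, f"no configured JWK has kid {kid!r}"
    for key in candidates:
        if key.get("kty") == wanted_kty and key.get("alg", alg) == alg:
            return key, "ok"
    return None, f"kid {kid!r} is configured but not as a {wanted_kty} key for {alg}"


if __name__ == "__main__":
    hdr = decode_jwt_header(LOGGED_JWT_HEADER)
    print(hdr, find_matching_jwk(hdr, CONFIGURED_JWKS)[1])
```

In the sample set the token's `kid` 001 exists only as an HMAC key, so an RS256 token cannot match; the fix on the APM side is a JWK entry whose `kid` and key type agree with what the authorization server actually signs with.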