Marvin
Apr 30, 2020

F5 both as oauth provider and F5 resource server JWT introspect issue (JWK)

Dear all,

We have an F5 Access policy that is configured as the OAuth server and provides the access tokens and/or JWT.

We have another Access policy configured as the F5 OAuth resource server that acts as the API gateway (which is a pool behind the F5).

Everything works when we perform external validation in the F5 resource server Access policy, which basically performs a scope check towards the F5 OAuth server using the introspect URL. It connects externally, hence the name external. So with this we only use the access token and are not using JWT.

So the problem we have is when we change the validation to internal mode for the scope authorization object inside the Access profile. With this, it should validate the JWT payload (access token and claims included in payload). We request the JWT using the parameter token_content_type=jwt and we do successfully receive the JWT from the F5 OAuth server. So from here all good; now we use this JWT encoded access token as the authentication bearer and perform a request to the F5 resource server to connect to the API server hosted behind the F5.

No matter what we do with this "internal JWT validation method", we always receive Bearer error="invalid_token",error_description="None of the configured JWK keys match the received JWT token" and HTTP 401 not authorized in the response.

We have actually successfully and automatically retrieved the F5 OAuth server keys, so the F5 OAuth resource server should be able to verify the JWT payload; however, it fails.

Perhaps someone here has some experience with using JWT and F5 as the Oauth server and F5 resource server to perform retroinspect with internal validation mode set in the Access profile for the Scope authorization check with the same problem related to JWKs validation?

  • Hi!

    Did you have any luck? I'm running into the same issue in my lab environment. Perhaps I'll upgrade it to 15.1, according to https://cdn.f5.com/product/bugtracker/ID759307.html

    • Marvin

      Hi, actually I had indeed, and it was easily fixed with version 13.1, no need to upgrade. I suppose you use F5 both as the OAuth provider and also as the OAuth resource server / API gateway? The problem has to do with the keys automatically retrieved from the F5 OAuth provider. You shouldn't use that link, but configure it manually. Basically, sharing the same keys on both the OAuth provider and the OAuth resource server fixed it for me.

      Another improvement is to use internal validation instead of external (both work), but it will be faster validating internally on the F5. You can change that in the VPE scope settings by changing to internal.

      I can for sure share with you more details if this is not enough for you.

      • teoiovine

        You mean, I should manually create the key configuration in both devices to be the same?
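
The "None of the configured JWK keys match" condition discussed in this thread, shown in generic JWS/JWK terms (RFC 7515/7517) as an added example that is not from the posters and is not F5 APM's own validation logic. It assumes HS256 with shared octet keys; the key IDs, secrets and issuer URL are constructed sample values.

```python
import base64, hashlib, hmac, json

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def hs256(jwk, signing_input):
    return hmac.new(b64url_decode(jwk["k"]), signing_input.encode(), hashlib.sha256).digest()

def sign_hs256(claims, jwk):
    """Issue a compact JWS as an authorization server would (HS256 only)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": jwk["kid"]}
    parts = [b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    signing_input = ".".join(parts)
    return signing_input + "." + b64url_encode(hs256(jwk, signing_input))

def match_jwk(token, jwks):
    """Return (jwk, report); jwk is None when no configured key verifies the token."""
    try:
        h64, p64, s64 = token.split(".")
        header, sig = json.loads(b64url_decode(h64)), b64url_decode(s64)
    except ValueError:
        return None, ["malformed token"]
    # Pin the algorithm: never accept "none" or whatever alg the token asks for.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None, ["unsupported or missing alg"]
    report = []
    for jwk in jwks:
        kid = jwk.get("kid")
        if jwk.get("kty") != "oct":
            report.append(f"{kid}: kty is not oct")
        elif "kid" in header and kid != header["kid"]:
            report.append(f"{kid}: kid differs from token kid {header['kid']}")
        elif hmac.compare_digest(hs256(jwk, h64 + "." + p64), sig):
            return jwk, report
        else:
            report.append(f"{kid}: signature does not verify with this key")
    return None, report

# Constructed sample keys and token (not real secrets, not F5 output).
PROVIDER_KEY = {"kty": "oct", "kid": "as-key-1", "k": b64url_encode(b"provider-secret-0123456789abcdef")}
STALE_KEY = {"kty": "oct", "kid": "as-key-1", "k": b64url_encode(b"another--secret-0123456789abcdef")}
OTHER_KID_KEY = {"kty": "oct", "kid": "rs-key-9", "k": PROVIDER_KEY["k"]}
TOKEN = sign_hs256({"iss": "https://as.example.test", "scope": "api.read"}, PROVIDER_KEY)

if __name__ == "__main__":
    for name, jwks in [("mismatched", [STALE_KEY, OTHER_KID_KEY]), ("shared", [PROVIDER_KEY])]:
        jwk, report = match_jwk(TOKEN, jwks)
        print(name, "->", jwk["kid"] if jwk else "no configured JWK matches", report)
```

The per-key report separates a key ID mismatch from a key material mismatch, which are the two things to compare between the provider's and the resource server's key configuration.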