For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Marvin's avatar
Marvin
Icon for Cirrocumulus rankCirrocumulus
Apr 30, 2020
Solved

F5 both as oauth provider and F5 resource server JWT introspect issue (JWK)

Dear all,   We have a F5 Access policy that is configured for Oauth server and provides the access tokens and / or JWT.   We have another Access policy configured as the F5 oauth resource ser...
application delivery
BIG-IP Access Policy Manager (APM)
introspect
oauth
teoiovine's avatar
teoiovine
Icon for Cirrus rankCirrus
Jun 29, 2020

Hi!

Had you any luck? I'm running against the same issue on my lab environment. Perhaps i'll upgrade it to 15.1, according to https://cdn.f5.com/product/bugtracker/ID759307.html

Marvin's avatar
Marvin
Icon for Cirrocumulus rankCirrocumulus
Jun 30, 2020

Hi, actually I had indeed and easily fixed with version 13.1 no need to upgrade. I suppose you use F5 both as the oauth provider and also as the oauth resource server / api gateway? The problem has to do with the keys automatically retrieved from the f5 oauth provider. You shouldnt use that link but manually configure it. Basically share the same keys on both oauth provider and oauth resource server fixed it for me.

Another improvement is to use internal validation instead of external (both work) but it will be faster validating internally on the F5, you can change that in VPE scope settings by changing to internal.

I​ can for sure share with you more details if this is not enough for you.

  • teoiovine's avatar
    teoiovine
    Icon for Cirrus rankCirrus
    Jun 30, 2020

    You mean, I should manually create the key configuration in both devices to be the same?

  • Marvin's avatar
    Marvin
    Icon for Cirrocumulus rankCirrocumulus
    Jun 30, 2020

    If you already have set up the oauth provider on the F5 then you should already have the JWT key configuration also. When you then configure the F5 as the Oauth resource server in the menu:

     

    Access  ››  Federation : OAuth Client / Resource Server : Provider  ››  F5-oauth-server

     

    So when you add the F5 oauth provider (link between F5 oauth resource server to F5 oauth provder) then you should NOT select "Use auto JWT" as this will add new keys in the configuration. You just need to select the Token configuration select box as the reference to the already available keys

     

    Access  ››  Federation : JSON Web Token : Token Configuration

     

    Inside this profile you select the allowed keys to use.

     

    The actual keys you can find here:

    Access  ››  Federation : JSON Web Token : Key Configuration