thecarrionkind
Jul 26, 2024

Not active oauth tokens after reboot

Hi,

I have an oauth profile that generates opaque oauth tokens with long lifetimes.

I originally thought the tokens were invalidated after an upgrade or even a failover. Now after testing they are identified as "Not active" in the APM log. The tokens work just right after generating them.

Also, despite the long lifetime setup in the oauth profile, the tmsh commands list the tokens with the same dates on issue and expiry, for both access and refresh tokens. So the tokens seem to be generated with wrong expiry dates.

I've noticed this in the production cluster, and am able to test in a standalone non-production device.

I have several cases escalated with F5 support but I have had no real significant replies and tests to do for weeks. So I am unfortunately asking here to see if anybody has ideas to test or troubleshoot.

Thanks.

Lloyd

  • The oauth code in APM has mechanisms for syncing the token DB over to an HA peer, so it should survive a failover.

    If the tokens aren't being generated with the right dates, then nothing will work right. I'd begin troubleshooting that before anything else because it's fairly basic. It seems unlikely that APM OAuth AS is completely broken with the default or default-ish settings. Can you share information about the "long lifetime" set up in your oauth profile so we can try it in a basic lab setup?