For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

You want Modern Auth … for an app or client that’s stuck in the 2010s

Anyone involved with IT for a considerable time understands that change is inevitable and perpetual. Organizational requirements shift and adapt to emerging technology, security threats, and new me...
Published Oct 04, 2022
Version 1.0
Cybersecurity-Awareness-Month-2022
security
Scheff's avatar
Icon for Employee rankEmployee
🔐 Senior Solutions Architect | API Security Specialist | AI & Post-Quantum Strategist I help organizations make sense of complex security challenges — from securing modern API infrastructures to building zero trust architectures that scale. With deep expertise in F5 technologies, OAuth, and identity standards like FDX, I bridge the gap between technical execution and strategic innovation. Currently focused on: Leading AI security initiatives, including securing Large Language Models (LLMs) from emerging threats Evangelizing post-quantum cryptography (PQC) in real-world deployments Developing gamified Capture-the-Flag challenges to train engineers in offensive/defensive API tactics Advising on infrastructure transformation, security automation, and cloud-native rollouts Outside of work, I stay curious — whether it's road-tripping across North America with a trailer and a plan, writing an upcoming book on AI threat mitigation, or creating unforgettable RPG characters who cast spells with swords. Let’s talk security, strategy, or why your TLS handshake failed at 3 a.m.
View Profile
bowlermj's avatar
Icon for Employee rankEmployee
Joined March 01, 2022
View Profile
Scheff's avatar
Scheff
Icon for Employee rankEmployee
Dec 28, 2022

The iRule is called from the 'iRule Event' item in the PRP Policy.  Each of these items has a different ID that is sent to the iRule and evaluated in the switch statement on line 6 (inside the ACCESS_PER_REQUEST_AGENT_EVENT code).

As for validating the JWT, that's beyond the scope of the requirement, the JWT here was minted by an outside source and then is provided to the BIG-IP based on the Basic Auth Username and Password.