Forum Discussion

Jad_Tabbara__J1
Jul 14, 2022

APM JWT Multiple Providers NOT WORKING

Dear F5 community,

Using F5 APM 16.1.3 (as an OAuth resource server) I am trying to implement a per-request policy that will verify the signature of JWT tokens sent by the client. These JWT tokens can be issued from two different issuers (Azure AD or STS).

I am able to verify JWT tokens for each provider separately using a dedicated "JWT provider" with only one provider attached.

When using 2 providers as follows:

I get the following error message:

WWW-AuthenticateBearer error="invalid_token",error_description="Issuer Mismatch : Claim issuer= https://sts.windows.net/ Provider issuer=https://login.microsoftonline.com/v2.0"

Based on the F5 doc below, the built-in object supports having multiple JWT providers:
https://clouddocs.f5.com/cli/tmsh-reference/v15/modules/apm/apm_oauth_jwt-provider-list.html

Configuration is pretty simple:
- 1 Access Policy with "Allow" all ending
- 1 Per-Request Policy with "OAuth Scope" set to "Internal" with the "jwt-allowed-providers-list"

I guess it is most likely a bug.

Was anyone able to make it work with multiple JWT providers?

I can work around this by parsing the JWT payload, then determining the issuer and, based on the issuer, making two branches in the VPE:
- first branch with the "oauth scope A" that will validate the token using JWT-Provider-A
- second branch with the "oauth scope B" that will validate the token using JWT-Provider-B

Thanks
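The workaround described in the post (read the unverified `iss` claim only to pick a provider, then verify the token against that provider's key alone) can be shown end to end. The following is an added example, not F5 code or anything from the thread: it keeps a small provider registry keyed by issuer, using the two issuer strings quoted in the error message above, and uses constructed HS256 shared secrets as a stand-in for each provider's RS256 JWK set so it runs offline. The provider entries, secrets and `mint_token` helper are all hypothetical.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed provider registry keyed by the JWT "iss" claim. The issuer
# strings are the ones quoted in the error message in the post; the keys
# are made-up HS256 secrets standing in for each provider's RS256 JWK set
# (hypothetical values, chosen so the example runs offline).
PROVIDERS = {
    "https://login.microsoftonline.com/v2.0": {
        "alg": "HS256", "key": b"constructed-secret-for-azure-ad-v2"},
    "https://sts.windows.net/": {
        "alg": "HS256", "key": b"constructed-secret-for-sts"},
}


def _b64url_decode(text):
    # base64url without padding, as used by JWS segments
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def peek_issuer(token):
    """Read the 'iss' claim from the payload WITHOUT trusting the token.

    This is the 'parse the JWT payload, then determine the issuer' step:
    the claim only selects which provider the token is checked against.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT: expected 3 dot-separated segments")
    payload = json.loads(_b64url_decode(parts[1]))
    return payload.get("iss")


def verify_multi_issuer(token, now=None):
    """Return (ok, reason, claims); claims is None unless ok is True."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token", None
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))

    # 1. Dispatch on the issuer: an unknown issuer is rejected before any
    #    cryptography runs (the equivalent of the two VPE branches).
    iss = claims.get("iss")
    provider = PROVIDERS.get(iss)
    if provider is None:
        return False, "Issuer Mismatch : Claim issuer=%s not in allowed provider list" % iss, None

    # 2. Pin the algorithm to what the selected provider is configured for,
    #    so a token cannot downgrade to "none" or switch algorithm families.
    if header.get("alg") != provider["alg"]:
        return False, "alg mismatch", None

    # 3. Verify the signature with that provider's key only.
    signing_input = ("%s.%s" % (parts[0], parts[1])).encode("ascii")
    expected = hmac.new(provider["key"], signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        return False, "invalid signature", None

    # 4. Only now are the claims trusted: check expiry.
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        return False, "token expired", None
    return True, "ok", claims


def mint_token(issuer, key, extra_claims=None, alg="HS256"):
    """Build a constructed HS256 test token for the given issuer (test helper)."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    claims = {"iss": issuer, "exp": int(time.time()) + 300}
    claims.update(extra_claims or {})
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = ("%s.%s" % (header, payload)).encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return "%s.%s.%s" % (header, payload, _b64url_encode(sig))


if __name__ == "__main__":
    for iss, prov in PROVIDERS.items():
        tok = mint_token(iss, prov["key"], {"scope": "Internal"})
        print(peek_issuer(tok), verify_multi_issuer(tok)[:2])
    # A token claiming the Azure AD issuer but signed with the STS key fails
    cross = mint_token("https://login.microsoftonline.com/v2.0",
                       PROVIDERS["https://sts.windows.net/"]["key"])
    print(verify_multi_issuer(cross)[:2])
```

The order matters: the issuer lookup decides which key is used, but nothing from the payload is acted on until the signature under that key checks out, so a forged `iss` can only steer the token toward a provider whose key it must then satisfy. The same per-issuer dispatch is what the two-branch VPE in the post implements with two "OAuth Scope" agents.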

5 Replies

    • Jad_Tabbara__J1

      Dear Yoann 🙂

      Hope you are doing well.

      Yes, each provider has its own JWK & JWT objects that are auto-generated using the "Discovery" job.

      • Yoann_Le_Corvi1

        Yes fine 🙂

        Would be interesting to see what is autodiscovered. I made a quick test with:

        - 2 OAuth Servers configured in JWT + OpenID Connect + autodiscovery on F5 with different issuers
        - 1 OAuth Resource with the same policy as yours (with a provider list that includes the 2 OAuth Servers), and it seems to work 😕

        Can you provide the 2 autodiscovery URLs used for Microsoft ?

        Thanks