F5 both as oauth provider and F5 resource server JWT introspect issue (JWK)

Marvin
Cirrostratus

Dear all,

 

We have an F5 Access policy that is configured as an OAuth server and provides the access tokens and / or JWT.

 

We have another Access policy configured as the F5 oauth resource server that acts as the API gateway (which is a pool behind the F5)

 

Everything works when we perform external validation in the F5 resource server Access policy, which basically performs a scope check towards the F5 oauth server using introspect URL. It connects externally, hence the name external. So with this we only use the access token and are not using JWT.

 

So the problem we have is when we change the validation to internal mode for the scope authorization object inside the Access profile. With this it should validate the JWT payload (access token and claims included in the payload). We request the JWT using the parameter token_content_type=jwt and we do successfully receive the JWT from the F5 oauth server. So from here all good; now we use this JWT encoded access token as the authentication bearer and perform a request to the F5 resource server to connect to the API server hosted behind the F5.

 

No matter what we do with this "internal JWT validation method" we always receive Bearer error="invalid_token",error_description="None of the configured JWK keys match the received JWT token" and HTTP 401 not authorized in the response.

 

We have actually successfully and automatically retrieved the F5 oauth server keys, so the F5 oauth resource server should be able to verify the JWT payload, however it fails.

 

Perhaps someone here has some experience with using JWT and F5 as the Oauth server and F5 resource server to perform introspection with internal validation mode set in the Access profile for the Scope authorization check, with the same problem related to JWK validation?

1 ACCEPTED SOLUTION

If you already have set up the oauth provider on the F5 then you should already have the JWT key configuration also. When you then configure the F5 as the Oauth resource server in the menu:

 

Access  ››  Federation : OAuth Client / Resource Server : Provider  ››  F5-oauth-server

 

So when you add the F5 oauth provider (the link between the F5 oauth resource server and the F5 oauth provider) then you should NOT select "Use auto JWT", as this will add new keys in the configuration. You just need to select the Token configuration select box as the reference to the already available keys:

 

Access  ››  Federation : JSON Web Token : Token Configuration

 

Inside this profile you select the allowed keys to use.

 

The actual keys you can find here:

Access  ››  Federation : JSON Web Token : Key Configuration
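The error in the question ("None of the configured JWK keys match the received JWT token") is a key-lookup failure before any signature check: the resource server looks for the key named in the token header, and a key set generated by "Use auto JWT" simply does not contain the provider's key. The following is an added diagnostic, not F5 code, that reproduces that lookup offline; it assumes HS256 (symmetric, verifiable with the standard library) and constructed key ids and secrets, since the thread does not state which algorithm the F5 keys use.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256_jwt(claims: dict, kid: str, secret: bytes) -> str:
    # Constructed stand-in for the token the OAuth provider issues; "kid" names the signing key.
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    parts = [b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def check_jwt_against_jwks(token: str, jwks: dict) -> str:
    """Return 'ok', 'no_matching_jwk', 'unsupported_alg' or 'bad_signature'."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    kid, alg = header.get("kid"), header.get("alg")
    # Step 1: the resource server can only verify with a key it has configured.
    key = next((k for k in jwks["keys"] if k.get("kid") == kid), None)
    if key is None:
        return "no_matching_jwk"  # the symptom described in the thread
    if alg != "HS256" or key.get("kty") != "oct":
        return "unsupported_alg"  # RS256 etc. would need a crypto library (assumption: HS256 only)
    # Step 2: only now is the signature checked with the matching key.
    expected = hmac.new(b64url_decode(key["k"]), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return "ok" if hmac.compare_digest(expected, b64url_decode(sig_b64)) else "bad_signature"


PROVIDER_SECRET = b"constructed-provider-secret"  # constructed sample value
TOKEN = mint_hs256_jwt({"sub": "api-client", "scope": "read"}, "oauth-provider-key", PROVIDER_SECRET)

# Resource-server key set when "Use auto JWT" generated a fresh key instead of reusing the provider's.
AUTO_JWKS = {"keys": [{"kty": "oct", "kid": "auto-generated-key", "k": b64url_encode(b"some-other-secret")}]}
# Resource-server key set when the Token Configuration references the provider's existing key.
SHARED_JWKS = {"keys": [{"kty": "oct", "kid": "oauth-provider-key", "k": b64url_encode(PROVIDER_SECRET)}]}
# Same kid but different key material: lookup succeeds, signature check fails.
STALE_JWKS = {"keys": [{"kty": "oct", "kid": "oauth-provider-key", "k": b64url_encode(b"rotated-elsewhere")}]}
```

Running the check with AUTO_JWKS yields "no_matching_jwk", with SHARED_JWKS "ok", and with STALE_JWKS "bad_signature", which is how to tell a key-id mismatch apart from a genuinely wrong key.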

4 REPLIES

teoiovine
Cirrus

Hi!

Had you any luck? I'm running against the same issue on my lab environment. Perhaps I'll upgrade it to 15.1, according to https://cdn.f5.com/product/bugtracker/ID759307.html

Hi, actually I had indeed, and easily fixed it with version 13.1, no need to upgrade. I suppose you use F5 both as the oauth provider and also as the oauth resource server / api gateway? The problem has to do with the keys automatically retrieved from the F5 oauth provider. You shouldn't use that link but manually configure it. Basically, sharing the same keys on both the oauth provider and oauth resource server fixed it for me.

Another improvement is to use internal validation instead of external (both work), but it will be faster validating internally on the F5; you can change that in the VPE scope settings by changing to internal.

I can for sure share with you more details if this is not enough for you.

You mean, I should manually create the key configuration in both devices to be the same?
