F5 OAUTH JWT error "failed trust verification with trusted CA bundle"

Hello to All,

 

I tried using F5 as an OAUTH server that generates JWT tokens on 16.1.3.2 but I get the error "01071ca5:3: The JWK config (/Common/F5-CA) associated to OAuth profile (/Common/F5-Oauth-Server-JWT) failed trust verification with trusted CA bundle (/Common/clientCA-cert). " .

 

I generated my own CA cert following   "K14499: Using OpenSSL to create CA and client certificates (11.x - 16.x" https://support.f5.com/csp/article/K14499

 

Maybe I am doing something wrong or it is a bug but I am not certain as I do not have not worked with F5 as an Oauth JWT server.

 

I am checking just really fast with the community as this is not something critical but if someone has seen this I will be happy to get a feedback 🙂

 

 

 

With or without Certificate Chain it is the same error or X5C.

 

 

I am wondering as the certificate is 2048 bits RSA ifit should be 256 but I think this shouldn't matter.

 

 

As a workaround I am using Octed JWT Key with a long shared password generated by a password generator that works. Also I tested with opaque keys as shown in https://support.f5.com/csp/article/K14391041 and it works but with those keys I do not think there is a way the F5 Auth server to return some usefull info like AD groups/emails to to the Oauth Client that is another F5 device as with JWT this is done with Claims. I did not find if F5 as an Oauth Authorization server supports UserInfo Request URI where after the authorization code that the web browsers provide is exchanged for Opaque Access token to configure what info the F5  Oauth Server to provide to the F5 Oauth Client but maybe some knows this.

 

To bad that for OpenID Connect the JWT needs first to be enabled for the Oauth profile and thisagain means using Octed JWT Keys for either Access or ID tokens 😞