Sorry, I forgot to answer the last question.
It's not essential to do any connection mirroring. The worst case is that the client connects without an external session token and the F5 just proxies the flow as if it were a token-less flow.
The workflow for a new connection should be as follows:
1. Client connects without external session token --> F5 --> proxies connection to API server
2. API server responds with JWS token --> F5 populates table with JWS and generates an external session token. This is mapped against the original JWS in a reference table --> JWS is replaced by external session token in response to client (client-side connections should not contain JWS)
The workflow for existing connections should be as follows:
1. Client connects with external token --> F5 checks if the external token still exists in the reference table (depending on token validity). If the token exists then it is mapped to the internal JWS token, which is rewritten into the header of the server-side flow --> proxies connection to API server
If the above flow contains an external token which has expired, then it should have been removed from the reference table, so the F5 will proxy the flow to the API server without a JWS. The API server will redirect the client to restart the authentication chain.
I hope this clarifies the requirement. Many thanks in advance for your support.
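The two workflows above, written out as an iRule. This is an added example, not the poster's configuration or F5's own code: it assumes the API server returns the JWS in a response header named X-Auth-Token and expects it back in the same request header, that the client-side token travels in a header named X-Session-Token, and that the mapping should expire after 30 minutes idle or 8 hours absolute. The reference table is the LTM session table (`table` command), and `table lookup` refreshes the idle timeout on each hit, so an expired entry simply disappears and the request is forwarded without a JWS, as the post describes.

```tcl
# Added example iRule: opaque external session token <-> backend JWS mapping.
# Assumed header names and lifetimes; adjust to the real API contract.
when RULE_INIT {
    set static::ext_hdr  "X-Session-Token"   ;# client-side header (assumed name)
    set static::jws_hdr  "X-Auth-Token"      ;# server-side header carrying the JWS (assumed name)
    set static::subtable "ext2jws"           ;# session-table namespace for the mapping
    set static::idle_ttl 1800                ;# seconds of inactivity before the mapping expires
    set static::max_life 28800               ;# absolute lifetime regardless of activity
}

when HTTP_REQUEST {
    # A client must never be able to inject its own JWS toward the API server;
    # only a JWS looked up from the reference table is allowed on the server side.
    if { [HTTP::header exists $static::jws_hdr] } {
        HTTP::header remove $static::jws_hdr
    }

    if { [HTTP::header exists $static::ext_hdr] } {
        set ext [HTTP::header value $static::ext_hdr]
        # Empty string means unknown or already expired (table entries age out on their own).
        set jws [table lookup -subtable $static::subtable $ext]
        # The external token is for the client side only; strip it from the server-side flow.
        HTTP::header remove $static::ext_hdr

        if { $jws ne "" } {
            # Existing connection: rewrite the internal JWS into the server-side request.
            HTTP::header insert $static::jws_hdr $jws
        } else {
            # Expired/unknown token: forward without a JWS so the API server restarts auth.
            log local0.info "no mapping for external token from [IP::client_addr]; forwarding token-less"
        }
    }
    # No external header at all: token-less flow, proxied unchanged.
}

when HTTP_RESPONSE {
    if { [HTTP::header exists $static::jws_hdr] } {
        set jws [HTTP::header value $static::jws_hdr]
        # Mint an unguessable opaque token: hash 256 bits of platform RNG output.
        binary scan [sha256 [AES::key 256]] H* ext
        # New connection: store external -> JWS with idle and absolute lifetimes.
        table set -subtable $static::subtable $ext $jws $static::idle_ttl $static::max_life
        # Replace the JWS with the external token so the client never sees the JWS.
        HTTP::header remove $static::jws_hdr
        HTTP::header insert $static::ext_hdr $ext
    }
}
```

Two design points worth noting: the idle timeout passed to `table set` is what implements "depending on token validity" without a separate clean-up job, and stripping any inbound X-Auth-Token before the lookup is what guarantees the API server only ever receives a JWS that the F5 itself issued a mapping for. If the API server's JWS carries its own `exp` claim, keep `static::max_life` at or below that value so the table entry never outlives the JWS it points to.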