Forum Discussion

kumar0303's avatar
Icon for Altostratus rankAltostratus
May 13, 2024

F5 APM Oauth2.0 access policy not working for JWT token

Hi Team,

 I am trying to create F5 APM policy for Oauth2.0. Creating two access profile, one is F5 apm authorization server and other one is F5 apm Client application.

I am getting below error

Local Time2024-05-13 06:55:09Log Message/Common/outh2_Client:Common:a08caa4a:/Common/outh2_Client_act_oauth_scope_ag: OAuth Scope: failed for jwt-provider-list '/Common/jwt_provider' , error: None of the configured JWK keys match the received JWT token, JWT Header: ewogICJhbGciOiJSUzI1NiIsCiAgImtpZCI6IjAwMSIsCiAgInR5cCI6IkpXVCIKfQ Can you help

I also no sure what will be in "JWT Refresh Token Encryption Secret" in Oauth profile

BIG-IP APM Objects:

JSON Web Token - Key configuration 

JSON Web Token - Token  Configuration

JSON Web Token Provider

OAuth Authorization server- Scope, Claim, client application, resource server, oauth profile

 Federation : OAuth Client / Resource Server : OAuth Server, provider

2 Replies

  • OAuth can be confusing to set up because it's fairly complicated and APM's implementation has a lot of options to interoperate with various 3rd parties.

    The JWT refresh token encryption secret is the encryption key used to encrypt the JWT refresh token that APM generates and sends to the client. When the client comes back to get a new token from the refresh endpoint, it sends the refresh token. The refresh token (in APM) is an encrypted version of the original token. APM checks the encrypted token for validity, then recreates the original token based off the data provided from the refresh token. Then it encrypts another refresh token. In this way, APM actually does not hold state information about the session so the user could potentially use the refresh token against ANY similarly-configured BIG-IP APM.

    The JWK is used by APM to cryptographically validate the JWT in the case of "internal validation mode" (it doesn't have to go hit the AS's introspect endpoint) of the OAuth Scope agent.