F5 APM Oauth2.0 access policy not working for JWT token

OAuth can be confusing to set up because it's fairly complicated and APM's implementation has a lot of options to interoperate with various 3rd parties.

The JWT refresh token encryption secret is the encryption key used to encrypt the JWT refresh token that APM generates and sends to the client. When the client comes back to get a new token from the refresh endpoint, it sends the refresh token. The refresh token (in APM) is an encrypted version of the original token. APM checks the encrypted token for validity, then recreates the original token based off the data provided from the refresh token. Then it encrypts another refresh token. In this way, APM actually does not hold state information about the session so the user could potentially use the refresh token against ANY similarly-configured BIG-IP APM.

The JWK is used by APM to cryptographically validate the JWT in the case of "internal validation mode" (it doesn't have to go hit the AS's introspect endpoint) of the OAuth Scope agent.

If running auto discovery, you may be hitting a bug: https://cdn.f5.com/product/bugtracker/ID995029.html. What version of BIG-IP code are you running? Also, generally these settings are configured in concert with a 3rd party provider, or when you have access to the 3rd party configuration for OAuth.