F5 both as OAuth provider and F5 resource server: JWT introspect issue (JWK)
Dear all,
We have an F5 Access policy that is configured as an OAuth server and provides the access tokens and/or JWTs.
We have another Access policy configured as the F5 OAuth resource server that acts as the API gateway (which is a pool behind the F5).
Everything works when we perform external validation in the F5 resource server Access policy, which basically performs a scope check towards the F5 OAuth server using the introspect URL. It connects externally, hence the name "external". So with this we only use the access token and are not using the JWT.
So the problem we have is when we change the validation to internal mode for the scope authorization object inside the Access profile. With this it should validate the JWT payload (access token and claims included in the payload). We request the JWT using the parameter token_content_type=jwt and we successfully receive the JWT from the F5 OAuth server. So from here all good; now we use this JWT-encoded access token as the authentication bearer and perform a request to the F5 resource server to connect to the API server hosted behind the F5.
No matter what we do with this "internal JWT validation method" we always receive `Bearer error="invalid_token",error_description="None of the configured JWK keys match the received JWT token"` and an HTTP 401 (not authorized) in the response.
We have actually successfully and automatically retrieved the F5 OAuth server keys, so the F5 OAuth resource server should be able to verify the JWT payload; however, it fails.
Perhaps someone here has experience with using JWT with the F5 as both the OAuth server and the F5 resource server, performing introspection with internal validation mode set in the Access profile for the scope authorization check, and has run into the same problem with JWK validation?
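The error quoted above means the resource server could not find, in its configured JWK set, a key whose `kid` (and algorithm/key type) matches the JWT header. A quick way to see which side is wrong is to decode the header yourself and compare it against the JWK set the resource server has loaded. The script below is an added example, not code from the original post or from F5: it parses the JWT header with the standard library only, reports exactly which field fails to match, and, for an HS256 token, verifies the signature against the matching `oct` key so that "wrong key reference" and "wrong secret" show up as different failures. Key IDs, secrets and claims are constructed for the demo; F5 may issue RS256 tokens, in which case the `kid`/`alg` matching logic still applies but the signature must be checked with a crypto library.

```python
"""Diagnose "None of the configured JWK keys match the received JWT token".

A resource server selects a verification key from its JWK set by the `kid`
(and `alg`/`kty`) carried in the JWT header. `find_jwk` reproduces that
lookup and says why it failed; `check` additionally verifies HS256 tokens.
Added example, not F5 code; all keys and tokens below are constructed.
"""
import base64
import hashlib
import hmac
import json


def b64url_decode(s: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def jwt_header(token: str) -> dict:
    """Decode the (unverified) JOSE header of a compact-serialised JWT."""
    return json.loads(b64url_decode(token.split(".")[0]))


def find_jwk(token: str, jwks: dict):
    """Return (jwk, reason); jwk is None when no configured key matches."""
    hdr = jwt_header(token)
    kid, alg = hdr.get("kid"), hdr.get("alg")
    if kid is None:
        return None, "JWT header carries no kid; nothing to match against"
    keys = jwks.get("keys", [])
    candidates = [k for k in keys if k.get("kid") == kid]
    if not candidates:
        known = [k.get("kid") for k in keys]
        return None, f"kid {kid!r} not present in JWK set (configured kids: {known})"
    expected_kty = {"HS256": "oct", "RS256": "RSA", "ES256": "EC"}.get(alg)
    for k in candidates:
        # A JWK without an explicit alg is accepted if its key type fits.
        if k.get("alg", alg) == alg and k.get("kty") == expected_kty:
            return k, "matched"
    return None, f"kid {kid!r} found but alg/kty disagree with header alg {alg!r}"


def verify_hs256(token: str, jwk: dict) -> bool:
    """Verify an HS256 signature with an `oct` JWK (its `k` is base64url)."""
    h, p, s = token.split(".")
    mac = hmac.new(b64url_decode(jwk["k"]), f"{h}.{p}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(mac, b64url_decode(s))


def make_hs256_jwt(claims: dict, jwk: dict) -> str:
    """Mint a test token the way a provider would (constructed, for the demo)."""
    h = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT", "kid": jwk["kid"]}).encode())
    p = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(b64url_decode(jwk["k"]), f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"


def check(token: str, jwks: dict):
    """Full resource-server style check: key lookup, then signature."""
    jwk, reason = find_jwk(token, jwks)
    if jwk is None:
        return False, reason                      # -> 401 invalid_token
    if jwk["kty"] == "oct":
        if verify_hs256(token, jwk):
            return True, "signature ok"
        return False, "kid matched but signature invalid"
    return True, f"key matched; verify {jwk['kty']} signature with a crypto library"


# Constructed sample keys: kids and secrets are made up for this demo.
PROVIDER_KEY = {"kty": "oct", "kid": "f5-oauth-server-key", "alg": "HS256",
                "k": b64url_encode(b"provider-signing-secret")}
AUTO_JWT_KEY = {"kty": "oct", "kid": "auto-jwt-generated-key", "alg": "HS256",
                "k": b64url_encode(b"some-other-secret")}


def demo():
    """Same token checked against the provider's key set and a freshly generated one."""
    token = make_hs256_jwt({"sub": "api-client", "scope": "read"}, PROVIDER_KEY)
    provider_jwks = {"keys": [PROVIDER_KEY]}
    other_jwks = {"keys": [AUTO_JWT_KEY]}         # a key set that never signed this token
    return check(token, provider_jwks), check(token, other_jwks)


if __name__ == "__main__":
    for ok, why in demo():
        print("200" if ok else "401", why)
```

Run it against a real token by pasting the JWT into `check` together with the JWK set the resource server actually references; if `find_jwk` reports the `kid` as absent, the resource server is pointed at a different key set than the one the OAuth server signs with.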
If you have already set up the OAuth provider on the F5, then you should already have the JWT key configuration as well. You then configure the F5 as the OAuth resource server in the menu:
Access ›› Federation : OAuth Client / Resource Server : Provider ›› F5-oauth-server
So when you add the F5 OAuth provider (the link between the F5 OAuth resource server and the F5 OAuth provider), you should NOT select "Use auto JWT", as this will add new keys to the configuration. You just need to select the Token Configuration select box as the reference to the already available keys:
Access ›› Federation : JSON Web Token : Token Configuration
Inside this profile you select the allowed keys to use.
The actual keys you can find here: