Forum Discussion

Randy_Abrams
May 07, 2019

Request and validate OAuth/OIDC tokens with APM when F5 is behind a web proxy

This question concerns a deployment using OpenID Connect with Okta as the Authorization server and F5 APM as the Resource server. The F5 is running LTM 14.1 and is in non-routable address space behind a firewall and web proxy.

An F5 "provider" object was configured via Access -> Federation -> OAuth Client/Resource Server -> Provider

Connections to Okta via the "Authentication URI" and other URIs in the provider object occur over the management plane. The F5 must be able to resolve the name and have a route to Okta. There is no provision in the provider object to specify that the connection traverse a web proxy.

For comparison, a similar problem arises when trying to connect to an OCSP server when the F5 is behind a web proxy. A solution for the OCSP connection is outlined in the article ocsp-through-an-outbound-explicit-proxy-29026. This solution uses a "proxy VIP" to direct the traffic through a web proxy. The solution works because the OCSP call is unencrypted http.

However, in the case of the F5 OAuth "provider" object, the connection is encrypted HTTPS. If a "proxy VIP" is configured as in the OCSP example, there does not appear to be a way to change the HTTP "GET" to a "CONNECT" in order to perform an encrypted connection through the web proxy.

Is there any other way to configure an F5 as an OAuth Resource server when it is behind a web proxy?
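As an added illustration (not from the post and not F5 or Okta code), the wire-level difference the question turns on: the OCSP-style proxy VIP forwards a plain absolute-form GET that the proxy fetches itself, whereas the HTTPS OIDC endpoints (authorization, token, JWKS) need a CONNECT tunnel before any TLS handshake. The mock proxy, its egress allowlist and the Okta tenant name are constructed for the example.

```python
# Added example: explicit-proxy framing for plain-http (OCSP) vs https (OIDC) targets.
from urllib.parse import urlsplit


def proxy_get_request(url: str) -> bytes:
    """Absolute-form GET sent to an explicit proxy for a plain-http URL (the OCSP case)."""
    u = urlsplit(url)
    if u.scheme != "http":
        raise ValueError("absolute-form GET is for plain http; https needs CONNECT")
    target = u.path or "/"
    if u.query:
        target += "?" + u.query
    return f"GET http://{u.netloc}{target} HTTP/1.1\r\nHost: {u.netloc}\r\n\r\n".encode()


def proxy_connect_request(url: str) -> bytes:
    """CONNECT asks the proxy for a raw tunnel to host:port; TLS starts only after a 2xx."""
    u = urlsplit(url)
    if u.scheme != "https":
        raise ValueError("a CONNECT tunnel is only needed for https")
    hostport = f"{u.hostname}:{u.port or 443}"
    return f"CONNECT {hostport} HTTP/1.1\r\nHost: {hostport}\r\n\r\n".encode()


def mock_explicit_proxy(request: bytes, egress_allowlist: set[str]) -> bytes:
    """Constructed stand-in for the corporate web proxy: tunnels are opened only to
    allowlisted host:port pairs, and https must arrive as CONNECT, not as a GET."""
    method, target, _ = request.split(b"\r\n", 1)[0].decode().split(" ", 2)
    if method == "CONNECT":
        if target in egress_allowlist:
            return b"HTTP/1.1 200 Connection established\r\n\r\n"
        return b"HTTP/1.1 403 Forbidden\r\n\r\n"
    if method == "GET" and target.startswith("http://"):
        return b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"  # proxy fetched it for us
    return b"HTTP/1.1 400 Bad Request\r\n\r\n"  # e.g. "GET https://..." with no tunnel


def tunnel_established(proxy_reply: bytes) -> bool:
    """True only on a 2xx status line; on anything else no TLS handshake should follow."""
    parts = proxy_reply.split(b"\r\n", 1)[0].split(b" ", 2)
    return len(parts) >= 2 and parts[0].startswith(b"HTTP/1.") and parts[1].startswith(b"2")


# Constructed tenant name (not a real Okta org); the allowlist is the proxy's egress policy.
ALLOWLIST = {"dev-000000.okta.example:443"}

if __name__ == "__main__":
    jwks = "https://dev-000000.okta.example/oauth2/v1/keys"
    print("tunnel to Okta:", tunnel_established(mock_explicit_proxy(proxy_connect_request(jwks), ALLOWLIST)))
    print("OCSP via GET:", mock_explicit_proxy(proxy_get_request("http://ocsp.example/"), ALLOWLIST)[:15])
```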
