API with authentication mode set to OpenID Connect not working

I have created an API in the Tyk portal, set the authentication mode to OpenID Connect, and configured the issuer, client and policies as per the documentation.
When I call the API with the id_token set in the Authorization header, I get the error “Access to this API has been disallowed”.
Below is the API configuration JSON exported from the dashboard:

{
“id”: “58bff20f4ef4e20fb24e9025”,
“name”: “apolloservertime”,
“slug”: “apolloservertime”,
“api_id”: “0de2c3b6439c47bb64aa3206eb9f9700”,
“org_id”: “58af0af64ef4e20f80037e52”,
“use_keyless”: false,
“use_oauth2”: false,
“use_openid”: true,
“openid_options”: {
“providers”: [
{
“issuer”: “http://xxx.issuer.com:8080/auth/realms/tyk”,
“client_ids”: {
“YXBvbGxv”: “58bff2994ef4e20fb24e9026”
}
}
],
“segregate_by_client”: false
},
“oauth_meta”: {
“allowed_access_types”: [],
“allowed_authorize_types”: [],
“auth_login_redirect”: “”
},
“auth”: {
“use_param”: false,
“param_name”: “”,
“use_cookie”: false,
“cookie_name”: “”,
“auth_header_name”: “”
},
“use_basic_auth”: false,
“enable_jwt”: false,
“use_standard_auth”: false,
“enable_coprocess_auth”: false,
“jwt_signing_method”: “”,
“jwt_source”: “”,
“jwt_identity_base_field”: “”,
“jwt_client_base_field”: “”,
“jwt_policy_field_name”: “”,
“notifications”: {
“shared_secret”: “”,
“oauth_on_keychange_url”: “”
},
“enable_signature_checking”: false,
“hmac_allowed_clock_skew”: -1,
“base_identity_provided_by”: “”,
“definition”: {
“location”: “header”,
“key”: “x-api-version”
},
“version_data”: {
“not_versioned”: true,
“versions”: {
“Default”: {
“name”: “Default”,
“expires”: “”,
“paths”: {
“ignored”: [],
“white_list”: [],
“black_list”: []
},
“use_extended_paths”: true,
“extended_paths”: {},
“global_headers”: {},
“global_headers_remove”: [],
“global_size_limit”: 0,
“override_target”: “”
}
}
},
“uptime_tests”: {
“check_list”: [],
“config”: {
“expire_utime_after”: 0,
“service_discovery”: {
“use_discovery_service”: false,
“query_endpoint”: “”,
“use_nested_query”: false,
“parent_data_path”: “”,
“data_path”: “”,
“port_data_path”: “”,
“target_path”: “”,
“use_target_list”: false,
“cache_timeout”: 60,
“endpoint_returns_list”: false
},
“recheck_wait”: 0
}
},
“proxy”: {
“preserve_host_header”: false,
“listen_path”: “/apolloservertime/”,
“target_url”: “Asbury Park Press NJ | Jersey Shore & New Jersey News”,
“strip_listen_path”: true,
“enable_load_balancing”: false,
“target_list”: [],
“check_host_against_uptime_tests”: false,
“service_discovery”: {
“use_discovery_service”: false,
“query_endpoint”: “”,
“use_nested_query”: false,
“parent_data_path”: “”,
“data_path”: “hostname”,
“port_data_path”: “port”,
“target_path”: “/api-slug”,
“use_target_list”: false,
“cache_timeout”: 60,
“endpoint_returns_list”: false
}
},
“disable_rate_limit”: false,
“disable_quota”: false,
“custom_middleware”: {
“pre”: [],
“post”: [],
“post_key_auth”: [],
“auth_check”: {
“name”: “”,
“path”: “”,
“require_session”: false
},
“response”: [],
“driver”: “”,
“id_extractor”: {
“extract_from”: “”,
“extract_with”: “”,
“extractor_config”: {}
}
},
“custom_middleware_bundle”: “”,
“cache_options”: {
“cache_timeout”: 60,
“enable_cache”: true,
“cache_all_safe_requests”: false,
“cache_response_codes”: [],
“enable_upstream_cache_control”: false
},
“session_lifetime”: 0,
“active”: true,
“auth_provider”: {
“name”: “”,
“storage_engine”: “”,
“meta”: {}
},
“session_provider”: {
“name”: “”,
“storage_engine”: “”,
“meta”: null
},
“event_handlers”: {
“events”: {}
},
“enable_batch_request_support”: false,
“enable_ip_whitelisting”: false,
“allowed_ips”: [],
“dont_set_quota_on_create”: false,
“expire_analytics_after”: 0,
“response_processors”: [],
“CORS”: {
“enable”: false,
“allowed_origins”: [],
“allowed_methods”: [],
“allowed_headers”: [],
“exposed_headers”: [],
“allow_credentials”: false,
“max_age”: 24,
“options_passthrough”: false,
“debug”: false
},
“domain”: “apollotyk.app.com”,
“do_not_track”: false,
“tags”: [],
“enable_context_vars”: false
}

Hi, do you have a way of inspecting the activity of your OAuth provider and seeing the authentication attempts?

Can you share your gateway log?

Best.

Does the API still work if you set it back to Open? Is there a policy applied? The token should be an access token (JWT). Confirm it’s what you expect by inspecting it at jwt.io.

I haven’t had any problems setting this up - it worked immediately out of the box for me.


Hi, the API works if I set it back to Open. I have also applied a policy to the API. I get the id_token from the OpenID Connect provider via Postman and use it in the header “Authorization: Bearer <id_token>” as per the Tyk documentation. Below is the gateway log:

Mar 16 13:45:03 localhost tyk[30978]: time=“Mar 16 13:45:03” level=info msg=“Attempted access to unauthorised API.” api_found=false key=58af0af64ef4e20f80037e52d5ed2e002a9de94e5ca2d64124ef2cf7 origin=10.147.5.61 path=“/servertime/”
Mar 16 13:45:03 localhost tyk[30978]: time=“Mar 16 13:45:03” level=error msg=“request error: Access to this API has been disallowed” api_id=9853012577d84af467e9a652e2afd737 org_id=58af0af64ef4e20f80037e52 path=“/” server_name=“https://..com/v1.0/server-time/” user_id=“****2cf7” user_ip=10.147.5.61

Hi, I believe Tyk doesn’t try to authenticate with the OpenID Connect provider for this flow. It would just fetch the public key from the OpenID Connect provider and verify the signature of the given JWT. Here is the gateway log:

Mar 16 13:45:03 localhost tyk[30978]: time=“Mar 16 13:45:03” level=info msg=“Attempted access to unauthorised API.” api_found=false key=58af0af64ef4e20f80037e52d5ed2e002a9de94e5ca2d64124ef2cf7 origin=10.147.5.61 path=“/servertime/”
Mar 16 13:45:03 localhost tyk[30978]: time=“Mar 16 13:45:03” level=error msg=“request error: Access to this API has been disallowed” api_id=9853012577d84af467e9a652e2afd737 org_id=58af0af64ef4e20f80037e52 path=“/” server_name=“https://admin-qa.xome.com/v1.0/server-time/” user_id=“****2cf7” user_ip=10.147.5.61

That is correct - with Tyk you need to include the ID token; that is what gets validated.