matt
April 19, 2018, 5:13pm
1
Hello,
We have an API Key associated with a API Definition by the Keys Access Control list, and Authentication by token turned on.
We can access this API with the Key as expected. HOWEVER, we can also access this API using any Authorization value that has 3 characters or less.
Obviously this is a concern. Including API Def
See the Authorization Header?
The same request with 4 characters
Here is the Auth section of API dev
"use_keyless": false,
"use_oauth2": false,
"oauth_meta": {
    "allowed_access_types": [],
    "allowed_authorize_types": [],
    "auth_login_redirect": ""
},
"auth": {
    "auth_header_name": "Authorization",
    "param_name": "",
    "cookie_name": "",
    "use_param": false,
    "use_cookie": false
},
Any help or guidance here?
Hi, thanks for reporting this, which gateway version are you using?
matt
April 19, 2018, 7:06pm
3
We are using 2.3.5 and have 2.6.0 in some environments. We are seeing this in both.
matt
April 19, 2018, 7:09pm
4
If it helps, we are configured in Hashed Key mode
Hi matt,
Thank you for raising the issue - we believe this is down to our hashing algorithm and we are actively working to fix it.
There are a few mitigating factors worth considering:
This does not affect our cloud or hybrid environment
This does not affect environments that are not using key hashing
We believe it only affects environments that are sparsely populated - i.e. have few keys issued
For new installations: the workaround is to disable key hashing in the Tyk.conf
Alternatively - generating several dummy keys (doing so with a separate organisation would be better) should also suffice.
We’ll post more information here as we investigate.
Kind regards,
Martin
Josh
June 5, 2018, 1:48pm
6
Hi Matt
Quick update for you that a fix for the 3 character key bug was pushed today with further enhancements and refinements to our key auth system coming in upcoming releases. Please see our release notes here: Gateway 2.6.2, Dashboard 1.6.2, Pump 0.5.3, MDCB 1.5.4 for more details.
Thanks
Josh
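A small regression probe for the behaviour reported in this thread, added here as an example and not code from the thread or from Tyk: it sends requests whose Authorization value is 0 to 4 junk characters (none a real key) and reports which lengths the gateway accepted, so an operator can confirm after upgrading or after disabling key hashing that every short token is rejected. The URL in the usage block is a placeholder.

```python
import urllib.error
import urllib.request
from typing import Callable, Dict, List

# Added example; not part of the thread or of Tyk. A sender maps an
# Authorization header value to the HTTP status the gateway returned.
Sender = Callable[[str], int]


def probe_short_tokens(send: Sender, max_len: int = 4) -> Dict[int, int]:
    """Send one request per token length 0..max_len; return {length: status}."""
    results: Dict[int, int] = {}
    for n in range(max_len + 1):
        token = "x" * n  # constructed junk token, never an issued key
        results[n] = send(token)
    return results


def accepted_lengths(statuses: Dict[int, int]) -> List[int]:
    """Token lengths that produced a 2xx, i.e. were wrongly let through."""
    return sorted(n for n, status in statuses.items() if 200 <= status < 300)


def http_sender(url: str) -> Sender:
    """Real sender: GET the URL with the given Authorization value."""
    def send(token: str) -> int:
        req = urllib.request.Request(url, headers={"Authorization": token})
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code  # 401/403 is the expected outcome for junk tokens
    return send


if __name__ == "__main__":
    # Placeholder URL: point it at an API definition that requires a key.
    statuses = probe_short_tokens(http_sender("http://localhost:8080/my-api/"))
    bad = accepted_lengths(statuses)
    print("short Authorization values accepted:", bad or "none (OK)")
```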