Basic JWT validation


#1

I’m still new to Tyk. I finally got Tyk running in a Kubernetes cluster, but now I’m having trouble configuring it. I created multiple APIs, including one for the admin frontend and one for the public frontend. Each frontend is able to log in using the authentication microservice, which generates an RSA JWT. My understanding is that Tyk is able to validate the JWT’s using the public key, but I haven’t been able to get that to work. The debug tool at https://jwt.io/ verifies that the authentication service is generating valid JWTs.

Eventually I’d like to find a way to integrate the application’s authentication and authorization logic into access to the different APIs, but for now I just want to get JWTs validated.

I started by editing the API and changing the authentication mode from ‘open’ to ‘jwt’, set the signing method to RSA, and pasted the same public key used in the jwt.io tool. I set the identity source to ‘sub’, which is the email field in the JWT payload. After doing all of this, the gateway always responds with {"error": "Key not authorized"}. I tried adding a policy id to the payload, and adding that field name below the identity source, but it doesn’t seem to have an effect, and I have no idea if I’m generating policies correctly anyway. I’ve searched looked through all kinds of documentation, but haven’t found what I’m looking for. Is there a guide to set this up?


#2

Hi Reesew,

The following documentation should help you to set up JWT in Tyk:
https://tyk.io/tyk-documentation/integrate/json-web-tokens/

Please let us know if you’re unsure of anything or have any further questions.

Kind regards,

Jess @ Tyk


#3

That is the guide I followed to get as far as I am and ask this question…


#4

Hi Reesew,

Could you please provide the API Definition that you’re using so that I can look into the matter?

Many thanks,

Jess @ Tyk


#5

By uploading the file resulting from the ‘export’ button, or what? Would I need to redact anything?


#6

Hi,

What header did you use to access the API? Did you add the Bearer component to the Authorization header before the actual JWT?

M


#7

Yes, “Authorization: Bearer eyJh…”


#8

@reesew Cna you share the API Definition? You can anonymise any target servers etc. Also, you might wan to exclude your public key.

M.


#9

like this?

{
    "id": "580e56c3a7efa90001000008",
    "name": "Admin",
    "slug": "admin-api",
    "api_id": "d9f91aaa9e234f3b731e0a69f877bf82",
    "org_id": "58094960a7efa90001000001",
    "use_keyless": false,
    "use_oauth2": false,
    "use_openid": false,
    "openid_options": {
        "providers": [],
        "segregate_by_client": false
    },
    "oauth_meta": {
        "allowed_access_types": [],
        "allowed_authorize_types": [],
        "auth_login_redirect": ""
    },
    "auth": {
        "use_param": false,
        "param_name": "",
        "use_cookie": false,
        "cookie_name": "",
        "auth_header_name": "Authorization"
    },
    "use_basic_auth": false,
    "enable_jwt": true,
    "jwt_signing_method": "rsa",
    "jwt_source": "LS0t...LS0t",
    "jwt_identity_base_field": "",
    "jwt_client_base_field": "",
    "jwt_policy_field_name": "policy",
    "notifications": {
        "shared_secret": "",
        "oauth_on_keychange_url": ""
    },
    "enable_signature_checking": false,
    "hmac_allowed_clock_skew": -1,
    "definition": {
        "location": "header",
        "key": "x-api-version"
    },
    "version_data": {
        "not_versioned": true,
        "versions": {
            "Default": {
                "name": "Default",
                "expires": "",
                "paths": {
                    "ignored": [],
                    "white_list": [],
                    "black_list": []
                },
                "use_extended_paths": true,
                "extended_paths": {
                    "ignored": [],
                    "white_list": [],
                    "black_list": [],
                    "cache": [],
                    "transform": [],
                    "transform_response": [],
                    "transform_headers": [],
                    "transform_response_headers": [],
                    "hard_timeouts": [],
                    "circuit_breakers": [],
                    "url_rewrites": [],
                    "virtual": [],
                    "size_limits": [],
                    "method_transforms": []
                },
                "global_headers": {},
                "global_headers_remove": [],
                "global_size_limit": 0,
                "override_target": ""
            }
        }
    },
    "uptime_tests": {
        "check_list": [],
        "config": {
            "expire_utime_after": 0,
            "service_discovery": {
                "use_discovery_service": false,
                "query_endpoint": "",
                "use_nested_query": false,
                "parent_data_path": "",
                "data_path": "",
                "port_data_path": "",
                "target_path": "",
                "use_target_list": false,
                "cache_timeout": 60,
                "endpoint_returns_list": false
            },
            "recheck_wait": 0
        }
    },
    "proxy": {
        "preserve_host_header": false,
        "listen_path": "/admin",
        "target_url": "http://api-adapter",
        "strip_listen_path": true,
        "enable_load_balancing": false,
        "target_list": [],
        "check_host_against_uptime_tests": false,
        "service_discovery": {
            "use_discovery_service": false,
            "query_endpoint": "",
            "use_nested_query": false,
            "parent_data_path": "",
            "data_path": "hostname",
            "port_data_path": "port",
            "target_path": "/api-slug",
            "use_target_list": false,
            "cache_timeout": 60,
            "endpoint_returns_list": false
        }
    },
    "custom_middleware": {
        "pre": [],
        "post": [],
        "response": []
    },
    "cache_options": {
        "cache_timeout": 60,
        "enable_cache": true,
        "cache_all_safe_requests": false,
        "cache_response_codes": [],
        "enable_upstream_cache_control": false
    },
    "session_lifetime": 0,
    "active": true,
    "auth_provider": {
        "name": "",
        "storage_engine": "",
        "meta": {}
    },
    "session_provider": {
        "name": "",
        "storage_engine": "",
        "meta": null
    },
    "event_handlers": {
        "events": {}
    },
    "enable_batch_request_support": false,
    "enable_ip_whitelisting": false,
    "allowed_ips": [
        "my.public.ip",
        "10.0.0.0/8"
    ],
    "dont_set_quota_on_create": false,
    "expire_analytics_after": 0,
    "response_processors": [],
    "CORS": {
        "enable": true,
        "allowed_origins": [
            "admin.example.com"
        ],
        "allowed_methods": [],
        "allowed_headers": [
            "Content-Type"
        ],
        "exposed_headers": [
            "Access-Token"
        ],
        "allow_credentials": false,
        "max_age": 24,
        "options_passthrough": false,
        "debug": false
    },
    "domain": "admin-api.example.com:3000",
    "do_not_track": false,
    "tags": [],
    "enable_context_vars": false
}

#10

Hi I have same issue…there are any news ?


#11

Have you followed the guide on our site for JWT?


#12

Hi, I am having the same issue. I am using postman to call my tyk API and getting this response:

{
“error”: “Key not authorized: no matching policy found”
}

Can you please provide any link which clearly explains how to set up JWT with TYK or you can suggest anything i am missing. I found tyk documentation is not sufficient for beginner in JWT.
Thanks.!


#13

Have you followed this guide?


#14

Yes, I have.
I have created a separate ticket for my issue here