(beginner - tyk cloud) keycloak kid header

Hi!

I’m trying to use the tokens generated by my Keycloak server in Tyk. The token is valid (checked in jwt.io) and I have added a mapper to set the (sub) claim value to the Tyk key ID.
My problem is that Tyk keeps saying “Key not authorized”…
If I go into the “Log Browser” I can see the 403 errors and it looks like it cannot find the key (00000000).

I suspect that the problem comes from the KID header field, already used by Keycloak to store its own ID (but the Tyk key is in the sub, anyway). It says that Tyk checks both, but I don’t know how it works if the kid is already used for other purposes. Does it consider sub as a fallback?

As I did not find a way to prevent Keycloak from adding its kid field, how can I make this work?

Hi!

Yes, indeed, this problem is due to the kid header, as it is used by Tyk for individual key signing: //tyk.io/docs/basic-config-and-security/security/authentication-authorization/json-web-tokens/

It only checks the sub claim if the kid header is empty, so at present this would not be possible on Cloud. I will create a ticket for this and suggest it be added to the backlog :slight_smile:
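
The lookup rule described in the reply above (kid header first, sub claim only when kid is empty), written out as an added Python example to show why a Keycloak-issued token misses the Tyk key. This is not Tyk's own code and not code from this thread; the sample tokens, the key ID "abc123", the Keycloak kid value and the key store are constructed assumptions, and the code does not verify signatures, it only shows which identifier the lookup uses.

```python
import base64
import json

# Constructed sample key store: maps Tyk key IDs to session data.
# "abc123" is a hypothetical Tyk key ID, not one from the thread.
TYK_KEYS = {"abc123": {"policy": "default"}}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_unsigned_jwt(header: dict, payload: dict) -> str:
    """Build a JWT-shaped string with an empty signature segment.

    Only for demonstrating the lookup; a real token would be signed.
    """
    return f"{_b64url_encode(header)}.{_b64url_encode(payload)}."


def parse_jwt(token: str) -> tuple[dict, dict]:
    """Split a compact JWT and decode its header and payload (no verification)."""
    header_b64, payload_b64, _signature = token.split(".")
    return (
        json.loads(_b64url_decode(header_b64)),
        json.loads(_b64url_decode(payload_b64)),
    )


def resolve_key_id(token: str):
    """Return the identifier the gateway would use to find the session.

    Mirrors the rule stated in the reply: the kid header wins whenever it is
    present and non-empty; the sub claim is consulted only as a fallback.
    """
    header, payload = parse_jwt(token)
    kid = header.get("kid")
    if kid:
        return kid
    return payload.get("sub")


def lookup_session(token: str):
    """Look the resolved identifier up in the key store; None means no key found."""
    return TYK_KEYS.get(resolve_key_id(token))


# Constructed token in the shape Keycloak emits: kid names the realm signing key,
# while the mapper has placed the Tyk key ID in sub.
KEYCLOAK_STYLE_TOKEN = make_unsigned_jwt(
    {"alg": "RS256", "typ": "JWT", "kid": "keycloak-signing-key-1"},
    {"sub": "abc123", "iss": "https://keycloak.example/realms/demo"},
)

# Constructed token without a kid header: the sub fallback is reached.
NO_KID_TOKEN = make_unsigned_jwt(
    {"alg": "RS256", "typ": "JWT"},
    {"sub": "abc123"},
)

if __name__ == "__main__":
    for name, tok in (("keycloak-style", KEYCLOAK_STYLE_TOKEN), ("no-kid", NO_KID_TOKEN)):
        print(name, "->", resolve_key_id(tok), "->", lookup_session(tok))
```

With the Keycloak-style token the resolved identifier is the signing-key kid, which has no matching entry, so the lookup fails exactly as the "Key not authorized" 403 in the question; the same payload without a kid resolves to the sub claim and is found.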

Hi Luan,

Many thanks for confirming this!
I will keep an eye on this ticket as it’s a blocking issue for me.

You can track this issue here: Add option to ignore kid header in JWT validation · Issue #1551 · TykTechnologies/tyk · GitHub