Could not find a valid policy to apply to this token!

Hi Everyone,

I’m setting up the open-source Tyk API Gateway v4.3.3. I do not have any of the pro tools (Dashboard, Portal, UI etc.). I have used the standard docker-compose file to build the Tyk & Redis containers. I have 2 endpoints (1 GET & 1 POST) and I want to protect them with JWT.

Observations:

  1. The policies are not getting updated. The API call to list all policies returns only the default pre-built policy.
  2. Error while associating a key with a policy: “Unmarshalling error for Go struct”

However, no matter what I try, I keep getting the error: Could not find a valid policy to apply to this token!

I’m a newbie, so please explain step by step how to resolve the issue.
I need support to resolve this persistent issue. I have shared all the configs below.

API Configurations
{
“name”: “FMG.Automation.AssetManager.Api”,
“slug”: “”,
“listen_port”: 0,
“protocol”: “”,
“enable_proxy_protocol”: false,
“api_id”: “09441a2a615a46a59e500043697b044a”,
“org_id”: “1”,
“use_keyless”: false,
“use_oauth2”: false,
“external_oauth”: {
“enabled”: false,
“providers”: null
},
“use_openid”: false,
“openid_options”: {
“providers”: null,
“segregate_by_client”: false
},
“oauth_meta”: {
“allowed_access_types”: null,
“allowed_authorize_types”: null,
“auth_login_redirect”: “”
},
“auth”: {
“name”: “”,
“use_param”: false,
“param_name”: “”,
“use_cookie”: false,
“cookie_name”: “”,
“disable_header”: false,
“auth_header_name”: “Authorization”,
“use_certificate”: false,
“validate_signature”: false,
“signature”: {
“algorithm”: “”,
“header”: “”,
“use_param”: false,
“param_name”: “”,
“secret”: “”,
“allowed_clock_skew”: 0,
“error_code”: 0,
“error_message”: “”
}
},
“auth_configs”: {
“authToken”: {
“name”: “”,
“use_param”: false,
“param_name”: “”,
“use_cookie”: false,
“cookie_name”: “”,
“disable_header”: false,
“auth_header_name”: “”,
“use_certificate”: false,
“validate_signature”: false,
“signature”: {
“algorithm”: “”,
“header”: “”,
“use_param”: false,
“param_name”: “”,
“secret”: “”,
“allowed_clock_skew”: 0,
“error_code”: 0,
“error_message”: “”
}
},
“jwt”: {
“name”: “”,
“use_param”: false,
“param_name”: “”,
“use_cookie”: false,
“cookie_name”: “”,
“disable_header”: false,
“auth_header_name”: “”,
“use_certificate”: false,
“validate_signature”: false,
“signature”: {
“algorithm”: “”,
“header”: “”,
“use_param”: false,
“param_name”: “”,
“secret”: “”,
“allowed_clock_skew”: 0,
“error_code”: 0,
“error_message”: “”
}
}
},
“use_basic_auth”: false,
“basic_auth”: {
“disable_caching”: false,
“cache_ttl”: 0,
“extract_from_body”: false,
“body_user_regexp”: “”,
“body_password_regexp”: “”
},
“use_mutual_tls_auth”: false,
“client_certificates”: [],
“upstream_certificates”: {},
“pinned_public_keys”: {},
“enable_jwt”: true,
“use_standard_auth”: false,
“use_go_plugin_auth”: false,
“enable_coprocess_auth”: false,
“jwt_signing_method”: “hmac”,
“jwt_source”: “MTczNjM5ZWU=”,
“jwt_identity_base_field”: “sub”,
“jwt_client_base_field”: “”,
“jwt_policy_field_name”: “pol”,
“jwt_default_policies”: “default”,
“jwt_issued_at_validation_skew”: 0,
“jwt_expires_at_validation_skew”: 0,
“jwt_not_before_validation_skew”: 0,
“jwt_skip_kid”: true,
“scopes”: {
“jwt”: {
“scope_claim_name”: “role”
},
“oidc”: {}
},
“jwt_scope_to_policy_mapping”: {},
“jwt_scope_claim_name”: “role”,
“notifications”: {
“shared_secret”: “”,
“oauth_on_keychange_url”: “”
},
“enable_signature_checking”: false,
“hmac_allowed_clock_skew”: -1,
“hmac_allowed_algorithms”: [],
“request_signing”: {
“is_enabled”: false,
“secret”: “”,
“key_id”: “”,
“algorithm”: “”,
“header_list”: [],
“certificate_id”: “”,
“signature_header”: “”
},
“base_identity_provided_by”: “”,
“definition”: {
“enabled”: false,
“name”: “”,
“default”: “”,
“location”: “header”,
“key”: “x-version”,
“strip_path”: false,
“strip_versioning_data”: false,
“versions”: {}
},
“version_data”: {
“not_versioned”: true,
“default_version”: “”,
“versions”: {
“”: {
“name”: “”,
“expires”: “”,
“paths”: {
“ignored”: [],
“white_list”: [],
“black_list”: []
},
“use_extended_paths”: true,
“extended_paths”: {
“validate_request”: [
{
“enabled”: true,
“path”: “/Asset”,
“method”: “POST”,
“error_response_code”: 422
},
{
“enabled”: true,
“path”: “/Asset/id”,
“method”: “GET”,
“error_response_code”: 422
}
],
“persist_graphql”: null
},
“global_headers”: {
“x-upn”: “$tyk_context.jwt_claims_upn”,
“x-username”: “$tyk_context.jwt_claims_name”,
“x-userrole”: “$tyk_context.jwt_claims_role”
},
“global_headers_remove”: [],
“global_response_headers”: {
“x-upn”: “$tyk_context.jwt_claims_upn”,
“x-username”: “$tyk_context.jwt_claims_name”,
“x-userrole”: “$tyk_context.jwt_claims_role”
},
“global_response_headers_remove”: [],
“ignore_endpoint_case”: false,
“global_size_limit”: 0,
“override_target”: “http://host.docker.internal:7187”
}
}
},
“uptime_tests”: {
“check_list”: null,
“config”: {
“expire_utime_after”: 0,
“service_discovery”: {
“use_discovery_service”: false,
“query_endpoint”: “”,
“use_nested_query”: false,
“parent_data_path”: “”,
“data_path”: “”,
“port_data_path”: “”,
“target_path”: “”,
“use_target_list”: false,
“cache_timeout”: 0,
“endpoint_returns_list”: false
},
“recheck_wait”: 0
}
},
“proxy”: {
“preserve_host_header”: false,
“listen_path”: “/”,
“target_url”: “http://host.docker.internal:7187”,
“disable_strip_slash”: false,
“strip_listen_path”: false,
“enable_load_balancing”: false,
“target_list”: null,
“check_host_against_uptime_tests”: false,
“service_discovery”: {
“use_discovery_service”: false,
“query_endpoint”: “”,
“use_nested_query”: false,
“parent_data_path”: “”,
“data_path”: “”,
“port_data_path”: “”,
“target_path”: “”,
“use_target_list”: false,
“cache_timeout”: 0,
“endpoint_returns_list”: false
},
“transport”: {
“ssl_insecure_skip_verify”: false,
“ssl_ciphers”: null,
“ssl_min_version”: 0,
“ssl_max_version”: 0,
“ssl_force_common_name_check”: false,
“proxy_url”: “”
}
},
“disable_rate_limit”: false,
“disable_quota”: false,
“custom_middleware”: {
“pre”: null,
“post”: null,
“post_key_auth”: null,
“auth_check”: {
“name”: “”,
“path”: “”,
“require_session”: false,
“raw_body_only”: false
},
“response”: null,
“driver”: “”,
“id_extractor”: {
“extract_from”: “”,
“extract_with”: “”,
“extractor_config”: null
}
},
“custom_middleware_bundle”: “”,
“cache_options”: {
“cache_timeout”: 0,
“enable_cache”: true,
“cache_all_safe_requests”: false,
“cache_response_codes”: [],
“enable_upstream_cache_control”: false,
“cache_control_ttl_header”: “”,
“cache_by_headers”: []
},
“session_lifetime”: 0,
“active”: true,
“internal”: false,
“auth_provider”: {
“name”: “”,
“storage_engine”: “”,
“meta”: null
},
“session_provider”: {
“name”: “”,
“storage_engine”: “”,
“meta”: null
},
“event_handlers”: {
“events”: null
},
“enable_batch_request_support”: false,
“enable_ip_whitelisting”: false,
“allowed_ips”: null,
“enable_ip_blacklisting”: false,
“blacklisted_ips”: null,
“dont_set_quota_on_create”: false,
“expire_analytics_after”: 0,
“response_processors”: [
{
“name”: “header_injector”,
“options”: {}
}
],
“CORS”: {
“enable”: true,
“allowed_origins”: [],
“allowed_methods”: [],
“allowed_headers”: [],
“exposed_headers”: [],
“allow_credentials”: true,
“max_age”: 0,
“options_passthrough”: true,
“debug”: false
},
“domain”: “”,
“certificates”: null,
“do_not_track”: false,
“enable_context_vars”: true,
“config_data”: null,
“tag_headers”: null,
“global_rate_limit”: {
“rate”: 0,
“per”: 0
},
“strip_auth_data”: false,
“enable_detailed_recording”: false,
“graphql”: {
“enabled”: false,
“execution_mode”: “”,
“version”: “”,
“schema”: “”,
“type_field_configurations”: null,
“playground”: {
“enabled”: false,
“path”: “”
},
“engine”: {
“field_configs”: null,
“data_sources”: null
},
“proxy”: {
“auth_headers”: null
},
“subgraph”: {
“sdl”: “”
},
“supergraph”: {
“subgraphs”: null,
“merged_sdl”: “”,
“global_headers”: null,
“disable_query_batching”: false
}
},
“analytics_plugin”: {},
“tags”: []
}

Tyk configuration

{
“log_level”: “info”,
“listen_port”: 8080,
“secret”: “b65ec7e313c2ebc4df14b6041dcc5c7e”,
“template_path”: “/opt/tyk-gateway/templates”,
“tyk_js_path”: “/opt/tyk-gateway/js/tyk.js”,
“middleware_path”: “/opt/tyk-gateway/middleware”,
“use_db_app_configs”: false,
“app_path”: “/opt/tyk-gateway/apps/”,
“storage”: {
“type”: “redis”,
“host”: “tyk-redis”,
“port”: 6379,
“username”: “”,
“password”: “”,
“database”: 0,
“optimisation_max_idle”: 2000,
“optimisation_max_active”: 4000
},
“enable_analytics”: false,
“analytics_config”: {
“type”: “”,
“ignored_ips”: []
},
“health_check”: {
“enable_health_checks”: false,
“health_check_value_timeouts”: 60
},
“optimisations_use_async_session_write”: false,
“enable_non_transactional_rate_limiter”: true,
“enable_sentinel_rate_limiter”: false,
“enable_redis_rolling_limiter”: false,
“allow_master_keys”: false,
“policies”: {
“policy_source”: “file”,
“policy_record_name”: “/opt/tyk-gateway/policies/policies.json”,
“allow_explicit_policy_id”: true
},
“hash_keys”: true,
“close_connections”: false,
“http_server_options”: {
“enable_websockets”: true,
“ssl_certificates”: [“concat-dockerhost”, “concat”]
},
“allow_insecure_configs”: true,
“coprocess_options”: {
“enable_coprocess”: true,
“coprocess_grpc_server”: “”
},
“enable_bundle_downloader”: true,
“bundle_base_url”: “”,
“global_session_lifetime”: 100,
“force_global_session_lifetime”: false,
“max_idle_connections_per_host”: 500,
“enable_jsvm”: true,
“enable_hashed_keys_listing”:true
}

Docker compose file

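version: '3.3'
services:
  tyk-gateway:
    image: docker.tyk.io/tyk-gateway/tyk-gateway:v4.3.3
    ports:
      - 8080:8080
    networks:
      - fms_network
    volumes:
      - ./tyk.standalone.conf:/opt/tyk-gateway/tyk.conf
      - ./apps:/opt/tyk-gateway/apps
      - ./middleware:/opt/tyk-gateway/middleware
      - ./certs:/opt/tyk-gateway/certs
      # NOTE(review): tyk.conf sets policies.policy_source to "file" and
      # policy_record_name to /opt/tyk-gateway/policies/policies.json, but no
      # ./policies volume is mounted here, so the gateway only ever sees whatever
      # (if anything) ships inside the image at that path. A mount such as
      #   - ./policies:/opt/tyk-gateway/policies
      # is the first thing to check for the "only the default policy is listed" symptom.
    environment:
      # Tyk reads TYK_GW_* as overrides of the matching tyk.conf keys (confirm for
      # this version). TYK_GW_SECRET repeats the "secret" value already in tyk.conf;
      # keep the two in sync or drop one, so a later rotation cannot leave the file
      # and the environment disagreeing about the admin API secret.
      - TYK_GW_SECRET=b65ec7e313c2ebc4df14b6041dcc5c7e
      - TYK_GW_VERSIONHEADER=version
      - TYK_GW_SUPPRESSREDISSIGNALRELOAD=false
      # Mirrors policies.allow_explicit_policy_id in tyk.conf.
      - TYK_GW_POLICIES_ALLOWEXPLICITPOLICYID=true
      - TYK_GW_ENABLECUSTOMDOMAINS=true
      # Mirrors allow_insecure_configs in tyk.conf.
      - TYK_GW_ALLOWINSECURECONFIGS=true
      - TYK_GW_ALLOWREMOTECONFIG=true
    depends_on:
      - tyk-redis

  tyk-redis:
    image: redis:6.2.7-alpine
    networks:
      - fms_network
    # This mapping publishes Redis on the host. tyk.conf connects to it with an
    # empty password, so anything that can reach the host's port 6379 can read and
    # modify the gateway's key/session store. The gateway reaches Redis over
    # fms_network by service name ("tyk-redis"), so the host port is not needed
    # for the setup shown here and can be dropped unless an external client uses it.
    ports:
      - 6379:6379

networks:
  fms_network:
    driver: bridge
    attachable: true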

JWT token:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjE2YzMyMWY0YzJlMWU0NGE5OGY4MzFlOGFiYzgwNGJhOSJ9.eyJpc3MiOiJmbXMtd2ViIiwicG9sIjoiZGVmYXVsdCIsInN1YiI6ImFueXN1YiIsInJvbGUiOiJkZWZhdWx0IiwidXBuIjoiZGViYXJwYW4uY29vbWFyQGZvby5jb20iLCJuYW1lIjoiRmlyc3RuYW1lIExhc3RuYW1lIiwiZXhwIjo0NzA4NjgzMjA1Ljg5MTkxMn0.43JAAL3drRHPuJV-w4b4yURa5CMqx07chmUc-iDdM8c

HMACSHA256 signature key: 173639ee

Hi @debarpan.coomar and welcome to the community.

From the looks of things, I guess you are adding your policies via our REST API. If that’s the case then you might want to be aware of a recent change

So you might want to use policy path in your config to take advantage of the policy REST APIs

Fixing this should at least ensure your policies are showing up correctly

About your observations

  1. This feels like an issue with your gateway configuration, which I have addressed above. Kindly let us know how this goes.

  2. This is a common but very generic error that happens when there is an issue with Tyk trying to create a key from the REST API. Two culprits are usually the cause here

    • Missing policy definition to associate the key with
    • Misconfigured key definition. Maybe there is some issue with the JSON syntax.

Try doing this again once point one has been fixed.

One more thing: fix the value of jwt_default_policies in your API definition. The expected value is an array of strings (e.g. [“default”]), whereas your definition currently has the bare string “default”.