Custom Bearer token implementation on the ResourceServer end to use tyk Mutual Authentication using TLS (maTLS) feature

Hi - I’ve been unsuccessfully trying to integrate the tyk JWKS which has been provided to me. The problem I am facing is - tyk is sending me a JWT with someCustomHeader which I think has been added in the tyk admin dashboard by my admin under the mTLS authentication mechanism (used by my org currently).
Can anyone please help me understand what additional configuration can help me achieve the validation of that JWT (which is generated as a result of any third calling service making the request to tyk and ultimately tyk calling my service) in my spring-boot application?
Any suggestions would be greatly appreciated!

This won’t be possible to reverse engineer. You need to figure out what is signing the JWT that is being passed to Tyk, and then use that signature signing method to validate the JWT on your backend.

In a correct setup, you should be trusting JWTs that come from Tyk. You would configure Tyk to validate the JWT that is being passed by the client, and then after validation, Tyk will forward the JWT to your backend, at which point your backend shouldn’t have to check the validation of the JWT; it would only check the contents to perform business logic.

However, if you are operating in a zero-trust scenario then yes, you will need to validate the JWT which is passed by Tyk in someCustomHeader in your backend APIs. But again, you will have to figure out how your organization is signing JWTs in order to publicly validate them.

Do you know what is creating the JWTs? Is it some library in Spring Boot or is it some third party software? You would use the same mechanism to validate the JWT.

@sedky sorry, but I may be a little confused here. If that’s the scenario, then what’s the purpose of the JWT which is being sent by tyk to my on-premises service in the mutual authentication using TLS?

Please correct me if I am wrong, but as I understand it, the flow as mentioned in tyk is →
any outside service calls tyk with SSL → tyk creates the bearer token based on validation of the SSL and forwards it to → my on-premises service, which in turn validates the JWT before processing the request.

You are confusing two things I believe.

mTLS is essentially a network layer authentication. The client and Tyk validate each other using paired certificates.

JWT is an application layer authentication where some party generates a JWT and then sends to the API gateway for authentication/authorization. The API Gateway then forwards it to your back end service.

Is it possible you’re confusing the two?

I am not quite sure @sedky; the requirement I’ve been assigned is something like below. Hope that helps you understand my requirement, which is to validate/verify the integrity of the bearer token being sent to my service, using the JWKS endpoint given to me.

Flow

  1. Service 1 calls the Service 2 API (my service in this case) through the tyk IAG (Internet API Gateway)
  2. The IAG authenticates Service 1 using mutual authentication over TLS (MATLS)
  3. If the mutual authentication is successful, the IAG creates a signed JSON Web Token (JWT), which includes the following claims:
     • Issuer (iss): IAG (this will be taken from the IAG signing certificate)
     • Subject (sub): Subject DN taken from the Client certificate presented by Service 1 in mutual authentication
     • Audience (aud): Service 2 (this will be taken from the URI of the request to Service 2)
  4. The IAG forwards the request to Service 2, with the token passed in the authorisation header as a Bearer token
  5. Service 2 retrieves the public signing key for the token by calling the IAG hosted JWKS service and uses the key to verify the integrity of the token
  6. If the token is valid, Service 2 completes and sends a final response.
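The flow above (and the "validate it with the same mechanism that signed it" advice earlier in the thread) maps directly onto a Spring Security resource server: the signature is checked against the gateway's JWKS endpoint, and the iss, aud and sub claims the IAG populates are enforced explicitly, since the JWKS check alone only proves the token was signed by the gateway, not that it was minted for this service or for an allowed caller. The following configuration is an added example, not code from the thread, from Tyk or from the poster's project; the JWKS URL, the issuer string "IAG", the audience URI and the Subject DN pattern it checks are assumptions that would be replaced with the values the gateway team actually provides.

```java
// Added example: Spring Boot resource server validating the Bearer JWT forwarded by
// the gateway. JWKS_URI, EXPECTED_ISSUER, EXPECTED_AUDIENCE and the "O=Example Org"
// Subject DN check are placeholder assumptions, not values from the thread.
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimNames;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class GatewayJwtResourceServerConfig {

    // Assumed values: the JWKS URL handed out by the gateway team, the iss value the
    // gateway writes into its tokens, and the audience this service expects to see.
    private static final String JWKS_URI = "https://iag.example.internal/.well-known/jwks.json";
    private static final String EXPECTED_ISSUER = "IAG";
    private static final String EXPECTED_AUDIENCE = "https://service2.example.internal/api";

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, JwtDecoder jwtDecoder) throws Exception {
        // Every request must carry a valid Bearer token; the decoder below does the checking.
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(jwt -> jwt.decoder(jwtDecoder)));
        return http.build();
    }

    @Bean
    JwtDecoder jwtDecoder() {
        // Step 5 of the flow: the signing key is fetched (and cached) from the gateway's
        // JWKS endpoint and selected by the kid header of the incoming token.
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(JWKS_URI).build();

        // Timestamp (exp/nbf) validation plus an exact match on the iss claim.
        OAuth2TokenValidator<Jwt> issuerAndTimestamps =
            JwtValidators.createDefaultWithIssuer(EXPECTED_ISSUER);

        // aud must name this service; without this a token the gateway minted for a
        // different backend would still verify against the same JWKS.
        OAuth2TokenValidator<Jwt> audience = new JwtClaimValidator<List<String>>(
            JwtClaimNames.AUD, aud -> aud != null && aud.contains(EXPECTED_AUDIENCE));

        // sub carries the Subject DN of the caller's client certificate. Requiring it to be
        // present and to match an allowed organisation is an assumed policy for this example.
        OAuth2TokenValidator<Jwt> subject = new JwtClaimValidator<String>(
            JwtClaimNames.SUB, sub -> sub != null && sub.contains("O=Example Org"));

        decoder.setJwtValidator(
            new DelegatingOAuth2TokenValidator<>(issuerAndTimestamps, audience, subject));
        return decoder;
    }
}
```

Spring's default bearer token resolver reads the Authorization header, which matches step 4 of the flow. If the gateway is instead placing the token in a custom header (the someCustomHeader mentioned at the top of the thread), register a HeaderBearerTokenResolver for that header name via oauth2.bearerTokenResolver(...) in the filter chain; everything else in the decoder stays the same. The business logic then reads the verified Subject DN from the Jwt principal rather than trusting any caller-supplied header.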