Invalid JWT token. Validation error

Hi Guys,

We are using Keycloak for IAM and have certain APIs registered with TYK which we want to guard using access tokens.

  1. I am getting the access token during login from Keycloak:

```json
{
"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJSRzJxVGUzckM3LUlLZG5hQmJ5Tmszb1Yzel9ZSzBreGxOM254c0R5WGw4In0.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.JZDJI-hcqnGO1uzLWHTzN6V7l8Cipqga7dcWYJs7oFVThx0d_DbXap50oKcxtPEH3xVY7urQ8RWihVCruK4UabcqrHd4nxiXL9BfhnxLtUme5TeSshEXmGxr14H1JsoqLoPL4K9cgjChePKvKyZF_BVaE55m75W7Lb-d63-bduQuzcnGWLG9YS_x1a4TIaULwaNoZgadw-LGLemJ7r-UMs_YKRxWyChjpVVgm0DOVh7tdV1JucqLqfy_csaSPv1e2O529QM7_hw7vFkF10CsqaND-Bwk9AsPAGJaCLbBjcoe4oNlgHJ3hxGQCpT6P7d4vrEyO78m-5b6knCD0jdBng",
"expires_in": 600,
"refresh_expires_in": 1800,
"refresh_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJSRzJxVGUzckM3LUlLZG5hQmJ5Tmszb1Yzel9ZSzBreGxOM254c0R5WGw4In0.eyJqdGkiOiIzZGFiZTUwNS05ZmIwLTRmZWEtYjk0My0wNmNmNDdlMWE2MTgiLCJleHAiOjE1MzE3OTIzODYsIm5iZiI6MCwiaWF0IjoxNTMxNzkwNTg2LCJpc3MiOiJodHRwczovL25leHQuc29maWNvLmNvbS5hdS9hdXRoL3JlYWxtcy9tYXN0ZXIiLCJhdWQiOiJtaWxlcy13ZWItbW9iaWxpdHktbWFuYWdlciIsInN1YiI6ImY6MjA3OTE1NGMtYzFkZC00ZDE3LWFlMjUtZjgyNDFhZjFjZTlhOjI1MDEzMiIsInR5cCI6IlJlZnJlc2giLCJhenAiOiJtaWxlcy13ZWItbW9iaWxpdHktbWFuYWdlciIsImF1dGhfdGltZSI6MCwic2Vzc2lvbl9zdGF0ZSI6IjQ3OGE4NTIzLWQwY2MtNDA1Zi1hOTk2LTEyNjUxYWM1MjkzNiIsInJlc291cmNlX2FjY2VzcyI6e319.Mc4lPXGgSzNALXDs5AFruj5Jj0Rj5acrL6CdzcLVo90tzW9GcIz2NnAydPU1IPcB8j9ZK3AVBnZsGfOfpyrRJGDueWOjSpVq8tdIDGSLXps2j8ks781-n7BEPVYlvsbKjERuZsTXNqskikuc8gr3wXrdG8kdgWZVQ_mT8c7lKsn7xoddcd1nwKFYVXBAx44LxSX-Htc_TWvjymWXS3CJrN0VXBecEHJAy-Ng0pLrq6JVJlba4ad65mrgzK3g2z4lmYAKOgkx_j5lLan0o-vwGtiuwNNjgqXYJiabPhdFfurh0zKoWYOP7FEgCJFrysrKbHiXnP7f5-ZEBfsnJpkeEA",
"token_type": "bearer",
"not-before-policy": 0,
"session_state": "478a8523-d0cc-405f-a996-12651ac52936"
}
```

  2. Use the access token from step 1 to access the API via TYK, which revalidates my token against Keycloak; this is where I am getting the JWT Invalid error:

```
time="Jul 16 09:28:07" level=warning msg="JWT Invalid: Validation error. Validation error. Failure while contacting the configuration endpoint
```

Have been using postman for my testing so far.
Have uploaded the API gateway logs as well.

Any idea what am I missing?

Hi!

It seems that at the moment you have configured it as an OpenID integration, as based on the logs it expects both an aud claim with the client id and the server to support the standard OpenID configuration endpoint (".well-known/openid-configuration"). Are you sure that you need OpenID and not just JWT auth?

Thank you.
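To make the two checks named above concrete, here is an added example (my own stdlib-only Python, not Tyk or Keycloak code) of what an OpenID-mode gateway does with a bearer token: fetch the issuer's `.well-known/openid-configuration`, load the JWKS it points to, verify the signature, then check `iss`, `aud` against the configured client id, and `exp`. The issuer URL, key and tokens are constructed; it uses HS256 so it runs without extra libraries, whereas Keycloak signs with RS256, and the offline `fetch` fails with the same wording the gateway log shows when the discovery endpoint cannot be reached.

```python
import base64, hashlib, hmac, json, time

def b64url_decode(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64url_encode(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

# Constructed stand-ins for what an OIDC-mode gateway fetches from the issuer (hypothetical URLs, HS256 key).
ISSUER = "https://idp.example/auth/realms/master"
KEY = b"constructed-shared-secret"
DOCS = {
    ISSUER + "/.well-known/openid-configuration": {"issuer": ISSUER, "jwks_uri": ISSUER + "/protocol/openid-connect/certs"},
    ISSUER + "/protocol/openid-connect/certs": {"keys": [{"kty": "oct", "kid": "k1", "k": b64url_encode(KEY)}]},
}

def fetch(url):
    """Offline stand-in for HTTP GET; fails the way the gateway log does when the endpoint is unreachable."""
    if url not in DOCS:
        raise ConnectionError("Failure while contacting the configuration endpoint " + url)
    return DOCS[url]

def mint(claims, kid="k1", key=KEY):
    """Build a signed HS256 JWT as constructed test input (not a Keycloak token)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT", "kid": kid}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def validate(token, client_id, now=None):
    """Return (ok, reason) with the checks OIDC mode implies: discovery -> JWKS -> signature -> iss/aud/exp."""
    try:
        h, b, s = token.split(".")
        hdr, claims, sig = json.loads(b64url_decode(h)), json.loads(b64url_decode(b)), b64url_decode(s)
    except ValueError:
        return False, "malformed token"
    try:  # the step that produced "Failure while contacting the configuration endpoint"
        cfg = fetch(claims.get("iss", "") + "/.well-known/openid-configuration")
        keys = {k["kid"]: b64url_decode(k["k"]) for k in fetch(cfg["jwks_uri"])["keys"]}
    except (ConnectionError, KeyError) as e:
        return False, f"discovery failed: {e}"
    if hdr.get("alg") != "HS256" or hdr.get("kid") not in keys:
        return False, "unknown alg or kid"
    expected = hmac.new(keys[hdr["kid"]], f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    if claims.get("iss") != cfg["issuer"]:
        return False, "iss does not match discovery document"
    aud = claims.get("aud", [])
    if client_id not in ([aud] if isinstance(aud, str) else aud):
        return False, f"aud {aud!r} does not contain client id {client_id!r}"
    if claims.get("exp", 0) <= (now or time.time()):
        return False, "token expired"
    return True, "ok"
```

The aud check is the one most often tripped by Keycloak: unless a client scope maps the gateway's client id into `aud`, an access token issued to one client will not carry it.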

leon, thanks for the reply. The answer is yes, indeed we do need OpenID for authentication.
My next step would be to check if the container hosting the TYK gateway is able to communicate with the OpenID integration endpoint. Will keep you posted. Is there a way to see/capture the token which TYK is actually sending to the OpenID endpoint by enabling some logs or something?

@kunal_sumbly, were you able to find a solution to this problem?

Thanks!