Just want to make it work and I can't


#1

Imported Google Group message. Original thread at: https://groups.google.com/forum/#!topic/tyk-community-support/1ZV6VjL6HTM Import Date: 2016-01-19 21:36:28 +0000.
Sender:[email protected].
Date:Tuesday, 15 December 2015 11:23:01 UTC.

Hi,

Tyk Dashboard Version: 0.9.7.0
Tyk Rest API Version: 1.6

I have the following API configured, mentioned below.

I want to use Basic Authentication for the user name and password that the user will enter, and I will check against my database whether this user exists and wrote the correct password.
If the user enters his correct password, I want to return a JWT token for the other requests.
So, I tried to configure an ignored path for the login (Basic Authentication) flow, and it doesn't work; it always wants me to send an Authorization header.
Second, I don't know how to use the JWT token to call my API; it always gets blocked on the gateway with all kinds of errors: "Authorization field missing", "User not authorised", "Key not authorised" etc.
I tried all the access control examples you wrote on the website; none of them work for me.
In the Dashboard I always see only errors on the graph; none of the requests succeed.

So, this is the flow I am trying; can someone direct me how to work with this?

{
  "last_check": 0,
  "allowance": 1000,
  "rate": 1000,
  "per": 1,
  "expires": 1449783789,
  "quota_max": -1,
  "quota_renews": 1449778050,
  "quota_remaining": -1,
  "quota_renewal_rate": 60,
  "access_rights": {
    "1f0ada4290b24825468c5eba574edbfe": {
      "api_name": "test",
      "api_id": "1f0ada4290b24825468c5eba574edbfe",
      "versions": [
        "Default"
      ],
      "allowed_urls": null
    }
  },
  "org_id": "56648d0556c02c0bcf000001",
  "oauth_client_id": "",
  "oauth_keys": null,
  "basic_auth_data": {
    "password": "",
    "hash_type": ""
  },
  "jwt_data": {
    "secret": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4w5xhil8YFSLptRxzQsi\nJgQm7DxfVx7nEFAndQDw/7a1VfIfhhzZlUYx6u+57kP4+JPhqLMl9hEPnJh2DMPV\n4wrQAOSe6pDK5UP/xZQx8ygy70lGfJ6MVo7mkXKaofKobOhkFIOhqtLU/6CrzFl+\nKdFIsD7pt+FxV6mMmPbnAvDN+hF5NwU6N61WGAZER8z7SSTgayGpuHdUKCdPwfui\nUIEX3GxhskzV/ROiS+R/NbQZlsfmQqcBJ5FxhOtAVevi9s7x6LLTSQKopuuunSTT\ntu3ys/hs5m6AqNPPkLKqp6R8iXF1Lg0DMeQlFHYwEo3oRweMNhfYRzC3ukioSf+G\nuwIDAQAB\n-----END PUBLIC KEY-----"
  },
  "hmac_enabled": false,
  "hmac_string": "",
  "is_inactive": false,
  "apply_policy_id": "",
  "data_expires": 0,
  "monitor": {
    "trigger_limits": null
  },
  "meta_data": {},
  "tags": []
}

I am trying the following requests:
In order to create the user (meir):
curl -X POST http://localhost:8080/tyk/keys/meir -H "x-tyk-authorization: 1f0ada4290b24825468c5eba574edbfe"
Or:
curl -X POST http://localhost:5000/tyk/keys/meir -H "x-tyk-authorization: 1f0ada4290b24825468c5eba574edbfe"
Errors: "error": "User not authorised", "error": "Authorization field missing"

In order to log in with the user:
curl -X POST http://localhost:8080/test/token_auth -H "Authorization: Basic bWVpcjp0ZXN0aW5n"
OR
curl http://localhost:8080/test/auth_token -H "Authorization: Basic bWVpcjp0ZXN0aW5n" -H "x-tyk-authorization: 1f0ada4290b24825468c5eba574edbfe"
Errors: "error": "There was a problem proxying the request" Or, "error": "Key not authorised"

Call to my API with an existing JWT token:
curl -X POST http://localhost:8080/test/hello -H "Authorization: Bearer eyJhbGciOiJSUzUxMiIsImtpZCI6IjFmMGFkYTQyOTBiMjQ4MjU0NjhjNWViYTU3NGVkYmZlIiwidHlwIjoiSldUIn0.eyJleHAiOjE0NTA0MzM1MzIsImlhdCI6MTQ1MDE3NDMzMiwic3ViIjoiIn0.CDIW-eQDRsmAc5e2V5KaXxZP6lvfm0qBgopkzrTxVR2RYklm230KcPT7hba1csAADZhaDZvc70XMMsS2hVmf83aI4Up7439DUjbBpLp6sPjYUjVnuoxj2cNW1Vqol1eyaQzTo4dm6HR9yojbvs7vmFKe8B5Ps8gOOZJEJc1hmEJorl49YwsX7wI4q2bc2IDtFrdaJD4JBSFNDBP1DWYTkfEKUloa_edWbluzR772Pub7Nog3kpqJJL2R_-pZz7ATeM-5b0SdvIg0mt5S-ZbF3sKD1uCc_GTkztxsZCYLSr8_0WuXQu_uWj2u6M09su46KMu_JWF86hfHrG5oEZJHsg"
Errors: "error": "Key not authorised"

The JWT token is generated with RSA, and I added the "kid" header to the token with the value of the API key (1f0ada4290b24825468c5eba574edbfe).

So, can anyone tell me what I am missing here?

Thanks.


#2

Imported Google Group message.
Sender:Martin Buhr.
Date:Tuesday, 15 December 2015 20:03:21 UTC.

Hi,

When you generate your API in the dashboard, and you set an ignored path (e.g. /login), then Tyk should just bypass that path altogether - remember you will need to add GET and POST entries since your form will be posting the data and the GET will display the challenge.

I assume by basic auth flow you mean basic auth and not OAuth password flow.

If the auth succeeds, your app will need to use the Tyk REST (or advanced) API to generate a new temporary key for this user and give it to them somehow.

The API itself will need to be set up using JWT as the access control method.

If the ignored path is not being ignored, then it is not being matched correctly. I would solve this first.

Hope that helps,

Martin



#3

Imported Google Group message.
Sender:[email protected].
Date:Tuesday, 15 December 2015 23:00:05 UTC.

Hi,
Thank you for your answer, but can you please tell me how it should work? You said that I need to call the REST API and then give them the key somehow, so how? I'm not quite sure I understand the answer.
Let's suppose I want to work with the JWT authentication method; what should the API definition look like?
I tried what you wrote about POST/GET in the ignored path, using the dashboard in the 'Endpoint Designer', but it's still not working; my API is not getting any requests from the gateway, and the gateway just throws errors like I mentioned before.

  1. What is the "kid" header, and what should it contain?
  2. How can I create the temporary key, so that the gateway will know about it?
  3. If the API is called 'test' and the ignored path is /login, then when I am calling http://localhost:8080/test/login, should it be ignored and get to my API without any authorization/authentication?

Regards,


#4

Imported Google Group message.
Sender:Martin Buhr.
Date:Tuesday, 15 December 2015 23:24:10 UTC.

Hi,

So I can't really explain how everything in Tyk works in an email; that's what the docs are for. I've added several links below that explain most of the concepts, including Tyk's APIs that enable all of this capability. I hope these help.

  1. What is the "kid" header, and what should it contain?

http://self-issued.info/docs/draft-jones-json-web-token-01.html#ReservedHeaderParameterName

https://tyk.io/v1.9/access-control/json-web-tokens/#tyk-json-web-tokens:be256830241f7dc27936f7751ed2a96e

"If Tyk cannot find a kid header, it will try to find an ID in the sub field of the claims section. This is not recommended, but supported as many JWT libraries do not necessarily set the kid header claim (especially publicly available test generators)"

To be clear: this is the key that you generated when you created a JWT token in the dashboard or via the Tyk API.

  2. How can I create the temporary key, so that the gateway will know about it?

Using the Advanced APIs:
https://tyk.io/advanced-api-v0-9/api-keys/

Using the Gateway API:
https://tyk.io/v1.9/rest-api/api-key-management/

  3. If the API is called 'test' and the ignored path is /login, then when I am calling http://localhost:8080/test/login, should it be ignored and get to my API without any authorization/authentication?

Yes, but you might want to get rid of the preceding slash in the path you define in the designer.

Thanks,
Martin
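To make Martin's answer to question 1 concrete, the following added example (not code from the thread or from Tyk) decodes a compact JWT the way the quoted docs describe the key lookup: take the `kid` header if present, otherwise fall back to the `sub` claim, and reject tokens that carry neither. It is run against the token posted in #1; signature checking is deliberately left out here, since that is the gateway's job against the public key in `jwt_data.secret`.

```python
import base64
import json

# Token posted in message #1 of the thread (RS512, with a "kid" header).
PAGE_TOKEN = (
    "eyJhbGciOiJSUzUxMiIsImtpZCI6IjFmMGFkYTQyOTBiMjQ4MjU0NjhjNWViYTU3NGVkYmZlIiwidHlwIjoiSldUIn0."
    "eyJleHAiOjE0NTA0MzM1MzIsImlhdCI6MTQ1MDE3NDMzMiwic3ViIjoiIn0."
    "CDIW-eQDRsmAc5e2V5KaXxZP6lvfm0qBgopkzrTxVR2RYklm230KcPT7hba1csAADZhaDZvc70XMMsS2hVmf83aI4Up7"
    "439DUjbBpLp6sPjYUjVnuoxj2cNW1Vqol1eyaQzTo4dm6HR9yojbvs7vmFKe8B5Ps8gOOZJEJc1hmEJorl49YwsX7wI4"
    "q2bc2IDtFrdaJD4JBSFNDBP1DWYTkfEKUloa_edWbluzR772Pub7Nog3kpqJJL2R_-pZz7ATeM-5b0SdvIg0mt5S-ZbF"
    "3sKD1uCc_GTkztxsZCYLSr8_0WuXQu_uWj2u6M09su46KMu_JWF86hfHrG5oEZJHsg"
)


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    """Encode a JSON object as an unpadded base64url segment (for constructed test tokens)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def compact_token(header: dict, claims: dict, signature: str = "sig") -> str:
    """Assemble a constructed compact token; the signature is a dummy, used only to
    exercise the lookup logic below, never to be accepted by a gateway."""
    return ".".join([_b64url_encode(header), _b64url_encode(claims), signature])


def decode_unverified(token: str) -> tuple:
    """Split header.claims.signature and parse the two JSON parts WITHOUT verifying
    the signature. Only the gateway, holding jwt_data.secret, may trust the result."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.claims.signature)")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def tyk_key_lookup_id(token: str) -> str:
    """Return the session key ID the quoted docs say Tyk looks up for this token:
    the 'kid' header first, falling back to the 'sub' claim, else nothing usable."""
    header, claims = decode_unverified(token)
    if header.get("kid"):
        return header["kid"]
    if claims.get("sub"):
        return claims["sub"]
    raise ValueError("no kid header and no sub claim: gateway cannot map token to a key")
```

For the posted token this returns the value put in `kid`, which is why Martin points out that it must be a key Tyk actually knows about, not an arbitrary value.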