JWT and policies


#1

Hi !

I've set up an API protected by JWT authentication. Although the system works well, I've noticed the following:

  • It’s required (in the API definition) to specify in which JWT claim Tyk will find the policy ID.
  • However, I can specify all the restrictions and policies I want in the key itself

So, in my opinion, the information is duplicated. I would have expected the policy claim to be optional, with Tyk applying all the policies of the key in that case. The JWT would then be cleaner as well, containing just the Tyk key.

What do you think ?


#2

Hi,
Your query makes sense in the case where you want an individual secret per key (by creating a key in Tyk in the "Key Management" screen, as shown below) — is that correct? (Otherwise I don't really understand your comment "I can specify all the restrictions and policies I want in the key itself", so please explain again.)

And you are right: all the info is in the key and you don't need to set it in the JWT. This is how it works, and the only thing in your way is the UI, which is a bit confusing :slight_smile: and which we could probably enhance (if there is no secret or public key in the API definition, then we should not display the "pol" requirement). Would you like to create a ticket for that yourself, so you can get an update when this is implemented in the product?

Thanks
Yaara


#3

BTW, this is the API definition I use to test:

{
"id": "5b5aea0ec9d01e00012a75ba",
"name": "jwt with kid secret",
"slug": "jwt-api",
"api_id": "a663e4f681f740c763b52face4c75c7b",
"org_id": "5a27d62846337f000197d68a",
"use_keyless": false,
"use_oauth2": false,
"use_openid": false,
"openid_options": {
"providers": [],
"segregate_by_client": false
},
"oauth_meta": {
"allowed_access_types": [],
"allowed_authorize_types": [],
"auth_login_redirect": ""
},
"auth": {
"use_param": true,
"param_name": "",
"use_cookie": true,
"cookie_name": "",
"auth_header_name": "Authorization",
"use_certificate": false,
"validate_signature": false,
"signature": {
"algorithm": "",
"header": "",
"secret": "",
"allowed_clock_skew": 0,
"error_code": 0,
"error_message": ""
}
},
"use_basic_auth": false,
"basic_auth": {
"disable_caching": false,
"cache_ttl": 0,
"extract_from_body": false,
"body_user_regexp": "",
"body_password_regexp": ""
},
"use_mutual_tls_auth": false,
"client_certificates": [],
"upstream_certificates": {},
"pinned_public_keys": {},
"enable_jwt": true,
"use_standard_auth": false,
"enable_coprocess_auth": false,
"jwt_signing_method": "hmac",
"jwt_source": "",
"jwt_identity_base_field": "sub",
"jwt_client_base_field": "",
"jwt_policy_field_name": "pol",
"jwt_issued_at_validation_skew": 0,
"jwt_expires_at_validation_skew": 0,
"jwt_not_before_validation_skew": 0,
"jwt_skip_kid": false,
"notifications": {
"shared_secret": "",
"oauth_on_keychange_url": ""
},
"enable_signature_checking": false,
"hmac_allowed_clock_skew": -1,
"hmac_allowed_algorithms": [],
"base_identity_provided_by": "",
"definition": {
"location": "header",
"key": "x-api-version",
"strip_path": false
},
"version_data": {
"not_versioned": true,
"default_version": "",
"versions": {
"Default": {
"name": "Default",
"expires": "",
"paths": {
"ignored": [],
"white_list": [],
"black_list": []
},
"use_extended_paths": true,
"extended_paths": {},
"global_headers": {},
"global_headers_remove": [],
"global_size_limit": 0,
"override_target": ""
}
}
},
"uptime_tests": {
"check_list": [],
"config": {
"expire_utime_after": 0,
"service_discovery": {
"use_discovery_service": false,
"query_endpoint": "",
"use_nested_query": false,
"parent_data_path": "",
"data_path": "",
"port_data_path": "",
"target_path": "",
"use_target_list": false,
"cache_timeout": 60,
"endpoint_returns_list": false
},
"recheck_wait": 0
}
},
"proxy": {
"preserve_host_header": false,
"listen_path": "/a663e4f681f740c763b52face4c75c7b/",
"target_url": "http://httpbin.org/",
"disable_strip_slash": false,
"strip_listen_path": true,
"enable_load_balancing": false,
"target_list": [],
"check_host_against_uptime_tests": false,
"service_discovery": {
"use_discovery_service": false,
"query_endpoint": "",
"use_nested_query": false,
"parent_data_path": "",
"data_path": "",
"port_data_path": "",
"target_path": "",
"use_target_list": false,
"cache_timeout": 0,
"endpoint_returns_list": false
},
"transport": {
"ssl_ciphers": [],
"ssl_min_version": 0,
"proxy_url": ""
}
},
"disable_rate_limit": false,
"disable_quota": false,
"custom_middleware": {
"pre": [],
"post": [],
"post_key_auth": [],
"auth_check": {
"name": "",
"path": "",
"require_session": false
},
"response": [],
"driver": "",
"id_extractor": {
"extract_from": "",
"extract_with": "",
"extractor_config": {}
}
},
"custom_middleware_bundle": "",
"cache_options": {
"cache_timeout": 60,
"enable_cache": true,
"cache_all_safe_requests": false,
"cache_response_codes": [],
"enable_upstream_cache_control": false,
"cache_control_ttl_header": ""
},
"session_lifetime": 0,
"active": true,
"auth_provider": {
"name": "",
"storage_engine": "",
"meta": {}
},
"session_provider": {
"name": "",
"storage_engine": "",
"meta": {}
},
"event_handlers": {
"events": {}
},
"enable_batch_request_support": false,
"enable_ip_whitelisting": false,
"allowed_ips": [],
"enable_ip_blacklisting": false,
"blacklisted_ips": [],
"dont_set_quota_on_create": false,
"expire_analytics_after": 0,
"response_processors": [],
"CORS": {
"enable": false,
"allowed_origins": [],
"allowed_methods": [],
"allowed_headers": [],
"exposed_headers": [],
"allow_credentials": false,
"max_age": 24,
"options_passthrough": false,
"debug": false
},
"domain": "",
"certificates": [],
"do_not_track": false,
"tags": [],
"enable_context_vars": false,
"config_data": {},
"tag_headers": [],
"global_rate_limit": {
"rate": 0,
"per": 0
},
"strip_auth_data": false
}

And this is my JWT:

curl -X GET
https://tyk-for-demo.cloud.tyk.io/jwt-api/ip
-H ‘Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjVhMjdkNjI4NDYzMzdmMDAwMTk3ZDY4YTQ3NjAyZTZhN2FhMzQwNzM5ODMxNjkyZjhlYTc5NTg4In0.eyJzdWIiOiJ5YWFyYWxldHoiLCJuYW1lIjoiSm9obiBEb2UiLCJpYXQiOjE1MTYyMzkwMjJ9.EZTj9CyxBmCtkC-w0o6mXoo1GpYe5H_7MA4kW2LwufgeyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjVhMjdkNjI4NDYzMzdmMDAwMTk3ZDY4YTQ3NjAyZTZhN2FhMzQwNzM5ODMxNjkyZjhlYTc5NTg4In0.eyJzdWIiOiJ5YWFyYWxldHoiLCJuYW1lIjoiSm9obiBEb2UiLCJpYXQiOjE1MTYyMzkwMjJ9.EZTj9CyxBmCtkC-w0o6mXoo1GpYe5H_7MA4kW2Lwufg’

It has a `kid` in its header referencing a token I had created in Tyk:

{
"alg": "HS256",
"typ": "JWT",
"kid": "5a27d62846337f000197d68a47602e6a7aa340739831692f8ea79588"
}