JWT - No matching policy response

Hi,
I have a JWT-enabled API, for which I'm generating a JWT and using it in the Authorization header as 'Bearer jwt' while making calls to the API. However, I get the {"error": "Key not authorized: no matching policy"} response. Below is the split of the different JWT components I'm using to create the JWT -

Header:
{
  "alg": "HS256",
  "typ": "JWT"
}

Payload:
{
  "sub": "abcxyz",
  "pid": "589ae41cabcb24106d7577e4"
}

Verify signature:
HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), hmac shared secret)

The value in the pid claim is the ID I got while creating the policy. The identity source is set to 'sub' and the policy field name is set to 'pid' in the API's JWT configuration. Can you let me know what I'm doing wrong here?
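Added example, not code from the original post or from Tyk: a minimal HS256 JWT minter and verifier in Python that reproduces the three components listed above (header, payload, HMAC-SHA256 over the base64url-encoded header and payload), then applies the same claim mapping the gateway is configured with (identity from `sub`, policy ID from `pid`) and checks the policy ID against a list of loaded policies. The shared secret, the `known_policy_ids` stand-in for the gateway's loaded policy list, and all function names are assumptions made for this example. It goes slightly beyond the post by pinning the algorithm to HS256 during verification, which is the standard defence against alg=none and key-confusion tokens.

```python
import base64
import hashlib
import hmac
import json

# Constructed values: the claims are those from the post above; the shared
# secret is made up for this example and must not be reused anywhere.
SHARED_SECRET = b"example-shared-secret-do-not-use"
HEADER = {"alg": "HS256", "typ": "JWT"}
PAYLOAD = {"sub": "abcxyz", "pid": "589ae41cabcb24106d7577e4"}


def b64url_encode(raw: bytes) -> str:
    # JWS uses base64url without '=' padding (RFC 7515, section 2).
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding that was stripped at encode time.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    # Signing input is exactly what the post shows:
    # base64UrlEncode(header) + "." + base64UrlEncode(payload)
    compact = {"separators": (",", ":")}
    signing_input = (
        b64url_encode(json.dumps(header, **compact).encode("utf-8"))
        + "."
        + b64url_encode(json.dumps(payload, **compact).encode("utf-8"))
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256(token: str, secret: bytes) -> dict:
    """Return the verified claims, or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected header.payload.signature")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    # Pin the algorithm: the verifier, not the token, decides which algorithm
    # is acceptable. This rejects alg=none and RS256/HS256 confusion.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    expected = hmac.new(secret, (h + "." + p).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p))


def resolve_identity_and_policy(claims: dict, known_policy_ids,
                                identity_source: str = "sub",
                                policy_field: str = "pid"):
    """Mirror the gateway's JWT configuration: which claim carries the
    identity, which carries the policy ID, and whether that ID is among the
    policies the gateway has loaded. known_policy_ids is a constructed
    stand-in for the 'Policies found' list in the gateway log."""
    identity = claims.get(identity_source)
    policy_id = claims.get(policy_field)
    if identity is None:
        raise ValueError("identity source claim %r missing" % identity_source)
    if policy_id is None:
        raise ValueError("policy field claim %r missing" % policy_field)
    if policy_id not in known_policy_ids:
        # This is the situation behind "Key not authorized: no matching policy":
        # the token is valid, but the gateway never loaded a policy with this ID.
        raise LookupError("no matching policy for %r" % policy_id)
    return identity, policy_id


def authorization_header(token: str) -> str:
    return "Authorization: Bearer " + token


def raises(exc_type, fn, *args, **kwargs) -> bool:
    # Small helper so failure cases can be checked as plain booleans.
    try:
        fn(*args, **kwargs)
    except exc_type:
        return True
    return False


if __name__ == "__main__":
    tok = sign_hs256(HEADER, PAYLOAD, SHARED_SECRET)
    print(authorization_header(tok))
    claims = verify_hs256(tok, SHARED_SECRET)
    print(resolve_identity_and_policy(claims, {"589ae41cabcb24106d7577e4"}))
    # Same token, but the gateway has no policies loaded (as in the log below):
    print(raises(LookupError, resolve_identity_and_policy, claims, set()))
```

Run it as a script to print the header value you would send; the last line shows the failure mode from the post, where the signature is fine but no loaded policy has the ID carried in `pid`.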

Can you share the log output of the gateway? In particular, when it loads up, you'll see the policies it is loading into memory. Check that your policy is in that list; it will look like this:

time="Feb  9 04:34:52" level=info msg="Policies found: 8"
time="Feb  9 04:34:52" level=info msg="--> Processing policy ID: xxxxxxxxxxxxxxxxxxxxxxxxxxx"
time="Feb  9 04:34:52" level=info msg="--> Processing policy ID: xxxxxxxxxxxxxxxxxxxxxxxxxxx"
time="Feb  9 04:34:52" level=info msg="--> Processing policy ID: xxxxxxxxxxxxxxxxxxxxxxxxxxx"
time="Feb  9 04:34:52" level=info msg="--> Processing policy ID: xxxxxxxxxxxxxxxxxxxxxxxxxxx"
time="Feb  9 04:34:52" level=info msg="--> Processing policy ID: xxxxxxxxxxxxxxxxxxxxxxxxxxx"


I am trying this in an installation of ubuntu on my machine, which has tyk installed using the apt-get repository. May I know where I can find the logs in this installation?

Hi, you should find them in /var/log or /var/log/upstart.

Thanks Matias.

This is what I see in the log file upon restarting gateway -

[Feb 9 12:34:44] INFO De-registering: ec54691d-2797-4579-4445-4bbc97faf19b
[Feb 9 12:34:44] INFO De-registered.
[Feb 9 12:34:44] INFO Terminating.
[Feb 9 12:34:47] INFO Connection dropped, connecting…
[Feb 9 12:34:47] INFO main: PIDFile location set to: /var/run/tyk-gateway.pid
[Feb 9 12:34:47] ERROR Instrumentation is enabled, but no connectionstring set for statsd
[Feb 9 12:34:47] INFO main: Initialising Tyk REST API Endpoints
[Feb 9 12:34:47] INFO main: → Standard listener (http)
[Feb 9 12:34:47] INFO main: Setting up Server
[Feb 9 12:34:47] INFO main: Registering node.
[Feb 9 12:34:47] INFO dashboard: Node registered id=ec54691d-2797-4579-4445-4bbc97faf19b
[Feb 9 12:34:47] INFO main: Initialising distributed rate limiter
[Feb 9 12:34:47] INFO Starting gateway rate imiter notifications…
[Feb 9 12:34:47] INFO main: Detected 1 APIs
[Feb 9 12:34:47] INFO main: Loading API configurations.
[Feb 9 12:34:47] INFO main: Tracking hostname api_name=test domain=(no host)
[Feb 9 12:34:47] INFO main: Loading API api_name=test
[Feb 9 12:34:47] INFO main: Checking security policy: JWT api_name=test
[Feb 9 12:34:47] INFO gateway: Loaded: test api_id=c13866c1dc5e4e2973767de30e842f2f org_id=584693cdabcb2411b2000010 server_name=-- user_id=-- user_ip=--
[Feb 9 12:34:48] WARN pub-sub: Insecure configuration detected (allowing)!
[Feb 9 12:34:48] INFO main: Processed and listening on: /test/{rest:.*}
[Feb 9 12:34:48] INFO host-check-mgr: Loading uptime tests…
[Feb 9 12:34:48] INFO main: Initialised API Definitions
[Feb 9 12:34:48] INFO main: Loading policies
[Feb 9 12:34:48] INFO main: Using Policies from Dashboard Service
[Feb 9 12:34:48] INFO policy: Mutex lock acquired… calling
[Feb 9 12:34:48] INFO policy: Calling dashboard service for policy list
[Feb 9 12:34:48] ERROR Policy request failed: Get https://localhost:3000/system/policies: http: server gave HTTP response to HTTPS client
[Feb 9 12:34:48] INFO main: Gateway started (v2.3.1.2)
[Feb 9 12:34:48] INFO main: → Listening on address: (open interface)
[Feb 9 12:34:48] INFO main: → Listening on port: 8080
[Feb 9 12:34:48] INFO main: → PID: 3482
[Feb 9 12:34:50] INFO pub-sub: Using /opt/tyk-gateway/tyk.conf for configuration

I don’t see the entries that Martin posted.

Do you have SSL enabled?

What’s the output of this command?

curl -v https://localhost:3000

Yep. That was it. I had configured the policy connection string in the gateway to use https instead of http. Thanks for leading me to the issue, Matias/Martin. Appreciate the help.


Good to know that it’s working.

Best.