JWT scope to policy mapping not working: no matching policy found

I’m using Tyk OSS gateway and I’m trying to set up JWT scope to policy mapping but it is not working with the error

{
  "error": "key not authorized: no matching policy found"
}

API definition:
{
  "name": "test",
  "api_id": "1",
  "org_id": "",
  "auth": {
    "auth_header_name": "Authorization"
  },
  "enable_jwt": true,
  "jwt_signing_method": "rsa",
  "jwt_source": "jwks url",
  "jwt_identity_base_field": "sub",
  "jwt_scope_claim_name": "scope",
  "jwt_scope_to_policy_mapping": {
    "test/read": "test"
  },
  "jwt_default_policies": []
}

Policy definition:

{
  "id": "test",
  "name": "test",
  "allowance": 1,
  "rate": 1,
  "per": 5,
  "access_rights": {
    "1": {
      "api_name": "<name>",
      "api_id": "1",
      "versions": ["Default"]
    }
  },
  "active": true
}

Partial logs:

tyk-gateway_1 | time="Apr 18 07:27:50" level=debug msg="Querying authstore" api_id=1 api_name="" mw=JWTMiddleware org_id= origin=192.168.144.1 path=/graphql
tyk-gateway_1 | time="Apr 18 07:27:50" level=debug msg="Could not get session detail, key not found" err="key not found" inbound-key="****1071" prefix=auth-mgr
tyk-gateway_1 | time="Apr 18 07:27:50" level=debug msg="Key does not exist, creating" api_id=1 api_name="" mw=JWTMiddleware org_id= origin=192.168.144.1 path=/graphql
tyk-gateway_1 | time="Apr 18 07:27:50" level=debug msg="EVENT FIRED: AuthFailure"

Hi @hannahlindblad

I think the complete logs would show some info about the missing policy.

However, you may be experiencing this because you haven’t defined any default policy in jwt_default_policies. A default policy, even if unused, needs to be set here.

Additionally, it might be because you have not defined "jwt_policy_field_name": "pol". This is a required entry (it mustn’t necessarily be ‘pol’) if using the Dashboard UI.

Are you able to check these and revert? Also, please confirm your Gateway version.

Yes, it was because I was missing jwt_default_policies but I also figured out that the jwt_scope_to_policy_mapping was deprecated in the version of the gateway I was using (4.3.3). Working now with
  "jwt_default_policies": ["default"],
  "scopes": {
    "jwt": {
      "jwt_scope_claim_name": "scope",
      "scope_to_policy": {
        "test/read": "test"
      }
    }
  },

Thanks for your reply

Just a small correction in the json snippet:

  "jwt_default_policies": ["default"],
  "scopes": {
    "jwt": {
      "scope_claim_name": "scope",
      "scope_to_policy": {
        "test/read": "test"
      }
    }
  },

  • scope_claim_name mustn’t be prefixed with "jwt_".
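As an added example (not code from this thread or from Tyk itself), a small Python lint that checks an API definition for the three problems this thread uncovered (empty jwt_default_policies, the deprecated jwt_scope_to_policy_mapping key, and the wrongly prefixed scope_claim_name) and a simplified model of how scopes resolve to policies. The API definitions, the policy table and the resolution logic are constructed assumptions for illustration.

```python
# Constructed inputs, assumed for this example: the thread's API definition in
# the deprecated form, and the same definition rewritten as the thread's fix.
OLD_API_DEF = {
    "name": "test", "api_id": "1", "enable_jwt": True,
    "jwt_scope_claim_name": "scope",
    "jwt_scope_to_policy_mapping": {"test/read": "test"},  # deprecated in 4.3.3
    "jwt_default_policies": [],
}
NEW_API_DEF = {
    "name": "test", "api_id": "1", "enable_jwt": True,
    "jwt_default_policies": ["default"],
    "scopes": {"jwt": {"scope_claim_name": "scope",
                       "scope_to_policy": {"test/read": "test"}}},
}
# Policy ids the gateway knows about (constructed; only what the lint needs).
POLICIES = {"test": {"active": True}, "default": {"active": True}}


def lint_jwt_policy_config(api_def, policies):
    """Return findings for the three misconfigurations discussed in the thread."""
    findings = []
    if not api_def.get("jwt_default_policies"):
        findings.append("jwt_default_policies is empty; a default policy is required")
    if "jwt_scope_to_policy_mapping" in api_def:
        findings.append("jwt_scope_to_policy_mapping is deprecated; use scopes.jwt.scope_to_policy")
    jwt_scopes = api_def.get("scopes", {}).get("jwt", {})
    if "jwt_scope_claim_name" in jwt_scopes:
        findings.append("scopes.jwt.jwt_scope_claim_name should be scope_claim_name (no jwt_ prefix)")
    # Every policy referenced by the mapping or the defaults must actually exist.
    referenced = list(jwt_scopes.get("scope_to_policy", {}).values())
    referenced += api_def.get("jwt_default_policies", [])
    for pol in referenced:
        if pol not in policies:
            findings.append(f"referenced policy {pol!r} is not defined")
    return findings


def resolve_policies(api_def, claims):
    """Simplified model (an assumption for this example, not Tyk's code): map each
    scope in the token's scope claim through scopes.jwt.scope_to_policy, else fall
    back to jwt_default_policies. An empty result is the thread's
    'no matching policy found' situation."""
    jwt_scopes = api_def.get("scopes", {}).get("jwt", {})
    raw = claims.get(jwt_scopes.get("scope_claim_name", "scope"), "")
    # Assumes a space-separated string (OAuth style) or a JSON array of scopes.
    scopes = raw.split() if isinstance(raw, str) else list(raw)
    mapping = jwt_scopes.get("scope_to_policy", {})
    matched = [mapping[s] for s in scopes if s in mapping]
    return matched or list(api_def.get("jwt_default_policies", []))
```

Running the lint over the original definition reports the empty default-policy list and the deprecated mapping key; the corrected definition passes clean and resolves a token with scope test/read to the test policy.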