JWT state issue

We have an issue where Tyk saves the state of an expired JWT, and when we try to re-authenticate with a different JWT, it returns a 401.

Our api definition -

{
“name”: “Linrest API”,
“api_id”: “ce5546caa386429ead660fe9c6049b93”,
“org_id”: “default”,
“enable_context_vars”: true,
“definition”: {
“location”: “header”,
“key”: “version”
},
“auth”: {
“auth_header_name”: “authorization”
},
“session_lifetime”: 0,
“version_data”: {
“not_versioned”: true,
“versions”: {
“Default”: {
“name”: “Default”,
“expires”: “3000-01-02 15:04”,
“use_extended_paths”: true,
“extended_paths”: {
“ignored”: [],
“white_list”: [],
“black_list”: [],
“transform_headers”: [
{
“delete_headers”: [],
“add_headers”: {
“organization_id”: “$tyk_context.jwt_claims_organizationId”,
“id”: “$tyk_context.jwt_claims_id”
},
“method”: “GET”
},
{
“delete_headers”: [],
“add_headers”: {
“organization_id”: “$tyk_context.jwt_claims_organizationId”,
“id”: “$tyk_context.jwt_claims_id”
},
“method”: “POST”
},
{
“delete_headers”: [],
“add_headers”: {
“organization_id”: “$tyk_context.jwt_claims_organizationId”,
“id”: “$tyk_context.jwt_claims_id”
},
“method”: “PUT”
},
{
“delete_headers”: [],
“add_headers”: {
“organization_id”: “$tyk_context.jwt_claims_organizationId”,
“id”: “$tyk_context.jwt_claims_id”
},
“method”: “DELETE”
},
{
“delete_headers”: [],
“add_headers”: {
“organization_id”: “$tyk_context.jwt_claims_organizationId”,
“id”: “$tyk_context.jwt_claims_id”
},
“method”: “PATCH”
}
],
“url_rewrites”: [
{
“path”: “/api/v1/rest”,
“method”: “GET”,
“match_pattern”: “/api/v1/rest/(.*)”,
“rewrite_to”: “/api/$1”
},
{
“path”: “/api/v1/rest”,
“method”: “POST”,
“match_pattern”: “/api/v1/rest/(.*)”,
“rewrite_to”: “/api/$1”
},
{
“path”: “/api/v1/rest”,
“method”: “PUT”,
“match_pattern”: “/api/v1/rest/(.*)”,
“rewrite_to”: “/api/$1”
},
{
“path”: “/api/v1/rest”,
“method”: “DELETE”,
“match_pattern”: “/api/v1/rest/(.*)”,
“rewrite_to”: “/api/$1”
},
{
“path”: “/api/v1/rest”,
“method”: “PATCH”,
“match_pattern”: “/api/v1/rest/(.*)”,
“rewrite_to”: “/api/$1”
}
]
}
}
}
},
“proxy”: {
“listen_path”: “/api/v1/rest”,
“target_url”: “{LINREST_SERVICE_URL}”,
“strip_listen_path”: false
},
“enable_batch_request_support”: false,
“CORS”: {
“enable”: true,
“allowed_origins”: [
"

],
“allowed_methods”: [
“GET”
],
“allowed_headers”: [
"
],
“exposed_headers”: [
"

],
“allow_credentials”: true,
“options_passthrough”: false,
“debug”: false
},
“enable_jwt”: true,
“jwt_source”: “{BASE64_JWT_SECRET_KEY}”,
“jwt_identity_base_field”: “id”,
“jwt_policy_field_name”: “sub”,
“jwt_signing_method”: “hmac”
}

In Redis I can see entries such as:

elasticache.ursl0u.ng.0001.use2.cache.amazonaws.com:6379> get apikey-defaultd42a688986b70cddd226a905a34a682e
“{"last_check":0,"allowance":1000,"rate":1000,"per":1,"throttle_interval":0,"throttle_retry_limit":0,"expires":1572530508,"quota_max":-1,"quota_renews":0,"quota_remaining":0,"quota_renewal_rate":60,"access_rights":{"392660fe4c6b41fa80865277cb1f1d8a":{"api_name":"Pull Requests API","api_id":"392660fe4c6b41fa80865277cb1f1d8a","versions":["Default"],"allowed_urls":[{"url":"/api/v1/pull-requests","methods":["GET","POST"]}],"limit":null},"b28afc95091646a3a456d1464425eca3":{"api_name":"Linrest Public API","api_id":"b28afc95091646a3a456d1464425eca3","versions":["Default"],"allowed_urls":[{"url":"/api/v1/rest/public","methods":["GET","POST","PUT","DELETE","PATCH"]}],"limit":null},"ca6855aabf1041649a3339949539c5f6":{"api_name":"Product Management API","api_id":"ca6855aabf1041649a3339949539c5f6","versions":["Default"],"allowed_urls":[{"url":"/api/v1/pm","methods":["GET"]}],"limit":null},"ce5546caa386429ead660fe9c6049b93":{"api_name":"Linrest API","api_id":"ce5546caa386429ead660fe9c6049b93","versions":["Default"],"allowed_urls":[{"url":"/api/v1/rest","methods":["GET","POST","PUT","DELETE","PATCH"]}],"limit":null},"d55ce80547314b258f46b124785fef4d":{"api_name":"Branches API","api_id":"d55ce80547314b258f46b124785fef4d","versions":["Default"],"allowed_urls":[{"url":"/api/v1/branches","methods":["GET","POST"]}],"limit":null}},"org_id":"default","oauth_client_id":"","oauth_keys":null,"certificate":"","basic_auth_data":{"password":"","hash_type":""},"jwt_data":{"secret":""},"hmac_enabled":false,"hmac_string":"","is_inactive":false,"apply_policy_id":"","apply_policies":["default"],"data_expires":0,"monitor":{"trigger_limits":null},"enable_detail_recording":false,"meta_data":{"TykJWTSessionID":"defaultd42a688986b70cddd226a905a34a682e"},"tags":,"alias":"481763372","last_updated":"","id_extractor_deadline":0,"session_lifetime":0}”

You can see that the expires field still holds the value from an old token that has already expired.

I’ve tried setting session_lifetime to zero - didn’t help.
I’ve tried setting hash_keys (tyk.conf) to false - didn’t help.

We would like Tyk not to handle state at all. Is there an option to disable this?