JWT token policy not found

Hello,

I am creating a Security Policy for JWT for an API Definition but when I contact the endpoint providing the Bearer token, I receive:

{
    "error": "failed to create key: policy not found: \"ZGVmYXVsdC9waG90b25zZWN1cmUtcG9saWN5\""
}

Checking in /mnt/tyk-gateway/policies I can see that the policy exists:

I have no name!@gateway-tyk-dev-tyk-gateway-844494bd4d-q9qmg:/mnt/tyk-gateway/policies$  cat dHlrLW9zcy9waG90b25zZWN1cmUtcG9saWN5.json 
{
  "_id": "",
  "id": "dHlrLW9zcy9waG90b25zZWN1cmUtcG9saWN5",
  "name": "photonsecure-policy",
  "org_id": "",
...

Checking the following links/issues:
https://tyk.io/docs/tyk-stack/tyk-operator/installing-tyk-operator/
https://github.com/TykTechnologies/tyk-operator/issues/257
https://github.com/TykTechnologies/tyk-operator/issues/514
It seems that the solution is to set allow_explicit_policy_id=true in tyk.conf.

According to Tyk Gateway Configuration Options, there is an environmental variable for that, but setting the env variable in the gateway pod changes nothing.

My configuration is tyk-gateway with tyk-operator (0.15.1)

Has anyone had any experience/recommendation regarding this?

Thank you in advance

Hello @dtsek - welcome to the community!

There are 2 examples in this GitHub directory:

Could you try them and see if you still have the same error?

If you still have the error - it’s worth perhaps checking the operator controller manager logs for any possible errors. Failing that, please share your API Definition CRD, Policy CRD and logs here.

Thank you @ahmet for the reply! My implementation is a copy of the first example of this link. The operator does not show any errors; only the gateway shows an error that is similar to the reply I am getting.

So your security policy is called photonsecure-policy and is in the default namespace.

Please double check the following:

apiVersion: tyk.tyk.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: photonsecure-policy  # THIS IS IMPORTANT
spec:
  ...
  ...
  ...
  active: true
  name: photonsecure-policy  # THIS CAN BE ANY NAME
  state: active

And your ApiDefinition looks like this:

apiVersion: tyk.tyk.io/v1alpha1
kind: ApiDefinition
metadata:
  name: httpbin
spec:
  name: httpbin
  ...
  ...
  ...
  jwt_identity_base_field: sub
  jwt_policy_field_name: pol
  jwt_default_policies:
    - default/photonsecure-policy  # This should match namespace/name of policy
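
Added example, not part of the original posts and not Tyk's own code: both IDs quoted in this thread are base64 of namespace/name, so decoding them shows which namespace the gateway looked in and which one the policy file was written under. The function names are hypothetical, and unpadded URL-safe base64 is an assumption that fits the two IDs shown above.

```python
import base64

# IDs copied from this thread: the one in the gateway error,
# and the policy file name found under /mnt/tyk-gateway/policies.
REQUESTED_ID = "ZGVmYXVsdC9waG90b25zZWN1cmUtcG9saWN5"
ON_DISK_ID = "dHlrLW9zcy9waG90b25zZWN1cmUtcG9saWN5"


def decode_policy_id(policy_id):
    """Decode an ID to 'namespace/name' (assumes unpadded URL-safe base64)."""
    padded = policy_id + "=" * (-len(policy_id) % 4)
    return base64.urlsafe_b64decode(padded).decode("utf-8")


def encode_policy_ref(namespace, name):
    """Build the ID expected for a policy called `name` in `namespace`."""
    raw = f"{namespace}/{name}".encode("utf-8")
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def diagnose(requested_id, loaded_ids):
    """Compare the ID the gateway asked for with the IDs it has loaded."""
    requested = decode_policy_id(requested_id)
    loaded = []
    for pid in loaded_ids:
        try:
            loaded.append(decode_policy_id(pid))
        except ValueError:  # not a base64 namespace/name ID; skip it
            continue
    wanted_name = requested.partition("/")[2]
    return {
        "requested": requested,
        "loaded": requested in loaded,
        # Same policy name under another namespace points to a wrong
        # namespace prefix in jwt_default_policies or in the JWT claim.
        "same_name_elsewhere": [
            ref for ref in loaded
            if ref != requested and ref.partition("/")[2] == wanted_name
        ],
    }


if __name__ == "__main__":
    print(diagnose(REQUESTED_ID, [ON_DISK_ID]))
```

With the two IDs from this thread, the requested reference decodes to default/photonsecure-policy and the file on disk to tyk-oss/photonsecure-policy.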