Key not authorized: no matching policy found

Hi Team,

I have added a policy and associated it with an API. However, when I hit the API from Postman, it responds with:
{
“error”: “Key not authorized: no matching policy found”
}

policies.json
{
“59d23feda75915000131b4d0”: {
“rate”: 1000,
“per”: 1,
“quota_max”: 100,
“quota_renewal_rate”: 60,
“access_rights”: {
“41433797848f41a558c1573d3e55a410”: {
“api_name”: “admin”,
“api_id”: “8272be5b2d0d499968d05bc0c667a175”,
“versions”: [
“Default”
]
}
},
“org_id”: “59b924cf49f9740001ce7586”,
“hmac_enabled”: false,
“key_expires_in”: 0
}
}

tyk.conf
“policies”: {
“policy_source”: “file”,
“policy_record_name”: “/opt/tyk-gateway/policies/policies.json”
},

api - The api is jwt enabled
“jwt_signing_method”: “rsa”,
“jwt_source”: “***”,
“jwt_identity_base_field”: “apisub”,
“jwt_client_base_field”: “”,
“jwt_policy_field_name”: “59d23feda75915000131b4d0”,

Hi Ritesh

Can you share the API definition as well please

Josh

{
“name”: “admin”,
“slug”: “admin”,
“api_id”: “8272be5b2d0d499968d05bc0c667a175”,
“org_id”: “59b924cf49f9740001ce7586”,
“use_keyless”: false,
“use_oauth2”: false,
“use_openid”: false,
“openid_options”: {
“providers”: [],
“segregate_by_client”: false
},
“oauth_meta”: {
“allowed_access_types”: [],
“allowed_authorize_types”: [],
“auth_login_redirect”: “”
},
“auth”: {
“use_param”: false,
“param_name”: “”,
“use_cookie”: false,
“cookie_name”: “”,
“auth_header_name”: “Authorization”
},
“use_basic_auth”: false,
“enable_jwt”: true,
“use_standard_auth”: false,
“enable_coprocess_auth”: false,
“jwt_signing_method”: “rsa”,
“jwt_source”: “*",
“jwt_identity_base_field”: “apisub”,
“jwt_client_base_field”: “”,
“jwt_policy_field_name”: “59d23feda75915000131b4d0”,
“notifications”: {
“shared_secret”: “”,
“oauth_on_keychange_url”: “”
},
“enable_signature_checking”: false,
“hmac_allowed_clock_skew”: -1.0,
“base_identity_provided_by”: “”,
“definition”: {
“location”: “header”,
“key”: “x-api-version”
},
“version_data”: {
“not_versioned”: true,
“versions”: {
“RGVmYXVsdA==”: {
“name”: “RGVmYXVsdA==”,
“expires”: “”,
“paths”: {
“ignored”: [],
“white_list”: [],
“black_list”: []
},
“use_extended_paths”: true,
“extended_paths”: {
“ignored”: [],
“white_list”: [],
“black_list”: [],
“cache”: [],
“transform”: [],
“transform_response”: [],
“transform_headers”: [],
“transform_response_headers”: [],
“hard_timeouts”: [],
“circuit_breakers”: [],
“url_rewrites”: [],
“size_limits”: [],
“method_transforms”: [],
“track_endpoints”: [],
“do_not_track_endpoints”: []
},
“global_headers”: {},
“global_headers_remove”: [],
“override_target”: “”
}
}
},
“uptime_tests”: {
“check_list”: [],
“config”: {
“service_discovery”: {
“use_discovery_service”: false,
“query_endpoint”: “”,
“use_nested_query”: false,
“parent_data_path”: “”,
“data_path”: “”,
“port_data_path”: “”,
“target_path”: “”,
“use_target_list”: false,
“endpoint_returns_list”: false
},
“recheck_wait”: 0
}
},
“proxy”: {
“preserve_host_header”: false,
“listen_path”: “/admin”,
“target_url”: “http://adminsvc/api/admin/customer”,
“strip_listen_path”: true,
“enable_load_balancing”: false,
“target_list”: [],
“check_host_against_uptime_tests”: false,
“service_discovery”: {
“use_discovery_service”: false,
“query_endpoint”: “”,
“use_nested_query”: false,
“parent_data_path”: “”,
“data_path”: “hostname”,
“port_data_path”: “port”,
“target_path”: “/api-slug”,
“use_target_list”: false,
“endpoint_returns_list”: false
}
},
“disable_rate_limit”: false,
“disable_quota”: false,
“custom_middleware”: {
“pre”: [],
“post”: [],
“post_key_auth”: [],
“auth_check”: {
“name”: “”,
“path”: “”,
“require_session”: false
},
“response”: [],
“driver”: “”,
“id_extractor”: {
“extract_from”: “”,
“extract_with”: “”,
“extractor_config”: {}
}
},
“custom_middleware_bundle”: “”,
“cache_options”: {
“enable_cache”: true,
“cache_all_safe_requests”: false,
“cache_response_codes”: [],
“enable_upstream_cache_control”: false
},
“active”: true,
“auth_provider”: {
“name”: “”,
“storage_engine”: “”,
“meta”: {}
},
“session_provider”: {
“name”: “”,
“storage_engine”: “”,
“meta”: null
},
“event_handlers”: {
“events”: {}
},
“enable_batch_request_support”: false,
“enable_ip_whitelisting”: false,
“allowed_ips”: [],
“dont_set_quota_on_create”: false,
“response_processors”: [],
“CORS”: {
“enable”: false,
“allowed_origins”: [
"
"
],
“allowed_methods”: [
“OPTIONS”,
“GET”
],
“allowed_headers”: [
"

],
“exposed_headers”: [],
“allow_credentials”: true,
“max_age”: 24,
“options_passthrough”: false,
“debug”: false
},
“domain”: “”,
“do_not_track”: false,
“tags”: [],
“enable_context_vars”: false,
“config_data”: {},
“hook_references”: [],
“is_site”: false,
“sort_by”: 0
}

@Josh Can you please let me know what could be the issue.

Will replicate and let you know what I come up with

Josh

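It looks like you have set the name of the claim to the actual policy ID. The jwt_policy_field_name setting is the name of the JWT claim that carries the policy ID, not the ID itself. I think you should change it to something like:
"jwt_policy_field_name":"policy" and then send the actual policy ID in that claim of your JWT.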


Thanks @JohnPhoto. It is working now. I kept the field name the same as the actual policy name.