Key Not Authorized

I am getting a 'Key Not Authorized' for a request with the header 'Authorization: Bearer '

I have 2 APIs set up with OAuth enabled on them.

  1. AuthorizationAPI
  2. DataApi

I use the AuthorizationAPI to get the access token, but the key_rules take care of which APIs are accessible.
{"allowance":1000,"rate":1000,"per":60,"expires":0,"quota_max":-1,"quota_renews":1406121006,"quota_remaining":0,"quota_renewal_rate":60,"org_id":"xxxxx","oauth_client_id":"xxxxx","hmac_enabled":false,"hmac_string":""}

However, when I try to use the access token generated using the AuthorizationApi to access the DataApi, I get a "Key Not Authorized" error.

That snippet of a session you've sent doesn't have any access rules set; you will need to add those into the key_rules object, like the one in the OAuth docs:

{
    "allowance": 1000,
    "rate": 1000,
    "per": 60,
    "expires": 0,
    "quota_max": -1,
    "quota_renews": 1406121006,
    "quota_remaining": 0,
    "quota_renewal_rate": 60,
    "access_rights": {
        "APIID1": {
            "api_name": "HMAC API",
            "api_id": "APIID1",
            "versions": [
                "Default"
            ]
        }
    },
    "org_id": "1",
    "oauth_client_id": "client-id-here",
    "hmac_enabled": false,
    "hmac_string": ""
}

Doesn't having no "access_rights" in key_rules mean granting access to all APIs?

If I set "allow_master_keys": true in my Tyk config, do I still need a Policy or "access_rights" specified in my key_rules?

If you have enabled master keys, then yes, otherwise, no.

So, if I enable master keys, then all my access tokens will have access to all APIs?

Yes. But it’s really not recommended. Also, I’d suggest using policies, they are more flexible.
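To make the answers in this thread concrete, here is an added example (my own, not Tyk's code) that models the access decision described above: a key whose key_rules has no access_rights is refused unless master keys are allowed, and a key with access_rights is accepted only for the listed api_id and version. The api_id values DataApi and AuthorizationAPI, and the audit helper that lists keys which would silently become master keys, are assumptions for illustration.

```python
import json

# Constructed sample key_rules objects (shaped like the ones in the thread,
# not taken from a live Tyk gateway).
KEY_WITHOUT_ACCESS_RIGHTS = json.loads("""{
  "allowance": 1000, "rate": 1000, "per": 60, "expires": 0,
  "quota_max": -1, "quota_renews": 1406121006, "quota_remaining": 0,
  "quota_renewal_rate": 60, "org_id": "xxxxx",
  "oauth_client_id": "xxxxx", "hmac_enabled": false, "hmac_string": ""
}""")

KEY_WITH_ACCESS_RIGHTS = json.loads("""{
  "allowance": 1000, "rate": 1000, "per": 60, "expires": 0,
  "quota_max": -1, "quota_renews": 1406121006, "quota_remaining": 0,
  "quota_renewal_rate": 60,
  "access_rights": {
    "DataApi": {"api_name": "DataApi", "api_id": "DataApi",
                "versions": ["Default"]}
  },
  "org_id": "1", "oauth_client_id": "client-id-here",
  "hmac_enabled": false, "hmac_string": ""
}""")


def is_authorized(key_rules, api_id, version="Default",
                  allow_master_keys=False):
    """Simplified model (assumption, not Tyk's implementation) of whether
    a key may call api_id/version under the rules the thread describes."""
    rights = key_rules.get("access_rights") or {}
    if not rights:
        # No access_rights at all: only accepted when the gateway has been
        # configured to treat such keys as master keys.
        return allow_master_keys
    entry = rights.get(api_id)
    if entry is None:
        return False
    return version in entry.get("versions", [])


def keys_without_access_rights(keys):
    """Audit helper: names of keys that would gain access to every API
    if allow_master_keys were switched on."""
    return [name for name, rules in keys.items()
            if not rules.get("access_rights")]
```

Running the audit helper over exported keys before enabling allow_master_keys shows exactly which tokens would stop being scoped to a single API.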