Key not found in storage engine

Whatever I have done, there is no change in JWT token validation.
To validate the JWT token I’m using Keycloak: http://10.5.1.1:8080/auth/realms/midchains-krakend/protocol/openid-connect/certs

and at this link there is the needed public key, but Tyk always tells me that the key is not found.

This is my config:
"enable_jwt": true,
"jwt_identity_base_field": "sub",
"jwt_signing_method": "rsa",
"jwt_source": "http://10.5.1.1:8080/auth/realms/my-realm/protocol/openid-connect/certs",
"jwt_policy_field_name": "pol",
"jwt_scope_to_policy_mapping": {
  "profile": "policy_profile"
},
"jwt_scope_claim_name": "scope",

Please can you help me with this issue?
Should I create key for policy or add policy to token payload?

Hello @alexandre_sydorenko and welcome to the community.

Did it work previously? If it did what exactly did you change?

Also can you perform the following actions:

  • Check that another auth method is not enabled?
  • Share the gateway logs in debug mode

Hi, thanks for the reply.
I have just integrated Tyk into my project; it hasn’t been working yet. I have had this error for 2 days.

This is my debug:

time="Aug 25 15:15:32" level=warning msg="Reconnecting storage: Redis is either down or ws not configured" prefix=pub-sub

time="Aug 25 15:15:42" level=debug msg=Started api_id=41433797848f41a558c1573d3e55a410 api_name="Authorization service" mw=VersionCheck org_id=54de205930c55e15bd000001 origin=10.5.0.1 path="/api/v1/auth/otp/verify" ts=1661440542689291000

time="Aug 25 15:15:42" level=debug msg=Finished api_id=41433797848f41a558c1573d3e55a410 api_name="Authorization service" code=200 mw=VersionCheck ns=3306000 org_id=54de205930c55e15bd000001 origin=10.5.0.1 path="/api/v1/auth/otp/verify"

time="Aug 25 15:15:42" level=debug msg=Started api_id=41433797848f41a558c1573d3e55a410 api_name="Authorization service" mw=RateCheckMW org_id=54de205930c55e15bd000001 origin=10.5.0.1 path="/api/v1/auth/otp/verify" ts=1661440542693463000

time="Aug 25 15:15:42" level=debug msg=Finished api_id=41433797848f41a558c1573d3e55a410 api_name="Authorization service" code=200 mw=RateCheckMW ns=3821000 org_id=54de205930c55e15bd000001 origin=10.5.0.1 path="/api/v1/auth/otp/verify"

time="Aug 25 15:15:42" level=debug msg=Started api_id=41433797848f41a558c1573d3e55a410 api_name="Authorization service" mw=JWTMiddleware org_id=54de205930c55e15bd000001 origin=10.5.0.1 path="/api/v1/auth/otp/verify" ts=1661440542699398000

time="Aug 25 15:15:42" level=debug msg="Creating JWK Cache" api_id=41433797848f41a558c1573d3e55a410 api_name="Authorization service" mw=JWTMiddleware org_id=54de205930c55e15bd000001 origin=10.5.0.1 path="/api/v1/auth/otp/verify"

time="Aug 25 15:15:42" level=debug msg="Pulling JWK" api_id=41433797848f41a558c1573d3e55a410 api_name="Authorization service" mw=JWTMiddleware org_id=54de205930c55e15bd000001 origin=10.5.0.1 path="/api/v1/auth/otp/verify"

time="Aug 25 15:15:42" level=debug msg="Caching JWK" api_id=41433797848f41a558c1573d3e55a410 api_name="Authorization service" mw=JWTMiddleware org_id=54de205930c55e15bd000001 origin=10.5.0.1 path="/api/v1/auth/otp/verify"

time="Aug 25 15:15:42" level=debug msg="Checking JWKs..." api_id=41433797848f41a558c1573d3e55a410 api_name="Authorization service" mw=JWTMiddleware org_id=54de205930c55e15bd000001 origin=10.5.0.1 path="/api/v1/auth/otp/verify"

time="Aug 25 15:15:42" level=debug msg="JWT authority is centralised" api_id=41433797848f41a558c1573d3e55a410 api_name="Authorization service" mw=JWTMiddleware org_id=54de205930c55e15bd000001 origin=10.5.0.1 path="/api/v1/auth/otp/verify"

time="Aug 25 15:15:42" level=debug msg="Found User Id in Base Field" api_id=41433797848f41a558c1573d3e55a410 api_name="Authorization service" mw=JWTMiddleware org_id=54de205930c55e15bd000001 origin=10.5.0.1 path="/api/v1/auth/otp/verify" userId=3bff4d0d-c4ed-4d64-82ec-782ebc368f87

time="Aug 25 15:15:42" level=debug msg="Primary instance set, I am master" prefix=host-check-mgr

time="Aug 25 15:15:42" level=debug msg="JWT Temporary session ID is: 54de205930c55e15bd000001c0f2d06a6cdf295ac942a3c46cd81699" api_id=41433797848f41a558c1573d3e55a410 api_name="Authorization service" mw=JWTMiddleware org_id=54de205930c55e15bd000001 origin=10.5.0.1 path="/api/v1/auth/otp/verify"

time="Aug 25 15:15:42" level=debug msg="Querying local cache" api_id=41433797848f41a558c1573d3e55a410 api_name="Authorization service" mw=JWTMiddleware org_id=54de205930c55e15bd000001 origin=10.5.0.1 path="/api/v1/auth/otp/verify"

time="Aug 25 15:15:42" level=debug msg="Querying keystore" api_id=41433797848f41a558c1573d3e55a410 api_name="Authorization service" mw=JWTMiddleware org_id=54de205930c55e15bd000001 origin=10.5.0.1 path="/api/v1/auth/otp/verify"

time="Aug 25 15:15:42" level=debug msg="Error trying to get value:redis: nil"

time="Aug 25 15:15:42" level=debug msg="Could not get session detail, key not found" err="key not found" inbound-key="****1699" prefix=auth-mgr

time="Aug 25 15:15:42" level=debug msg="Querying authstore" api_id=41433797848f41a558c1573d3e55a410 api_name="Authorization service" mw=JWTMiddleware org_id=54de205930c55e15bd000001 origin=10.5.0.1 path="/api/v1/auth/otp/verify"
time="Aug 25 15:15:42" level=debug msg="Error trying to get value:redis: nil"

time="Aug 25 15:15:42" level=warning msg="Key not found in storage engine" err="key not found" inbound-key="****1699" prefix=auth-mgr

time="Aug 25 15:15:42" level=debug msg="Key does not exist, creating" api_id=41433797848f41a558c1573d3e55a410 api_name="Authorization service" mw=JWTMiddleware org_id=54de205930c55e15bd000001 origin=10.5.0.1 path="/api/v1/auth/otp/verify"

time="Aug 25 15:15:42" level=debug msg="Could not identify a policy to apply to this token from field: pol" api_id=41433797848f41a558c1573d3e55a410 api_name="Authorization service" mw=JWTMiddleware org_id=54de205930c55e15bd000001 origin=10.5.0.1 path="/api/v1/auth/otp/verify"

time="Aug 25 15:15:42" level=debug msg="EVENT FIRED: AuthFailure"

time="Aug 25 15:15:42" level=debug msg=Finished api_id=41433797848f41a558c1573d3e55a410 api_name="Authorization service" code=403 error="key not authorized: no matching policy found" mw=JWTMiddleware ns=79950000 org_id=54de205930c55e15bd000001 origin=10.5.0.1 path="/api/v1/auth/otp/verify"

Hi @alexandre_sydorenko - I thought I would record a quick and dirty video to show you how to do it.


Thanks for answering but it doesn’t work for me.
The same issue: Key not found

I’m authorized to Keycloak by the password grant_type.
My token’s payload is the following:

{
  "exp": 1661540478,
  "iat": 1661504478,
  "jti": "d1ecd40a-8ed1-4628-8488-c95df061c87b",
  "iss": "http://10.5.1.1:8080/auth/realms/my-realm",
  "aud": "account",
  "sub": "3bff4d0d-c4ed-4d64-82ec-782ebc368f87",
  "typ": "Bearer",
  "azp": "authorization-client",
  "session_state": "fa0878f6-44d3-4855-9946-eb1224450e34",
  "acr": "1",
  "realm_access": {
    "roles": [
      "offline_access",
      "uma_authorization",
      "default-roles-my-realm"
    ]
  },
  "resource_access": {
    "account": {
      "roles": [
        "manage-account",
        "manage-account-links",
        "view-profile"
      ]
    }
  },
  "scope": "openid 2fa email",
  "sid": "fa0878f6-44d3-4855-9946-eb1224450e34",
  "email_verified": true,
  "email": "[email protected]"
}

I thought maybe it was because I need to set the field jwt_identity_base_field to azp,
because this field in the payload contains my client’s name, but it doesn’t work.

Any suggestions why it doesn’t work?
I’m working without Tyk Dashboard; I want to write a correct JSON config.

Maybe you know how Tyk detects the needed public key, which comes in the response?:
/auth/realms/midchains-krakend/protocol/openid-connect/certs

I think maybe the issue is with it.

Maybe you know how Tyk detects the needed public key, which comes in the response?:
/auth/realms/midchains-krakend/protocol/openid-connect/certs

If you take a look at your JWT access token header and decode that - you will see a kid claim. This is the key ID. When Tyk queries the JWKS URI, it looks for a matching kid. And that’s the public key it will use for signature verification.

From your error logs - it looks like potentially the JWT auth has passed. But the security policy check has failed:

"Could not identify a policy to apply to this token from field: pol" api_id=41433797848f41a558c1573d3e55a410 api_name="Authorization service" mw=JWTMiddleware org_id=54de205930c55e15bd000001 origin=10.5.0.1 path="/api/v1/auth/otp/verify"

Have you created a security policy - and set it up as the default policy to apply as per the video?
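As an added, constructed walk-through (not code from the thread, nor Tyk’s own), here are the two decisions the logs above show: the JWKS kid lookup and the policy selection that ends in "no matching policy found" when neither the policy-field claim nor jwt_default_policies gives a base policy, with scope-mapped policies added only on top of that base. The selection order is modelled on the thread’s outcome and is an assumption to check against your gateway version; the JWKS, token and key names are all constructed, and signatures are not verified.

```python
import base64
import json

# Constructed JWKS shaped like Keycloak's certs response; "n" is a placeholder, not a key.
SAMPLE_JWKS = {"keys": [{"kid": "kc-key-1", "kty": "RSA", "alg": "RS256",
                         "use": "sig", "n": "PLACEHOLDER", "e": "AQAB"}]}
API_DEF = {"jwt_identity_base_field": "sub", "jwt_policy_field_name": "pol",
           "jwt_scope_claim_name": "scope",
           "jwt_scope_to_policy_mapping": {"profile": "policy_profile"}}

def b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(part):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def make_token(header, claims):
    return f"{b64url_encode(header)}.{b64url_encode(claims)}.sig"

def split_jwt(token):
    h, p, _sig = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p))

def find_jwk(jwks, kid):
    # JWKS lookup: the header kid must equal one key's kid, otherwise no key matches.
    return next((k for k in jwks["keys"] if k.get("kid") == kid), None)

def select_policies(claims, api_def):
    # Base policy: policy-field claim, else jwt_default_policies; scope mapping adds more.
    pol = claims.get(api_def.get("jwt_policy_field_name", ""))
    base = pol if isinstance(pol, list) else ([pol] if pol else [])
    if not base:
        base = list(api_def.get("jwt_default_policies", []))
    if not base:
        return None, "key not authorized: no matching policy found"
    scope = claims.get(api_def.get("jwt_scope_claim_name", "scope"), "")
    mapping = api_def.get("jwt_scope_to_policy_mapping", {})
    extra = [mapping[s] for s in scope.split() if s in mapping]
    return base + [p for p in extra if p not in base], None

def diagnose(token, jwks, api_def):
    header, claims = split_jwt(token)
    policies, err = select_policies(claims, api_def)
    return {"kid": header.get("kid"),
            "key_found": find_jwk(jwks, header.get("kid")) is not None,
            "policies": policies, "error": err}
```

Run diagnose() with the thread’s token claims and API_DEF to reproduce the 403, then again with jwt_default_policies added to see the base policy appear.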

Thanks a lot, it works when I set default policies, I just couldn’t find the name of it:
"jwt_default_policies": [
  "default"
],

Can someone add it to this documentation?:
https://tyk.io/docs/tyk-apis/tyk-gateway-api/api-definition-objects/jwt/

Can you also help? As I see, when I use 2 policies with different scopes for one API, it doesn’t work in the right way, for example:
2fa => 2fa_policy
allowed_urls: /2fa/send

profile => profile_policy
allowed_urls: /profile

When my token has scope 2fa it doesn’t have access to /profile, which is OK,
but when my token has scope profile it has access to both URLs: /2fa/send and /profile.

I expect that a token with scope profile will have access only to /profile.

It looks as if these 2 policies are conflicting with each other.

Maybe you know why is it happening?

My scopes → policy matching doesn’t work.
Can you help me?

I’ve added a new endpoint to profile, but it is available with an access token with scope 2fa.