Keycloak integration example docs

Hi, I have set up Keycloak and created the realm and client for my simple app.
The service behind tyk-gateway has two endpoints, and I configured one of them to use OpenID, so the configuration is like:

{
    "name": "Stock Price API Protected",
    "api_id": "stocks-protected",
    "org_id": "default",
    "definition": {
        "location": "header",
        "key": "version"
    },
    "use_openid": true,
    "openid_options": {
        "providers": [
            {
                "issuer": "http://keycloak:8080/auth/realms/tyk-realm",
                "client_ids": {
                    "dHlrLWdhdGV3YXk=": "default"
                }
            }
        ]
    },
    "version_data": {
        "not_versioned": true,
        "versions": {
            "Default": {
                "name": "Default"
            }
        }
    },
    "custom_middleware": {},
    "proxy": {
        "listen_path": "/securestocks",
        "target_url": "http://app-web:9091/securestocks",
        "strip_listen_path": true
    }
}

I feel like this may not be enough, but I can’t figure out what else I need, so maybe you can point it out to me.

So I get the access token for that client by calling this Keycloak endpoint, http://localhost:8080/realms/tyk-realm/protocol/openid-connect/token, which I then use as a bearer token to access that protected service, but I got back the error “Key not authorised”.

I am still new to this, so apologies if this is a silly question, but I have no idea what I missed here. Btw, I saw this script JSON Web Tokens (JWT); do I need a similar script for my case?
I hope there are more examples on Keycloak integration, because I feel like the current docs are not sufficient, and GitHub - TykTechnologies/tyk-demo: Tyk Docker Demo with full Pro Tyk Installation and more! is not very clear to me. Thanks!

Anyone here who can give me pointers?

Hello -

You should try to use regular JWT auth.

In your API Definition, set the signing method, identity source: sub and the public key as the JWKS url.

You can find the jwks url from your OpenID well known endpoint - it’s usually https://KEYCLOAK_HOST/realms/REALM/protocol/openid-connect/certs

You then need to create a security policy, which grants access to that API.

And the default policy on the API definition to be that policy you just created.

Your API Definition snippet will look something like the following:

  server:
    authentication:
      enabled: true
      stripAuthorizationData: true
      securitySchemes:
        jwtAuth:
          header:
            enabled: true
            name: Authorization
          identityBaseField: sub
          policyFieldName: pol
          enabled: true
          defaultPolicies: []
          signingMethod: ecdsa
          source: >- # base64-encoded JWKS URL
            aHR0cDovL2xvY2FsaG9zdDo4MDgxL3JlYWxtcy9mYXBpLWRlbW8vcHJvdG9jb2wvb3BlbmlkLWNvbm5lY3QvY2VydHM=
    listenPath:
      strip: true
      value: /foo

You can then auth via keycloak, using client credentials or authorization code flow - and when you obtain your access token, you should be able to use that to access your APIs via the gateway.

You can find full documentation here JSON Web Tokens (JWT)

Thanks @AhmetSoormally for the pointers. I followed your suggestion and also looked at those docs (apparently I used the Tyk classic definition, and am now switching to OAS), but the service/endpoint is not seen from the Tyk gateway; can you see what’s wrong in my API definition below?

{
    "components": {
        "securitySchemes": {
            "jwtAuth": {
                "type": "http",
                "scheme": "bearer",
                "bearerFormat": "JWT",
                "description": "JWT authentication for secure access to the stocks API"
            }
        }
    },
    "paths": {},
    "servers": [
        {
            "url": "http://localhost:8081/securestocks",
            "description": "Local development server for the secure stocks API"
        }
    ],
    "x-tyk-api-gateway": {
        "info": {
            "id": "stocks-secure",
            "orgId": "default",
            "name": "Secure Stocks API",
            "state": {
                "active": true,
                "internal": false
            }
        },
        "server": {
            "authentication": {
                "enabled": true,
                "stripAuthorizationData": true,
                "securitySchemes": {
                    "jwtAuth": {
                        "header": {
                            "enabled": true,
                            "name": "Authorization"
                        },
                        "identityBaseField": "sub",
                        "policyFieldName": "pol",
                        "enabled": true,
                        "defaultPolicies": [],
                        "signingMethod": "ecdsa",
                        "source": "aHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90eWstcmVhbG0vcHJvdG9jb2wvb3BlbmlkLWNvbm5lY3QvY2VydHM="
                    }
                }
            },
            "listenPath": {
                "strip": true,
                "value": "/securestocks/"
            }
        },
        "upstream": {
            "url": "http://app-web:9091/securestocks"
        }
    }
}

@AhmetSoormally sorry to bother you, I wonder if you can give me another pointer, or perhaps the issue is pretty obvious. I apologize for my ignorance on this stuff. Thanks and have a great weekend!

Hi @z11373

Thank you for your patience.

You may need to use host.docker.internal (or a similar alternative) for the jwks_url, as localhost will not work from within the Gateway container if Keycloak is running externally.

It appears that a default policy has not been configured—this is required for proper access control. Please ensure a default policy is set.

The signing method is likely rsa, but any misconfiguration should become apparent once the JWT validation runs.

If the issue persists after making these changes, set the Gateway log level to debug, make a request with a token, and share the resulting logs so we can assist further.

Thanks @Ubong for the reply and also for pointing out some of those things to me.

For configuring the policy, I am not using the Tyk dashboard; can I do it via a configuration file?

Actually, I have this section in my tyk.conf:

  "policies": {
    "policy_source": "file",
    "policy_path": "/opt/tyk-gateway/policies"
  }

And in my docker compose file, I have the volumes mapping:

    volumes:
      - ${PWD}/tyk.conf:/opt/tyk-gateway/tyk.conf
      - ${PWD}/apps:/opt/tyk-gateway/apps
      - ${PWD}/middleware:/opt/tyk-gateway/middleware
      - ${PWD}/certs:/opt/tyk-gateway/certs
      - ${PWD}/policies:/opt/tyk-gateway/policies

Will this work? If yes, then the policy.json file that I have may have an incorrect configuration.

Hi @z11373,

Yes, this is supposed to work. Please see a sample in the docs.
Config ref.

You may share your policy.json

Please review similar posts
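The script below is an added example written for this thread; it is not code from Tyk, from Keycloak or from anyone posting here. It takes the jwtAuth scheme from the OAS definition posted above together with a constructed, unsigned token whose header and claims mimic what the realm's token endpoint would issue, and reports the three configuration points raised in the replies: a JWKS URL that is unreachable from inside the gateway container, a signingMethod that does not match the token's alg (Keycloak signs with RS256 by default, hence "rsa"), and an empty defaultPolicies list on a token with no policy claim. It then produces the corrected scheme and one entry for the file-based policy source asked about at the end of the thread. The function names, the policy id stocks-default, the kid and claims in the constructed token, and the exact shape of the file policy entry are assumptions; the token's signature segment is a placeholder, so nothing here performs cryptographic verification.

```python
# Added example for this thread, not Tyk's code: standard library only, so the
# constructed token below is parsed but never cryptographically verified.
import base64
import copy
import json
from urllib.parse import urlparse

# JOSE "alg" prefix -> Tyk signingMethod value. Keycloak signs with RS256 by default.
ALG_FAMILY = {"RS": "rsa", "PS": "rsa", "ES": "ecdsa", "HS": "hmac"}
KEYCLOAK_JWKS_SUFFIX = "/protocol/openid-connect/certs"

def b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore '=' padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def encode_source(jwks_url: str) -> str:
    # Tyk stores the JWKS URL (or a PEM public key) base64-encoded in "source".
    return base64.b64encode(jwks_url.encode()).decode()

def decode_source(source: str) -> str:
    return base64.b64decode(source.encode()).decode()

def make_unsigned_token(header: dict, claims: dict) -> str:
    # Constructed test token: the third segment is a placeholder, not a signature.
    seg = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return f"{seg(header)}.{seg(claims)}.{b64url_encode(b'not-a-signature')}"

def token_parts(token: str):
    head, body, _sig = token.split(".")
    return json.loads(b64url_decode(head)), json.loads(b64url_decode(body))

def jwt_scheme(definition: dict) -> dict:
    return definition["x-tyk-api-gateway"]["server"]["authentication"]["securitySchemes"]["jwtAuth"]

def lint_jwt_scheme(definition: dict, token: str, gateway_in_container: bool = True) -> list:
    """Return one finding per reason the gateway could reject this token for this scheme."""
    scheme, (header, claims), findings = jwt_scheme(definition), token_parts(token), []
    jwks = urlparse(decode_source(scheme["source"]))
    issuer = urlparse(claims.get("iss", ""))
    if gateway_in_container and jwks.hostname in ("localhost", "127.0.0.1"):
        findings.append("source: JWKS URL points at localhost, which inside the gateway "
                        "container is the gateway itself; use host.docker.internal or the "
                        "compose service name")
    if jwks.path != issuer.path.rstrip("/") + KEYCLOAK_JWKS_SUFFIX:
        findings.append(f"source: JWKS path {jwks.path} is not the certs endpoint of "
                        f"issuer {issuer.path} (realm mismatch?)")
    expected = ALG_FAMILY.get(header.get("alg", "")[:2])
    if scheme["signingMethod"] != expected:
        findings.append(f"signingMethod: {scheme['signingMethod']} does not match token "
                        f"alg {header.get('alg')}, which needs {expected}")
    if scheme["identityBaseField"] not in claims:
        findings.append(f"identityBaseField: claim '{scheme['identityBaseField']}' missing")
    if not scheme["defaultPolicies"] and scheme["policyFieldName"] not in claims:
        findings.append(f"defaultPolicies: empty and the token has no "
                        f"'{scheme['policyFieldName']}' claim, so no policy applies")
    return findings

def fix_jwt_scheme(definition: dict, jwks_url: str, signing_method: str, policy_id: str) -> dict:
    fixed = copy.deepcopy(definition)
    jwt_scheme(fixed).update(source=encode_source(jwks_url), signingMethod=signing_method,
                             defaultPolicies=[policy_id])
    return fixed

def file_policy(policy_id: str, api_id: str, api_name: str, org_id: str = "default") -> dict:
    # Assumed shape of one entry in the file-based policies JSON; limits are placeholders.
    return {policy_id: {
        "org_id": org_id, "active": True,
        "rate": 100, "per": 60, "quota_max": -1, "quota_renewal_rate": 3600,
        "access_rights": {api_id: {"api_id": api_id, "api_name": api_name,
                                   "versions": ["Default"]}},
    }}

# The jwtAuth scheme exactly as posted in the thread (other OAS fields omitted).
DEFINITION = {"x-tyk-api-gateway": {"server": {"authentication": {"securitySchemes": {"jwtAuth": {
    "header": {"enabled": True, "name": "Authorization"},
    "identityBaseField": "sub", "policyFieldName": "pol", "enabled": True,
    "defaultPolicies": [], "signingMethod": "ecdsa",
    "source": "aHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90eWstcmVhbG0vcHJvdG9jb2wvb3BlbmlkLWNvbm5lY3QvY2VydHM=",
}}}}}}

# Constructed token mimicking what the thread's token endpoint would issue (claims assumed).
TOKEN = make_unsigned_token(
    {"alg": "RS256", "typ": "JWT", "kid": "constructed-kid"},
    {"iss": "http://localhost:8080/realms/tyk-realm", "sub": "user-123", "exp": 4102444800})

JWKS_FROM_CONTAINER = "http://host.docker.internal:8080/realms/tyk-realm" + KEYCLOAK_JWKS_SUFFIX
FIXED = fix_jwt_scheme(DEFINITION, JWKS_FROM_CONTAINER, "rsa", "stocks-default")

if __name__ == "__main__":
    for finding in lint_jwt_scheme(DEFINITION, TOKEN):
        print("-", finding)
    print("after fix:", lint_jwt_scheme(FIXED, TOKEN) or "no findings")
    print(json.dumps(file_policy("stocks-default", "stocks-secure", "Secure Stocks API"), indent=2))
```

Run as posted it lists the localhost, signingMethod and defaultPolicies findings for the thread's definition, then reports none for the corrected copy. The path comparison deliberately ignores the host, because a token minted through localhost:8080 carries that host in its iss claim while the gateway must fetch the JWKS through a host it can actually resolve; only the realm path has to agree. To check a real token, paste it into TOKEN: header and claims decode the same way, and the signature is still left to the gateway.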