Mapping our API tokens to Tyk's tokens (SOLVED)

Hi
we currently offer a service via an API that relies on auth-token in the URL for authentication, like:

https://myapi.com/?authtoken=your-api-key&q=helloworld

We are looking at Tyk to add better quota management and a few other things, and I have a few questions about authentication/token management.

Technically, we can import API-keys generated by Tyk into our system, so that the 2 would match. However, that would also mean that a user could connect both to the Tyk gateway and directly to our end-point with the same credentials, thus escaping Tyk’s quota controls in the latter case (in the short term, we need to keep our end-point directly accessible as we have existing clients using it and we don’t want to migrate them to Tyk until we are satisfied everything works as we want).

In an ideal scenario, I’d like to map our own tokens to the ones generated by Tyk, so that users going through the Tyk gateway would seamlessly authenticate against our own system, but their Tyk-generated key would not work directly with our own end-point.

Basically, accessing this:

https://mycompany.cloud.tyk.io/my-service/?authtoken=tyk-token&q=helloworld

would be passed on as

https://myapi.com/?authtoken=our-api-key&q=helloworld

Is this possible? Any pointers on the right way to set this up?

thanks

Hello!

There are 2 ways to achieve what you want.

First is to import your existing keys into Tyk. This is not really documented, but you can “import” a key with your own ID using the Gateway API like this: `POST /tyk/keys/` with the key data as body (for the key data see https://tyk.io/docs/get-started/with-tyk-hybrid/tutorials/create-api-token/).

Another option would be using middleware: define a “pre” middleware which does the token mapping by querying some service/kv storage provided by you.

Hope it makes sense!

Leon, Tyk Team


Thanks Leon!
It seems option 1 would be the easiest way to do it. If I understand correctly, I need to specify our key in the JSON I submit to POST /tyk/keys/ … Where exactly would I put that in the JSON?

BR
F

Right, I confused you a bit by sending a wrong example :slight_smile:

The key ID should be included in the URL: POST /tyk/keys/, so the ID is not included in the JSON payload, only in the URL path.


so if I understand you correctly, I should send this:

    curl -X POST -H "authorization: 1238b7e0e2ff4c2957321724409ee2eb" \
        -s \
        -H "Content-Type: application/json" \
        -d '{
            "allowance": 1000,
            "rate": 1000,
            "per": 1,
            "expires": -1,
            "quota_max": -1,
            "quota_renews": 1449051461,
            "quota_remaining": -1,
            "quota_renewal_rate": 60,
            "access_rights": {
                "ad5004d961a147d4649fd3216694ebe2": {
                    "api_id": "ad5004d961a147d4649fd3216694ebe2",
                    "api_name": "test-api",
                    "versions": ["Default"]
                }
            },
            "meta_data": {}
        }' http://admin.cloud.tyk.io/api/keys/abcde1234567 | python -mjson.tool

Where ‘abcde1234567’ is the auth-key that the account has in our system, right?

You will need to use a PUT I believe

Ok, so I tried submitting the following (obviously replacing the authorization key with the one for my own user - which I also set as admin, and also putting the correct API key for the API I have created in the system).

    curl -X PUT -H "authorization: 1238b7e0e2ff4c2957321724409ee2eb" \
        -s \
        -H "Content-Type: application/json" \
        -d '{
            "allowance": 1000,
            "rate": 1000,
            "per": 1,
            "expires": -1,
            "quota_max": -1,
            "quota_renews": 1449051461,
            "quota_remaining": -1,
            "quota_renewal_rate": 60,
            "access_rights": {
                "ad5004d961a147d4649fd3216694ebe2": {
                    "api_id": "ad5004d961a147d4649fd3216694ebe2",
                    "api_name": "test-api",
                    "versions": ["Default"]
                }
            },
            "meta_data": {}
        }' http://admin.cloud.tyk.io/api/keys/abcde1234567 | python -mjson.tool

However, I am getting the following error:

    {
        "Message": "Attempted access to non-owned key",
        "Meta": null,
        "Status": "Error"
    }

What am I doing wrong?

BTW, just to be clear, I am trying to perform all this on Tyk Cloud (at least in the beginning for testing purposes). However, I noticed now that Leon’s link pointed to the Tyk Hybrid documentation, so I thought I’d mention this to avoid confusion.
TBH, I saw the exact method described in the documentation to create keys via API on Tyk Cloud and I have been using the cloud end-point, so I am assuming they should both work the same… right?

Ah, well no wonder it isn’t working - Tyk Cloud does not allow custom tokens to be injected into the gateway. For that you have to use an on-premise gateway like hybrid.

The only third-party tokens that are supported in Tyk Cloud are JWT and OpenID Connect ID Tokens. Otherwise everything needs to be generated by our cloud.

Should have asked that first really! Sorry for the frustration :-/

Sorry for the late follow-up… I finally managed to find some time to install Tyk on-premise… But I still get the error “Attempted access to non-owned key” when I try to add a custom key with this command:

    curl -X PUT -H "authorization: 1238b7e0e2ff4c2957321724409ee2eb" \
        -s \
        -H "Content-Type: application/json" \
        -d '{
            "allowance": 1000,
            "rate": 1000,
            "per": 1,
            "expires": -1,
            "quota_max": -1,
            "quota_renews": 1449051461,
            "quota_remaining": -1,
            "quota_renewal_rate": 60,
            "access_rights": {
                "ad5004d961a147d4649fd3216694ebe2": {
                    "api_id": "ad5004d961a147d4649fd3216694ebe2",
                    "api_name": "test-api",
                    "versions": ["Default"]
                }
            },
            "meta_data": {}
        }' http://mytykserver/api/keys/abcde1234567 | python -mjson.tool

Is there something else I need to configure to enable this feature?

Thanks
BR
F

You will need to add an org_id to this record, and that org_id needs to match the one in your API Definitions.

Thanks Martin… I did have the org_id, turns out the problem was that I missed that Tyk comes with 2 APIs, and I was trying to add the key using the one at api/keys with my admin user’s secret.

I have now figured out that there is a different entry point (tyk/keys), running on a different port (8080 instead of 3000) and that requires the “secret id” from the tyk.conf file.

Having made the necessary changes, I have now moved on to a new error message :slight_smile:

    "error": "Failed to create key, ensure security settings are correct.",

Any idea which security settings I should check?

BTW, this command instead works fine with the same token.json file

    curl -X POST http://localhost:8080/tyk/keys/create -H 'x-tyk-authorization: mysecretkey' -H 'Content-Type: application/json' -d @token.json

What still fails with the error message I mentioned above is this:

    curl -X PUT http://localhost:8080/tyk/keys/abcde123456 -H 'x-tyk-authorization: mysecretkey' -H 'Content-Type: application/json' -d @token.json

Thanks!


So port 3000 is the dashboard API and port 8080 is the gateway API.

If you are injecting keys (ones not created by Tyk) you must use the gateway API.

Both of these APIs are documented on our site - they have slightly different semantics.

What exactly are you trying to achieve?

Yes, I got that far too now :slight_smile:

I want to use my own keys (generated by my own system) instead of letting Tyk generate them for me, as described here https://tyk.io/docs/tyk-rest-api/token-management/ (Add/Update Keys).

I have created my API in the system to use Auth-token and enabled “Allow query parameter as well as header”, which in my understanding would mean that Tyk would first check if the token provided is enabled in the Tyk DB, and if yes pass on the request with the token to my own API (which in turn will authorize the token, as it originally comes from it) and respond to the request. Did I get this right?

Also, when I try to get the list of keys I get the message that Tyk is running in hashed mode, can that have something to do with the error message I am getting when I try to add my own custom key?

Thanks
F

I now looked at the server logs and this other error message pops up next to my request:

    Could not add key for this API ID, API doesn't exist.

However, I am using the API-ID provided in the dashboard for this API, and if I query the GW API for details I do get a response…

FIXED IT!!

Turns out the dashboard was not seeing the Gateway (no Nodes listed as active). I just restarted the GW service, the Node has appeared and I can now add my keys :wink:

Thanks for all your support and patience!

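The injection procedure this thread settled on (the gateway API on port 8080 rather than the dashboard on 3000, the tyk.conf secret in the x-tyk-authorization header, an org_id in the record that matches the API definition, and the custom key id in the URL path only), as an added example that is not the poster's script or Tyk's own code; the hostname, secret, org_id, the pre-flight check and the helper names are assumptions.

```python
import json
import urllib.request

# Constructed placeholders: gateway API host (port 8080, not the dashboard
# on 3000) and the "secret" value from tyk.conf.
GATEWAY = "http://localhost:8080"
GATEWAY_SECRET = "mysecretkey"


def build_key_record(org_id, api_id, api_name, rate=1000, per=1, quota_max=-1):
    """Session record for one key. org_id must match the API definition,
    otherwise the gateway answers 'Attempted access to non-owned key'."""
    return {
        "org_id": org_id,
        "allowance": rate,
        "rate": rate,
        "per": per,                 # rate limit: `rate` requests per `per` seconds
        "expires": -1,              # never expires
        "quota_max": quota_max,     # -1 disables the quota
        "quota_renews": 0,          # unix time of the next quota reset
        "quota_remaining": quota_max,
        "quota_renewal_rate": 60,
        "access_rights": {
            api_id: {"api_id": api_id, "api_name": api_name, "versions": ["Default"]}
        },
        "meta_data": {},
    }


def org_matches(record, api_definition):
    """Pre-flight check (assumed helper): compare the record's org_id with the
    API definition, e.g. the object returned by GET /tyk/apis/<api_id>."""
    return record.get("org_id") == api_definition.get("org_id")


def build_inject_request(key_id, record, gateway=GATEWAY, secret=GATEWAY_SECRET):
    """PUT /tyk/keys/<key_id>: the custom key id travels in the URL path only,
    never in the JSON body, authenticated with the tyk.conf secret."""
    return urllib.request.Request(
        f"{gateway}/tyk/keys/{key_id}",
        data=json.dumps(record).encode(),
        method="PUT",
        headers={"x-tyk-authorization": secret, "Content-Type": "application/json"},
    )


def inject_key(key_id, record, opener=urllib.request.urlopen):
    """Send the request and decode the gateway's JSON reply; `opener` is
    injectable so the flow can be exercised without a running gateway."""
    with opener(build_inject_request(key_id, record)) as resp:
        return json.loads(resp.read())
```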