Multiple auth schemes for single API definition

Martin · July 12, 2017, 1:57am

This conversation is being had twice, either have it here, or on GH (for reference, the GH issue is here):

Multiple auth schemes for single API definition with JWK

opened 08:21AM - 11 Jul 17 UTC

closed 03:10AM - 12 Jul 17 UTC

**Do you want to request a *feature* or report a *bug*?** bug may be. **What i…s the current behavior?** As suggested from community https://community.tyk.io/t/multiple-auth-schemes-for-single-api-definition/694/4, I put the so called `custom JWK URL`(http://localhost/files/idp_jwks.json, and it was verified the json can be accessed ) to the secret field, , but tyk cannot pick up the url of json to parse the JWT. **What is the expected behavior?** The API request can pass the authentication. **If the current behavior is a bug, please provide the steps to reproduce and if possible a minimal demo of the problem** Below attached the api definition ```json { "id": "5964544ae595230001212bf1", "name": "test", "slug": "test", "api_id": "9a83a146c3d341e376aebe945a92070e", "org_id": "59635dd4e5952300019e3fb8", "use_keyless": false, "use_oauth2": false, "use_openid": false, "openid_options": { "providers": [], "segregate_by_client": false }, "oauth_meta": { "allowed_access_types": [], "allowed_authorize_types": [], "auth_login_redirect": "" }, "auth": { "use_param": false, "param_name": "", "use_cookie": false, "cookie_name": "", "auth_header_name": "Authorization" }, "use_basic_auth": false, "enable_jwt": true, "use_standard_auth": false, "enable_coprocess_auth": false, "jwt_signing_method": "rsa", "jwt_source": "aHR0cDovL2xvY2FsaG9zdC9maWxlcy9pZHBfandrcy5qc29u", "jwt_identity_base_field": "sub", "jwt_client_base_field": "", "jwt_policy_field_name": "kid", "notifications": { "shared_secret": "", "oauth_on_keychange_url": "" }, "enable_signature_checking": false, "hmac_allowed_clock_skew": -1, "base_identity_provided_by": "", "definition": { "location": "header", "key": "x-api-version" }, "version_data": { "not_versioned": true, "versions": { "Default": { "name": "Default", "expires": "", "paths": { "ignored": [], "white_list": [], "black_list": [] }, "use_extended_paths": true, "extended_paths": {}, "global_headers": {}, "global_headers_remove": [], "global_size_limit": 0, "override_target": "" } } }, "uptime_tests": { "check_list": [], "config": { "expire_utime_after": 0, "service_discovery": { "use_discovery_service": false, "query_endpoint": "", "use_nested_query": false, "parent_data_path": "", "data_path": "", "port_data_path": "", "target_path": "", "use_target_list": false, "cache_timeout": 60, "endpoint_returns_list": false }, "recheck_wait": 0 } }, "proxy": { "preserve_host_header": false, "listen_path": "/test/", "target_url": "http://httpbin.org/", "strip_listen_path": true, "enable_load_balancing": false, "target_list": [], "check_host_against_uptime_tests": false, "service_discovery": { "use_discovery_service": false, "query_endpoint": "", "use_nested_query": false, "parent_data_path": "", "data_path": "hostname", "port_data_path": "port", "target_path": "/api-slug", "use_target_list": false, "cache_timeout": 60, "endpoint_returns_list": false } }, "disable_rate_limit": false, "disable_quota": false, "custom_middleware": { "pre": [], "post": [], "post_key_auth": [], "auth_check": { "name": "", "path": "", "require_session": false }, "response": [], "driver": "", "id_extractor": { "extract_from": "", "extract_with": "", "extractor_config": {} } }, "custom_middleware_bundle": "", "cache_options": { "cache_timeout": 60, "enable_cache": true, "cache_all_safe_requests": false, "cache_response_codes": [], "enable_upstream_cache_control": false }, "session_lifetime": 0, "active": true, "auth_provider": { "name": "", "storage_engine": "", "meta": {} }, "session_provider": { "name": "", "storage_engine": "", "meta": null }, "event_handlers": { "events": {} }, "enable_batch_request_support": false, "enable_ip_whitelisting": false, "allowed_ips": [], "dont_set_quota_on_create": false, "expire_analytics_after": 0, "response_processors": [], "CORS": { "enable": false, "allowed_origins": [], "allowed_methods": [], "allowed_headers": [], "exposed_headers": [], "allow_credentials": false, "max_age": 24, "options_passthrough": false, "debug": false }, "domain": "", "do_not_track": false, "tags": [], "enable_context_vars": false } ``` The access token(The token can be passed via the normal JWT authentication method with public key): ```Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiIwIiwiYXpwIjoiaVBob25lLUFwcCIsImlhdCI6MTQ4MjA3MTYzNiwiZXhwIjoyMTUwMDAzOTk1LCJraWQiOiI1OTY0NTVjNGU1OTUyMzAwMDEyMTJiZjIifQ.c1N1hPooRGXnK53lUOYVywmnX6vklpL9MayvoFeX1uANcigThXJjrM0WhwDFUKlwy37gn3Aef-cFJhpnJ52QwA``` The jwks json file: ```json { "keys": [ { "alg": "RS256", "kty": "RSA", "use": "sig", "x5c": [ "MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ4AhQ6FGspvMAnBmclAzydVB35i/MJeDq+OB5di7YLy3VcH66MJ0NSnEy/s55hgcQQ+IozJK4UTyAyGwRGVxn8CAwEAAQ==" ], "kid": "596455c4e595230001212bf2" } ] } ``` Attaches the RSA public / private key for your reference. ``` -----BEGIN PUBLIC KEY----- MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ4AhQ6FGspvMAnBmclAzydVB35i/MJe Dq+OB5di7YLy3VcH66MJ0NSnEy/s55hgcQQ+IozJK4UTyAyGwRGVxn8CAwEAAQ== -----END PUBLIC KEY----- ``` ``` -----BEGIN RSA PRIVATE KEY----- MIIBOgIBAAJBAJ4AhQ6FGspvMAnBmclAzydVB35i/MJeDq+OB5di7YLy3VcH66MJ 0NSnEy/s55hgcQQ+IozJK4UTyAyGwRGVxn8CAwEAAQJBAI6yn3kGo7SSiMs266KE gtLeC3+M/QS6F/9bgeWqtiGdtRnRXyR50qesjPoD9q0Wmy9u0AkdX6Q6Zft+PMhR LEkCIQDKbYgVSAze6wtXprtH/s4hiXKuydNVGb4N9en8D5klwwIhAMfRJHyJQQ1c qhxdS0bwWYQac9g+RbKiiC/wnGENOUSVAiBpwlAWzk3rKWIDqVivhLCtVOJV75w6 Gfjx0kktJ/kbgQIgVpSDt8aNPmnxd7rg/Er2rqv7mC5bauzMD+G1EMR3FQUCIFrx /GzNTSq7dvJzUh47kSO6HI2w+OYdXiYKZF29colc -----END RSA PRIVATE KEY----- ``` **Which versions of Tyk affected by this issue? Did this work in previous versions of Tyk?** Latest version from docker image.