Multiple (Chained) Authentication - Allow Basic Auth and Bearer Token auth

Hello all,

Some time ago I worked with Olu on these threads:
https://community.tyk.io/t/granular-access-for-endpoints-failing-allowed-urls-access-to-this-resource-has-been-disallowed/6130
https://community.tyk.io/t/allow-multiple-authentication-basic-auth-and-bearer-token/6148/5

We want an endpoint/API to allow both Basic Auth and Bearer Token authentication. I was trying to follow the instructions contained here https://tyk.io/docs/basic-config-and-security/security/authentication-authorization/multiple-auth/ , but it never works, after many attempts and different configurations.

Is there anyone using multiple authentication with Basic Auth and Bearer Token? I really appreciate any assistance on this.

We are using Tyk Gateway (OSS) 5.1 version.

I’m pasting below my API and Policy definition. This is working fine with Bearer Token (or, if I switch to Basic Auth, it also works…), but not both of them together.

API Definition:

{
    "name": "demoapi",
    "slug": "demoapi",
    "use_keyless": false,
    "use_basic_auth": false,
    "use_standard_auth": true,
    "api_id": "demoapi",
    "org_id": "1",
    "version_data": {
      "not_versioned": true,
      "versions": {
        "Default": {
          "name": "Default",
          "use_extended_paths": true
        }
      }
    },
    "proxy": {
      "listen_path": "/demoapi/",
      "target_url": "http://demoapi.demoapi.svc.cluster.local/",
      "strip_listen_path": true,
      "transport": {
        "ssl_insecure_skip_verify": true
      }
    },
    "active": true
}

Policy Definition:

{
    "id": "demoapi",
    "name": "demoapi",
    "org_id": "1",
    "rate": 0,
    "per": 1,
    "quota_max": 1000,
    "quota_renewal_rate": 60,
    "throttle_interval": 0,
    "throttle_retry_limit": 0,
    "max_query_depth": 0,
    "access_rights": {
        "demoapi": {
            "api_id": "demoapi",
            "api_name": "demoapi",
            "allowed_urls": [
                {
                    "url": "/demoapi/echo(.*)$",
                    "methods": ["GET"]
                }
            ],
            "versions": ["Default"]
        }
    },
    "hmac_enabled": false,
    "enable_http_signature_validation": false,
    "active": false,
    "is_inactive": false,
    "tags": null,
    "key_expires_in": 0,
    "partitions": {
        "quota": false,
        "rate_limit": false,
        "complexity": false,
        "acl": false,
        "per_api": false
    },
    "last_updated": "",
    "meta_data": null,
    "graphql_access_rights": null
}

Authentication header:

Hi @dszortyka. I’m genuinely sorry to learn that this continues to be a persistent problem for you. To further assist on the issue, could you share the output of the logs in debug mode after going through the following steps?

  1. Set log_level="debug" (TYK_GW_LOGLEVEL) on the gateway to enable verbose gateway logs.
  2. Could you duplicate your API definition, give it unique parameters (name, slug and api_id), copy the auth_config field value here and enable both use_basic_auth and use_standard_auth?
  3. Could you duplicate your policy definition, give it unique parameters (name, id, access_rights), and copy the auth_type and auth_types fields from the definition here?
  4. Create 2 keys (one auth token and one basic auth) from the policy definition
#########################################################################
# Create an auth token key definition via a policy definition
#########################################################################
POST /tyk/keys HTTP/1.1
Host: {{host}}:{{port}}
x-tyk-authorization: {{gateway_secret}}
Content-Type: application/json

{
  "alias": "Auth Token Key",
  "apply_policies": [
    "63e39307975cce0001ded5ff"
  ]
}


{
  "key": "55e87688520e441aa3e9c051b932d548",
  "status": "ok",
  "action": "added"
}
#########################################################################
# Create a basic authentication key definition via a policy definition
#########################################################################
POST /tyk/keys/john@smith.com HTTP/1.1
Host: {{host}}:{{port}}
x-tyk-authorization: {{gateway_secret}}
Content-Type: application/json

{
  "alias": "Basic Auth Key",
  "apply_policies": [
    "63e39307975cce0001ded5ff"
  ],
  "basic_auth_data": {
    "password": "1234567",
    "hash_type": "bcrypt"
  }
}


{
  "key": "john@smith.com",
  "status": "ok",
  "action": "added"
}
  5. Make a call to the API and share debug log output
####################
# Reverse Proxy call
####################
GET /{{listen_path}}/ HTTP/1.1
Host: {{host}}:{{port}}
Content-Type: application/json
AuthToken: Bearer 55e87688520e441aa3e9c051b932d548
Authorization: Basic am9obkBzbWl0aC5jb206MTIzNDU2Nw==


##############
# Debug Log
#############
time="Aug 22 12:45:40" level=debug msg=Started api_id=c4c2d14d256344687b201d6bd5b15e55 api_name="Sample Standard Token and Basic Multi Authentication" mw=VersionCheck org_id=61fd63e8a35fd4000162ed94 origin=172.26.0.1 path=/multi-auth-basic-and-standard/ ts=1692708340305404000
time="Aug 22 12:45:40" level=debug msg=Finished api_id=c4c2d14d256344687b201d6bd5b15e55 api_name="Sample Standard Token and Basic Multi Authentication" code=200 mw=VersionCheck ns=267100 org_id=61fd63e8a35fd4000162ed94 origin=172.26.0.1 path=/multi-auth-basic-and-standard/
time="Aug 22 12:45:40" level=debug msg=Started api_id=c4c2d14d256344687b201d6bd5b15e55 api_name="Sample Standard Token and Basic Multi Authentication" mw=RateCheckMW org_id=61fd63e8a35fd4000162ed94 origin=172.26.0.1 path=/multi-auth-basic-and-standard/ ts=1692708340305732700
time="Aug 22 12:45:40" level=debug msg=Finished api_id=c4c2d14d256344687b201d6bd5b15e55 api_name="Sample Standard Token and Basic Multi Authentication" code=200 mw=RateCheckMW ns=179700 org_id=61fd63e8a35fd4000162ed94 origin=172.26.0.1 path=/multi-auth-basic-and-standard/
time="Aug 22 12:45:40" level=debug msg=Started api_id=c4c2d14d256344687b201d6bd5b15e55 api_name="Sample Standard Token and Basic Multi Authentication" mw=BasicAuthKeyIsValid org_id=61fd63e8a35fd4000162ed94 origin=172.26.0.1 path=/multi-auth-basic-and-standard/ ts=1692708340306162600
time="Aug 22 12:45:40" level=debug msg="Querying local cache" api_id=c4c2d14d256344687b201d6bd5b15e55 api_name="Sample Standard Token and Basic Multi Authentication" mw=BasicAuthKeyIsValid org_id=61fd63e8a35fd4000162ed94 origin=172.26.0.1 path=/multi-auth-basic-and-standard/
time="Aug 22 12:45:40" level=debug msg="Querying keystore" api_id=c4c2d14d256344687b201d6bd5b15e55 api_name="Sample Standard Token and Basic Multi Authentication" mw=BasicAuthKeyIsValid org_id=61fd63e8a35fd4000162ed94 origin=172.26.0.1 path=/multi-auth-basic-and-standard/
time="Aug 22 12:45:40" level=debug msg="Got key" api_id=c4c2d14d256344687b201d6bd5b15e55 api_name="Sample Standard Token and Basic Multi Authentication" mw=BasicAuthKeyIsValid org_id=61fd63e8a35fd4000162ed94 origin=172.26.0.1 path=/multi-auth-basic-and-standard/
time="Aug 22 12:45:40" level=debug msg="cache enabled: miss: bcrypt" api_id=c4c2d14d256344687b201d6bd5b15e55 api_name="Sample Standard Token and Basic Multi Authentication" key="****.com" mw=BasicAuthKeyIsValid org_id=61fd63e8a35fd4000162ed94 origin=172.26.0.1 path=/multi-auth-basic-and-standard/
time="Aug 22 12:45:40" level=debug msg=Finished api_id=c4c2d14d256344687b201d6bd5b15e55 api_name="Sample Standard Token and Basic Multi Authentication" code=200 mw=BasicAuthKeyIsValid ns=71478100 org_id=61fd63e8a35fd4000162ed94 origin=172.26.0.1 path=/multi-auth-basic-and-standard/
time="Aug 22 12:45:40" level=debug msg=Started api_id=c4c2d14d256344687b201d6bd5b15e55 api_name="Sample Standard Token and Basic Multi Authentication" key="****.com" mw=AuthKey org_id=61fd63e8a35fd4000162ed94 origin=172.26.0.1 path=/multi-auth-basic-and-standard/ ts=1692708340377779900
time="Aug 22 12:45:40" level=debug msg="Querying local cache" api_id=c4c2d14d256344687b201d6bd5b15e55 api_name="Sample Standard Token and Basic Multi Authentication" key="****.com" mw=AuthKey org_id=61fd63e8a35fd4000162ed94 origin=172.26.0.1 path=/multi-auth-basic-and-standard/
time="Aug 22 12:45:40" level=debug msg="Querying keystore" api_id=c4c2d14d256344687b201d6bd5b15e55 api_name="Sample Standard Token and Basic Multi Authentication" key="****.com" mw=AuthKey org_id=61fd63e8a35fd4000162ed94 origin=172.26.0.1 path=/multi-auth-basic-and-standard/
time="Aug 22 12:45:40" level=debug msg="Got key" api_id=c4c2d14d256344687b201d6bd5b15e55 api_name="Sample Standard Token and Basic Multi Authentication" key="****.com" mw=AuthKey org_id=61fd63e8a35fd4000162ed94 origin=172.26.0.1 path=/multi-auth-basic-and-standard/
time="Aug 22 12:45:40" level=debug msg=Finished api_id=c4c2d14d256344687b201d6bd5b15e55 api_name="Sample Standard Token and Basic Multi Authentication" code=200 key="****.com" mw=AuthKey ns=5185900 org_id=61fd63e8a35fd4000162ed94 origin=172.26.0.1 path=/multi-auth-basic-and-standard/
time="Aug 22 12:45:40" level=debug msg=Started api_id=c4c2d14d256344687b201d6bd5b15e55 api_name="Sample Standard Token and Basic Multi Authentication" key="****d548" mw=KeyExpired org_id=61fd63e8a35fd4000162ed94 origin=172.26.0.1 path=/multi-auth-basic-and-standard/ ts=1692708340382997900
time="Aug 22 12:45:40" level=debug msg=Finished api_id=c4c2d14d256344687b201d6bd5b15e55 api_name="Sample Standard Token and Basic Multi Authentication" code=200 key="****d548" mw=KeyExpired ns=23600 org_id=61fd63e8a35fd4000162ed94 origin=172.26.0.1 path=/multi-auth-basic-and-standard/
time="Aug 22 12:45:40" level=debug msg=Started api_id=c4c2d14d256344687b201d6bd5b15e55 api_name="Sample Standard Token and Basic Multi Authentication" key="****d548" mw=AccessRightsCheck org_id=61fd63e8a35fd4000162ed94 origin=172.26.0.1 path=/multi-auth-basic-and-standard/ ts=1692708340383038600
time="Aug 22 12:45:40" level=debug msg=Finished api_id=c4c2d14d256344687b201d6bd5b15e55 api_name="Sample Standard Token and Basic Multi Authentication" code=200 key="****d548" mw=AccessRightsCheck ns=9800 org_id=61fd63e8a35fd4000162ed94 origin=172.26.0.1 path=/multi-auth-basic-and-standard/
time="Aug 22 12:45:40" level=debug msg=Started api_id=c4c2d14d256344687b201d6bd5b15e55 api_name="Sample Standard Token and Basic Multi Authentication" key="****d548" mw=GranularAccessMiddleware org_id=61fd63e8a35fd4000162ed94 origin=172.26.0.1 path=/multi-auth-basic-and-standard/ ts=1692708340383065900
time="Aug 22 12:45:40" level=debug msg=Finished api_id=c4c2d14d256344687b201d6bd5b15e55 api_name="Sample Standard Token and Basic Multi Authentication" code=200 key="****d548" mw=GranularAccessMiddleware ns=11900 org_id=61fd63e8a35fd4000162ed94 origin=172.26.0.1 path=/multi-auth-basic-and-standard/
time="Aug 22 12:45:40" level=debug msg=Started api_id=c4c2d14d256344687b201d6bd5b15e55 api_name="Sample Standard Token and Basic Multi Authentication" key="****d548" mw=RateLimitAndQuotaCheck org_id=61fd63e8a35fd4000162ed94 origin=172.26.0.1 path=/multi-auth-basic-and-standard/ ts=1692708340383095000
time="Aug 22 12:45:40" level=debug msg=Finished api_id=c4c2d14d256344687b201d6bd5b15e55 api_name="Sample Standard Token and Basic Multi Authentication" code=200 key="****d548" mw=RateLimitAndQuotaCheck ns=43000 org_id=61fd63e8a35fd4000162ed94 origin=172.26.0.1 path=/multi-auth-basic-and-standard/
time="Aug 22 12:45:40" level=debug msg="Started proxy"
time="Aug 22 12:45:40" level=debug msg="Stripping proxy listen path: /multi-auth-basic-and-standard/"
time="Aug 22 12:45:40" level=debug msg="Upstream path is: /"
time="Aug 22 12:45:40" level=debug msg=Started api_id=c4c2d14d256344687b201d6bd5b15e55 api_name="Sample Standard Token and Basic Multi Authentication" mw=ReverseProxy org_id=61fd63e8a35fd4000162ed94 ts=1692708340383230400
time="Aug 22 12:45:40" level=debug msg="Upstream request URL: /" api_id=c4c2d14d256344687b201d6bd5b15e55 api_name="Sample Standard Token and Basic Multi Authentication" mw=ReverseProxy org_id=61fd63e8a35fd4000162ed94
time="Aug 22 12:45:40" level=debug msg="Outbound request URL: http://host.docker.internal:80/anything/multi-auth-basic-and-standard" api_id=c4c2d14d256344687b201d6bd5b15e55 api_name="Sample Standard Token and Basic Multi Authentication" mw=ReverseProxy org_id=61fd63e8a35fd4000162ed94
time="Aug 22 12:45:40" level=debug msg=Finished api_id=c4c2d14d256344687b201d6bd5b15e55 api_name="Sample Standard Token and Basic Multi Authentication" mw=ReverseProxy ns=16429300 org_id=61fd63e8a35fd4000162ed94
time="Aug 22 12:45:40" level=debug msg="Upstream request took (ms): 16.5391"
time="Aug 22 12:45:40" level=debug msg="Adding Healthcheck to: c4c2d14d256344687b201d6bd5b15e55.Request"
time="Aug 22 12:45:40" level=debug msg="Val is: 16"
time="Aug 22 12:45:40" level=debug msg="Set value to: 1692708340399909600.16"
time="Aug 22 12:45:40" level=debug msg="Done proxy"
time="Aug 22 12:45:40" level=debug msg="Incrementing raw key: c4c2d14d256344687b201d6bd5b15e55.Request"
time="Aug 22 12:45:40" level=debug msg="keyName is: c4c2d14d256344687b201d6bd5b15e55.Request"
time="Aug 22 12:45:40" level=debug msg="Now is:2023-08-22 12:45:40.4006397 +0000 UTC m=+2447.184650101"
time="Aug 22 12:45:40" level=debug msg="Then is: 2023-08-22 12:45:25.4006397 +0000 UTC m=+2432.184650101"
time="Aug 22 12:45:40" level=debug msg="Returned: 0"

Hi @Olu,

Thanks for your support as always. You guys rock at Tyk Community.
See below manifests for API Definition, Policy and two example keys.
Results are below in this message. Tyk GW (helm chart) was re-deployed with loglevel=debug.

Let me know if something else is needed from my side.

extraEnvs:
    - name: TYK_GW_LOGLEVEL
      value: "debug"

API Definition:

{
    "name": "demoapimultiauth",
    "slug": "demoapimultiauth",
    "use_keyless": false,
    "use_basic_auth": true,
    "use_standard_auth": true,
    "api_id": "demoapimultiauth",
    "org_id": "1",
    "auth_configs": {
      "authToken": {
        "use_param": false,
        "param_name": "",
        "use_cookie": false,
        "auth_header_name": "AuthToken",
        "use_certificate": false,
        "signature": {
          "algorithm": "",
          "header": "",
          "secret": "",
          "allowed_clock_skew": 0,
          "error_code": 0,
          "error_message": ""
        }
      },
      "basic": {
        "use_param": false,
        "param_name": "",
        "use_cookie": false,
        "auth_header_name": "Authorization",
        "use_certificate": false,
        "signature": {
          "algorithm": "",
          "header": "",
          "secret": "",
          "allowed_clock_skew": 0,
          "error_code": 0,
          "error_message": ""
        }
      }
    },
    "version_data": {
      "not_versioned": true,
      "versions": {
        "Default": {
          "name": "Default",
          "use_extended_paths": true
        }
      }
    },
    "proxy": {
      "listen_path": "/demoapimultiauth/",
      "target_url": "http://demoapi.demoapi.svc.cluster.local/",
      "strip_listen_path": true,
      "transport": {
        "ssl_insecure_skip_verify": true
      }
    },
    "active": true
}
{
	"key": "demoapimultiauth",
	"status": "ok",
	"action": "added"
}

Policy Definition:

{
    "id": "demoapimultiauth",
    "name": "demoapimultiauth",
    "org_id": "1",
    "rate": 0,
    "per": 1,
    "quota_max": 1000,
    "quota_renewal_rate": 60,
    "throttle_interval": 0,
    "throttle_retry_limit": 0,
    "max_query_depth": 0,
    "auth_type": "multiAuth",
    "auth_types": [
        "ba",
        "authToken"
    ],
    "access_rights": {
        "demoapimultiauth": {
            "api_id": "demoapimultiauth",
            "api_name": "demoapimultiauth",
            "allowed_urls": [
                {
                    "url": "/demoapimultiauth/echo(.*)$",
                    "methods": ["GET"]
                },
                {
                    "url": "/demoapimultiauth/ping(.*)$",
                    "methods": ["GET"]
                }
            ],
            "versions": ["Default"]
        }
    },
    "hmac_enabled": false,
    "enable_http_signature_validation": false,
    "active": false,
    "is_inactive": false,
    "tags": null,
    "key_expires_in": 0,
    "partitions": {
        "quota": false,
        "rate_limit": false,
        "complexity": false,
        "acl": false,
        "per_api": false
    },
    "last_updated": "",
    "meta_data": null,
    "graphql_access_rights": null
}
{
	"key": "demoapimultiauth",
	"status": "ok",
	"action": "added"
}

Keys Definition:

Basic Auth

{
    "allowance": 1000,
    "rate": 1000,
    "per": 1,
    "expires": -1,
    "quota_max": -1,
    "org_id": "1",
    "quota_remaining": -1,
    "quota_renewal_rate": 60,
    "access_rights": {},
    "meta_data": {},
    "basic_auth_data": {
        "password": "demoapimultiauth"
    },
    "apply_policies": ["demoapimultiauth"]
 }
{
	"key": "eyJvcmciOiIxIiwiaWQiOiJkZW1vYXBpbXVsdGlhdXRoIiwiaCI6Im11cm11cjEyOCJ9",
	"status": "ok",
	"action": "added"
}

Bearer Token

{
    "apply_policies": ["demoapimultiauth"],
    "org_id" : "1",
    "expires": 0,
    "allowance": 0,
    "per": 0,
    "quota_max": 0,
    "rate": 0,
    "access_rights": {}
}
{
	"key": "eyJvcmciOiIxIiwiaWQiOiIwZDUzY2MyYjQ5NDg0NDE1OWM1NzZhOTRlNGVjZDQwMiIsImgiOiJtdXJtdXIxMjgifQ==",
	"status": "ok",
	"action": "added"
}

Results:

Basic Auth

{
    "error": "Authorization field missing"
}
time="Aug 23 01:25:00" level=debug msg=Started api_id=demoapimultiauth api_name=demoapimultiauth mw=VersionCheck org_id=1 origin=11.240.21.130 path=/demoapimultiauth/echo/daniel ts=1692753900448081370
time="Aug 23 01:25:00" level=debug msg=Finished api_id=demoapimultiauth api_name=demoapimultiauth code=200 mw=VersionCheck ns=40286 org_id=1 origin=11.240.21.130 path=/demoapimultiauth/echo/daniel
time="Aug 23 01:25:00" level=debug msg=Started api_id=demoapimultiauth api_name=demoapimultiauth mw=RateCheckMW org_id=1 origin=11.240.21.130 path=/demoapimultiauth/echo/daniel ts=1692753900448135484
time="Aug 23 01:25:00" level=debug msg=Finished api_id=demoapimultiauth api_name=demoapimultiauth code=200 mw=RateCheckMW ns=12280 org_id=1 origin=11.240.21.130 path=/demoapimultiauth/echo/daniel
time="Aug 23 01:25:00" level=debug msg=Started api_id=demoapimultiauth api_name=demoapimultiauth mw=BasicAuthKeyIsValid org_id=1 origin=11.240.21.130 path=/demoapimultiauth/echo/daniel ts=1692753900448157655
time="Aug 23 01:25:00" level=warning msg="Attempted access with malformed header, no auth header found." api_id=demoapimultiauth api_name=demoapimultiauth mw=BasicAuthKeyIsValid org_id=1 origin=11.240.21.130 path=/demoapimultiauth/echo/daniel
time="Aug 23 01:25:00" level=debug msg=Finished api_id=demoapimultiauth api_name=demoapimultiauth code=401 error="Authorization field missing" mw=BasicAuthKeyIsValid ns=49516 org_id=1 origin=11.240.21.130 path=/demoapimultiauth/echo/daniel
time="Aug 23 01:25:03" level=debug msg=Started api_id=demoapimultiauth api_name=demoapimultiauth mw=VersionCheck org_id=1 origin=11.240.21.130 path=/demoapimultiauth/echo/daniel ts=1692753903225879913
time="Aug 23 01:25:03" level=debug msg=Finished api_id=demoapimultiauth api_name=demoapimultiauth code=200 mw=VersionCheck ns=36992 org_id=1 origin=11.240.21.130 path=/demoapimultiauth/echo/daniel
time="Aug 23 01:25:03" level=debug msg=Started api_id=demoapimultiauth api_name=demoapimultiauth mw=RateCheckMW org_id=1 origin=11.240.21.130 path=/demoapimultiauth/echo/daniel ts=1692753903225937433
time="Aug 23 01:25:03" level=debug msg=Finished api_id=demoapimultiauth api_name=demoapimultiauth code=200 mw=RateCheckMW ns=17189 org_id=1 origin=11.240.21.130 path=/demoapimultiauth/echo/daniel
time="Aug 23 01:25:03" level=debug msg=Started api_id=demoapimultiauth api_name=demoapimultiauth mw=BasicAuthKeyIsValid org_id=1 origin=11.240.21.130 path=/demoapimultiauth/echo/daniel ts=1692753903225970360
time="Aug 23 01:25:03" level=debug msg="Querying local cache" api_id=demoapimultiauth api_name=demoapimultiauth mw=BasicAuthKeyIsValid org_id=1 origin=11.240.21.130 path=/demoapimultiauth/echo/daniel
time="Aug 23 01:25:03" level=debug msg="Querying keystore" api_id=demoapimultiauth api_name=demoapimultiauth mw=BasicAuthKeyIsValid org_id=1 origin=11.240.21.130 path=/demoapimultiauth/echo/daniel
time="Aug 23 01:25:03" level=debug msg="Got key" api_id=demoapimultiauth api_name=demoapimultiauth mw=BasicAuthKeyIsValid org_id=1 origin=11.240.21.130 path=/demoapimultiauth/echo/daniel
time="Aug 23 01:25:03" level=debug msg="cache enabled: hit: success" api_id=demoapimultiauth api_name=demoapimultiauth key="****auth" mw=BasicAuthKeyIsValid org_id=1 origin=11.240.21.130 path=/demoapimultiauth/echo/daniel
time="Aug 23 01:25:03" level=debug msg=Finished api_id=demoapimultiauth api_name=demoapimultiauth code=200 mw=BasicAuthKeyIsValid ns=352436 org_id=1 origin=11.240.21.130 path=/demoapimultiauth/echo/daniel
time="Aug 23 01:25:03" level=debug msg=Started api_id=demoapimultiauth api_name=demoapimultiauth key="****OCJ9" mw=AuthKey org_id=1 origin=11.240.21.130 path=/demoapimultiauth/echo/daniel ts=1692753903226349720
time="Aug 23 01:25:03" level=info msg="Attempted access with malformed header, no auth header found." api_id=demoapimultiauth api_name=demoapimultiauth key="****OCJ9" mw=AuthKey org_id=1 origin=11.240.21.130 path=/demoapimultiauth/echo/daniel
time="Aug 23 01:25:03" level=debug msg=Finished api_id=demoapimultiauth api_name=demoapimultiauth code=401 error="Authorization field missing" key="****OCJ9" mw=AuthKey ns=47418 org_id=1 origin=11.240.21.130 path=/demoapimultiauth/echo/daniel

Bearer Token

{
    "error": "Attempted access with malformed header, values not in basic auth format"
}
time="Aug 23 01:26:42" level=debug msg=Started api_id=demoapimultiauth api_name=demoapimultiauth mw=VersionCheck org_id=1 origin=29.240.8.6 path=/demoapimultiauth/echo/daniel ts=1692754002991719317
time="Aug 23 01:26:42" level=debug msg=Finished api_id=demoapimultiauth api_name=demoapimultiauth code=200 mw=VersionCheck ns=43568 org_id=1 origin=29.240.8.6 path=/demoapimultiauth/echo/daniel
time="Aug 23 01:26:42" level=debug msg=Started api_id=demoapimultiauth api_name=demoapimultiauth mw=RateCheckMW org_id=1 origin=29.240.8.6 path=/demoapimultiauth/echo/daniel ts=1692754002991776013
time="Aug 23 01:26:42" level=debug msg=Finished api_id=demoapimultiauth api_name=demoapimultiauth code=200 mw=RateCheckMW ns=17880 org_id=1 origin=29.240.8.6 path=/demoapimultiauth/echo/daniel
time="Aug 23 01:26:42" level=debug msg=Started api_id=demoapimultiauth api_name=demoapimultiauth mw=BasicAuthKeyIsValid org_id=1 origin=29.240.8.6 path=/demoapimultiauth/echo/daniel ts=1692754002991828017
time="Aug 23 01:26:42" level=info msg="Attempted access with malformed header, values not in basic auth format." api_id=demoapimultiauth api_name=demoapimultiauth key="****fQ==" mw=BasicAuthKeyIsValid org_id=1 origin=29.240.8.6 path=/demoapimultiauth/echo/daniel
time="Aug 23 01:26:42" level=warning msg="Attempted access with malformed header, no auth header found." api_id=demoapimultiauth api_name=demoapimultiauth mw=BasicAuthKeyIsValid org_id=1 origin=29.240.8.6 path=/demoapimultiauth/echo/daniel
time="Aug 23 01:26:42" level=debug msg=Finished api_id=demoapimultiauth api_name=demoapimultiauth code=400 error="Attempted access with malformed header, values not in basic auth format" mw=BasicAuthKeyIsValid ns=68218 org_id=1 origin=29.240.8.6 path=/demoapimultiauth/echo/daniel

Thanks,
Daniel
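
The debug output in this post can be reduced to one verdict per request: which middleware rejected it, with what status and error. The script below is an added example, not part of the original post and not Tyk code; it assumes a single client and that every request trace starts at the VersionCheck middleware, as in the logs above, and its sample lines are abbreviated from those logs.

```python
import re

# key=value pairs in logrus text format; values are bare tokens or quoted strings.
PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample: three requests abbreviated from the logs in the post
# (api_id, api_name, org_id, origin, ns, ts and the RateCheckMW lines dropped).
SAMPLE_LOG = r'''
time="Aug 23 01:25:00" level=debug msg=Started mw=VersionCheck path=/demoapimultiauth/echo/daniel
time="Aug 23 01:25:00" level=debug msg=Finished code=200 mw=VersionCheck path=/demoapimultiauth/echo/daniel
time="Aug 23 01:25:00" level=debug msg=Started mw=BasicAuthKeyIsValid path=/demoapimultiauth/echo/daniel
time="Aug 23 01:25:00" level=warning msg="Attempted access with malformed header, no auth header found." mw=BasicAuthKeyIsValid
time="Aug 23 01:25:00" level=debug msg=Finished code=401 error="Authorization field missing" mw=BasicAuthKeyIsValid
time="Aug 23 01:25:03" level=debug msg=Started mw=VersionCheck path=/demoapimultiauth/echo/daniel
time="Aug 23 01:25:03" level=debug msg=Finished code=200 mw=VersionCheck path=/demoapimultiauth/echo/daniel
time="Aug 23 01:25:03" level=debug msg=Finished code=200 mw=BasicAuthKeyIsValid path=/demoapimultiauth/echo/daniel
time="Aug 23 01:25:03" level=info msg="Attempted access with malformed header, no auth header found." key="****OCJ9" mw=AuthKey
time="Aug 23 01:25:03" level=debug msg=Finished code=401 error="Authorization field missing" key="****OCJ9" mw=AuthKey
time="Aug 23 01:26:42" level=debug msg=Started mw=VersionCheck path=/demoapimultiauth/echo/daniel
time="Aug 23 01:26:42" level=debug msg=Finished code=200 mw=VersionCheck path=/demoapimultiauth/echo/daniel
time="Aug 23 01:26:42" level=info msg="Attempted access with malformed header, values not in basic auth format." key="****fQ==" mw=BasicAuthKeyIsValid
time="Aug 23 01:26:42" level=debug msg=Finished code=400 error="Attempted access with malformed header, values not in basic auth format" mw=BasicAuthKeyIsValid
'''


def parse_line(line):
    """Turn one log line into a dict of its fields, stripping surrounding quotes."""
    fields = {}
    for key, value in PAIR.findall(line):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def triage(log_text, first_mw="VersionCheck"):
    """Group middleware lines into requests and record the first rejecting middleware."""
    requests, current = [], None
    for line in log_text.splitlines():
        f = parse_line(line)
        if "mw" not in f:
            continue  # proxy/healthcheck chatter carries no middleware name
        if f.get("msg") == "Started" and f["mw"] == first_mw:
            # Assumption: a new request trace begins at the first middleware.
            current = {"time": f.get("time"), "path": f.get("path"), "passed": [],
                       "rejected_by": None, "code": None, "error": None}
            requests.append(current)
        elif f.get("msg") == "Finished" and current is not None and "code" in f:
            code = int(f["code"])
            if code == 200:
                current["passed"].append(f["mw"])
            elif current["rejected_by"] is None:
                current.update(rejected_by=f["mw"], code=code, error=f.get("error"))
    return requests


if __name__ == "__main__":
    for req in triage(SAMPLE_LOG):
        verdict = (f'rejected by {req["rejected_by"]} ({req["code"]}: {req["error"]})'
                   if req["rejected_by"] else "passed every middleware")
        print(req["time"], req["path"], "->", verdict)
```
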

@dszortyka

I think I have been looking at this all wrong.

From your requests it appears you mean OR instead of an AND.

Meaning what you really want is to use Basic Auth or Auth Token with an API definition. Both can work with the API definition but you are only using one at a single time.

If this is what you intended, then Tyk doesn’t support this using a single API definition. Tyk only supports using a single auth mode or multiple authentication modes simultaneously in a single API definition.

However, you could achieve multi-auth at random/selection using a combination of multiple API definitions (5 in the looping example use case) and our URL rewrite middleware/looping. More information about using this approach can be found on our documentation on Multiple Auth Types for a single API.

Apologies for the rigmarole and hope this makes things clear.
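
The AND behaviour described in this reply, as a small Python model (an added example, not Tyk's code and not part of the original post). The header names come from the auth_configs in the thread and the first two error strings from its logs; the credentials, the function names and the remaining status codes and error wording are assumptions.

```python
import base64
import binascii
import hmac

# Header names taken from the auth_configs block of the API definition in the thread.
BASIC_HEADER = "Authorization"
TOKEN_HEADER = "AuthToken"

# Constructed credentials (hypothetical). A real gateway stores a password hash,
# e.g. the bcrypt hash_type used in the key-creation request earlier in the thread.
BASIC_USERS = {"demo-user": "demo-pass"}
TOKENS = {"demo-token-0001"}


def check_basic(headers):
    """Model of the BasicAuthKeyIsValid step; returns (status, error)."""
    raw = headers.get(BASIC_HEADER, "")
    if not raw:
        return 401, "Authorization field missing"
    scheme, _, blob = raw.partition(" ")
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        decoded = ""
    user, sep, password = decoded.partition(":")
    if scheme.lower() != "basic" or not sep:
        return 400, "Attempted access with malformed header, values not in basic auth format"
    expected = BASIC_USERS.get(user, "")
    if not expected or not hmac.compare_digest(expected.encode(), password.encode()):
        return 401, "invalid basic credentials"  # status and wording are this model's own
    return 200, None


def check_token(headers):
    """Model of the AuthKey step; returns (status, error)."""
    raw = headers.get(TOKEN_HEADER, "")
    if not raw:
        return 401, "Authorization field missing"
    token = raw[len("Bearer "):] if raw.startswith("Bearer ") else raw
    if token not in TOKENS:
        return 403, "unknown token"  # status and wording are this model's own
    return 200, None


def authenticate(headers, use_basic_auth, use_standard_auth):
    """Run every enabled check in the order seen in the debug logs; all must pass."""
    chain = []
    if use_basic_auth:
        chain.append(("BasicAuthKeyIsValid", check_basic))
    if use_standard_auth:
        chain.append(("AuthKey", check_token))
    for name, check in chain:
        status, error = check(headers)
        if status != 200:
            return {"status": status, "rejected_by": name, "error": error}
    return {"status": 200, "rejected_by": None, "error": None}


def basic_header(user, password):
    """Build the value of a Basic Authorization header."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def demo():
    """Three requests against an API with both auth modes enabled."""
    basic = basic_header("demo-user", "demo-pass")
    cases = {
        "basic only": {BASIC_HEADER: basic},
        "token in Authorization": {BASIC_HEADER: "Bearer demo-token-0001"},
        "both": {BASIC_HEADER: basic, TOKEN_HEADER: "Bearer demo-token-0001"},
    }
    return {name: authenticate(h, True, True) for name, h in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```
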

Thanks, that helps to have a better understanding.
And yes, you were right. I was trying to achieve either basic or standard authentication method in a single API definition.

Thanks a lot @Olu !!!

-Daniel