OAS API Definition with Basic Auth / no auth (Keyless?)

Hi,

I am using the documentation to set up an API with basic auth using the OAS format. Unfortunately this does not work.

{
  "info": {
    "title": "test webservice",
    "version": "1.0.0"
  },
  "openapi": "3.0.3",
  "components": {
    "securitySchemes": {
      "my_auth": {
        "scheme": "basic",
        "type": "http"
      }
    }
  },
  "security": [
    {
      "my_auth": []
    }
  ],
  "paths": {
  },
  "x-tyk-api-gateway": {
    "info": {
      "name": "Test webservice",
      "id": "test-webservice",
      "state": {
        "active": true,
        "internal": false
      }
    },
    "upstream": {
      "url": "http://nginx/service/test"
    },
    "server": {
      "authentication": {
        "enabled": true,
        "securitySchemes": {
          "my_auth": {
            "enabled": true,
            "header": {
              "name": "Authorization"
            }
          }
        }
      },
      "listenPath": {
        "strip": true,
        "value": "/test/"
      }
    }
  }
}

Tyk sends me the following response back:

{
  "status": "error",
  "message": "x-tyk-api-gateway.server.authentication.securitySchemes.my_auth: Must validate at least one schema (anyOf)\nx-tyk-api-gateway.server.authentication.securitySchemes.my_auth.header: enabled is required"
}

Based on the documentation I do not know what I am doing wrong.

I have some questions:

  1. what is wrong with my API Definition?
  2. is the configuration of the basic auth in the API Definition mandatory, or is Tyk's default auth mechanism set to basic auth?
  3. the example given in the documentation does not mention that we need to set the property “enabled”: true in the “authentication” object. I discovered this in the error message sent by Tyk. Could you please maybe update the example?
"message": "x-tyk-api-gateway.server.authentication: enabled is required ...
  4. I have the use case of setting up an API Definition without authentication. Is keyless the right word for that? How can I configure the OAS API Definition to allow no auth?

Thank you!

Kind regards

Hello, any idea regarding my problems?
Thank you!

Hi @pascal-chenevas,

I’m sorry for the slow reply - not sure how we missed that coming in.

You’ve found a bug in the documentation… I’m sorry about that too and will get it corrected.

You need to set header.enabled:true within your my_auth config in x-tyk-api-gateway.server.authentication.securitySchemes so that Tyk knows to use the named HTTP header to expect the authorization data.

If you want to have an unsecured API (keyless) then you can omit the x-tyk-api-gateway.server.authentication section completely - or set x-tyk-api-gateway.server.authentication.enabled to false.

I hope this unblocks you.

Thanks again for your patience.
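
The two requirements named in this thread (authentication.enabled and header.enabled in the x-tyk-api-gateway block) are easy to miss until the Gateway rejects the definition. The following is an added example, not Tyk's own validator or documentation code: a small pre-flight check that reports the two errors quoted above before you POST the definition, a helper that applies the header.enabled fix, and a helper that produces the keyless variant by dropping the authentication block. The embedded BROKEN definition is the first one posted in this thread, trimmed to the relevant parts; the check that every scheme under x-tyk-api-gateway is also declared in components.securitySchemes is my own sanity check, not one of the errors Tyk reported here.

```python
"""Added example (not Tyk code): pre-flight checks for the authentication block
of a Tyk OAS API definition, based on the errors quoted in this thread."""
import copy


def check_tyk_auth(defn: dict) -> list[str]:
    """Return the problems found in x-tyk-api-gateway.server.authentication.

    An empty list means the block passes the checks. Two of the messages are the
    ones Tyk returned in the thread; the "not declared" one is an assumption used
    here as a sanity check, not a message Tyk itself reported.
    """
    problems = []
    auth = defn.get("x-tyk-api-gateway", {}).get("server", {}).get("authentication")
    if auth is None:
        return problems  # no block at all: the API is keyless
    if "enabled" not in auth:
        problems.append("x-tyk-api-gateway.server.authentication: enabled is required")
    declared = defn.get("components", {}).get("securitySchemes", {})
    for name, scheme in auth.get("securitySchemes", {}).items():
        path = f"x-tyk-api-gateway.server.authentication.securitySchemes.{name}"
        if name not in declared:
            problems.append(f"{path}: not declared in components.securitySchemes")
        header = scheme.get("header")
        if header is not None and "enabled" not in header:
            problems.append(f"{path}.header: enabled is required")
    return problems


def enable_auth_headers(defn: dict) -> dict:
    """Return a copy with header.enabled set on every scheme that names a header
    (the fix Andy describes), leaving values that are already present untouched."""
    fixed = copy.deepcopy(defn)
    auth = fixed["x-tyk-api-gateway"]["server"]["authentication"]
    auth.setdefault("enabled", True)
    for scheme in auth.get("securitySchemes", {}).values():
        if "header" in scheme:
            scheme["header"].setdefault("enabled", True)
    return fixed


def make_keyless(defn: dict) -> dict:
    """Return a copy with the authentication block removed, i.e. an open API.
    (Setting authentication.enabled to false is the other option from the thread.)"""
    open_api = copy.deepcopy(defn)
    open_api["x-tyk-api-gateway"]["server"].pop("authentication", None)
    return open_api


# Constructed sample: the first definition posted in the thread, trimmed.
BROKEN = {
    "openapi": "3.0.3",
    "info": {"title": "test webservice", "version": "1.0.0"},
    "components": {"securitySchemes": {"my_auth": {"type": "http", "scheme": "basic"}}},
    "security": [{"my_auth": []}],
    "paths": {},
    "x-tyk-api-gateway": {
        "info": {"name": "Test webservice", "id": "test-webservice",
                 "state": {"active": True, "internal": False}},
        "upstream": {"url": "http://nginx/service/test"},
        "server": {
            "authentication": {
                "enabled": True,
                "securitySchemes": {
                    # header.enabled is missing here, which is what Tyk rejected
                    "my_auth": {"enabled": True, "header": {"name": "Authorization"}}
                },
            },
            "listenPath": {"value": "/test/", "strip": True},
        },
    },
}

if __name__ == "__main__":
    for label, d in (("broken", BROKEN), ("fixed", enable_auth_headers(BROKEN)),
                     ("keyless", make_keyless(BROKEN))):
        print(label, check_tyk_auth(d) or "ok")
```

Run it against the definition you are about to upload; a non-empty list is the same message you would otherwise only see in the Gateway's 4xx response.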

Hi @Andy_O , thanks for the reply. I will try this and come back here with an update.

Hi @Andy_O , I got a 401 error when trying to send a request to the API…

OAS Definition:

{
  "info": {
    "title": "Test webservice",
    "version": "1.0.0"
  },
  "openapi": "3.0.3",
  "components": {
    "securitySchemes": {
      "my_auth": {
        "scheme": "basic",
        "type": "http"
      }
    }
  },
  "security": [
    {
      "my_auth": []
    }
  ],
  "paths": {
  },
  "x-tyk-api-gateway": {
    "info": {
      "name": "A test API using Basic Auth",
      "id": "my-test-api",
      "state": {
        "active": true,
        "internal": false
      }
    },
    "upstream": {
      "url": "http://nginx/service/test"
    },
    "server": {
      "authentication": {
        "enabled": true,
        "securitySchemes": {
          "my_auth": {
            "enabled": true,
            "header": {
              "name": "Authorization",
              "enabled": true
            }
          }
        }
      },
      "listenPath": {
        "strip": true,
        "value": "/test/"
      }
    }
  }
}

Basic Auth User (request sent to /tyk/keys/my-test-user):

{
  "allowance": 1000,
  "rate": 1000,
  "per": 1,
  "expires": -1,
  "quota_max": -1,
  "org_id": "1",
  "quota_renews": 1449051461,
  "quota_remaining": -1,
  "quota_renewal_rate": 60,
  "access_rights": {
    "my-test-api": {
      "api_id": "my-test-api",
      "api_name": "A test API using Basic Auth",
      "versions": ["Default"]
    }
  },
  "meta_data": {},
  "basic_auth_data": {
    "password": "my-password"
  }
}

Response received after sending a request to the Tyk-Gateway

HTTP/1.1 401 Unauthorized
{
  "error": "User not authorised"
}

In the Tyk log there is:

level=debug msg="Error trying to get value:key not found"
level=debug msg="Could not get session detail, key not found" err="key not found" inbound-key=-- prefix=auth-mgr
level=warning msg="Attempted access with non-existent user." api_id=my-test-api api_name="A test API using Basic Auth" key=-- mw=AccessRightsCheck org_id= origin=x.xx.x.x path=/test/status
level=debug msg="EVENT FIRED: AuthFailure"

Thank you for your support.

Hi @pascal-chenevas,

I just tried with your example API definition and key.

The only changes I made were to direct to a different upstream (I used httpbin.org for simplicity) and, in the key creation, I added my Gateway’s org_id.

Initially it didn’t work, but then I realised I’d forgotten the -n switch when converting the username:password to base64… when I got that right and set the Authorization header to Basic <base64-encoded-username:password> then my request was accepted.

Can you please confirm that you’ve set your org_id in the key?
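
The `-n` remark above is about how the Basic credential is built: `echo user:pass | base64` encodes the trailing newline that echo appends, so the gateway decodes a password that ends in "\n" and rejects it. The following is an added example, not Tyk's code: it builds the Authorization header for the key posted in this thread both ways, and simulates the gateway-side lookup the log lines above hint at. The store layout is an assumption for illustration: Tyk's DELETE response later in the thread shows the key name "1my-test-user", i.e. org_id followed by the username, and the example assumes that is how basic-auth keys are found; the plaintext password compare stands in for whatever hashing Tyk applies to basic_auth_data.password.

```python
"""Added example (not Tyk code): Basic credential construction and the
gateway-side lookup it has to satisfy, using the key from this thread."""
import base64
import hmac

ORG_ID = "1"
USERNAME = "my-test-user"
PASSWORD = "my-password"
API_ID = "my-test-api"


def basic_header(username: str, password: str) -> str:
    """What `printf '%s' "user:pass" | base64` (or curl -u) produces."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def basic_header_like_echo(username: str, password: str) -> str:
    """What `echo "user:pass" | base64` produces: the trailing newline is encoded too."""
    token = base64.b64encode(f"{username}:{password}\n".encode()).decode()
    return f"Basic {token}"


# Constructed key store. Assumption: basic-auth keys are stored under
# org_id + username, matching the "1my-test-user" key name in the thread.
KEY_STORE = {
    ORG_ID + USERNAME: {
        "org_id": ORG_ID,
        "access_rights": {API_ID: {"api_id": API_ID, "versions": ["Default"]}},
        "basic_auth_data": {"password": PASSWORD},  # plaintext stand-in for a hash
    }
}


def authenticate(header: str, api_org_id: str, api_id: str) -> tuple[bool, str]:
    """Resolve a Basic header against KEY_STORE for an API owned by api_org_id.

    Returns (accepted, reason). A missing key maps to the thread's
    "Attempted access with non-existent user." / 401 "User not authorised".
    """
    scheme, _, token = header.partition(" ")
    if scheme != "Basic" or not token:
        return False, "no basic credentials"
    try:
        raw = base64.b64decode(token, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return False, "malformed base64"
    username, sep, password = raw.partition(":")
    if not sep:
        return False, "missing ':' separator"
    key = KEY_STORE.get(api_org_id + username)
    if key is None:
        return False, "key not found"  # wrong org_id or unknown user look identical
    if not hmac.compare_digest(key["basic_auth_data"]["password"].encode(), password.encode()):
        return False, "bad password"
    if api_id not in key["access_rights"]:
        return False, "no access rights for api"
    return True, "ok"


if __name__ == "__main__":
    good = basic_header(USERNAME, PASSWORD)
    bad = basic_header_like_echo(USERNAME, PASSWORD)
    print(good, authenticate(good, ORG_ID, API_ID))
    print(bad, authenticate(bad, ORG_ID, API_ID))
    # API definition without an orgId: the lookup key no longer matches
    print(authenticate(good, "", API_ID))
```

The third call shows why the org id matters on both sides: the key was created with org_id "1", so an API definition carrying no orgId (or a different one) produces a lookup under a name that does not exist, which is indistinguishable from an unknown user in the gateway's response.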

@Andy_O

Yes. When asking for the user I got a 200 OK.

GET {{base-url}}/tyk/keys/my-test-user?username=true&org_id=1

HTTP/1.1 200 OK

I am also able to delete it:

DELETE {{base-url}}/tyk/keys/my-test-user?username=true&org_id=1
{
  "key": "1my-test-user",
  "status": "ok",
  "action": "deleted"
}

Hi @pascal-chenevas,

I probably wasn’t clear enough.

When you created the base64 encoded username/password combination, did you use the -n switch?

Thanks.

Hi @Andy_O ,

I am sorry, I do not understand in which scenario you use the -n switch.
Do you refer to the curl command and how the username and password have to be base64-encoded before sending the request?

I send my requests using the HTTP client from my IDE (IntelliJ), so I do not need to encode them beforehand.
This works perfectly when I use the Tyk classic format. I have the problem when trying to use the OAS format.

Hi @pascal-chenevas,

Please update the API definition to include the OrgID in x-tyk-api-gateway.info, and try again.

"x-tyk-api-gateway": {
    "info": {
      "name": "A test API using Basic Auth",
      "id": "my-test-api",
      "orgId": "1",
      <-->