OAuth 2 Access Token (Bug?)


#1

Imported Google Group message. Original thread at: https://groups.google.com/forum/#!topic/tyk-community-support/4V40RRYsPr0 Import Date: 2016-01-19 21:39:59 +0000.
Sender: Albert Phu.
Date: Sunday, 3 January 2016 23:03:16 UTC.

Hi,

I recently was testing OAuth 2.0 and everything went fine. I just found a small bug, possibly.
I requested a token at /tyk/oauth/authorize-client/ and when I used it to call the API it worked; however, when I deleted a character off the end of the token it still worked. Only after I deleted two characters off the token would it say “Key not authorised”.

Maybe I am doing something weird. Here are some screenshots from Postman of what I described above.
Am I doing something wrong possibly?


#2

Imported Google Group message.
Sender: Martin Buhr.
Date: Monday, 4 January 2016 06:20:23 UTC.

Hi Albert,

Thanks for bringing this to our attention - that is quite odd, as it should not be happening. However, our key lookup is pretty explicit, so I wonder if it might be something else. Do you have caching enabled?

We’ll investigate on our end to confirm and update in this thread.

Many thanks,
Martin


You received this message because you are subscribed to the Google Groups “Tyk Community Support” group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web, visit https://groups.google.com/d/msgid/tyk-community-support/a0327400-b0cc-476d-813e-cd5b73d022d2%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


#3

Imported Google Group message.
Sender: Martin Buhr.
Date: Monday, 4 January 2016 13:40:20 UTC.

Hi Albert,

To follow up on this - we can't seem to replicate it: when generating an OAuth token and then removing the last character, authentication fails. Are you sure your client is sending the right credentials when you send?

Many thanks,
Martin

#4

Imported Google Group message.
Sender: Albert Phu.
Date: Monday, 4 January 2016 13:55:58 UTC.

Hi Martin,

I did have caching enabled on the API, but disabling it didn't change anything.
I believe it is sending the correct credentials when I send; if it didn't, I don't think it would return the correct information.

This is all on Vagrant following the procedure shown in the setup docs. I’ll try re-doing it and see if I can reproduce in another instance.

Regards,
Albert

I did put the pictures of the Postman up there.

#5

Imported Google Group message.
Sender: Albert Phu.
Date: Monday, 4 January 2016 23:50:59 UTC.

Hi,

I created the setup again following the Vagrant setup guide.
It still validated with one character missing.

Steps I took:
- Vagrant setup of Tyk
- Add API, with default target URL http://httpbin.org
- Authentication mode: OAuth 2.0, Allow Access Authorization Code and Refresh Token, Allow Token and Auth Code
- Use Postman, hit /tyk/oauth/authorize-client/ with:
  response_type token
  client_id
  redirect_uri
  key_rules
- It replies with a token
- Use that token to access the OAuth API's listen_path, using the Authentication header with the value “Bearer {Token}”
- Delete a character off the token and run again

Regards,
Albert
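The check described in these steps (a valid token, then the same token with the last character removed) can be turned into a small regression test for any bearer-token validator. The example below is added here and is not Tyk's code: the token value, the token store and both validators are constructed, and the prefix-matching validator is only a hypothetical lookup that reproduces the reported symptom, not a claim about what Tyk does.

```python
# Added example (not Tyk's code). A validator for bearer tokens must reject
# every token that differs from the issued one; this harness checks the
# single-character truncation from the thread plus a few related mutations.

ISSUED_TOKEN = "2e6c0a3f9b1d4c8a7e5f0b3d9a1c6e4f"          # constructed sample
TOKEN_STORE = {ISSUED_TOKEN: {"client_id": "demo-client"}}  # constructed sample


def exact_match_validator(store):
    """Correct behaviour: the presented token must equal a stored key."""
    return lambda token: token in store


def prefix_match_validator(store):
    """Hypothetical faulty lookup that accepts any prefix of a stored key.
    Constructed only to reproduce the reported symptom; not Tyk's code."""
    return lambda token: any(k.startswith(token) for k in store)


def mutated_tokens(token):
    """Variants of a valid token that a validator must reject."""
    return {
        "minus_one_char": token[:-1],
        "minus_two_chars": token[:-2],
        "plus_one_char": token + "a",
        "last_char_changed": token[:-1] + ("0" if token[-1] != "0" else "1"),
        "empty": "",
    }


def wrongly_accepted(validate, token):
    """Return the sorted names of mutated tokens the validator accepts.
    An empty list means the validator rejects all of them, as it should."""
    if not validate(token):
        raise ValueError("the issued token itself must validate")
    return sorted(name for name, bad in mutated_tokens(token).items()
                  if validate(bad))


if __name__ == "__main__":
    for label, make in (("exact match", exact_match_validator),
                        ("prefix match", prefix_match_validator)):
        bad = wrongly_accepted(make(TOKEN_STORE), ISSUED_TOKEN)
        print(f"{label}: {'OK' if not bad else 'accepts ' + ', '.join(bad)}")
```

Against a real gateway, the same harness applies with `validate` replaced by a function that sends the token in the Authorization header and returns whether the response was authorised.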


#6

Imported Google Group message.
Sender: Albert Phu.
Date: Tuesday, 5 January 2016 00:14:01 UTC.

Hi Martin,
I was going to test it on the free service provided on Tyk Cloud.
But I'm not sure where my gateway secret key is for the x-tyk-authorization field.
Where is it provided for cloud users?

Thanks,
Albert

#7

Imported Google Group message.
Sender: Martin Buhr.
Date: Tuesday, 5 January 2016 06:28:30 UTC.

Hi Albert,

It isn't, I'm afraid - we're working on exposing more OAuth features on Tyk Cloud via the advanced API, but it isn't available at the moment.

Many thanks,
Martin
