OAuth client/create giving authorization error

Imported Google Group message. Original thread on Google Groups. Import date: 2016-01-19 21:17:28 +0000.
Sender: S. Alexander Zaman.
Date: Tuesday, 7 July 2015 17:26:40 UTC+1.

Hey Martin,

I'm trying to make an OAuth 'create app key' call and had some questions about it.

  1. The main issue is that the call does not seem to work. Below is my request:

POST /a39e0fa55f6e445e58355bde9a9377fa/tyk/oauth/clients/create/ HTTP/1.1
Host: 192.168.33.10:3030
X-Tyk-Authorization: 352d20ee67be67f6340b4c0605b044bc4
Authorization: f5cd3c04-1d2d-48f8-5c8a-ec56cee7d245
Content-Type: application/json
Cache-Control: no-cache
Postman-Token: 4a133abb-72bb-7e82-076c-db36f73e6cf2
{"api_id": "a39e0fa55f6e445e58355bde9a9377fa", "redirect_uri": "http://localhost/"}

Also, the following are screenshots from my Postman request. I got the value for Authorization from the HTTP request made by some of the calls in the Tyk dashboard:

The below questions are somewhat unrelated but just out of curiosity:

  2. I noticed in the Dashboard calls, they do not call the OAuth create call but instead call some dashboard call.

What's particularly weird about the call is that it refers to a value '557215aac3ff9c0001000002' in the URL.
I'm not sure what that value is associated with, as it's not the api_id, listen_path, user_id or org_id. What is it?

e.g., 'http://192.168.33.10:3000/api/apis/557215aac3ff9c0001000002'

  3. What is the dashboard key ('Tyk Dashboard API Access Credentials') for under a user's details? I assume it would work for
    Dashboard Advanced API calls, but it seems to be a different value when I see those calls being made in the dashboard UI.

I'm guessing 2 & 3 might be that the dashboard uses some unique hidden user to make the calls, but it's just a wild guess.

Imported Google Group message.
Sender: Martin Buhr.
Date: Tuesday, 7 July 2015 19:48:46 UTC+1.

> I had tried making the call without the listen_id as you said but it did not work. I tried again to make sure and here is the call and results (which are slightly different but still forbidden).

  • Are any of your paths whitelisted?
  • Is the authorisation key correct?
  • Can you see the output from the logs?
  • Try removing the slash from the end of the URL; it might be causing issues (we really need to make these homogeneous).

> What did you mean about 'targeting the nodes'? Are my calls targeting the nodes by using api_id in the body parameter, or is there something else that I need to do?

The advanced API and the Tyk rest API are served by different applications. The advanced API lives with the dashboard application while the gateway API (the raw one we are speaking about here) is on the Tyk gateway application. You actually target them on different ports.

In a large setup you might devote a whole server to just the Tyk gateway application and have that auto-scale, then have the dashboard app somewhere else, since the dashboard can manage all nodes so long as it can see only one.

Also, in some setups you may not use the dashboard at all and only have a headless Tyk node working in file-based mode (this is the simplest deployment).

For Tyk Cloud we actually scale all three binaries together for the sake of architectural simplicity, but some users may not want that. Either way Tyk can handle some pretty varied setup scenarios.

This isn't clear if you are using Docker, since it masks how everything works, but there's a handy diagram here: https://tyk.io/advanced-api-v0-9/about/

> Does the API need any setting or configuration turned on to use the create call? (It's already set up as an OAuth2-authenticated API.)

Hope that should do it…

Cheers,
Martin

Imported Google Group message.
Sender: Martin Buhr.
Date: Tuesday, 7 July 2015 18:45:10 UTC+1.

  1. The main issue is that the call does not seem to work.

To create a client you don't need to target the listen path; this is only for the specific token authorisation endpoints. You can just target /tyk/* at the root level.

Do not use the Authorization token; this is for the advanced API (documented on the site).

To create a client you need to target the node and use the Tyk secret defined in the tyk.conf file.

  2. I noticed in the Dashboard calls, they do not call the OAuth create call but instead call some dashboard call.

OAuth clients are stored with the node, not in the dashboard (to minimise database calls, the node can operate without Mongo once it starts). The API requests you see the dashboard make are to an internal API wrapper that actually talks to the node, and the ID you see is the internal API ID (ObjectID) in Mongo.

The UI never directly talks to the nodes, everything happens via the advanced API.

  3. What is the dashboard key ('Tyk Dashboard API Access Credentials') for under a user's details? I assume it would work for
    Dashboard Advanced API calls, but it seems to be a different value when I see those calls being made in the dashboard UI.

The UI uses a separate session token to access the advanced API (this makes it easier to handle auth and various other session issues, whereas the token associated with a user in the profile is always stateless). The credentials you see are for the advanced management API and would work just as well as the one the dashboard UI uses.

Let me know how you get on :slight_smile:

Martin
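The exchange Martin describes, as an added example that is not part of the original thread and not Tyk's code: the client-create call goes to the gateway node's port at the root-level /tyk path, carries the node secret from tyk.conf in X-Tyk-Authorization, and does not use the dashboard's Authorization token. So that it runs offline, the node is replaced by an in-process stand-in that only mimics the behaviour the thread reports (a 403 with {"status":"error","error":"Forbidden"} when the secret does not match). Assumptions, labelled as such: the tyk.conf field holding the admin secret is named "secret", and the generated client_id/secret format is made up here.

```python
"""Added example (not Tyk's code): the OAuth client-create call against a
gateway node, with an in-process stand-in for the node so it runs offline.

Assumptions, labelled: the node reads its admin secret from the "secret"
field of tyk.conf; the stand-in only mimics the behaviour the thread
describes (root-level /tyk/oauth/clients/create, X-Tyk-Authorization header,
{"status":"error","error":"Forbidden"} on a bad secret). Generated ids are
made up here and are not Tyk's real id format.
"""
import hmac
import json
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed tyk.conf fragment: only the field this example needs.
TYK_CONF = '{"listen_port": 8080, "secret": "352d20ee67be67f6340b4c0605b044bc4"}'


def node_secret(conf_text: str) -> str:
    """Read the gateway admin secret from tyk.conf (assumed field name "secret")."""
    return json.loads(conf_text)["secret"]


def make_handler(expected_secret: str):
    """Build a handler class that mimics the node's /tyk/oauth/clients/create."""
    class NodeHandler(BaseHTTPRequestHandler):
        def log_message(self, *args):  # keep output quiet
            pass

        def _send(self, code: int, body: dict):
            data = json.dumps(body).encode()
            self.send_response(code)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)

        def do_POST(self):
            presented = self.headers.get("X-Tyk-Authorization", "")
            # Constant-time compare so the check does not leak prefix/length.
            if not hmac.compare_digest(presented, expected_secret):
                return self._send(403, {"status": "error", "error": "Forbidden"})
            # Trailing slash tolerated, as the thread suggests it can cause issues.
            if self.path.rstrip("/") != "/tyk/oauth/clients/create":
                return self._send(404, {"status": "error", "error": "Not found"})
            length = int(self.headers.get("Content-Length", "0"))
            req = json.loads(self.rfile.read(length))
            if not req.get("api_id") or not req.get("redirect_uri"):
                return self._send(400, {"status": "error", "error": "api_id and redirect_uri required"})
            self._send(200, {
                "client_id": secrets.token_hex(16),      # made-up id format
                "secret": secrets.token_urlsafe(32),     # made-up secret format
                "redirect_uri": req["redirect_uri"],
                "api_id": req["api_id"],
            })
    return NodeHandler


def start_mock_node(expected_secret: str):
    """Start the stand-in node on a free localhost port; returns (server, base_url)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), make_handler(expected_secret))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def create_oauth_client(base_url: str, node_secret_value: str, api_id: str, redirect_uri: str) -> dict:
    """The call from the thread, done as Martin describes: node port, root-level
    /tyk path, X-Tyk-Authorization carrying the tyk.conf secret, no dashboard token."""
    body = json.dumps({"api_id": api_id, "redirect_uri": redirect_uri}).encode()
    req = urllib.request.Request(
        f"{base_url}/tyk/oauth/clients/create",
        data=body, method="POST",
        headers={"X-Tyk-Authorization": node_secret_value, "Content-Type": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return json.loads(resp.read())
    except urllib.error.HTTPError as e:
        err = json.loads(e.read() or b"{}")
        if e.code == 403:
            raise PermissionError("Forbidden: X-Tyk-Authorization does not match the node's tyk.conf secret") from e
        raise RuntimeError(f"{e.code}: {err}") from e


if __name__ == "__main__":
    secret = node_secret(TYK_CONF)
    srv, url = start_mock_node(secret)
    try:
        print(create_oauth_client(url, secret, "a39e0fa55f6e445e58355bde9a9377fa", "http://localhost/"))
        try:  # a secret that differs only in its last character is still Forbidden
            create_oauth_client(url, secret[:-1] + "0", "a39e0fa55f6e445e58355bde9a9377fa", "http://localhost/")
        except PermissionError as e:
            print(e)
    finally:
        srv.shutdown()
```

The second call in the usage section reproduces the failure mode in the thread: a secret that matches on its first characters but differs later is rejected outright, which is why comparing only the leading digits against the docs is not a useful check. Against a real node, point base_url at the gateway port (3030 in the thread, not the dashboard's 3000) and pass the "secret" value from that node's tyk.conf.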

Imported Google Group message.
Sender: S. Alexander Zaman.
Date: Tuesday, 7 July 2015 19:16:34 UTC+1.

Hey Martin thanks for quickly getting back to me.

I had tried making the call without the listen_id as you said but it did not work. I tried again to make sure and here is the call and results (which are slightly different but still forbidden).

==== CALL =====
POST /tyk/oauth/clients/create/ HTTP/1.1
Host: 192.168.33.10:3030
X-Tyk-Authorization: 352d20ee67be67f6340b4c0605b044bc4
Content-Type: application/json
Cache-Control: no-cache
Postman-Token: d9dce71f-0541-4784-d42a-b9b8576ed85c

{
"api_id": "a39e0fa55f6e445e58355bde9a9377fa",
"redirect_uri": "http://localhost/"
}

====== RESPONSE ======
{"status":"error","error":"Forbidden"}

Any idea why? Also, what did you mean about 'targeting the nodes'? Are my calls targeting the nodes by using api_id in the body parameter, or is there something else that I need to do? Does the API need any setting or configuration turned on to use the create call? (It's already set up as an OAuth2-authenticated API.)

Best regards,
Alex


Imported Google Group message.
Sender: S. Alexander Zaman.
Date: Tuesday, 7 July 2015 23:21:01 UTC+1.

Hey Martin,

Thanks for your help. Problem solved. It turns out that I was in fact not using the right key: I had copied the auth key from the docs and assumed it was the same as the Tyk default because the first couple of characters matched. After I checked all the characters I noticed the discrepancy, and that solved my problem.

Thanks for helping me troubleshoot this.

Best,
Alex