OAuth2 Client Credential

But what is the endpoint or API that I should use for “OAuth2 Client Credential”? I’m using:

curl -X POST http://xyz:8080/clientcredentials/oauth/token/ -H 'authorization: Basic b64(clientid:secret)' -H 'content-type: application/x-www-form-urlencoded' -d 'grant_type=client_credentials&client_id=82272ab4de864ae9ad887b85d6114fd5&client_secret=YTBmYzdlZjctNTkxNC00ODJmLThhYzUtNjY3MzZiMGY0YjBk'

Take some time to read through our docs starting here: //tyk.io/docs/basic-config-and-security/security/authentication-authorization/oauth-2-0/

Hi,
Maybe I misunderstood you, but it seems you are using the wrong path. In order to create the bearer token you need to put your API name instead of clientcredentials.

/oauth/token/: This is a reserved endpoint on the API slug that provides the authentication endpoint.

Thanks, but now I have another error. Can you help me?

curl -X POST \
  http://localhost:8080/poc-oauth-fly/oauth/token/ \
  -H 'Authorization: Basic Y3ZpbGxhbWlAZXZlcmlzLmNvbTpSaW5nbzAxMA==' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'client_id=82272ab4de864ae9ad887b85d6114fd5&client_secret=YTBmYzdlZjctNTkxNC00ODJmLThhYzUtNjY3MzZiMGY0YjBk&grant_type=client_credentials'

{"error":"server_error","error_description":"The authorization server encountered an unexpected condition that prevented it from fulfilling the request."}

Hi,

Other topics talk about updating the version of the dashboard, but I cannot find the documentation. Can you give me a link?

The version of my dashboard is v1.5.1

Thanks and regards.

Authorization header: This takes the form of “Basic b64encode(client_id:secret)”
And not user name or email.

Hope this helps.
Yaara
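
The header form described above, as an added example that is not part of the thread or of Tyk's documentation: a shell helper that builds "Basic base64(client_id:secret)" and checks an existing header against the client_id and client_secret sent in the form body. All values are constructed samples, and the base URL passed to request_token is a placeholder.

```shell
#!/bin/sh
# Added example. Constructed sample values, not taken from the thread.
CLIENT_ID='0123456789abcdef0123456789abcdef'
CLIENT_SECRET='c2FtcGxlLXNlY3JldC12YWx1ZQ=='

# Value of the Authorization header: "Basic " + base64(client_id:secret).
basic_header() {
    printf 'Basic %s' "$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')"
}

# Compare a header with the client_id/client_secret sent in the form body.
# Prints a diagnosis and returns 0 only when both parts match.
check_header() {
    header=$1 id=$2 secret=$3
    case $header in
        'Basic '*) b64=${header#'Basic '} ;;
        *) echo 'not a Basic credential'; return 1 ;;
    esac
    decoded=$(printf '%s' "$b64" | base64 -d 2>/dev/null) || {
        echo 'value is not valid base64'; return 1; }
    case $decoded in
        *:*) ;;
        *) echo 'decoded value has no colon separator'; return 1 ;;
    esac
    user=${decoded%%:*}   # before the first colon
    pass=${decoded#*:}    # after it; may itself contain colons
    [ "$user" = "$id" ] || { echo 'user part is not the client_id'; return 1; }
    [ "$pass" = "$secret" ] || { echo 'secret differs from client_secret'; return 1; }
    echo 'ok'
}

# Token request against <gateway>/<api-slug>; $1 is a placeholder base URL.
request_token() {
    curl -sS -X POST "$1/oauth/token/" \
        -H "Authorization: $(basic_header "$CLIENT_ID" "$CLIENT_SECRET")" \
        -H 'Content-Type: application/x-www-form-urlencoded' \
        --data-urlencode 'grant_type=client_credentials' \
        --data-urlencode "client_id=$CLIENT_ID" \
        --data-urlencode "client_secret=$CLIENT_SECRET"
}

# Self-check with the sample values; prints "ok".
check_header "$(basic_header "$CLIENT_ID" "$CLIENT_SECRET")" "$CLIENT_ID" "$CLIENT_SECRET"
```

A header built from a user name or e-mail address fails at the "user part is not the client_id" step, before any request is sent to the gateway.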

I’d suggest checking this doc here - it runs through most of the OAuth flows.

It’s probably something as simple as your client not having a callback url (which shouldn’t be needed, but is).

Hello @Yaara and @Martin

Forgive me for writing so late, but I have to combine jobs.

As I said, @Yaara, I was confusing client_id with a key. I solved that, and the error changed; now it is:

curl -X POST http://my-tyk-instance.com:8080/poc-oauth-fly/oauth/token/ -H 'authorization: Basic NDQ3ZjQ2NjFhZDA5NDJiY2I4Y2Q1NGVkMTk3OWNhMTk6MTIzNDU=' -H 'content-type: application/x-www-form-urlencoded' -d 'grant_type=client_credentials&client_id=447f4661ad0942bcb8cd54ed1979ca19&client_secret=MWM3NmUyZmMtMzI4Zi00MmJhLTg1MGMtMjBmN2ZhZGE5NDQ4'

{"error":"unauthorized_client","error_description":"The client is not authorized to request a token using this method."}

I leave some things of my configuration in case you see something strange.

{
"id": "5a776c9256c02c04b27668fe",
"name": "PoC-OAuth-Fly",
"slug": "poc-oauth-fly",
"api_id": "37d79fe6912946a14dfe7039fce844ae",
"org_id": "5a7443ba56c02c0b1f49ec6a",
"use_keyless": false,
"use_oauth2": true,
"use_openid": false,
"openid_options": {
    "providers": [],
    "segregate_by_client": false
},
"oauth_meta": {
    "allowed_access_types": [
        "client_credentials"
    ],
    "allowed_authorize_types": [
        "token"
    ],
    "auth_login_redirect": "http://example.com"
},
"auth": {
    "use_param": false,
    "param_name": "",
    "use_cookie": false,
    "cookie_name": "",
    "auth_header_name": "Authorization",
    "use_certificate": false
},
"use_basic_auth": false,
"use_mutual_tls_auth": false,
"client_certificates": [],
"upstream_certificates": {},
"enable_jwt": false,
"use_standard_auth": false,
"enable_coprocess_auth": false,
"jwt_signing_method": "",
"jwt_source": "",
"jwt_identity_base_field": "",
"jwt_client_base_field": "",
"jwt_policy_field_name": "",
"notifications": {
    "shared_secret": "12345",
    "oauth_on_keychange_url": ""
},
"enable_signature_checking": false,
"hmac_allowed_clock_skew": -1,
"base_identity_provided_by": "",
"definition": {
    "location": "header",
    "key": "x-api-version"
},
"version_data": {
    "not_versioned": true,
    "default_version": "",
    "versions": {
        "Default": {
            "name": "Default",
            "expires": "",
            "paths": {
                "ignored": [],
                "white_list": [],
                "black_list": []
            },
            "use_extended_paths": true,
            "extended_paths": {
                "white_list": [
                    {
                        "path": "mock/fly",
                        "method_actions": {
                            "GET": {
                                "action": "reply",
                                "code": 202,
                                "data": "OK Response",
                                "headers": {
                                    "IsMock": "true"
                                }
                            }
                        }
                    }
                ]
            },
            "global_headers": {},
            "global_headers_remove": [],
            "global_size_limit": 0,
            "override_target": ""
        }
    }
},
"uptime_tests": {
    "check_list": [],
    "config": {
        "expire_utime_after": 0,
        "service_discovery": {
            "use_discovery_service": false,
            "query_endpoint": "",
            "use_nested_query": false,
            "parent_data_path": "",
            "data_path": "",
            "port_data_path": "",
            "target_path": "",
            "use_target_list": false,
            "cache_timeout": 60,
            "endpoint_returns_list": false
        },
        "recheck_wait": 0
    }
},
"proxy": {
    "preserve_host_header": false,
    "listen_path": "/poc-oauth-fly/",
    "target_url": "http://httpbin.org/",
    "strip_listen_path": true,
    "enable_load_balancing": false,
    "target_list": [],
    "check_host_against_uptime_tests": false,
    "service_discovery": {
        "use_discovery_service": false,
        "query_endpoint": "",
        "use_nested_query": false,
        "parent_data_path": "",
        "data_path": "",
        "port_data_path": "",
        "target_path": "",
        "use_target_list": false,
        "cache_timeout": 0,
        "endpoint_returns_list": false
    }
},
"disable_rate_limit": false,
"disable_quota": false,
"custom_middleware": {
    "pre": [],
    "post": [],
    "post_key_auth": [],
    "auth_check": {
        "name": "",
        "path": "",
        "require_session": false
    },
    "response": [],
    "driver": "",
    "id_extractor": {
        "extract_from": "",
        "extract_with": "",
        "extractor_config": {}
    }
},
"custom_middleware_bundle": "",
"cache_options": {
    "cache_timeout": 60,
    "enable_cache": true,
    "cache_all_safe_requests": false,
    "cache_response_codes": [],
    "enable_upstream_cache_control": false,
    "cache_control_ttl_header": ""
},
"session_lifetime": 0,
"active": true,
"auth_provider": {
    "name": "",
    "storage_engine": "",
    "meta": {}
},
"session_provider": {
    "name": "",
    "storage_engine": "",
    "meta": {}
},
"event_handlers": {
    "events": {}
},
"enable_batch_request_support": false,
"enable_ip_whitelisting": false,
"allowed_ips": [],
"dont_set_quota_on_create": false,
"expire_analytics_after": 0,
"response_processors": [],
"CORS": {
    "enable": false,
    "allowed_origins": [],
    "allowed_methods": [],
    "allowed_headers": [],
    "exposed_headers": [],
    "allow_credentials": false,
    "max_age": 24,
    "options_passthrough": false,
    "debug": false
},
"domain": "",
"do_not_track": false,
"tags": [],
"enable_context_vars": false,
"config_data": {},
"tag_headers": [],
"global_rate_limit": {
    "rate": 1000,
    "per": 100
},
"strip_auth_data": false

}

OAuth2 Clients

Policies
Policy Name : OAuthPolicy
Policy ID : 5a9485df56c02c04b587e104

I think your redirect URI is still empty.

Hello @Yaara and @Martin

In the way that the documentation said, that is:

curl -X POST \
  http://my-tyk-instance.com:8080/secondapi/oauth/token/ \
  -H 'Authorization: Basic NjM3MWY0ZWZlMGYxNGE5MjgzN2M5NzY2MjRiOTE0Yzc6c2Vjb25kYXBp' \
  -H 'content-type: application/x-www-form-urlencoded' \
  -d 'grant_type=client_credentials&client_id=6371f4efe0f14a92837c976624b914c7&client_secret=ODY2OTFmM2MtMmY3Yy00YmVkLThjYTEtMDYwMGQyMjFmODcz'

It was impossible; it always gives me the same error: {"error":"server_error","error_description":"The authorization server encountered an unexpected condition that prevented it from fulfilling the request."}

Now, trying it from a client, I can finish a test. The difference is in the header, I think. I am leaving screenshots.

Is this operation correct?

– Request –

– tail -50f tyk-gateway.log

Not sure, it seems strange.
Have you set up a policy and attached it while creating the OAuth client? The error “The authorization server encountered an unexpected condition that prevented it from fulfilling the request.” might be related to this.

You should either define a policy for the OAuth client or use key_rules as a parameter when creating an access_token.

Hello, Yaara. I use OAuth2 to get an access token. When I follow the doc https://docs.google.com/document/d/17Eon4K1QQ6-2xl0BXft2k8WYsL7KJkS2duCYje88WVA/edit to get an access token for OAuth2, the same error also appears:
[root@localhost ~]# curl -X POST http://10.4.2.98:8080/testapi10/oauth/token/ -H 'authorization: Basic YmI5NDJmZTg3NjhmNDNiYzk1NTNjOTMxZjYzYjJmNTI6WVdFeU16SXpPRFV0TW1Zek15MDBNekk1TFdGak5UTXRZamMwTmpWa1lXRXdNR1Jp' -H 'content-type: application/x-www-form-urlencoded' -d 'grant_type=client_credentials&client_id=bb942fe8768f43bc9553c931f63b2f52&client_secret=YWEyMzIzODUtMmYzMy00MzI5LWFjNTMtYjc0NjVkYWEwMGRi'
{
"error": "Bearer token malformed"
}

The gateway.log
localhost systemd: Starting Docker Cleanup…
Sep 5 18:00:00 localhost systemd: Started Docker Cleanup.
Sep 5 18:00:01 localhost systemd: Started Session 408 of user root.
Sep 5 18:00:01 localhost systemd: Starting Session 408 of user root.
Sep 5 18:01:01 localhost systemd: Started Session 409 of user root.
Sep 5 18:01:01 localhost systemd: Starting Session 409 of user root.
Sep 5 18:10:01 localhost systemd: Started Session 410 of user root.
Sep 5 18:10:01 localhost systemd: Starting Session 410 of user root.
Sep 5 18:12:36 localhost chronyd[603]: Source 85.199.214.101 replaced with 2a03:8600::ee
Sep 5 18:15:52 localhost tyk: time="Sep 5 18:15:52" level=info msg="Bearer token malformed" origin=10.4.2.98 path="/testapi10/oauth/token/"
Sep 5 18:15:57 localhost tyk-pump: time="Sep 5 18:15:57" level=info msg="Writing 1 records"
Sep 5 18:15:57 localhost tyk-pump: time="Sep 5 18:15:57" level=info msg="Purging 1 records"
Sep 5 18:17:34 localhost tyk: time="Sep 5 18:17:34" level=info msg="Bearer token malformed" origin=10.4.2.98 path="/testapi10/oauth/token/"
Sep 5 18:17:37 localhost tyk-pump: time="Sep 5 18:17:37" level=info msg="Writing 1 records"
Sep 5 18:17:37 localhost tyk-pump: time="Sep 5 18:17:37" level=info msg="Purging 1 records"
Sep 5 18:20:01 localhost systemd: Started Session 411 of user root.
Sep 5 18:20:01 localhost systemd: Starting Session 411 of user root.

What have I set up wrong?