OAUTH2 flow credentials retrieve access_token

Hello,

I want to use OAUTH2 with the client credentials flow and I wish to use Tyk as an authorization server.

I have a client_id and client_secret and when I try to retrieve an access token I have this error:
{
  "error": "Requested endpoint is forbidden"
}

My listen_path is catalog and I try to retrieve the access_token from this URL:

curl -i -H 'Content-Type: application/json' \
  -H 'x-tyk-authorization: 352d20ee67be67f6340b4c0605b044b7' \
  -X POST --url http://localhost:8080/catalog/oauth/token \
  --data "client_id=c51666e49bc34be96bc0142e5d34fcc6" \
  --data "client_secret=MTBhZGNmZTMtZGQzOC00NjBmLTU1MzEtZjZhMzA5OGQzMDU0" \
  --data "grant_type=client_credentials"

Any suggestions on where to look or how to fix my problem?

Thanks

Nicolas

Hi Nicolas,

The above is not a Tyk endpoint. Which guide are you following?

Thanks,
Kos @ Tyk Support Team

Hi Kos,

I am using this documentation:
https://tyk.io/docs/security/your-apis/oauth-2-0/

Nicolas

Hi Kos,
So no more suggestions?
Which endpoint should I use when I want to retrieve an access_token?

Thanks
Regards
Nicolas

That’s not necessary here - we want to help you. This is a community forum.

Can you share your API definition? This will show us what you have configured.

Thanks Martin, here is my configuration:

{
  "id": "5947f443ce6298000163a5fe",
  "name": "Catalogue des applications",
  "slug": "catalog",
  "api_id": "180a85b558454745630a98aaf066414c",
  "org_id": "5947c997ce6298000163a5f6",
  "use_keyless": false,
  "use_oauth2": true,
  "use_openid": false,
  "openid_options": {
    "providers": [],
    "segregate_by_client": false
  },
  "oauth_meta": {
    "allowed_access_types": [
      "client_credentials"
    ],
    "allowed_authorize_types": [],
    "auth_login_redirect": ""
  },
  "auth": {
    "use_param": false,
    "param_name": "",
    "use_cookie": false,
    "cookie_name": "",
    "auth_header_name": "Authorization"
  },
  "use_basic_auth": false,
  "enable_jwt": false,
  "use_standard_auth": false,
  "enable_coprocess_auth": false,
  "jwt_signing_method": "",
  "jwt_source": "",
  "jwt_identity_base_field": "",
  "jwt_client_base_field": "",
  "jwt_policy_field_name": "",
  "notifications": {
    "shared_secret": "",
    "oauth_on_keychange_url": ""
  },
  "enable_signature_checking": false,
  "hmac_allowed_clock_skew": -1,
  "base_identity_provided_by": "",
  "definition": {
    "location": "header",
    "key": "version"
  },
  "version_data": {
    "not_versioned": true,
    "versions": {
      "v1": {
        "name": "v1",
        "expires": "",
        "paths": {
          "ignored": [],
          "white_list": [],
          "black_list": []
        },
        "use_extended_paths": true,
        "extended_paths": {
          "white_list": [
            {
              "path": "/catalog/applications/search",
              "method_actions": {
                "GET": {
                  "action": "no_action",
                  "code": 200,
                  "data": "",
                  "headers": {}
                }
              }
            },
            {
              "path": "/catalog/applications",
              "method_actions": {
                "GET": {
                  "action": "no_action",
                  "code": 200,
                  "data": "",
                  "headers": {}
                }
              }
            },
            {
              "path": "/catalog/version",
              "method_actions": {
                "GET": {
                  "action": "no_action",
                  "code": 200,
                  "data": "",
                  "headers": {}
                }
              }
            }
          ]
        },
        "global_headers": {
          "X-Forwarded-Host": "localhost:8080"
        },
        "global_headers_remove": [],
        "global_size_limit": 0,
        "override_target": ""
      }
    }
  },
  "uptime_tests": {
    "check_list": [],
    "config": {
      "expire_utime_after": 0,
      "service_discovery": {
        "use_discovery_service": false,
        "query_endpoint": "",
        "use_nested_query": false,
        "parent_data_path": "",
        "data_path": "",
        "port_data_path": "",
        "target_path": "",
        "use_target_list": false,
        "cache_timeout": 0,
        "endpoint_returns_list": false
      },
      "recheck_wait": 0
    }
  },
  "proxy": {
    "preserve_host_header": false,
    "listen_path": "/catalog",
    "target_url": "http://172.18.0.1:9080",
    "strip_listen_path": false,
    "enable_load_balancing": false,
    "target_list": [],
    "check_host_against_uptime_tests": false,
    "service_discovery": {
      "use_discovery_service": false,
      "query_endpoint": "",
      "use_nested_query": false,
      "parent_data_path": "",
      "data_path": "",
      "port_data_path": "",
      "target_path": "",
      "use_target_list": false,
      "cache_timeout": 0,
      "endpoint_returns_list": false
    }
  },
  "disable_rate_limit": false,
  "disable_quota": false,
  "custom_middleware": {
    "pre": [],
    "post": [],
    "post_key_auth": [],
    "auth_check": {
      "name": "",
      "path": "",
      "require_session": false
    },
    "response": [],
    "driver": "",
    "id_extractor": {
      "extract_from": "",
      "extract_with": "",
      "extractor_config": {}
    }
  },
  "custom_middleware_bundle": "",
  "cache_options": {
    "cache_timeout": 0,
    "enable_cache": false,
    "cache_all_safe_requests": false,
    "cache_response_codes": [],
    "enable_upstream_cache_control": false
  },
  "session_lifetime": 0,
  "active": true,
  "auth_provider": {
    "name": "",
    "storage_engine": "",
    "meta": {}
  },
  "session_provider": {
    "name": "",
    "storage_engine": "",
    "meta": null
  },
  "event_handlers": {
    "events": {}
  },
  "enable_batch_request_support": false,
  "enable_ip_whitelisting": false,
  "allowed_ips": [],
  "dont_set_quota_on_create": false,
  "expire_analytics_after": 0,
  "response_processors": [],
  "CORS": {
    "enable": false,
    "allowed_origins": [],
    "allowed_methods": [],
    "allowed_headers": [],
    "exposed_headers": [],
    "allow_credentials": false,
    "max_age": 0,
    "options_passthrough": false,
    "debug": false
  },
  "domain": "",
  "do_not_track": false,
  "tags": [],
  "enable_context_vars": false
}

I think the problem is because you have a white list enabled - you’ll need to add this path to the white list so it gets let through.

Hi Martin,
Thanks, you are right, the problem comes from the white list (I have created the API from a Swagger file).
But now, I have this error:
{
  "error_description": "The authorization grant type is not supported by the authorization server.",
  "error": "unsupported_grant_type"
}

Does Tyk support the OAUTH client credentials flow? Did I miss something?
I made my tests from tyk_quickstart https://github.com/TykTechnologies/tyk_quickstart

Nicolas

Right, I went and looked at the tests for this. There's more data you need in your request, and you also don't need your Tyk secret:

param.Set("grant_type", "client_credentials")
param.Set("client_id", authClientID)
param.Set("client_secret", authClientSecret)

req := testReq(t, "POST", uri, param.Encode())
req.Header.Set("Authorization", "Basic MTIzNDphYWJiY2NkZA==")
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")

The Authorization here is standard OAuth style clientid:secret I believe.

For reference here is the test:

https://github.com/TykTechnologies/tyk/blob/master/oauth_manager_test.go#L316
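An added example, not code from the thread or from Tyk, that assembles the token request Martin describes (form-encoded body, Basic client authentication, no gateway secret) and checks it for the mistakes seen earlier in the thread. The client_id, client_secret and listen path are the ones Nicolas posted; the URL layout `<gateway>/<listen_path>/oauth/token/` is taken from his curl command.

```python
import base64
from urllib.parse import parse_qs, urlencode

# Credentials and paths as posted in this thread (constructed test input).
CLIENT_ID = "a50640e3012f489f668e40d59550d07c"
CLIENT_SECRET = "Y2Y4MmRiNGItNGViMi00MWIxLTdjNzItMTc0NDUzMzI2YzE1"
GATEWAY = "http://localhost:8080"
LISTEN_PATH = "/catalog/"


def basic_auth_header(client_id, client_secret):
    """RFC 6749 client authentication: 'Basic ' + base64(client_id:client_secret)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(gateway, listen_path, client_id, client_secret):
    """Return (url, headers, body) for a client_credentials token request.

    No x-tyk-authorization header: that is the gateway admin secret, which
    Martin notes is not needed for the token endpoint.
    """
    url = gateway.rstrip("/") + "/" + listen_path.strip("/") + "/oauth/token/"
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"grant_type": "client_credentials",
                      "client_id": client_id, "client_secret": client_secret})
    return url, headers, body


def check_token_request(url, headers, body):
    """List the problems from this thread found in a request; empty if none."""
    problems = []
    lower = {k.lower(): v for k, v in headers.items()}
    if "x-tyk-authorization" in lower:
        problems.append("gateway secret sent; not needed for /oauth/token")
    if lower.get("content-type", "").lower() != "application/x-www-form-urlencoded":
        problems.append("body must be form-encoded, not JSON")
    form = parse_qs(body)
    if form.get("grant_type") != ["client_credentials"]:
        problems.append("grant_type must be client_credentials")
    auth = lower.get("authorization", "")
    if not auth.startswith("Basic "):
        problems.append("missing Basic client authentication")
    elif base64.b64decode(auth[6:]).decode("utf-8").split(":", 1)[0] != form.get("client_id", [""])[0]:
        problems.append("Basic header client_id does not match form client_id")
    return problems
```

The Basic value the function produces for the posted credentials is byte-for-byte the one in Nicolas's later curl command, so a header mismatch can be ruled out before looking at client registration.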

Thanks, I am making progress…
But with the right Authorisation and Content-Type headers I have this error:

{"error":"unauthorized_client","error_description":"The client is not authorized to request a token using this method."}

My query:

curl -X POST \
  --url http://localhost:8080/catalog-ssl/oauth/token/ \
  -H 'authorization: Basic YTUwNjQwZTMwMTJmNDg5ZjY2OGU0MGQ1OTU1MGQwN2M6WTJZNE1tUmlOR0l0TkdWaU1pMDBNV0l4TFRkak56SXRNVGMwTkRVek16STJZekUx' \
  -H 'cache-control: no-cache' \
  -H 'content-type: application/x-www-form-urlencoded' \
  --data "client_id=a50640e3012f489f668e40d59550d07c&client_secret=Y2Y4MmRiNGItNGViMi00MWIxLTdjNzItMTc0NDUzMzI2YzE1&grant_type=client_credentials"

Which method / URL should I use?

Nicolas

This error isn't about the method or URL, it's about the client not existing. Is this client registered with the gateway?

I have created the client from the dashboard with the OAUTH Clients button.
Are the dashboard and gateway not synchronized?

Nicolas

I actually think you need to enable the Access Token authorization method too:

"allowed_authorize_types": [
    "token"
],

You can do this in the dashboard in the API Configuration.

No changes when I set this configuration.

And if you add code?

Hi Martin,

I tried with this option and I have the same error.

FYI, we are currently evaluating several API management solutions for deploying our APIs with our partners.
We use OAUTH2 with the client credentials workflow to authorize access to our APIs.
So this feature is really important for us.

Could you give me a sample of an API with the right OAUTH2 configuration?

Thanks

Nicolas

Sure, this is one we use in our tests to check if the credentials flow works:

https://github.com/TykTechnologies/tyk/blob/master/oauth_manager_test.go#L35

Hi Martin, thanks. I have created an API in the dashboard from this Tyk definition:

{
  "api_id": "999999",
  "org_id": "default",
  "name": "Catalogue des applications",
  "auth": { "auth_header_name": "authorization" },
  "use_oauth2": true,
  "oauth_meta": {
    "allowed_access_types": [ "authorization_code", "refresh_token", "client_credentials" ],
    "allowed_authorize_types": [ "code", "token" ],
    "auth_login_redirect": "http://172.18.0.1:9080/login"
  },
  "notifications": {
    "shared_secret": "9878767657654343123434556564444",
    "oauth_on_keychange_url": "http://172.18.0.1:9080/login"
  },
  "version_data": {
    "not_versioned": true,
    "versions": { "Default": { "name": "Default" } }
  },
  "proxy": {
    "listen_path": "/catalog/",
    "target_url": "http://172.18.0.1:9080"
  }
}

And now when I try to retrieve an access token from curl I have this error:
{"error":"server_error","error_description":"The authorization server encountered an unexpected condition that prevented it from fulfilling the request."}

When I inspect the gateway logs I see:

time="Jul 4 09:15:36" level=info msg="Retrieved OAuth client list" apiID=84411f233f07409a40a31e2b69d79c0d status=ok
time="Jul 4 09:16:20" level=info msg="Created OAuth client" apiID=84411f233f07409a40a31e2b69d79c0d clientID=df973d756a4046f44e36d05bb170bebf clientRedirectURI="http://notused/login" status=ok
time="Jul 4 09:16:20" level=info msg="Retrieved OAuth client list" apiID=84411f233f07409a40a31e2b69d79c0d status=ok
time="Jul 4 09:16:23" level=info msg="Retrieved OAuth client ID" apiID=84411f233f07409a40a31e2b69d79c0d client=df973d756a4046f44e36d05bb170bebf status=ok
time="Jul 4 09:19:38" level=info msg="Getting client ID:df973d756a4046f44e36d05bb170bebf"
time="Jul 4 09:19:38" level=info msg="[OAuth] Generating new token"
time="Jul 4 09:19:38" level=error msg="ERROR: Couldn't use policy or key rules to create token, failing"

Any suggestions?

Regards
Nicolas

Have you mapped the Client ID to a policy (you can do this in the dashboard when you create a client ID, select the policy to apply to any key that client generates)?

Alternatively, you need to add a key_rules form parameter to the request which contains a serialised session data object.

Hello @nchapon, I have the same configuration and get the same error. Did you solve this problem?