OAUTH2 flow credentials retrieve access_token

I actually think you need to enable the Access Token authorization method too:

"allowed_authorize_types": [
    "token"
],

You can do this in the dashboard in the API Configuration.

No changes when I set this configuration

And if you add code?

Hi Martin,

I tried with this option and I have the same error.

FYI, we are currently evaluating several API management solutions for deploying our APIs with our partners.
We use OAUTH2 with client credentials workflow to authorize access to our APIs.
So this feature is really important for us.

Could you give me a sample of an API with the right OAUTH2 configuration?

Thanks

Nicolas

Sure, this is one we use in our tests to check if the credentials flow works:

https://github.com/TykTechnologies/tyk/blob/master/oauth_manager_test.go#L35

Hi Martin, thanks. I have created an API in the dashboard from this Tyk definition:

{
  "api_id": "999999",
  "org_id": "default",
  "name": "Catalogue des applications",
  "auth": {
    "auth_header_name": "authorization"
  },
  "use_oauth2": true,
  "oauth_meta": {
    "allowed_access_types": [
      "authorization_code",
      "refresh_token",
      "client_credentials"
    ],
    "allowed_authorize_types": [
      "code",
      "token"
    ],
    "auth_login_redirect": "http://172.18.0.1:9080/login"
  },
  "notifications": {
    "shared_secret": "9878767657654343123434556564444",
    "oauth_on_keychange_url": "http://172.18.0.1:9080/login"
  },
  "version_data": {
    "not_versioned": true,
    "versions": {
      "Default": {
        "name": "Default"
      }
    }
  },
  "proxy": {
    "listen_path": "/catalog/",
    "target_url": "http://172.18.0.1:9080"
  }
}

And now when I try to retrieve an access token from curl I get this error:
{"error":"server_error","error_description":"The authorization server encountered an unexpected condition that prevented it from fulfilling the request."}

When I inspect the gateway logs I see:

time="Jul 4 09:15:36" level=info msg="Retrieved OAuth client list" apiID=84411f233f07409a40a31e2b69d79c0d status=ok
time="Jul 4 09:16:20" level=info msg="Created OAuth client" apiID=84411f233f07409a40a31e2b69d79c0d clientID=df973d756a4046f44e36d05bb170bebf clientRedirectURI="http://notused/login" status=ok
time="Jul 4 09:16:20" level=info msg="Retrieved OAuth client list" apiID=84411f233f07409a40a31e2b69d79c0d status=ok
time="Jul 4 09:16:23" level=info msg="Retrieved OAuth client ID" apiID=84411f233f07409a40a31e2b69d79c0d client=df973d756a4046f44e36d05bb170bebf status=ok
time="Jul 4 09:19:38" level=info msg="Getting client ID:df973d756a4046f44e36d05bb170bebf"
time="Jul 4 09:19:38" level=info msg="[OAuth] Generating new token"
time="Jul 4 09:19:38" level=error msg="ERROR: Couldn't use policy or key rules to create token, failing"

Any suggestions?

Regards
Nicolas

Have you mapped the Client ID to a policy (you can do this in the dashboard when you create a client ID, select the policy to apply to any key that client generates)?

Alternatively, you need to add a key_rules form parameter to the request which contains a serialised session data object.

Hello @nchapon, I have the same configuration and get the same error. Did you solve this problem?

I spent a lot of time testing this feature and I am still blocked…
This feature is really important for us so we have decided to abandon tyk and use another solution.

Nicolas

Hi Nicolas,

We’re sorry to hear that - we never got a response regarding whether you mapped a valid security policy to the client ID that was generated for the OAuth request? In the dashboard, it is this view:

Once this is in place, when the OAuth flow completes the policy is used as the basis for the access credentials of the token that gets generated.

In case anyone else has trouble with OAuth, as we are still updating the documentation on the website, there is a draft of the docs here:

Thanks for the doc @Martin. I followed it and ran into the very same error message, even with a configured policy.

Something I noticed: whatever client secret I use in the Authorization header (the one provided by Tyk or an invalid one), I still get the same error. I tried both on a local environment (docker containers) and on the cloud environment.

Do you have any other ideas?

Another question: when a developer requests a key in the developer portal for an OAuth2 API, what is that key? Is it a client_secret? Is it an access token? How does he use it?

You can’t use OAuth with the developer portal - the portal only supports standard tokens. We are adding proper OAuth support in the next release, so this is where you might be going wrong?

Every step in the doc attached has been manually tested and verified, so we know the calls work…

Can you provide the full curl request that is failing?

Hello Martin and thanks for your support.

I found what I was missing on my side: fill in the Redirect URI field when creating an OAuth client (with a random URL, for example http://example2.com).

This is a bit confusing compared with the documentation, because here is what we can read in the chapter “Tyk, API Gateways and OAuth > How does this work? > Client credentials > Create an OAuth Client”:

“We don’t actually need a redirect URI, but we do need to select the policy we created earlier.”

Hope it can help you @nchapon because I think Tyk is a really cool solution.

Thanks @trameloab and @Martin. I had the same issue and confirm that using a random URL for the Redirect URI helped.

Hello, can I have a curl example of creating an OAuth client with a policy, because I always get the same issue: “ERROR: Couldn’t use policy or key rules to create token, failing”
{"error":"server_error","error_description":"The authorization server encountered an unexpected condition that prevented it from fulfilling the request."}

This is my curl to get a token:
curl -X POST \
  http://localhost:8082/hub/v2/oauth/token/ \
  -H 'authorization: Basic MGFmYjBmYWUzYmZkNDNlZDQ0YzhjYTlkNWFiYWIwN2E6T0dKaU5qVXhZak10WXpObU9DMDBZVFkwTFRZME1HUXRabVZoT1dRMU1qTTBNalk0' \
  -H 'content-type: application/x-www-form-urlencoded' \
  -d 'client_id=0afb0fae3bfd43ed44c8ca9d5abab07a&client_secret=OGJiNjUxYjMtYzNmOC00YTY0LTY0MGQtZmVhOWQ1MjM0MjY4&grant_type=client_credentials'

I added this configuration to tyk.conf to enable policies:
"policies": {
  "policy_source": "file",
  "policy_record_name": "./policies/policies.json"
}

My policies.json contains:
{
  "default": {
    "access_rights": {
      "openApi": {
        "allowed_urls": [],
        "api_id": "openApi",
        "api_name": "moussiApi",
        "versions": [
          "Default"
        ]
      }
    },
    "active": true,
    "name": "default",
    "rate": 100,
    "per": 1,
    "quota_max": 10000,
    "quota_renewal_rate": 3600,
    "tags": ["Startup Users"]
  }
}

My oauth2 app contains:

{
"name": "api_oauth_v2_oauth2",
"api_id": "openApi",
"org_id": "",
"definition": {
    "location": "header",
    "key": "version"
},
"use_oauth2": true,
"oauth_meta": {
    "allowed_access_types": [
        "authorization_code",
        "refresh_token",
        "client_credentials"
    ],
    "allowed_authorize_types": [
        "code",
        "token"
    ],
    "auth_login_redirect": "https://www.dev.docapost.io/dashboard/page/external/client/authorize"
},

"notifications": {
	"shared_secret": "",
	"oauth_on_keychange_url": "http://provisioning:8080/newton-provisioning-web/v1/external/notify"
},

"version_data": {
    "not_versioned": true,
    "versions": {
        "Default": {
            "name": "Default",
            "expires": "3000-01-02 15:04",
            "use_extended_paths": true,
            "extended_paths": {
                "ignored": [],
                "white_list": [
                            {"path":"/users/mobiles/{smartPhoneId}/{pushToken}","method_actions":{"PUT":{"action":"no_action"},"DELETE":{"action":"no_action"}}},                        
                            {"path":"/users","method_actions":{"GET":{"action":"no_action"}}},                        
                            {"path":"/objects/boxnumber/{boxNumber}/serialnumber/{serialNumber}","method_actions":{"PUT":{"action":"no_action"},"GET":{"action":"no_action"},"DELETE":{"action":"no_action"}}},                        
                            {"path":"/objects","method_actions":{"POST":{"action":"no_action"},"GET":{"action":"no_action"}}},                        
                            {"path":"/data/boxnumber/{boxNumber}/serialnumber/{serialNumber}/code/{code}","method_actions":{"GET":{"action":"no_action"},"POST":{"action":"no_action"}}},                        
                            {"path":"/data","method_actions":{"POST":{"action":"no_action"}}},                        
                            {"path":"/shares","method_actions":{"GET":{"action":"no_action"},"POST":{"action":"no_action"},"DELETE":{"action":"no_action"}}},                        
                            {"path":"/subscriptions/preconditions","method_actions":{"GET":{"action":"no_action"}}},                        
                            {"path":"/subscriptions/{id}/suspend","method_actions":{"PUT":{"action":"no_action"}}},                        
                            {"path":"/subscriptions/{id}/configure","method_actions":{"PUT":{"action":"no_action"}}},                        
                            {"path":"/subscriptions/{id}/resume","method_actions":{"PUT":{"action":"no_action"}}},                        
                            {"path":"/subscriptions/{id}/cancel","method_actions":{"PUT":{"action":"no_action"}}},                        
                            {"path":"/subscriptions","method_actions":{"POST":{"action":"no_action"},"GET":{"action":"no_action"}}},                        
                            {"path":"/objectmodels/{id}/partnerUri","method_actions":{"PUT":{"action":"no_action"}}},                        
                            {"path":"/objectmodels","method_actions":{"POST":{"action":"no_action"},"GET":{"action":"no_action"}}},                        
                            {"path":"/action","method_actions":{"POST":{"action":"no_action"}}},                        
                            {"path":"/organizations/repositories","method_actions":{"GET":{"action":"no_action"},"PUT":{"action":"no_action"},"DELETE":{"action":"no_action"}}},                        
                            {"path":"/repositories/{repositoryName}","method_actions":{"GET":{"action":"no_action"},"DELETE":{"action":"no_action"}}},                        
                            {"path":"/repositories","method_actions":{"PUT":{"action":"no_action"}}},                        
                            {"path":"/buckets/boxnumber/{boxNumber}/serialnumber/{serialNumber}/code/{code}","method_actions":{"GET":{"action":"no_action"}}},                        
                            {"path":"/offers","method_actions":{"GET":{"action":"no_action"}}},                        
                            {"path":"/pictures","method_actions":{"GET":{"action":"no_action"}}},                        
                            {"path":"/authentication/two-factor/code/{code}","method_actions":{"PUT":{"action":"no_action"}}},                        
                            {"path":"/authentication/two-factor/code","method_actions":{"POST":{"action":"no_action"}}},                        
                            {"path":"/scripts/{serviceName}/{functionName}","method_actions":{"POST":{"action":"no_action"}}}                        ],
                "black_list": []
            }
        }
    }
},
"proxy": {
    "listen_path": "/hub/v2/",
    "target_url": "http://mediation:8080/mediation-api/v2/",
    "strip_listen_path": true
},

"enable_batch_request_support": false

}

Hello Martin, can you help me solve the error for the OAuth2 client credentials flow when retrieving an access_token? The request is as follows:
curl -X POST http://10.4.2.98:8080/testapi10/oauth/token/ \
  -H 'Authorization: Basic YWRtaW5AZGVmYXVsdC5jb206ZXhjZWwxMjM=' \
  -H 'Content-type: application/x-www-form-urlencoded' \
  -d 'client_id=d8db527d1e764775bf034cfff6c63e21&client_secret=NWNmZjZmNjgtODgxNy00MTg0LTkzNjgtODQ4MWY4ZWFjMzUw&grant_type=client_credentials'
{
"error": "Bearer token malformed"
}

Gateway log:
localhost systemd: Starting Session 70 of user root.
localhost chronyd[603]: Source 193.228.143.14 replaced with 5.79.108.34
localhost systemd: Started Session 71 of user root.
localhost systemd: Starting Session 71 of user root.
localhost systemd: Started Session 72 of user root.
localhost systemd: Starting Session 72 of user root.
localhost systemd: Started Session 73 of user root.
localhost systemd: Starting Session 73 of user root.
localhost dbus[561]: [system] Activating service name='org.freedesktop.problems' (using servicehelper)
localhost dbus[561]: [system] Successfully activated service 'org.freedesktop.problems'
localhost tyk: time="Sep 3 18:55:52" level=info msg="Retrieved OAuth client list" apiID=2732ae415c3944a554fa5daa19b10805 status=ok
localhost tyk: time="Sep 3 18:55:54" level=info msg="Retrieved OAuth client ID" apiID=2732ae415c3944a554fa5daa19b10805 client=d8db527d1e764775bf034cfff6c63e21 status=ok
localhost tyk: time="Sep 3 18:55:54" level=info msg="Retrieved OAuth client ID" apiID=2732ae415c3944a554fa5daa19b10805 client=d8db527d1e764775bf034cfff6c63e21 status=ok
localhost tyk: time="Sep 3 18:56:48" level=info msg="Bearer token malformed" origin=10.4.2.98 path="/testapi10/oauth/token/"
localhost tyk-pump: time="Sep 3 18:56:57" level=info msg="Purging 1 records"
localhost tyk-pump: time="Sep 3 18:56:57" level=info msg="Writing 1 records"

The detailed description of the problem is in this thread: Appear "Bearer token malformed" error for OAuth 2
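As an added example (not code from this thread or from Tyk itself), the script below builds the client-credentials token request that the curl commands in the thread attempt, and pre-checks that the Basic header really encodes client_id:client_secret and agrees with whatever the form body repeats; the listen path and credentials it uses are constructed placeholders.

```python
"""Build and pre-check a client-credentials token request for a Tyk OAuth2 API."""
import base64
from urllib.parse import parse_qs, urlencode


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """RFC 6749 section 2.3.1: Authorization: Basic base64(client_id:client_secret)."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def build_token_request(listen_path: str, client_id: str, client_secret: str):
    """Return (path, headers, body) for the POST to <listen_path>oauth/token/."""
    path = listen_path.rstrip("/") + "/oauth/token/"
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"grant_type": "client_credentials"})
    return path, headers, body


def check_token_request(auth_header: str, body: str) -> str:
    """Return "ok" or the first inconsistency between the Basic header and the form body."""
    scheme, _, b64 = auth_header.partition(" ")
    if scheme != "Basic":
        return "authorization scheme is not Basic"
    try:
        decoded = base64.b64decode(b64, validate=True).decode()
    except ValueError:  # binascii.Error and UnicodeDecodeError both subclass ValueError
        return "Basic credential is not valid base64"
    if ":" not in decoded:
        return "Basic credential lacks the 'client_id:client_secret' separator"
    hdr_id, _, hdr_secret = decoded.partition(":")
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form.get("grant_type") != "client_credentials":
        return "grant_type must be client_credentials"
    if form.get("client_id", hdr_id) != hdr_id:
        return "client_id in body differs from Basic header"
    if form.get("client_secret", hdr_secret) != hdr_secret:
        return "client_secret in body differs from Basic header"
    return "ok"


if __name__ == "__main__":
    # Constructed client credentials, not values issued by any real gateway.
    path, headers, body = build_token_request("/hub/v2/", "example-client-id", "example-secret")
    print("POST", path, headers, body)
    print(check_token_request(headers["Authorization"], body))
```

Running the check against a Basic header built from a dashboard login instead of the client_id:client_secret pair reports the mismatch before any request is sent.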