OAUTH2 flow credentials retrieve access_token

I spent a lot of time testing this feature and I am still blocked…
This feature is really important for us, so we have decided to abandon Tyk and use another solution.

Nicolas

Hi Nicolas,

We’re sorry to hear that. We never got a response on whether you mapped a valid security policy to the client ID that was generated for the OAuth request. In the dashboard, it is this view:

Once this is in place, when the OAuth flow completes the policy is used as the basis for the access credentials of the token that gets generated.

In case anyone else has trouble with OAuth, as we are still updating the documentation on the website, there is a draft of the docs here:

Thanks for the doc @Martin. I followed it and ran into the very same error message, even with a configured policy.

Something I noticed: whatever client secret I use in the Authorization header (the one provided by Tyk or an invalid one), I still get the same error. I tried both on a local environment (Docker containers) and on a cloud environment.

Do you have any other ideas?

Another question: when a developer requests a key in the developer portal for an OAuth2 API, what is that key? Is it a client_secret? Is it an access token? How does he use it?

You can’t use OAuth with the developer portal - the portal only supports standard tokens. We are adding proper OAuth support in the next release, so this is where you might be going wrong?

Every step in the doc attached has been manually tested and verified, so we know the calls work…

Can you provide the full curl request that is failing?

Hello Martin and thanks for your support.

I found what I was missing on my side: filling in the Redirect URI field when creating an OAuth client (with a random URL, for example http://example2.com).

This is a bit confusing given the documentation, because here is what we can read in the chapter “Tyk, API Gateways and OAuth > How does this work? > Client credentials > Create an OAuth Client”:

“We don’t actually need a redirect URI, but we do need to select the policy we created earlier.”

Hope it can help you @nchapon because I think Tyk is a really cool solution.

Thanks @trameloab and @Martin. I had the same issue and confirm that using a random URL for the Redirect URI helped.
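The fix described above (create the OAuth client with a policy bound to it and a non-empty redirect URI) and the client_credentials exchange that follows, as an added Python example; this is not code from the thread or from Tyk. It assumes a gateway at http://localhost:8082 and a placeholder Gateway API secret, the api_id "openApi", the policy name "default" and the redirect URI http://example2.com that appear in this thread, and that the client is registered with POST /tyk/oauth/clients/create carrying an x-tyk-authorization header and a JSON body of api_id, policy_id and redirect_uri, as in the Tyk Gateway REST API (verify the path and the response field names against your gateway version). The consistency check decodes the Basic header back into a client_id/client_secret pair and compares it with the form body, which is the first thing to verify when, as reported above, changing the secret makes no difference to the error.

```python
"""Added example, not code from this thread or from Tyk: build the two HTTP calls
the thread is about, registering an OAuth client and exchanging its credentials
for a token, and sanity-check them before sending.

Assumptions (not established by the thread): GATEWAY and GATEWAY_SECRET are
placeholders for your gateway URL and its tyk.conf "secret"; the create-client
call is POST /tyk/oauth/clients/create with an x-tyk-authorization header and a
JSON body of api_id, policy_id and redirect_uri, as in the Tyk Gateway REST
API (verify the path and response field names against your gateway version)."""
import base64
import binascii
import json
from typing import Optional, Tuple
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlencode
from urllib.request import Request, urlopen

GATEWAY = "http://localhost:8082"                # placeholder gateway base URL
GATEWAY_SECRET = "replace-with-tyk-conf-secret"  # placeholder Gateway API secret


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """RFC 6749 section 2.3.1 client authentication: Basic base64(client_id:client_secret)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic(header: str) -> Optional[Tuple[str, str]]:
    """Inverse of basic_auth_header; None when the header is not well-formed Basic auth."""
    scheme, _, b64 = header.partition(" ")
    if scheme != "Basic" or not b64:
        return None
    try:
        decoded = base64.b64decode(b64, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def build_create_client_request(api_id: str, policy_id: str, redirect_uri: str):
    """Gateway API call that registers an OAuth client bound to a policy.

    Refuses the two omissions the thread identified: a client with no policy
    (the policy is the basis of the token's access rights) and an empty
    redirect URI (which broke the client_credentials exchange for two posters).
    """
    if not policy_id:
        raise ValueError("policy_id is required: the token's access rights come from it")
    if not redirect_uri:
        raise ValueError("redirect_uri must be set even for client_credentials")
    url = GATEWAY + "/tyk/oauth/clients/create"
    headers = {"x-tyk-authorization": GATEWAY_SECRET, "Content-Type": "application/json"}
    body = json.dumps({"api_id": api_id, "policy_id": policy_id, "redirect_uri": redirect_uri})
    return url, headers, body


def build_token_request(listen_path: str, client_id: str, client_secret: str):
    """client_credentials grant against the API's own /oauth/token/ endpoint."""
    url = GATEWAY + "/" + listen_path.strip("/") + "/oauth/token/"
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"grant_type": "client_credentials",
                      "client_id": client_id, "client_secret": client_secret})
    return url, headers, body


def credentials_consistent(headers: dict, body: str) -> bool:
    """True when the Basic header decodes to the same client_id/secret as the form body.

    When changing the secret makes no difference to the error, check this first:
    a header that encodes some other account, or a secret that does not belong
    to the client_id, is indistinguishable from a bad secret in the response."""
    creds = decode_basic(headers.get("Authorization", ""))
    if creds is None:
        return False
    form = parse_qs(body)
    return creds == (form.get("client_id", [""])[0], form.get("client_secret", [""])[0])


def send(url: str, headers: dict, body: str) -> dict:
    """POST and return the JSON body; Tyk's OAuth error responses are JSON as well."""
    req = Request(url, data=body.encode("utf-8"), headers=headers, method="POST")
    try:
        with urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except HTTPError as err:
        return json.load(err)


if __name__ == "__main__":
    # api_id, policy name and redirect URI are the values used in this thread.
    url, headers, body = build_create_client_request("openApi", "default", "http://example2.com")
    client = send(url, headers, body)           # expects "client_id" and "secret" in the reply
    url, headers, body = build_token_request("/hub/v2/", client["client_id"], client["secret"])
    if not credentials_consistent(headers, body):
        raise SystemExit("Authorization header and form body disagree")
    print(send(url, headers, body))             # access_token / token_type / expires_in, or an error
```

Run it against a gateway with the placeholders replaced; the header the script builds for the client_id and client_secret of the curl command posted later in this thread is byte-for-byte the Basic value used there, so the builder can also be used to check a hand-written header.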

Hello, can I have a curl example of creating an OAuth client with a policy, because I always get the same issue: "ERROR: Couldn't use policy or key rules to create token, failing"
{"error":"server_error","error_description":"The authorization server encountered an unexpected condition that prevented it from fulfilling the request."}


This is my curl to get a token:
curl -X POST \
  http://localhost:8082/hub/v2/oauth/token/ \
  -H 'authorization: Basic MGFmYjBmYWUzYmZkNDNlZDQ0YzhjYTlkNWFiYWIwN2E6T0dKaU5qVXhZak10WXpObU9DMDBZVFkwTFRZME1HUXRabVZoT1dRMU1qTTBNalk0' \
  -H 'content-type: application/x-www-form-urlencoded' \
  -d 'client_id=0afb0fae3bfd43ed44c8ca9d5abab07a&client_secret=OGJiNjUxYjMtYzNmOC00YTY0LTY0MGQtZmVhOWQ1MjM0MjY4&grant_type=client_credentials'

I added this conf to tyk.conf to enable policies:
"policies": {
  "policy_source": "file",
  "policy_record_name": "./policies/policies.json"
}

My policies.json contains:
{
  "default": {
    "access_rights": {
      "openApi": {
        "allowed_urls": [],
        "api_id": "openApi",
        "api_name": "moussiApi",
        "versions": [
          "Default"
        ]
      }
    },
    "active": true,
    "name": "default",
    "rate": 100,
    "per": 1,
    "quota_max": 10000,
    "quota_renewal_rate": 3600,
    "tags": ["Startup Users"]
  }
}

My OAuth2 app contains:

{
  "name": "api_oauth_v2_oauth2",
  "api_id": "openApi",
  "org_id": "",
  "definition": {
    "location": "header",
    "key": "version"
  },
  "use_oauth2": true,
  "oauth_meta": {
    "allowed_access_types": [
      "authorization_code",
      "refresh_token",
      "client_credentials"
    ],
    "allowed_authorize_types": [
      "code",
      "token"
    ],
    "auth_login_redirect": "https://www.dev.docapost.io/dashboard/page/external/client/authorize"
  },
  "notifications": {
    "shared_secret": "",
    "oauth_on_keychange_url": "http://provisioning:8080/newton-provisioning-web/v1/external/notify"
  },
  "version_data": {
    "not_versioned": true,
    "versions": {
      "Default": {
        "name": "Default",
        "expires": "3000-01-02 15:04",
        "use_extended_paths": true,
        "extended_paths": {
          "ignored": [],
          "white_list": [
            {"path":"/users/mobiles/{smartPhoneId}/{pushToken}","method_actions":{"PUT":{"action":"no_action"},"DELETE":{"action":"no_action"}}},
            {"path":"/users","method_actions":{"GET":{"action":"no_action"}}},
            {"path":"/objects/boxnumber/{boxNumber}/serialnumber/{serialNumber}","method_actions":{"PUT":{"action":"no_action"},"GET":{"action":"no_action"},"DELETE":{"action":"no_action"}}},
            {"path":"/objects","method_actions":{"POST":{"action":"no_action"},"GET":{"action":"no_action"}}},
            {"path":"/data/boxnumber/{boxNumber}/serialnumber/{serialNumber}/code/{code}","method_actions":{"GET":{"action":"no_action"},"POST":{"action":"no_action"}}},
            {"path":"/data","method_actions":{"POST":{"action":"no_action"}}},
            {"path":"/shares","method_actions":{"GET":{"action":"no_action"},"POST":{"action":"no_action"},"DELETE":{"action":"no_action"}}},
            {"path":"/subscriptions/preconditions","method_actions":{"GET":{"action":"no_action"}}},
            {"path":"/subscriptions/{id}/suspend","method_actions":{"PUT":{"action":"no_action"}}},
            {"path":"/subscriptions/{id}/configure","method_actions":{"PUT":{"action":"no_action"}}},
            {"path":"/subscriptions/{id}/resume","method_actions":{"PUT":{"action":"no_action"}}},
            {"path":"/subscriptions/{id}/cancel","method_actions":{"PUT":{"action":"no_action"}}},
            {"path":"/subscriptions","method_actions":{"POST":{"action":"no_action"},"GET":{"action":"no_action"}}},
            {"path":"/objectmodels/{id}/partnerUri","method_actions":{"PUT":{"action":"no_action"}}},
            {"path":"/objectmodels","method_actions":{"POST":{"action":"no_action"},"GET":{"action":"no_action"}}},
            {"path":"/action","method_actions":{"POST":{"action":"no_action"}}},
            {"path":"/organizations/repositories","method_actions":{"GET":{"action":"no_action"},"PUT":{"action":"no_action"},"DELETE":{"action":"no_action"}}},
            {"path":"/repositories/{repositoryName}","method_actions":{"GET":{"action":"no_action"},"DELETE":{"action":"no_action"}}},
            {"path":"/repositories","method_actions":{"PUT":{"action":"no_action"}}},
            {"path":"/buckets/boxnumber/{boxNumber}/serialnumber/{serialNumber}/code/{code}","method_actions":{"GET":{"action":"no_action"}}},
            {"path":"/offers","method_actions":{"GET":{"action":"no_action"}}},
            {"path":"/pictures","method_actions":{"GET":{"action":"no_action"}}},
            {"path":"/authentication/two-factor/code/{code}","method_actions":{"PUT":{"action":"no_action"}}},
            {"path":"/authentication/two-factor/code","method_actions":{"POST":{"action":"no_action"}}},
            {"path":"/scripts/{serviceName}/{functionName}","method_actions":{"POST":{"action":"no_action"}}}
          ],
          "black_list": []
        }
      }
    }
  },
  "proxy": {
    "listen_path": "/hub/v2/",
    "target_url": "http://mediation:8080/mediation-api/v2/",
    "strip_listen_path": true
  },
  "enable_batch_request_support": false
}
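An offline cross-check of the posted policies.json against the posted API definition, as an added Python example that is not code from the thread or from Tyk. It checks the things this thread says the token endpoint depends on: that the policy named when the client was created exists and is active, that its access_rights entry is keyed by the API's api_id and lists a version the API actually defines, and that the grant being requested is in the API's allowed_access_types. It is a structural check of the two JSON files only; Tyk's own validation may look at more, and a clean result here does not by itself explain the "Couldn't use policy or key rules to create token" error. The sample inputs are the files posted above, trimmed to the fields the check reads.

```python
"""Added example, not from this thread or from Tyk: cross-check a file-based
policy against an API definition for a given OAuth2 grant type. Structural check
only; the samples below are trimmed copies of the JSON posted in the thread."""
import json

# Constructed from the posted policies.json (fields the check does not read are dropped).
POLICIES_JSON = json.loads("""{
  "default": {
    "access_rights": {
      "openApi": {"allowed_urls": [], "api_id": "openApi",
                  "api_name": "moussiApi", "versions": ["Default"]}
    },
    "active": true, "name": "default",
    "rate": 100, "per": 1, "quota_max": 10000, "quota_renewal_rate": 3600
  }
}""")

# Constructed from the posted API definition, likewise trimmed.
API_DEF = json.loads("""{
  "api_id": "openApi",
  "use_oauth2": true,
  "oauth_meta": {
    "allowed_access_types": ["authorization_code", "refresh_token", "client_credentials"],
    "allowed_authorize_types": ["code", "token"]
  },
  "version_data": {"not_versioned": true, "versions": {"Default": {"name": "Default"}}}
}""")


def check_policy_for_grant(policies: dict, policy_id: str, api_def: dict,
                           grant_type: str = "client_credentials") -> list:
    """Return a list of problems; an empty list means nothing structural stops the
    policy from backing a token for this API and grant type."""
    problems = []
    policy = policies.get(policy_id)
    if policy is None:
        # For file-based policies the policy_id is the top-level key in the file.
        return [f"policy {policy_id!r} not found in policy file"]
    if not policy.get("active", False):
        problems.append(f"policy {policy_id!r} is not active")
    api_id = api_def["api_id"]
    if not api_def.get("use_oauth2"):
        problems.append(f"API {api_id!r} does not have use_oauth2 enabled")
    allowed = api_def.get("oauth_meta", {}).get("allowed_access_types", [])
    if grant_type not in allowed:
        problems.append(f"grant {grant_type!r} not in allowed_access_types {allowed}")
    entry = policy.get("access_rights", {}).get(api_id)
    if entry is None:
        problems.append(f"policy has no access_rights entry keyed by api_id {api_id!r}")
        return problems
    if entry.get("api_id") != api_id:
        problems.append(f"access_rights key is {api_id!r} but the entry's api_id is {entry.get('api_id')!r}")
    defined = set(api_def["version_data"]["versions"])
    granted = entry.get("versions", [])
    unknown = [v for v in granted if v not in defined]
    if unknown:
        problems.append(f"policy grants versions {unknown} that the API does not define ({sorted(defined)})")
    if not granted:
        problems.append("policy grants no versions of the API")
    return problems


if __name__ == "__main__":
    # The posted files agree with each other; expect an empty list here.
    print(check_policy_for_grant(POLICIES_JSON, "default", API_DEF))
    # A policy that names a different API would be reported.
    wrong = {"default": dict(POLICIES_JSON["default"],
                             access_rights={"otherApi": {"api_id": "otherApi", "versions": ["Default"]}})}
    print(check_policy_for_grant(wrong, "default", API_DEF))
```

To use it on real files, replace the two constructed samples with json.load of policies.json and of the API definition, and pass the policy_id that was given when the OAuth client was created.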

Hello, Martin. Can you help me solve the error in the OAuth2 client credentials flow when retrieving an access_token? The request is as follows:
curl -X POST http://10.4.2.98:8080/testapi10/oauth/token/ \
  -H 'Authorization: Basic YWRtaW5AZGVmYXVsdC5jb206ZXhjZWwxMjM=' \
  -H 'Content-type: application/x-www-form-urlencoded' \
  -d 'client_id=d8db527d1e764775bf034cfff6c63e21&client_secret=NWNmZjZmNjgtODgxNy00MTg0LTkzNjgtODQ4MWY4ZWFjMzUw&grant_type=client_credentials'
{
  "error": "Bearer token malformed"
}

Gateway log:
localhost systemd: Starting Session 70 of user root.
localhost chronyd[603]: Source 193.228.143.14 replaced with 5.79.108.34
localhost systemd: Started Session 71 of user root.
localhost systemd: Starting Session 71 of user root.
localhost systemd: Started Session 72 of user root.
localhost systemd: Starting Session 72 of user root.
localhost systemd: Started Session 73 of user root.
localhost systemd: Starting Session 73 of user root.
localhost dbus[561]: [system] Activating service name=‘org.freedesktop.problems’ (using servicehelper)
localhost dbus[561]: [system] Successfully activated service ‘org.freedesktop.problems’
localhost tyk: time="Sep 3 18:55:52" level=info msg="Retrieved OAuth client list" apiID=2732ae415c3944a554fa5daa19b10805 status=ok
localhost tyk: time="Sep 3 18:55:54" level=info msg="Retrieved OAuth client ID" apiID=2732ae415c3944a554fa5daa19b10805 client=d8db527d1e764775bf034cfff6c63e21 status=ok
localhost tyk: time="Sep 3 18:55:54" level=info msg="Retrieved OAuth client ID" apiID=2732ae415c3944a554fa5daa19b10805 client=d8db527d1e764775bf034cfff6c63e21 status=ok
localhost tyk: time="Sep 3 18:56:48" level=info msg="Bearer token malformed" origin=10.4.2.98 path="/testapi10/oauth/token/"
localhost tyk-pump: time="Sep 3 18:56:57" level=info msg="Purging 1 records"
localhost tyk-pump: time="Sep 3 18:56:57" level=info msg="Writing 1 records"

The detailed problem description is in the following thread: Appear "Bearer token malformed" error for OAuth 2