Openid connect - authorization header did not have the correct format

Hi, I am trying to use my own OpenID provider with Tyk, but my API calls are not even hitting my server, or even the webhook. The following error is found in the logs:

JWT Invalid: Validation error. The 'Authorization' header did not have the correct format.

I have an authorization defined as the key, which I have created for the API. Could you please help me with this? I have been struggling with this for a very long time.

Hi Suresh,

Could you please confirm as to whether the Bearer token was used as the value of the Authorization header? If so, could you please provide the API call that was sent?

Kind regards,

Jess @ Tyk

The Authorization header is the one with the API key I have created.

I basically don't understand what header information I have to pass.

My requirement is simple: I have my own OIDC provider.

  1. If browser (userinfo) -> Tyk gateway -> OIDC (userinfo), then
  2. OIDC (403) -> Tyk gateway -> webhooks -> OIDC login page
  3. OIDC login page (valid) -> Tyk gateway -> proceed with the first step

This is what I want to do, but the gateway is producing the error below:

[Dec 22 18:34:53]  WARN openid: JWT Invalid: Validation error. The 'Authorization' header did not have the correct format.
[Dec 22 18:34:53]  WARN openid: Attempted access with invalid key. key=[JWT]
[Dec 22 18:34:53] ERROR gateway: request error: Key not authorised api_id

Hi Suresh,

When sending an API request with a JWT, you need to include the Bearer token in the Authorization key, like so:

Authorization: Bearer {token}

This page briefly mentions the format the header should take as well as further details regarding Bearer Token and this link contains information on the use of JWT in Tyk.

Please let me know if that helps at all or if you still have questions. If you run into trouble generating this API call, please bear in mind that we may need to see the API call that was sent in order to troubleshoot the matter.

Kind regards,
Jess @ Tyk

Thanks for the response,
I'm able to proxy when I choose Auth as my authentication mode. The problem is when I select OpenID Connect as my authentication mode: the gateway rejects my request as mentioned above, and I have no idea what the headers should be in this case. Below is my API definition:

  {
    "id": "585a51424fa8504b59fca776",
    "name": "test",
    "slug": "test",
    "api_id": "4d6312b6dadb440e5e8b5ac7c872cd25",
    "org_id": "5856699b4fa8500695bf03c0",
    "use_keyless": false,
    "use_oauth2": false,
    "use_openid": true,
    "openid_options": {
      "providers": [
        {
          "issuer": "http://localhost:3000/op",
          "client_ids": {
            "b2lkY0NMSUVOVA==": "585671204fa8500695bf03c2"
          }
        }
      ],
      "segregate_by_client": false
    },
    "oauth_meta": {
      "allowed_access_types": [],
      "allowed_authorize_types": [],
      "auth_login_redirect": ""
    },
    "auth": {
      "use_param": false,
      "param_name": "",
      "use_cookie": false,
      "cookie_name": "",
      "auth_header_name": ""
    },
    "use_basic_auth": false,
    "enable_jwt": false,
    "use_standard_auth": false,
    "enable_coprocess_auth": false,
    "jwt_signing_method": "",
    "jwt_source": "",
    "jwt_identity_base_field": "",
    "jwt_client_base_field": "",
    "jwt_policy_field_name": "",
    "notifications": {
      "shared_secret": "",
      "oauth_on_keychange_url": ""
    },
    "enable_signature_checking": false,
    "hmac_allowed_clock_skew": -1,
    "base_identity_provided_by": "",
    "definition": {
      "location": "header",
      "key": "x-api-version"
    },
    "version_data": {
      "not_versioned": true,
      "versions": {
        "Default": {
          "name": "Default",
          "expires": "",
          "paths": {
            "ignored": [],
            "white_list": [],
            "black_list": []
          },
          "use_extended_paths": true,
          "extended_paths": {},
          "global_headers": {},
          "global_headers_remove": [],
          "global_size_limit": 0,
          "override_target": ""
        }
      }
    },
    "uptime_tests": {
      "check_list": [],
      "config": {
        "expire_utime_after": 0,
        "service_discovery": {
          "use_discovery_service": false,
          "query_endpoint": "",
          "use_nested_query": false,
          "parent_data_path": "",
          "data_path": "",
          "port_data_path": "",
          "target_path": "",
          "use_target_list": false,
          "cache_timeout": 60,
          "endpoint_returns_list": false
        },
        "recheck_wait": 0
      }
    },
    "proxy": {
      "preserve_host_header": false,
      "listen_path": "/test/",
      "target_url": "http://httpbin.org/",
      "strip_listen_path": true,
      "enable_load_balancing": false,
      "target_list": [],
      "check_host_against_uptime_tests": false,
      "service_discovery": {
        "use_discovery_service": false,
        "query_endpoint": "",
        "use_nested_query": false,
        "parent_data_path": "",
        "data_path": "hostname",
        "port_data_path": "port",
        "target_path": "/api-slug",
        "use_target_list": false,
        "cache_timeout": 60,
        "endpoint_returns_list": false
      }
    },
    "disable_rate_limit": false,
    "disable_quota": false,
    "custom_middleware": {
      "pre": [],
      "post": [],
      "post_key_auth": [],
      "auth_check": {
        "name": "",
        "path": "",
        "require_session": false
      },
      "response": [],
      "driver": "",
      "id_extractor": {
        "extract_from": "",
        "extract_with": "",
        "extractor_config": {}
      }
    },
    "custom_middleware_bundle": "",
    "cache_options": {
      "cache_timeout": 60,
      "enable_cache": true,
      "cache_all_safe_requests": false,
      "cache_response_codes": [],
      "enable_upstream_cache_control": false
    },
    "session_lifetime": 0,
    "active": true,
    "auth_provider": {
      "name": "",
      "storage_engine": "",
      "meta": {}
    },
    "session_provider": {
      "name": "",
      "storage_engine": "",
      "meta": null
    },
    "event_handlers": {
      "events": {
        "AuthFailure": [
          {
            "handler_name": "eh_web_hook_handler",
            "handler_meta": {
              "_id": "585bb4344fa8504b59fca777",
              "event_timeout": 60,
              "header_map": {
                "client_id": "oidcCLIENT",
                "scope": "openid email"
              },
              "method": "GET",
              "name": "call to the auth server",
              "org_id": "5856699b4fa8500695bf03c0",
              "target_path": "http://localhost:3000/op/auth/",
              "template_path": ""
            }
          }
        ]
      }
    },
    "enable_batch_request_support": false,
    "enable_ip_whitelisting": false,
    "allowed_ips": [],
    "dont_set_quota_on_create": false,
    "expire_analytics_after": 0,
    "response_processors": [],
    "CORS": {
      "enable": false,
      "allowed_origins": [],
      "allowed_methods": [],
      "allowed_headers": [],
      "exposed_headers": [],
      "allow_credentials": false,
      "max_age": 24,
      "options_passthrough": false,
      "debug": false
    },
    "domain": "localhost:8383",
    "do_not_track": false,
    "tags": [],
    "enable_context_vars": false
  }

Hi Suresh,

I think the API call sent would probably be more helpful than the API definition itself, as the request you made would include the header which seems to have caused the issue (the API definition would only form the body of the request made).

In any case, Tyk expects the client to send its OpenID token as an Authorization bearer token (as stated earlier) and so will not be able to validate an OAuth token generated by an OIDC Identity Provider. Instead, it needs the ID token, which is essentially the JWT.

Kind regards,

Jess @ Tyk
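Two points in the replies above decide whether the gateway accepts the request: the header must read `Authorization: Bearer {token}`, and the token must be the OIDC ID token (a JWT) rather than an API key or an opaque OAuth access token. The script below is an added example, not Tyk's code and not posted by anyone in the thread; it reconstructs those checks as a client-side diagnostic you can run against a header value before sending it. It reuses the `openid_options` from the API definition posted above (the `client_ids` key `b2lkY0NMSUVOVA==` is base64 for `oidcCLIENT`, the same client ID that appears in the webhook `header_map`), and builds a constructed HS256-signed ID token with a made-up secret purely so the example is self-contained. The function names, the secret and the sample claims are assumptions of this example; a real provider normally signs with RS256 and the gateway fetches the issuer's public key, which this script does not do.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed excerpt of the openid_options from the API definition posted in the thread.
# Tyk keys client_ids by the base64-encoded client ID; "b2lkY0NMSUVOVA==" decodes to "oidcCLIENT".
OPENID_PROVIDERS = [
    {
        "issuer": "http://localhost:3000/op",
        "client_ids": {"b2lkY0NMSUVOVA==": "585671204fa8500695bf03c2"},
    }
]


def _b64url_decode(segment):
    # JWT segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def parse_bearer(header_value):
    """Return the token from 'Authorization: Bearer <token>', or None if the header is malformed.

    A bare API key, a 'Basic' credential or an empty token all fail here, which is the
    condition behind the "did not have the correct format" log line.
    """
    if not header_value:
        return None
    parts = header_value.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer" or not parts[1].strip():
        return None
    return parts[1].strip()


def decode_jwt(token):
    """Split a compact JWS into (header, claims, signing_input, signature) WITHOUT verifying it."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
        signature = _b64url_decode(parts[2])
    except (ValueError, binascii.Error):  # not base64, not UTF-8 or not JSON
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict) or "alg" not in header:
        return None
    return header, claims, (parts[0] + "." + parts[1]).encode("ascii"), signature


def policy_for_token(claims, providers=OPENID_PROVIDERS):
    """Map the token's iss/aud onto the policy ID configured under client_ids, or None."""
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    for provider in providers:
        if claims.get("iss") != provider["issuer"]:
            continue
        for encoded_client, policy_id in provider["client_ids"].items():
            if base64.b64decode(encoded_client).decode("utf-8") in audiences:
                return policy_id
    return None


def check_authorization(header_value, providers=OPENID_PROVIDERS):
    """Diagnostic reconstruction of the gateway's checks. Returns (ok, detail)."""
    token = parse_bearer(header_value)
    if token is None:
        return False, "The 'Authorization' header did not have the correct format (expected 'Bearer <token>')"
    decoded = decode_jwt(token)
    if decoded is None:
        return False, "token is not a JWT: an API key or opaque OAuth access token will be rejected"
    _, claims, _, _ = decoded
    policy_id = policy_for_token(claims, providers)
    if policy_id is None:
        return False, "iss/aud do not match any configured provider and client_id"
    return True, policy_id


def verify_hs256(token, secret):
    """Signature check for the constructed HS256 token; illustrates the step a gateway
    performs with the provider's key before trusting any claim."""
    decoded = decode_jwt(token)
    if decoded is None:
        return False
    header, _, signing_input, signature = decoded
    if header.get("alg") != "HS256":  # never let the token choose an unexpected algorithm
        return False
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def make_sample_id_token(secret, issuer="http://localhost:3000/op", audience="oidcCLIENT"):
    """Build a constructed ID token carrying the iss/aud the posted API definition expects."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64url_encode(json.dumps({"iss": issuer, "aud": audience, "sub": "user-1"}).encode())
    signing_input = (header + "." + claims).encode("ascii")
    sig = _b64url_encode(hmac.new(secret, signing_input, hashlib.sha256).digest())
    return header + "." + claims + "." + sig


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # assumption for the demo only
    token = make_sample_id_token(secret)
    print(check_authorization("Bearer " + token))            # accepted, mapped to the policy ID
    print(check_authorization("585671204fa8500695bf03c2"))   # bare API key: wrong header format
    print(check_authorization("Bearer opaque-access-token"))  # not a JWT: rejected
    print(verify_hs256(token, secret))
```

Running it with the bare key value reproduces the first warning from the thread's log, and running it with an opaque access token shows why an OAuth token from the provider is rejected even when the Bearer format is right.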

Thanks for the response, Tyk is able to proxy to my API, tons of thanks.