OpenId Connect Configuration in Tyk Open-Source

lucassf · July 28, 2021, 1:22pm

Hello

I was trying to integrate Tyk and Azure AD to secure my API and got this in Tyk Cloud. However, now I’m trying to do the same configuration I did there in Tyk Open-Source and I don’t know what’s missing. Here’s my Tyk Cloud configuration:

Created an API.
(images 1.png and 2.png)
Configurated the OpenId Connect (issuer, client id and policy) in authentication section.
(image 3.png)
Enabled CORS.
(image 4.png)
Created a policy for the created API.
(images 5.png and 6.png)
Defined the name and the key expiration time for the policy.
(image 7.png)

In Tyk Gateway (Open-Source), I cloned the Github project from GitHub - TykTechnologies/tyk-gateway-docker: Docker compose deployment to run Tyk OSS Gateway. I created a keyless API and everything worked fine. Then, I tried to configure the OpenID Connect, using the configurations below:
// tyk-gateway/apps/a888d8c162964271492fcfb90ce00766.json
(file api.json)
// tyk-gateway/policies/polices.json
(file policy.json)
I also added the policies to the volumes in the docker-compose.yml (I don’t know if it’s necessary) and deleted all the files I was not using, the tyk.conf is the tyk.standalone.conf from Github (everything still worked with the keyless API).
(image tyk-gateway.png)
What am I missing? I need to create a key? I would appreciate if someone could help me.

All the files and images are in the following drive: https://drive.google.com/drive/folders/1-Gxavr_QDsqS-1PUhx8jmFyzRQ84-N7r?usp=sharing

Olu · July 28, 2021, 2:25pm

Hi

Are you getting any specific error message? If not then could you check and share the gateway logs?

lucassf · July 28, 2021, 2:55pm

Hi

I am getting this when I send a request:

tyk-gateway_1  | time="Jul 28 04:24:44" level=warning msg="JWT Invalid" api_id=a888d8c162964271492fcfb90ce00766 api_name="WEB API" error="Validation error. Jwt token validation failed." mw=OpenIDMW org_id=60f08cb4b4c0be0001a87762 origin=172.20.0.1 path="/web-api/navigation"
tyk-gateway_1  | time="Jul 28 04:24:44" level=warning msg="Attempted access with invalid key." api_id=a888d8c162964271492fcfb90ce00766 api_name="WEB API" key="****JWT]" mw=OpenIDMW org_id=60f08cb4b4c0be0001a87762 origin=172.20.0.1 path="/web-api/navigation"

My request:

lucassf · July 28, 2021, 3:00pm

Request to Tyk Cloud using the same token:

Olu · July 28, 2021, 4:46pm

As long as it is the same token it should work. Could you PM me the bearer token to verify a few things?

lucassf · July 28, 2021, 5:25pm

Did you delete the message with the token or was it not sent?

Anyway, here’s the token again:

eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Im5PbzNaRHJPRFhFSzFqS1doWHNsSFJfS1hFZyJ9.eyJhdWQiOiI5YjMxOTJhMi04MzU3LTQzZmMtYTMwYy0yY2ZhYWEzMGIwOGEiLCJpc3MiOiJodHRwczovL2xvZ2luLm1pY3Jvc29mdG9ubGluZS5jb20vMzIyZDdkYTgtM2MyOS00YzQ2LWIzZWItYTA2NjExMjM5YzJhL3YyLjAiLCJpYXQiOjE2Mjc0OTI2MDMsIm5iZiI6MTYyNzQ5MjYwMywiZXhwIjoxNjI3NDk2NTAzLCJhaW8iOiJBV1FBbS84VEFBQUFwaERCVEowY2tWVlFhL0lMMFQ0MjBFRnRpSkg4dVptclkzeDhmMWliNm96VmhSVzJWSlFXNTJpUnh2dDFHKytJRDQwWnVEdWZBUndzQ0VIN0JhREE2ajNvQzZ0QXJKUE1GZTNLRzh6SHFndEExLzQ4V0lCejFpbUVxQjU2Y0V4TiIsImF6cCI6ImQ0MDM5OTRkLWE5NTgtNDVkZi05ZmM5LTYyNDhiYTRkNjA0OCIsImF6cGFjciI6IjAiLCJpZHAiOiJsaXZlLmNvbSIsIm5hbWUiOiJhZG0uY29tcGFzc28udW9sIiwib2lkIjoiNDdlYmQ0OTItODA2Zi00YTJmLWJlZjktNWY2ZDI4OWU2Zjc5IiwicHJlZmVycmVkX3VzZXJuYW1lIjoiYWRtLmNvbXBhc3NvLnVvbEBnbWFpbC5jb20iLCJyaCI6IjAuQVh3QXFIMHRNaWs4Umt5ejY2Qm1FU09jS2syWkE5UllxZDlGbjhsaVNMcE5ZRWg4QU9vLiIsInNjcCI6ImFjY2Vzc19hc191c2VyIiwic3ViIjoiblM4WUF4MUV5QlNOUldjb2ExbWNKbnl3Z0ttN3BMVEFVZTdUTVNCajlrcyIsInRpZCI6IjMyMmQ3ZGE4LTNjMjktNGM0Ni1iM2ViLWEwNjYxMTIzOWMyYSIsInV0aSI6ImdOV2FISVZmaFVpckowZThMdlZhQUEiLCJ2ZXIiOiIyLjAifQ.MNpBgqLQUxDcDk0vGLtscCqsAwufsZDoHIOfs7TXZ6naVnIcbm799kQs_-h-bHDSLcbcIDMbMYLNFQONUsbY7fvQlXIa98nKmIlF7zefW2MADlt-9mfL2cuKFF1OFqsndT4ZLOD8xG0u_ncpcHZoJEbCMrSerqR_hW9HgGVxy78dylmncRvVn5_vcjcuWG5rPF4I-NS3RFZjLG5va5JFI3M41eEvbFbyvEn7ybtAFh6wBiKNqH1ALNlZ3LqC18_qNarmGOTGGhs8DFUPMKdL6Sfdgdc7Rdzqcqi6jeHxa7U1XmIZfBjVFlYox6y6na32ez7YSiqLX1R2nm8ufcpoTg

Olu · July 29, 2021, 7:25am

Hi @lucassf

Did you delete the message with the token or was it not sent?

I did not. I think you private messaged me so only me can see it. Considering your cloud endpoint was visible, I wanted to prevent sharing sensitive information on a pubic forum.

I have copied the token and asked a colleague to spin up a test environment to test since I had some problems with my own environment. From the outcome it appears it works on 3.1.2 version.

I will fix my own environment and test, however I wanted to inquire what version of the gateway are you using locally?

lucassf · July 29, 2021, 1:03pm

Hello

It’s not a problem to expose the token on this forum because I am just doing a prototype. Also, the token expires in 1 hour.

I am using v3.2.1, I’m going to try a downgrade. Here’s another token if you want to test:

eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Im5PbzNaRHJPRFhFSzFqS1doWHNsSFJfS1hFZyJ9.eyJhdWQiOiI5YjMxOTJhMi04MzU3LTQzZmMtYTMwYy0yY2ZhYWEzMGIwOGEiLCJpc3MiOiJodHRwczovL2xvZ2luLm1pY3Jvc29mdG9ubGluZS5jb20vMzIyZDdkYTgtM2MyOS00YzQ2LWIzZWItYTA2NjExMjM5YzJhL3YyLjAiLCJpYXQiOjE2Mjc1NjMwMTMsIm5iZiI6MTYyNzU2MzAxMywiZXhwIjoxNjI3NTY2OTEzLCJhaW8iOiJBV1FBbS84VEFBQUFYK0NLK2tPOTVlM3lONkZuN3J6Y0plQzBWYmxOS29PWnpGZU9tdzJqZTFKWVZyTUNwMy9NeFg0czJ1ZVYrTFV6S3hYZE5iYk5ORk5lT0h6S1RaUzdVTnFLeTFxekdOYVlnMUgzUDIxbzZ0M1p5UmZ6MmZFT3FZQkNpeHY1MlhZZiIsImF6cCI6ImQ0MDM5OTRkLWE5NTgtNDVkZi05ZmM5LTYyNDhiYTRkNjA0OCIsImF6cGFjciI6IjAiLCJpZHAiOiJsaXZlLmNvbSIsIm5hbWUiOiJhZG0uY29tcGFzc28udW9sIiwib2lkIjoiNDdlYmQ0OTItODA2Zi00YTJmLWJlZjktNWY2ZDI4OWU2Zjc5IiwicHJlZmVycmVkX3VzZXJuYW1lIjoiYWRtLmNvbXBhc3NvLnVvbEBnbWFpbC5jb20iLCJyaCI6IjAuQVh3QXFIMHRNaWs4Umt5ejY2Qm1FU09jS2syWkE5UllxZDlGbjhsaVNMcE5ZRWg4QU9vLiIsInNjcCI6ImFjY2Vzc19hc191c2VyIiwic3ViIjoiblM4WUF4MUV5QlNOUldjb2ExbWNKbnl3Z0ttN3BMVEFVZTdUTVNCajlrcyIsInRpZCI6IjMyMmQ3ZGE4LTNjMjktNGM0Ni1iM2ViLWEwNjYxMTIzOWMyYSIsInV0aSI6IldGZDFOOW1kNTBpdTM1NW95VlIwQUEiLCJ2ZXIiOiIyLjAifQ.N58K3kkehsJWdPvIWPd-SQHlnG6dzefdXLxnBNdEeNXLZEvBf6uQp1QQvTjuWPkZNQTdyDc6_xCE34HDKLFD4zzFwp9IgDJ97xGSvK9t5ptxgyN_TecdSR9kCd_Wx4ncHQWGqwy3FwXCGW4DyEiG41JPhfkgq5AP0cqpGMpoeMRMh94GHjn8SSA_nMz74jN6OcqHKPwJBJei5qOB9jceb6MmCOh993itO-64TRjcLXfJTF_ikHvOPdotO_SDscKGRjXJ35ZMCQ6IQR9kabxKJ9HltOf-IkmVTDNq_GVCWLr7sOsmFVNDBCzRygI2kHz1fHEPzKZsNC_305ypi009FA

lucassf · July 29, 2021, 1:15pm

I restarted the container and tested a new token and got another error when submitting the request: “Unauthorized key: no matching policy”. I saw the logs: “Trying to apply policy from different organization to key, skipping”. So I put “org_id”: “60f08cb4b4c0be0001a87762” in my policy inside tyk-gateway/policies/policies.json and everything worked.

I think you can close this topic, thanks for the help.

Olu · July 29, 2021, 1:43pm

That’s great news. Thanks for sharing the solution. Did you eventually downgrade from v3.2.1?

lucassf · July 29, 2021, 4:20pm

For sure, I hope my solution can help someone else. And no, I’m still using v3.2.1.