Openidc setup using Tyk Gateway OSS

I am trying to set up an API Proxy to use the openidc provider, and I keep getting the following error:

Attempted access with invalid key
The provider https://dev--.au.auth0.com/ does not have a client id matching any of the token audiences

I have tested my Auth0 setup and API on localhost and can produce Id Tokens using the openidc playground.

I have added a policy using the policy file (as this is the OSS Tyk Gateway). The policy file looks like the following:

{
  "default": {
    "rate": 1000,
    "per": 1,
    "quota_max": 100,
    "quota_renewal_rate": 60,
    "access_rights": {
      "41433797848f41a558c1573d3e55a422": {
        "api_name": "Auth0 api",
        "api_id": "Auth0-Echo-API-1",
        "versions": [
          "Default"
        ]
      }
    },
    "org_id": "1",
    "hmac_enabled": false,
    "active": true,
    "is_inactive": false,
    "tags": [],
    "key_expires_in": 0
  }
}

I create an API referencing the openidc provider:

{
  "name": "Auth0 api",
  "api_id": "Auth0-Echo-API-1",
  "org_id": "1",
  "auth": {
    "auth_header_name": "Authorization"
  },
  "definition": {
    "location": "header",
    "key": "x-api-version"
  },
  "version_data": {
    "not_versioned": true,
    "versions": {
      "Default": {
        "name": "Default",
        "use_extended_paths": true
      }
    }
  },
  "proxy": {
    "listen_path": "/secure/",
    "target_url": "http://echo-service.default.svc.cluster.local",
    "strip_listen_path": true
  },
  "use_openid": true,
  "openid_options": {
    "providers": [
      {
        "issuer": "https://dev--.au.auth0.com/",
        "client_ids": {
          "iGULH5kgHnT5yK2M2LjEMGGTEOj2uMwd": "default"
        }
      }
    ],
    "segregate_by_client": false
  },
  "active": true
}

I keep getting a 401 with this error when I access it using the Bearer Token created by the openidc playground:

time="Jan 30 11:46:13" level=warning msg="JWT Invalid" api_id=Auth0-Echo-API-1 api_name="Auth0 api" error="Validation error. Validation error. The provider https://dev--.au.auth0.com/ does not have a client id matching any of the token audiences [iGULH5kgHnT5yK2M2LjEMGGTEOj2uMwd]" mw=OpenIDMW org_id=1 origin=125.237.222.229 path="/secure/"

time="Jan 30 11:46:13" level=warning msg="Attempted access with invalid key." api_id=Auth0-Echo-API-1 api_name="Auth0 api" key="****JWT]" mw=OpenIDMW org_id=1 origin=125.237.222.229 path="/secure/"

Hi @Martin_Arndt

From the error that is returned, it looks like the client id is missing.

By design, according to OIDC the aud claim must have the client id:

aud
REQUIRED. Audience(s) that this ID Token is intended for. It MUST contain the OAuth 2.0 client_id of the Relying Party as an audience value. It MAY also contain identifiers for other audiences. In the general case, the aud value is an array of case sensitive strings. In the common special case when there is one audience, the aud value MAY be a single case sensitive string.

In this case the code follows the OpenID Connect Core 1.0 specification (Final, incorporating errata set 1).

We also have a working example here

Kindly check why the token is created without the client id in the aud.
Let me know if this helps.
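As an added example, not code from Tyk or from either post in this thread, the following Python models the audience check that the error message above describes: look up the provider by the token's `iss`, normalise `aud` (which OIDC allows as a single string or an array), and accept the token only if one of the audiences is a configured `client_id`. The provider list is copied from the API definition in the question. Everything else is assumed for the demo: tokens are minted locally with HS256 and a throwaway secret (a real Auth0 ID token is RS256 and would be verified against the tenant's JWKS), and `https://echo-api.example` is a constructed audience standing in for a non-client-id value.

```python
"""Model of the OIDC audience check behind "does not have a client id
matching any of the token audiences". Added example, not Tyk's code."""
import base64
import hashlib
import hmac
import json

# Mirrors openid_options.providers from the API definition in the question.
PROVIDERS = [
    {
        "issuer": "https://dev--.au.auth0.com/",
        "client_ids": {"iGULH5kgHnT5yK2M2LjEMGGTEOj2uMwd": "default"},
    }
]

CLIENT_ID = "iGULH5kgHnT5yK2M2LjEMGGTEOj2uMwd"
ISSUER = "https://dev--.au.auth0.com/"

# Constructed, throwaway secret: only used to mint demo tokens here.
DEMO_SECRET = b"not-a-real-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Build a compact HS256 JWS carrying the given claims (demo only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def decode_claims(token: str, secret: bytes = DEMO_SECRET) -> dict:
    """Check the HS256 signature, then return the claims as a dict."""
    header, payload, sig = token.split(".")
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload))


def audiences(claims: dict) -> list:
    """Normalise aud: OIDC allows a single string or an array of strings."""
    aud = claims.get("aud")
    if aud is None:
        return []
    if isinstance(aud, str):
        return [aud]
    return [a for a in aud if isinstance(a, str)]


def check_audience(claims: dict, providers=PROVIDERS):
    """Return (policy_id, None) when an audience matches a configured
    client_id of the token's issuer, else (None, error_message)."""
    iss = claims.get("iss")
    # Issuer comparison is exact: a trailing slash mismatch is a mismatch.
    provider = next((p for p in providers if p["issuer"] == iss), None)
    if provider is None:
        return None, f"The token issuer {iss} is not a configured provider"
    auds = audiences(claims)
    for aud in auds:
        if aud in provider["client_ids"]:
            return provider["client_ids"][aud], None
    return None, (
        f"The provider {iss} does not have a client id matching any of the "
        f"token audiences {auds}"
    )


def demo() -> dict:
    """Run the check over three constructed tokens and return the outcomes."""
    id_token = mint_token({"iss": ISSUER, "aud": CLIENT_ID, "sub": "user1"})
    multi_aud = mint_token({"iss": ISSUER, "aud": ["https://echo-api.example", CLIENT_ID]})
    api_aud = mint_token({"iss": ISSUER, "aud": "https://echo-api.example"})
    return {
        "id_token": check_audience(decode_claims(id_token)),
        "multi_aud": check_audience(decode_claims(multi_aud)),
        "api_aud": check_audience(decode_claims(api_aud)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

The `api_aud` case reproduces the failure mode: a token whose only audience is something other than the configured `client_id` is rejected with the same wording as the gateway log, while the `multi_aud` case shows that the `client_id` only has to appear somewhere in the `aud` array to pass.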