Policy configuration specific to methods of the same API

My policy.json snapshot is

```json
{
  "default": {
    "rate": 1000,
    "per": 1,
    "quota_max": 100,
    "quota_renewal_rate": 60,
    "access_rights": {
      "12345": {
        "api_name": "My API",
        "api_id": "12345",
        "versions": [
          "Default"
        ]
      }
    },
    "org_id": "",
    "hmac_enabled": false,
    "active": true,
    "is_inactive": false
  },
  "user1": {
    "rate": 1000,
    "per": 1,
    "quota_max": 100,
    "quota_renewal_rate": 60,
    "access_rights": {
      "12345": {
        "api_name": "My API",
        "api_id": "12345",
        "versions": [
          "Default"
        ],
        "allowed_urls": [
          {
            "url": "(.*)",
            "methods": ["GET"]
          }
        ]
      }
    },
    "org_id": "",
    "hmac_enabled": false,
    "active": true,
    "is_inactive": false
  },
  "user2": {
    "rate": 1000,
    "per": 1,
    "quota_max": 100,
    "quota_renewal_rate": 60,
    "access_rights": {
      "12345": {
        "api_name": "My API",
        "api_id": "12345",
        "versions": [
          "Default"
        ],
        "allowed_urls": [
          {
            "url": "(.*)",
            "methods": ["POST"]
          }
        ]
      }
    },
    "org_id": "",
    "hmac_enabled": false,
    "active": true,
    "is_inactive": false
  }
}
```

If I create a JWT with policy ID "user3" it still passes through and the access succeeds. Am I missing something here? My goal is to restrict access to specific methods with different JWTs, e.g. "user1" can access only the GET method of the API ID 12345 and "user2" can access only the POST method of the same API ID.

Hi @sairam866,

Just to confirm, did you create those policies using a modified version of the POST request defined on this page? It may be worth noting that the allowed_urls object should be nested within the access_rights.{{api_id}} object when a new policy is created.

Kind regards,
Jess @ Tyk

What about the unknown policy still being able to access my API?

No, I didn't create them via the POST request. I added the policies manually.

Hi @sairam866,

It sounds like the third policy you created was set up with access to the API as well. Are you able to confirm that the API doesn’t appear in its Access Rights? As well, it might be worth checking that the API itself hasn’t been configured with the Authentication mode set to “Open (Keyless)” which could explain why all of the policies you’ve set up seem to have access.

Edit: Also please see Martin’s answer here. Apologies for not catching that earlier - I hadn’t realised that the ID you were using was literally “user3” which would be invalid.

Kind regards,
Jess @ Tyk

My API settings are below

```json
{
  "name": "My API",
  "slug": "firsttest-api",
  "api_id": "12345",
  "org_id": "",
  "use_keyless": false,
  "use_oauth2": false,
  "use_openid": false,
  "openid_options": {
    "providers": null,
    "segregate_by_client": false
  },
  "oauth_meta": {
    "allowed_access_types": null,
    "allowed_authorize_types": null,
    "auth_login_redirect": ""
  },
  "auth": {
    "use_param": false,
    "param_name": "",
    "use_cookie": false,
    "cookie_name": "",
    "auth_header_name": "Authorization"
  },
  "use_basic_auth": false,
  "enable_jwt": true,
  "use_standard_auth": false,
  "enable_coprocess_auth": false,
  "jwt_signing_method": "rsa",
  "jwt_source": "LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0NCk1JR2ZNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0R05BRENCaVFLQmdRRFdtakFiUEV3ZTFRdm44RHdHTnhTdlE1c1gNCnIyWmxNMUwvaCtMczQ0WTNHeHhYY3dKc0RlelREbnhzNFdrekpIZHNPeWh3eDRLNGVnTDBGOEVaZHpBUlBtT28NCkFqWEpEOG8vdlB0V202dFIzRVdkVkNQaTBjZTE2ekZhVUUxRkVZRGZNbDFXUHFtOG9Na2Rsd2tFbG1DT1ZJR2INClFIQjJyQ2R4dFN2ZlZpNk9PUUlEQVFBQg0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0t",
  "jwt_identity_base_field": "sub",
  "jwt_client_base_field": "",
  "jwt_policy_field_name": "policy",
  "notifications": {
    "shared_secret": "",
    "oauth_on_keychange_url": ""
  },
  "enable_signature_checking": false,
  "hmac_allowed_clock_skew": 0,
  "base_identity_provided_by": "",
  "definition": {
    "location": "header",
    "key": "x-api-version"
  },
  "version_data": {
    "not_versioned": true,
    "versions": {
      "Default": {
        "name": "Default",
        "expires": "",
        "paths": {
          "ignored": null,
          "white_list": null,
          "black_list": null
        },
        "use_extended_paths": true,
        "extended_paths": {},
        "global_headers": null,
        "global_headers_remove": null,
        "global_size_limit": 0,
        "override_target": ""
      }
    }
  },
  "uptime_tests": {
    "check_list": null,
    "config": {
      "expire_utime_after": 0,
      "service_discovery": {
        "use_discovery_service": false,
        "query_endpoint": "",
        "use_nested_query": false,
        "parent_data_path": "",
        "data_path": "",
        "port_data_path": "",
        "target_path": "",
        "use_target_list": false,
        "cache_timeout": 0,
        "endpoint_returns_list": false
      },
      "recheck_wait": 0
    }
  },
  "proxy": {
    "preserve_host_header": false,
    "listen_path": "/firsttest-api/",
    "target_url": "https://reqres.in/",
    "strip_listen_path": true,
    "enable_load_balancing": false,
    "target_list": null,
    "check_host_against_uptime_tests": false,
    "service_discovery": {
      "use_discovery_service": false,
      "query_endpoint": "",
      "use_nested_query": false,
      "parent_data_path": "",
      "data_path": "",
      "port_data_path": "",
      "target_path": "",
      "use_target_list": false,
      "cache_timeout": 0,
      "endpoint_returns_list": false
    }
  },
  "disable_rate_limit": false,
  "disable_quota": false,
  "custom_middleware": {
    "pre": null,
    "post": null,
    "post_key_auth": null,
    "auth_check": {
      "name": "",
      "path": "",
      "require_session": false
    },
    "response": null,
    "driver": "",
    "id_extractor": {
      "extract_from": "",
      "extract_with": "",
      "extractor_config": null
    }
  },
  "custom_middleware_bundle": "",
  "cache_options": {
    "cache_timeout": 0,
    "enable_cache": false,
    "cache_all_safe_requests": false,
    "cache_response_codes": null,
    "enable_upstream_cache_control": false
  },
  "session_lifetime": 0,
  "active": true,
  "auth_provider": {
    "name": "",
    "storage_engine": "",
    "meta": null
  },
  "session_provider": {
    "name": "",
    "storage_engine": "",
    "meta": null
  },
  "event_handlers": {
    "events": null
  },
  "enable_batch_request_support": false,
  "enable_ip_whitelisting": false,
  "allowed_ips": null,
  "dont_set_quota_on_create": false,
  "expire_analytics_after": 0,
  "response_processors": null,
  "CORS": {
    "enable": false,
    "allowed_origins": null,
    "allowed_methods": null,
    "allowed_headers": null,
    "exposed_headers": null,
    "allow_credentials": false,
    "max_age": 0,
    "options_passthrough": false,
    "debug": false
  },
  "domain": "",
  "do_not_track": false,
  "tags": null,
  "enable_context_vars": false,
  "raw_data": {
    "active": true,
    "api_id": "12345",
    "auth": {
      "auth_header_name": "Authorization"
    },
    "definition": {
      "key": "x-api-version",
      "location": "header"
    },
    "enable_jwt": true,
    "jwt_identity_base_field": "sub",
    "jwt_policy_field_name": "policy",
    "jwt_signing_method": "rsa",
    "jwt_source": "LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0NCk1JR2ZNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0R05BRENCaVFLQmdRRFdtakFiUEV3ZTFRdm44RHdHTnhTdlE1c1gNCnIyWmxNMUwvaCtMczQ0WTNHeHhYY3dKc0RlelREbnhzNFdrekpIZHNPeWh3eDRLNGVnTDBGOEVaZHpBUlBtT28NCkFqWEpEOG8vdlB0V202dFIzRVdkVkNQaTBjZTE2ekZhVUUxRkVZRGZNbDFXUHFtOG9Na2Rsd2tFbG1DT1ZJR2INClFIQjJyQ2R4dFN2ZlZpNk9PUUlEQVFBQg0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0t",
    "name": "My API",
    "org_id": "",
    "proxy": {
      "listen_path": "/firsttest-api/",
      "strip_listen_path": true,
      "target_url": "https://reqres.in/"
    },
    "slug": "firsttest-api",
    "use_keyless": false,
    "version_data": {
      "not_versioned": true,
      "versions": {
        "Default": {
          "name": "Default",
          "use_extended_paths": true
        }
      }
    }
  }
}
```

@jess Sorry to bug you. Do you find any problem in these configurations?

Hi @sairam866,

Apologies for the delayed response. Fortunately, there doesn't seem to be an issue with the way in which you've configured your API. Having spoken to one of my colleagues regarding this issue, we think that if you're controlling the means by which the different JSON Web Tokens are generated, you really should only ever have to use valid policies with your API (as users are unlikely to be able to use an unknown API policy in this case). Not doing so can risk the creation of a master key, which might explain this issue. You may prefer to use OIDC as an alternative, as policy control can then be moved into the API definition, if you believe this is likely to cause an issue with your users, but we don't believe that this is likely to affect your use case.

I will however add a feature request to our backlog, which should make it possible to add a configuration option that can completely block requests sent with invalid policies, which should limit the effect that this issue could have on non-JWT users. Hopefully you will see this enhancement in a future release of the Gateway.

Hope that helps.

Kind regards,
Jess @ Tyk
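The two points the thread turns on are the per-method `allowed_urls` semantics the original question wants (user1 GET only, user2 POST only on API 12345) and the unknown-policy case in the last reply (a token naming a policy that does not exist should be refused, not let through). The following Python is an added example written for this page, not Tyk's code: it mints a token carrying the `sub` and `policy` claims the API definition above maps via `jwt_identity_base_field` and `jwt_policy_field_name`, then evaluates a request against a constructed policy store shaped like the `policy.json` in the thread. Assumptions: HS256 with a demo secret is used so the block runs with the standard library only (the thread's API uses RSA); the `url` pattern is treated as a regex matched against the path with `re.match`, which is this example's choice and not a statement of how the gateway anchors its patterns; and a missing policy is denied outright, which is the behaviour the thread asks for rather than the behaviour it observed.

```python
import base64
import hashlib
import hmac
import json
import re

# Constructed policy store mirroring the shape of the policies posted in the thread.
# "default" has no allowed_urls, so it does not restrict path or method.
POLICIES = {
    "default": {"access_rights": {"12345": {"api_id": "12345", "versions": ["Default"]}}},
    "user1": {"access_rights": {"12345": {
        "api_id": "12345", "versions": ["Default"],
        "allowed_urls": [{"url": "(.*)", "methods": ["GET"]}]}}},
    "user2": {"access_rights": {"12345": {
        "api_id": "12345", "versions": ["Default"],
        "allowed_urls": [{"url": "(.*)", "methods": ["POST"]}]}}},
}

# Assumed demo key. The real API definition uses jwt_signing_method "rsa";
# HS256 is used here only so the example runs without third-party libraries.
DEMO_SECRET = b"demo-secret-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_jwt(sub: str, policy: str, secret: bytes = DEMO_SECRET) -> str:
    """Build an HS256 JWT whose claims match the API's jwt_identity_base_field
    ("sub") and jwt_policy_field_name ("policy")."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps({"sub": sub, "policy": policy}, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, secret: bytes = DEMO_SECRET) -> dict:
    """Check the signature (constant-time) and pin the algorithm before trusting any claim."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("invalid signature")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    return json.loads(_b64url_decode(payload_b64))


def authorize(claims: dict, api_id: str, method: str, path: str,
              policies: dict = POLICIES, policy_field: str = "policy"):
    """Return (allowed, reason) for a verified token's claims against the policy store.

    Fail closed on an unknown policy id: this is the behaviour the thread asks for,
    not a description of what the gateway did at the time."""
    policy_id = claims.get(policy_field)
    policy = policies.get(policy_id)
    if policy is None:
        return False, f"unknown policy {policy_id!r}"
    if not policy.get("active", True) or policy.get("is_inactive", False):
        return False, f"policy {policy_id!r} is inactive"
    rights = policy.get("access_rights", {}).get(api_id)
    if rights is None:
        return False, f"policy {policy_id!r} grants no access to api {api_id!r}"
    allowed_urls = rights.get("allowed_urls") or []
    if not allowed_urls:
        return True, "no allowed_urls restriction on this API"
    for rule in allowed_urls:
        # Assumption: regex matched against the request path from its start.
        if re.match(rule["url"], path) and method.upper() in rule.get("methods", []):
            return True, f"matched {rule['url']!r} for {method.upper()}"
    return False, f"no allowed_urls rule permits {method.upper()} {path}"


def decide(token: str, api_id: str, method: str, path: str) -> bool:
    """Verify the token, then authorise; any verification failure is a deny."""
    try:
        claims = verify_jwt(token)
    except (ValueError, KeyError):
        return False
    return authorize(claims, api_id, method, path)[0]


if __name__ == "__main__":
    for who, pol in (("alice", "user1"), ("bob", "user2"), ("eve", "user3")):
        tok = mint_jwt(who, pol)
        for m in ("GET", "POST"):
            print(pol, m, authorize(verify_jwt(tok), "12345", m, "/api/users"))
```

The `default` policy in the thread carries no `allowed_urls`, so a token naming it is accepted for any method; that is what the example's "no allowed_urls restriction" branch reproduces, and it is why the per-method policies need a complete `allowed_urls` list rather than only the methods they want to permit.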