Hi,
I’m exposing an API to one of our partners and I want to protect it with Tyk API Gateway. The API must only be used by applications, not by end users.
We are currently using release 4.3.
I have several questions:
-
Is JWT the best authentication method for my purpose? If not, could you please suggest another authentication mode? In my first trials I was thinking about protecting my API with OpenID or OAuth2, but the documentation is not very clear on this.
-
I have tried to configure my API using JWT, following this tutorial https://tyk.io/docs/basic-config-and-security/security/authentication-authorization/json-web-tokens/jwt-keycloak/ and https://www.youtube.com/watch?v=7d95zmx4Iic, but I always get the following error in the Tyk logs:
12cd70001948f0c origin=10.0.0.209 path="/envoi-sms"
time="May 03 08:20:06" level=debug msg="Querying keystore" api_id=f29bea48468a4aa851d889a3e1612455 api_name="Envoi SMS" mw=JWTMiddleware org_id=62583367b12cd70001948f0c origin=10.0.0.209 path="/envoi-sms"
time="May 03 08:20:06" level=debug msg="Got key" api_id=f29bea48468a4aa851d889a3e1612455 api_name="Envoi SMS" mw=JWTMiddleware org_id=62583367b12cd70001948f0c origin=10.0.0.209 path="/envoi-sms"
time="May 03 08:20:06" level=debug msg="Could not identify a policy to apply to this token from field: pol" api_id=f29bea48468a4aa851d889a3e1612455 api_name="Envoi SMS" mw=JWTMiddleware org_id=62583367b12cd70001948f0c origin=10.0.0.209 path="/envoi-sms"
time="May 03 08:20:06" level=debug msg="Getting client ID:sms-api-ccr"
time="May 03 08:20:06" level=debug msg="Error trying to get value:redis: nil"
time="May 03 08:20:06" level=debug msg="Failure retrieving client ID key "oauth-clientid.sms-api-ccr": key not found"
time="May 03 08:20:06" level=debug msg="Couldn't get OAuth client" api_id=f29bea48468a4aa851d889a3e1612455 api_name="Envoi SMS" error="key not found" mw=JWTMiddleware org_id=62583367b12cd70001948f0c origin=10.0.0.209 path="/envoi-sms"
Here is an extract of the API definition:
"jwt_scope_to_policy_mapping": {},
"pinned_public_keys": {},
"expire_analytics_after": 0,
"external_oauth": {
"enabled": false,
"providers": []
},
"domain": "",
"openid_options": {
"providers": [],
"segregate_by_client": false
},
"jwt_policy_field_name": "pol",
"enable_proxy_protocol": false,
"jwt_default_policies": [
"66335029846a0200019ff8ae"
],
"active": true,
"jwt_expires_at_validation_skew": 0,
"config_data": {},
"notifications": {
"shared_secret": "",
"oauth_on_keychange_url": ""
},
"jwt_client_base_field": "",
"auth": {
"disable_header": false,
"auth_header_name": "Authorization",
"cookie_name": "",
"name": "",
"validate_signature": false,
"use_param": false,
"signature": {
"algorithm": "",
"header": "",
"use_param": false,
"param_name": "",
"secret": "",
"allowed_clock_skew": 0,
"error_code": 0,
"error_message": ""
},...
"jwt_scope_claim_name": "",
"use_standard_auth": false,
"session_lifetime": 0,
"hmac_allowed_algorithms": [],
"disable_rate_limit": false,
"definition": {
"enabled": false,
"name": "",
"default": "",
"location": "header",
"key": "x-api-version",
"strip_path": false,
"strip_versioning_data": false,
"versions": {}
},
"use_oauth2": false,
"jwt_source": "BLABLA",
"jwt_signing_method": "rsa",
"jwt_not_before_validation_skew": 0,
"use_go_plugin_auth": false,
"jwt_identity_base_field": "clientId",
"allowed_ips": [],
"request_signing": {
"is_enabled": false,
"secret": "",
"key_id": "",
"algorithm": "",
"header_list": [],
"certificate_id": "",
"signature_header": ""
},...
My JWT has a `kid` in its header and also a `clientId` claim with the right value.
Can you please help me?