Setting up OIDC: 502 error

I am facing an issue while setting up OIDC using Auth0 as the IdP.
I set up OIDC using Tyk open source and Auth0, obtained the ID token and passed it in the header.

The response I get is:

502 Bad Gateway
The server returned an invalid or incomplete response.

From the logs, this causes the issue:

http: panic serving 172.23.0.2:55052: KeyHash cache not found. You should call SetKeyHash before.

After logging this it breaks with a stack trace.

In the struct SessionState I found the field keyHash. Can someone please let me know how KeyHash is set? I am left clueless.

From looking at the source, it appears the issue is with an empty KeyHash. Could you walk me through your flow?

Yeah, I understood that. But where is this being set? The key is not found in the keystore, authstore or local cache, so it cannot be set from there. It doesn't seem to be set when creating the session either.

Where is the key supposed to be present in case of OIDC?

What I have done:

  1. Set up Auth0

  2. Set up API definition in Tyk with client id, issuer, client secret, policy id etc.

  3. Follow the steps to generate an ID token on openidconnect.org, giving the necessary information. Then validate the ID token from there itself.

  4. Use the ID token in header to access the API. This resulted in error 502.

But where is this being set and where is the key supposed to be present in case of OIDC?

I think this is for hashed keys when they are created. I don’t think it should apply for OIDC.

To fully understand your setup, could you share your API definition for review as well as the Auth0 client/application type?

I have implemented OIDC with Auth0 in the past with the Generic and Machine to Machine application types. Here is a sample of mine below:

"openid_options": {
  "providers": [
    {
      "issuer": "https://{ACCT}.{REGION}.auth0.com/",
      "client_ids": {
        "base64({AUTH0_CLIENT_ID})=": "{TYK_POLICY_ID}",
        "base64({AUTH0_AUDIENCE})": "{TYK_POLICY_ID}"
      }
    }
  ],
  "segregate_by_client": false
},

What is the difference between AUTH0_AUDIENCE and AUTH0_CLIENT_ID?

Also, does that "=" in base64({AUTH0_CLIENT_ID})= need to be added extra? The base64-encoded client ID already ends with an =.

What is the difference between AUTH0_AUDIENCE and AUTH0_CLIENT_ID?

The AUTH0_AUDIENCE is a URL you get when you use the Machine to Machine application type. The AUTH0_CLIENT_ID is the ID of the client created for Generic and other application types. You only need to specify one of them. I left both in the sample in case you were using either one.

Also, does that "=" in base64({AUTH0_CLIENT_ID})= need to be added extra?

No, that's my mistake from when I removed my client ID. You don't need to add it if the base64 encoding already ends with it.
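As an added example (not code from this thread or from Tyk itself), here is a small Python checker that builds the client_ids entry the way the sample above does and then decodes an ID token's iss and aud claims to confirm they would resolve to the configured provider and policy. The client ID, policy ID and issuer are placeholders; the script assumes the client_ids key is the standard, padded base64 of the raw client ID or audience URL, as the replies above describe, and it decodes the token without verifying its signature, so it is a debugging aid only.

```python
import base64
import json

# Constructed placeholders, not real credentials or IDs (assumptions for this example).
AUTH0_CLIENT_ID = "aB3dE5fG7hI9jK1lM2nO4pQ6rS8tU0vW"
TYK_POLICY_ID = "5f2c9e1d0a1b2c3d4e5f6a7b"
ISSUER = "https://example-tenant.us.auth0.com/"   # Auth0 issuer values end with a slash


def client_ids_key(value: str) -> str:
    """Key for openid_options.providers[].client_ids: standard base64 of the raw
    client ID (or audience URL).  Any trailing '=' is padding produced by the
    encoding itself; nothing is appended by hand."""
    return base64.b64encode(value.encode("utf-8")).decode("ascii")


def build_openid_options(issuer: str, client_or_audience: str, policy_id: str,
                         segregate_by_client: bool = False) -> dict:
    """Return the openid_options fragment of a Tyk API definition, shaped like
    the sample in the thread, with one provider and one client_ids entry."""
    return {
        "openid_options": {
            "providers": [
                {
                    "issuer": issuer,
                    "client_ids": {client_ids_key(client_or_audience): policy_id},
                }
            ],
            "segregate_by_client": segregate_by_client,
        }
    }


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def id_token_claims(id_token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature.  Use only to
    inspect iss/aud while debugging; the gateway must still verify the token."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))


def matching_policy(api_def: dict, claims: dict):
    """Simulate the lookup the config implies: find a provider whose issuer equals
    the token's iss (exact string compare, trailing slash included), then look up
    base64(aud) in its client_ids.  Returns (policy_id, None) or (None, reason)."""
    iss = claims.get("iss")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]   # aud may be a string or a list
    for provider in api_def["openid_options"]["providers"]:
        if provider.get("issuer") != iss:
            continue
        for a in audiences:
            if a is None:
                continue
            policy = provider.get("client_ids", {}).get(client_ids_key(a))
            if policy:
                return policy, None
        return None, "issuer matched but no client_ids entry for aud %r" % (audiences,)
    return None, "no provider configured for issuer %r" % (iss,)


def make_unsigned_token(claims: dict) -> str:
    """Build an alg=none JWT from constructed claims so the checker can be
    exercised offline.  For local testing only; never send this to a gateway."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode("utf-8")
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."


if __name__ == "__main__":
    api_def = build_openid_options(ISSUER, AUTH0_CLIENT_ID, TYK_POLICY_ID)
    print(json.dumps(api_def, indent=2))
    good = make_unsigned_token({"iss": ISSUER, "aud": AUTH0_CLIENT_ID, "sub": "auth0|user"})
    print(matching_policy(api_def, id_token_claims(good)))
    # A token issued for a different client: no policy can be resolved.
    other = make_unsigned_token({"iss": ISSUER, "aud": "some-other-client"})
    print(matching_policy(api_def, id_token_claims(other)))
```

Run it against a real ID token by replacing the constructed one with the value you put in the header: if matching_policy returns a reason instead of a policy ID, the token's iss or aud does not line up with the provider block, which is worth ruling out before digging into the gateway's session code.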