[Solved] Key not authorized JWT

I am trying to set up JWT auth on one of my APIs, but I constantly get

{
    "error": "Key not authorized"
}

and in the log:

Dec 04 14:49:49 tyk1 tyk[16074]: time="Dec  4 14:49:49" level=warning msg="Base Field not found, using SUB"
Dec 04 14:49:49 tyk1 tyk[16074]: time="Dec  4 14:49:49" level=error msg="ID Could not be generated. Failing Request."

When casually looking into the settings of the tyk_apis collection in MongoDB, I found jwt_identit_base_field: "sub" (note the missing y in the key), and according to Tyk + JWT HMAC validation error - #17 by Martin it should be jwt_identity_base_field.

I'm running:

tyk-dashboard/trusty,now 1.4.1 amd64 [installed]
tyk-gateway/trusty,now 2.4.1 amd64 [installed]
tyk-pump/trusty,now 0.4.2 amd64 [installed]

tyk/api_definitions.go at a79117fb2765d1de9e73ba4720749cf8396e3746 · TykTechnologies/tyk · GitHub Seems to be the line.

But that probably means that everything “should” work anyway, and manually changing the values did not help.

This shouldn’t matter - the JSON tag ensures that the field is loaded correctly by the gateway or dashboard when the definition is marshalled and unmarshalled.

Can you provide your JWT?

Also, you could check that the actual claim names match the configured field names - the lookup is case-sensitive.

My jwt:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOjcsInRyYWNrIjoiZWZlMWQ2OTYtMjc0Zi00MWI4LTlhYmYtYTMzOWNlNmQ0MmIzIiwicG9saWN5IjoiNWExZDU4ODAyMTRkZGMwNmU0YzUzYjQ3IiwiaWF0IjoxNTEyMzk1NTY0LCJleHAiOjE1MjAxNzE1NjQsImF1ZCI6InRlc3QtYXBpLmJvZmluay5jb20iLCJpc3MiOiJhdXRoLnRlc3QuYXBpLmJvZmluay5jb20ifQ.gwXTz_TRiQLe6OjOKLhuTpyT4fc3d-qOneYDpqTA0LA
{
  "sub": 7,
  "track": "efe1d696-274f-41b8-9abf-a339ce6d42b3",
  "policy": "5a1d5880214ddc06e4c53b47",
  "iat": 1512395564,
  "exp": 1520171564,
  "aud": "test-api.bofink.com",
  "iss": "auth.test.api.bofink.com"
}

api-def (from mongo document):

{ 
    "_id" : ObjectId("5a2521ab214ddc3eaf12ffe4"), 
    "name" : "My Real API Name", 
    "slug" : "real-api", 
    "api_id" : "996194c8130a4782499b94f1de4f1edc", 
    "org_id" : "5a12b183214ddc0754bb3a32", 
    "use_keyless" : false, 
    "use_oauth2" : false, 
    "use_openid" : false, 
    "openid_options" : {
        "providers" : [

        ], 
        "segregate_by_client" : false
    }, 
    "oauth_meta" : {
        "allowed_access_types" : [

        ], 
        "allowed_authorize_types" : [

        ], 
        "auth_login_redirect" : ""
    }, 
    "auth" : {
        "use_param" : false, 
        "param_name" : "", 
        "use_cookie" : false, 
        "cookie_name" : "", 
        "auth_header_name" : "Authorization", 
        "use_certificate" : false
    }, 
    "use_basic_auth" : false, 
    "use_mutual_tls_auth" : false, 
    "client_certificates" : [

    ], 
    "upstream_certificates" : {

    }, 
    "enable_jwt" : true, 
    "use_standard_auth" : false, 
    "enable_coprocess_auth" : false, 
    "jwt_signing_method" : "hmac", 
    "jwt_source" : "MyRealJWTSourceSecret", 
    "jwt_identit_base_field" : "sub", 
    "jwt_client_base_field" : "", 
    "jwt_policy_field_name" : "policy", 
    "notifications" : {
        "shared_secret" : "", 
        "oauth_on_keychange_url" : ""
    }, 
    "enable_signature_checking" : false, 
    "hmac_allowed_clock_skew" : -1.0, 
    "base_identity_provided_by" : "", 
    "definition" : {
        "location" : "header", 
        "key" : "x-api-version"
    }, 
    "version_data" : {
        "not_versioned" : true, 
        "versions" : {
            "RGVmYXVsdA==" : {
                "name" : "RGVmYXVsdA==", 
                "expires" : "", 
                "paths" : {
                    "ignored" : [

                    ], 
                    "white_list" : [

                    ], 
                    "black_list" : [

                    ]
                }, 
                "use_extended_paths" : true, 
                "extended_paths" : {
                    "ignored" : [

                    ], 
                    "white_list" : [

                    ], 
                    "black_list" : [

                    ], 
                    "cache" : [

                    ], 
                    "transform" : [

                    ], 
                    "transform_response" : [

                    ], 
                    "transform_headers" : [

                    ], 
                    "transform_response_headers" : [

                    ], 
                    "hard_timeouts" : [

                    ], 
                    "circuit_breakers" : [

                    ], 
                    "url_rewrites" : [

                    ], 
                    "virtual" : [

                    ], 
                    "size_limits" : [

                    ], 
                    "method_transforms" : [

                    ], 
                    "track_endpoints" : [

                    ], 
                    "do_not_track_endpoints" : [

                    ]
                }, 
                "global_headers" : {

                }, 
                "global_headers_remove" : [

                ], 
                "global_size_limit" : NumberLong(0), 
                "override_target" : ""
            }
        }
    }, 
    "uptime_tests" : {
        "check_list" : [

        ], 
        "config" : {
            "expire_utime_after" : NumberLong(0), 
            "service_discovery" : {
                "use_discovery_service" : false, 
                "query_endpoint" : "", 
                "use_nested_query" : false, 
                "parent_data_path" : "", 
                "data_path" : "", 
                "port_data_path" : "", 
                "target_path" : "", 
                "use_target_list" : false, 
                "cache_timeout" : NumberLong(60), 
                "endpoint_returns_list" : false
            }, 
            "recheck_wait" : NumberInt(0)
        }
    }, 
    "proxy" : {
        "preserve_host_header" : false, 
        "listen_path" : "/myRealPath/", 
        "target_url" : "https://myRealDomain.com", 
        "strip_listen_path" : true, 
        "enable_load_balancing" : false, 
        "target_list" : [

        ], 
        "check_host_against_uptime_tests" : false, 
        "service_discovery" : {
            "use_discovery_service" : false, 
            "query_endpoint" : "", 
            "use_nested_query" : false, 
            "parent_data_path" : "", 
            "data_path" : "", 
            "port_data_path" : "", 
            "target_path" : "", 
            "use_target_list" : false, 
            "cache_timeout" : NumberLong(0), 
            "endpoint_returns_list" : false
        }
    }, 
    "disable_rate_limit" : false, 
    "disable_quota" : false, 
    "custom_middleware" : {
        "pre" : [

        ], 
        "post" : [

        ], 
        "post_key_auth" : [

        ], 
        "auth_check" : {
            "name" : "", 
            "path" : "", 
            "require_session" : false
        }, 
        "response" : [

        ], 
        "driver" : "", 
        "id_extractor" : {
            "extract_from" : "", 
            "extract_with" : "", 
            "extractor_config" : {

            }
        }
    }, 
    "custom_middleware_bundle" : "", 
    "cache_options" : {
        "cache_timeout" : NumberLong(60), 
        "enable_cache" : true, 
        "cache_all_safe_requests" : false, 
        "cache_response_codes" : [

        ], 
        "enable_upstream_cache_control" : false
    }, 
    "session_lifetime" : NumberLong(0), 
    "active" : true, 
    "auth_provider" : {
        "name" : "", 
        "storage_engine" : "", 
        "meta" : {

        }
    }, 
    "session_provider" : {
        "name" : "", 
        "storage_engine" : "", 
        "meta" : {

        }
    }, 
    "event_handlers" : {
        "events" : {

        }
    }, 
    "enable_batch_request_support" : false, 
    "enable_ip_whitelisting" : false, 
    "allowed_ips" : [

    ], 
    "dont_set_quota_on_create" : false, 
    "expire_analytics_after" : NumberLong(0), 
    "response_processors" : [

    ], 
    "CORS" : {
        "enable" : false, 
        "allowed_origins" : [

        ], 
        "allowed_methods" : [

        ], 
        "allowed_headers" : [

        ], 
        "exposed_headers" : [

        ], 
        "allow_credentials" : false, 
        "max_age" : NumberInt(24), 
        "options_passthrough" : false, 
        "debug" : false
    }, 
    "domain" : "", 
    "do_not_track" : false, 
    "tags" : [

    ], 
    "enable_context_vars" : false, 
    "config_data" : {

    }, 
    "tag_headers" : [

    ], 
    "global_rate_limit" : {
        "rate" : 0.0, 
        "per" : 0.0
    }, 
    "strip_auth_data" : false, 
    "hook_references" : [

    ], 
    "is_site" : false, 
    "sort_by" : NumberInt(0)
}

The policy-def:

{ 
    "_id" : ObjectId("5a1d5880214ddc06e4c53b47"), 
    "org_id" : "5a12b183214ddc0754bb3a32", 
    "rate" : 15.0, 
    "per" : 1.0, 
    "quota_max" : NumberLong(-1), 
    "quota_renewal_rate" : NumberLong(3600), 
    "access_rights" : {
        "996194c8130a4782499b94f1de4f1edc" : {
            "apiname" : "My Real API Name", 
            "apiid" : "996194c8130a4782499b94f1de4f1edc", 
            "versions" : [
                "Default"
            ], 
            "allowed_urls" : [

            ]
        }
    }, 
    "hmac_enabled" : false, 
    "active" : true, 
    "name" : "My Real Policy", 
    "is_inactive" : false, 
    "date_created" : ISODate("0001-01-01T00:00:00.000+0000"), 
    "tags" : [

    ], 
    "key_expires_in" : NumberLong(3600), 
    "partitions" : {
        "quota" : false, 
        "rate_limit" : false, 
        "acl" : false
    }, 
    "last_updated" : "1512383054"
}

I think sub needs to be a string - in your token it is the number 7, and the "ID Could not be generated" log line points at the identity base field the gateway uses to build the key ID.


Thank you very much, this seems to have been the problem.