Successful Auth0 and Tyk JWT Integration

In Tyk:

  1. Create an API - mocks run before authentication, so use a virtual endpoint if you are mocking the API for testing
  2. Create Policy, select API under Access Rights, save and record Policy ID for entering in Auth0
    Create a unique tag on the policy so that it can be queried to validate it is being used by Tyk
    (chicken and egg here, as you have to create the API before the policy for access rights, and then need to enter the policy ID in API Auth)
  3. Set API Authentication Mode to JWT, HMAC, and set the secret to some plain text
  4. Set API Authentication Identity Source to sub, or Tyk will log that base wasn't found, using sub
  5. Set API, Policy Field Name to pol or some other unused JWT claim name
    This will be used to find the Tyk Policy by ID (not name) which is auto generated when the policy is created

In Auth0:

  1. Set the secret to some base64 encoded plain text since Auth0 requires base64 & Tyk requires plain text

  2. In Rules > Settings, add a key=value, e.g., auth0 clientId=Tyk Policy ID; the ID is auto-generated by Tyk on policy save

  3. Create a Rule to inject the Tyk policy ID as a JWT pol claim or some other unused JWT claim name

    // Auth0 rule: look up the Tyk policy ID stored under this client's ID
    // in Rules > Settings and attach it to the user as the "pol" claim.
    function (user, context, callback) {
      user.pol = configuration[user.clientID];
      //console.log('user ', user);
      //console.log('context ', context);
      callback(null, user, context);
    }

In the application:

Add pol to the Lock claims so that the JWT claim "pol": "Tyk Policy ID" will be requested during authentication:

    { authParams: { scope: 'openid pol' } });


At this point you can create a signed JWT at and use curl to test local Tyk authentication.

curl -X GET -H "Accept: application/vnd.api+json" -H "Authorization: ey...JWT.bytes...jI" 'http://tyk-vbox:8080/test2/foo'

Make sure to use the plain-text secret, or Tyk will log an error: Token validation error: signature is invalid

Decoded JWT should look like this:

JWT Header:

  {
    "typ": "JWT",
    "alg": "HS256"
  }

JWT Data:

  {
    "pol": "571fc5dfbceab80251000001",
    "iss": "",
    "sub": "google-oauth2|114386168700053341693",
    "aud": "KjPmsukutSwfo0EN03dzT95q3R0tL5Nq",
    "exp": 1461734146,
    "iat": 1461698146
  }

Rate limiting:

Tyk creates virtual tokens for the user ID in the JWT sub field and applies the policy with the matching ID in the JWT pol. If we had created a Tyk key which had JWT ID checked and a secret entered and the API had a blank secret, and the JWT header included a kid with the Tyk key ID, Tyk would rate limit all users as a single group. By matching a policy instead of key, Tyk rate limits each user independently.


Amazing - that's quite the workaround :)

Though you may have some superfluous steps, this config conflates the two versions of JWT handling and one might be completely ignored by Tyk :-/

Either you put the secret in the API or you create a key with a secret. I don’t think you need step 2, because step 6 will basically forgo a secret lookup based on the kid.

Hopefully you won't need this much pain in future - we have just merged full OpenID Connect support into Tyk Dev branch (gateway only so far) as an auth method for your APIs, so that will be available soon - I believe Auth0 does support OIDC, so it should make things much easier in future :D

I just tested it by changing the kid and validated what you said. I was incorrect. I’ll update the posting. The kid is not needed in the header which eliminates the kludge - thank goodness for that.


You might want to edit the above reply as I've removed the superfluous steps and renumbered what remains. Otherwise, future readers may get confused.

Follow up: Auth0 integration is very, very easy with Tyk 2.1: