Ok, I was totally mistaken. I thought that TIB would work like the Amazon Custom Authorizer of the API Gateway.
I thought this flow :
I call my API through the Tyk gateway with Authorization: Basic xxxxx header
Tyk gateway detect that for this API there is a TIB Profile associated and call the Target Host
Target host treats the Basic Header and return a 200 or 401 response to the tyk gateway.
This is a behavior that we can find in the Custom Authorizer of API Gateway : the header values are sent to a Lambda expression which return a Policy (grant or deny).
Ok, so if I understand what you explain, I need to call my TIB endpoint first (to ask an access token). Then, TIB call my custom provider, wait for an OK response and generate an access token that I can use to call my API. The lifetime of this token is determined by the policy I specified in the MatchedPolicyID property.
It a bit clearer now ^^
Martin
April 13, 2016, 12:08pm
10
fmeriot:
Ok, so if I understand what you explain, I need to call my TIB endpoint first (to ask an access token). Then, TIB call my custom provider, wait for an OK response and generate an access token that I can use to call my API. The lifetime of this token is determined by the policy I specified in the MatchedPolicyID property.
Yup that should work - though to expire the token, you need to add an Expires
field into your profile with an epoch value, so:
{
...
"IdentityHandlerConfig": {
...
"TokenAuth": {
"BaseAPIID": "1a188fa6b20d47d078450b1f2be26ff3",
"Expires": 1460549190
}
},
...
}
I think that the trial expiry policy feature only applies to tokens generated via our portal.
Hi,
It’s almost fine.
Now I’am calling http://{your-tib-host}:{tib-port}/auth/{profile-id}/proxy/ posting some json data. TIB foward this json payload to my custom provider which reply a dummy json response like this
{
“user_name”: “toto”,
“access_token”: “123456789”
}
But my tib response is always :
HTTP 200 OK
Content-Length: 12
Content-Type: text/plain; charset=utf-8
Date: Thu, 14 Apr 2016 09:00:31 GMT
Login failed
I feel I’am not far from succeed, but I can’t see what’s wrong :)))
Martin
April 14, 2016, 9:36am
12
Right, TIB is sending the response and you’re getting something back - now TIB needs to evaluate your response - lets take a look at your profile again?
Also what response code does the dummy handler respond to TIB with (if any)?
Here is my profile :
=======================================================
{
“ActionType”: “GenerateTemporaryAuthToken”,
“ID”: “2”,
“OrgID”: “570b59228352270ae5000001”,
“IdentityHandlerConfig”: {
“DashboardCredential”: “3d5a367eb9064eed4455c9fbf1075100”,
“DisableOneTokenPerAPI”: false,
“TokenAuth”: {
“BaseAPIID”: “1a188fa6b20d47d078450b1f2be26ff3”
}
},
“MatchedPolicyID”:“570d0c97835227162c000001”,
“ProviderConfig”: {
“AccessTokenField”: “access_token”,
“ExrtactUserNameFromBasicAuthHeader”: false,
“OKCode”: 200,
“OKRegex”: “”,
“OKResponse”: “”,
“ResponseIsJson”: true,
“TargetHost”: “http:/my_custom_idp:port/auth”,
“UsernameField”: “user_name”
},
“ProviderName”: “ProxyProvider”,
“ReturnURL”: “”,
“Type”: “passthrough”
}
=======================================================
My custom IDP is running in a Docker container and I can see what requests are coming in live. So I can see requests that are forwarded from my Tyk Identity Broker.
This custom IDP always replies the same JSON response :
{“user_name”:“toto”, “access_token”:“123456789”}
I also tried to just respond a HTTP 200 without any payload, but my TIB server always send me back a :
HTTP 200 OK
Content-Length: 12
Content-Type: text/plain; charset=utf-8
Date: Thu, 14 Apr 2016 09:00:31 GMT
Login failed
Thank you again ^^
Martin
April 14, 2016, 10:01am
14
It looks ok, but since you don;t provisde an access token, you might want to clear this bit:
Is TIB outputting anything to stderr / log?
I have this in TIB log :
INFO[0000] Tyk Identity Broker v0.1
INFO[0000] Copyright Martin Buhr 2016
INFO[0000] [MAIN] Initialising Profile Configuration Store
INFO[0000] [IN-MEMORY STORE] Initialised
INFO[0000] [MAIN] Initialising Identity Cache
INFO[0000] [REDIS STORE] Initialised
INFO[0000] [FILE LOADER] Loaded: 2 profiles from profiles.json
INFO[0000] [MAIN] Broker Listening on :3010
WARN[0005] [TYK ID HANDLER] No expiry found - defaulting to 3600 seconds
INFO[0005] [TYK ID HANDLER] Starting Token Flow…
WARN[0005] Response code was: 404
WARN[0005] GOT:404 page not found
ERRO[0005] [TYK ID HANDLER] --> Login failure. Request not allowed
I do not understand the “404” because I see the request coming from TIB in my provider, and my provider reply a 200.
Martin
April 14, 2016, 10:08am
16
There it is… TIB is getting a 404 when calling your endpoint, not a 200
Id your URL absolutely correct?
Yes, I think.
You can try it :
http://54.194.61.205:8888/auth
You can call it in GET or POST
Martin
April 14, 2016, 10:22am
18
Ok, so I just tried this out locally (replacing values in my handler) and I got a key back. So your configuration works ok.
Can you try removing the slash from your call (it 404’ed on mine), so instead of
http://{your-tib-host}:{tib-port}/auth/{profile-id}/proxy/
do:
http://{your-tib-host}:{tib-port}/auth/{profile-id}/proxy
M.
It seems I have another problem because I already call
http://{your-tib-host}:{tib-port}/auth/{profile-id}/proxy (without the tailing /)
And I still have the Login fail.
you can try it here : http://54.194.109.37:3010/auth/2/proxy (GET or POST)
Martin
April 14, 2016, 10:35am
20
Can I see your whole profile (you can PM it to me if you don;t want to make it public)?
It’s a test so I don’t care if it’s public
[{
“ActionType”: “GenerateOrLoginUserProfile”,
“ID”: “1”,
“OrgID”: “570b59228352270ae5000001”,
“ProviderConfig”: {
“CallbackBaseURL”: “http://127.0.0.1:3010 ”,
“FailureRedirect”: “http://127.0.0.1:3000/?fail=true ”,
“UseProviders”: [{
“Key”: “YOUR-API-KEY”,
“Name”: “gplus”,
“Secret”: “YOUR-OAUTH-SECRET”
}]
},
“ProviderName”: “SocialProvider”,
“ReturnURL”: “http://127.0.0.1:3000/tap ”,
“Type”: “redirect”
},
{
“ActionType”: “GenerateTemporaryAuthToken”,
“ID”: “2”,
“OrgID”: “570b59228352270ae5000001”,
“IdentityHandlerConfig”: {
“DashboardCredential”: “3d5a367eb9064eed4455c9fbf1075100”,
“DisableOneTokenPerAPI”: false,
“TokenAuth”: {
“BaseAPIID”: “1a188fa6b20d47d078450b1f2be26ff3”
}
},
“MatchedPolicyID”:“570d0c97835227162c000001”,
“ProviderConfig”: {
“ExrtactUserNameFromBasicAuthHeader”: false,
“OKCode”: 200,
“OKRegex”: “”,
“OKResponse”: “”,
“ResponseIsJson”: true,
“TargetHost”: “http://54.194.61.205:8888/auth ”,
“UsernameField”: “user_name”
},
“ProviderName”: “ProxyProvider”,
“ReturnURL”: “”,
“Type”: “passthrough”
}]
Martin
April 14, 2016, 10:42am
22
There’s definetely something up at the config level AFAICT, because I’ve dug into the code at the release level, and can see that the thing returning the 404 code is that standard, built-in http proxy (as in we’re not doing anything fancy to the request).
Which means that TIB really does think it’s getting a 404 back, not a 200, even though the request is arriving.
Are these docker containers? Can you curl from within the TIB container to your IDP?
My TIB is not a docker container. I just follow the setup tutorial and start ./tib in my EC2 linux prompt.
My custom provider is running inside a container but as you say earlier, you succeed in calling it.
Here the content of my tib.conf (just in case) :
"Secret": "test-secret",
"HttpServerOptions": {
"UseSSL": false,
"CertFile": "./certs/server.pem",
"KeyFile": "./certs/server.key"
},
"BackEnd": {
"Name": "in_memory",
"ProfileBackendSettings": {},
"IdentityBackendSettings": {
"Hosts" : {
"localhost": "6379"
},
"Password": "",
"Database": 0,
"EnableCluster": false,
"MaxIdle": 1000,
"MaxActive": 2000
}
},
"TykAPISettings": {
"GatewayConfig": {
"Endpoint": "http://localhost",
"Port": "8080",
"AdminSecret": "54321"
},
"DashboardConfig": {
"Endpoint": "http://localhost",
"Port": "3000",
"AdminSecret": "12345"
}
}
}
And I also tried to curl my custom provider from the TIB EC2 VM
curl -X POST http://54.194.61.205:8888/auth
And it works fine relying : {“user_name”:“toto”} (http 200)
Martin
April 14, 2016, 10:56am
24
And you can curl the provider from the TIB box?
We need to track down this 404 basically.
If I curl my custom provider from the TIB EC2 VM
curl -X POST http://54.194.61.205:8888/auth
It works fine replying : {“user_name”:“toto”} (http 200)
I restart it. Always the :
INFO[0000] Tyk Identity Broker v0.1
INFO[0000] Copyright Martin Buhr 2016
INFO[0000] [MAIN] Initialising Profile Configuration Store
INFO[0000] [IN-MEMORY STORE] Initialised
INFO[0000] [MAIN] Initialising Identity Cache
INFO[0000] [REDIS STORE] Initialised
INFO[0000] [FILE LOADER] Loaded: 2 profiles from profiles.json
INFO[0000] [MAIN] Broker Listening on :3010
WARN[0015] [TYK ID HANDLER] No expiry found - defaulting to 3600 seconds
INFO[0015] [TYK ID HANDLER] Starting Token Flow…
WARN[0015] Response code was: 404
WARN[0015] GOT:404 page not found
ERRO[0015] [TYK ID HANDLER] --> Login failure. Request not allowed
Martin
April 14, 2016, 11:09am
28
fmeriot:
GOT:
Dammit. Figured it out - it’s not your handler, it’s the Tyk Dashboard URL:
(the error is defined i the tyk API Handler:
return []byte{}, reqErr
}
retBody, bErr := t.readBody(response)
if bErr != nil {
return []byte{}, bErr
}
log.Debug("GOT:", string(retBody))
if response.StatusCode > 201 {
log.Warning("Response code was: ", response.StatusCode)
log.Warning("GOT:", string(retBody))
return retBody, errors.New("Response code was not 200!")
}
return retBody, nil
}
func (t *TykAPI) readBody(response *http.Response) ([]byte, error) {
defer response.Body.Close()
TIB can’t access that URL, I would suggest you use the same URL that you use to browse to the dash in the configuration file.