Tyk and Auth0 Integration Does Not Work

https://tyk.io/2016/05/17/integrate-tyk-auth0/

This integration as described does not work. I have tried nearly everything at this point.

Does anyone actually have this working?

All I can ever get from this setup is:

{
"error": "Key not authorised"
}

Worked fine when I tested it just now with our cloud, here’s a demo definition:

{
    "id": "CHANGME",
    "name": "test-OIDC",
    "slug": "test-oidc",
    "api_id": "CHANGME",
    "org_id": "CHANGME",
    "use_keyless": false,
    "use_oauth2": false,
    "use_openid": true,
    "openid_options": {
        "providers": [
            {
                "issuer": "https://your-autho-endpoint/",
                "client_ids": {
                    "ZlMwWkxjMGk1VmVkZEpadjVLc0p3V2xFSUJkWkNIbjc=": "CHANGME"
                }
            }
        ],
        "segregate_by_client": false
    },
    "oauth_meta": {
        "allowed_access_types": [],
        "allowed_authorize_types": [],
        "auth_login_redirect": ""
    },
    "auth": {
        "use_param": false,
        "param_name": "",
        "use_cookie": false,
        "cookie_name": "",
        "auth_header_name": ""
    },
    "use_basic_auth": false,
    "enable_jwt": false,
    "jwt_signing_method": "",
    "jwt_source": "",
    "jwt_identity_base_field": "",
    "jwt_client_base_field": "",
    "jwt_policy_field_name": "",
    "notifications": {
        "shared_secret": "",
        "oauth_on_keychange_url": ""
    },
    "enable_signature_checking": false,
    "hmac_allowed_clock_skew": -1,
    "definition": {
        "location": "header",
        "key": "x-api-version"
    },
    "version_data": {
        "not_versioned": true,
        "versions": {
            "Default": {
                "name": "Default",
                "expires": "",
                "paths": {
                    "ignored": [],
                    "white_list": [],
                    "black_list": []
                },
                "use_extended_paths": true,
                "extended_paths": {
                    "ignored": [],
                    "white_list": [],
                    "black_list": [],
                    "cache": [],
                    "transform": [],
                    "transform_response": [],
                    "transform_headers": [],
                    "transform_response_headers": [],
                    "hard_timeouts": [],
                    "circuit_breakers": [],
                    "url_rewrites": [],
                    "virtual": [],
                    "size_limits": [],
                    "method_transforms": []
                },
                "global_headers": {},
                "global_headers_remove": [],
                "global_size_limit": 0,
                "override_target": ""
            }
        }
    },
    "uptime_tests": {
        "check_list": [],
        "config": {
            "expire_utime_after": 0,
            "service_discovery": {
                "use_discovery_service": false,
                "query_endpoint": "",
                "use_nested_query": false,
                "parent_data_path": "",
                "data_path": "",
                "port_data_path": "",
                "target_path": "",
                "use_target_list": false,
                "cache_timeout": 60,
                "endpoint_returns_list": false
            },
            "recheck_wait": 0
        }
    },
    "proxy": {
        "preserve_host_header": false,
        "listen_path": "/791c4980c68245a24556ff6fa4180f33/",
        "target_url": "http://httpbin.org/",
        "strip_listen_path": true,
        "enable_load_balancing": false,
        "target_list": [],
        "check_host_against_uptime_tests": false,
        "service_discovery": {
            "use_discovery_service": false,
            "query_endpoint": "",
            "use_nested_query": false,
            "parent_data_path": "",
            "data_path": "hostname",
            "port_data_path": "port",
            "target_path": "/api-slug",
            "use_target_list": false,
            "cache_timeout": 60,
            "endpoint_returns_list": false
        }
    },
    "custom_middleware": {
        "pre": [],
        "post": [],
        "response": []
    },
    "cache_options": {
        "cache_timeout": 60,
        "enable_cache": true,
        "cache_all_safe_requests": false,
        "cache_response_codes": [],
        "enable_upstream_cache_control": false
    },
    "session_lifetime": 0,
    "active": true,
    "auth_provider": {
        "name": "",
        "storage_engine": "",
        "meta": {}
    },
    "session_provider": {
        "name": "",
        "storage_engine": "",
        "meta": null
    },
    "event_handlers": {
        "events": {}
    },
    "enable_batch_request_support": false,
    "enable_ip_whitelisting": false,
    "allowed_ips": [],
    "dont_set_quota_on_create": false,
    "expire_analytics_after": 0,
    "response_processors": [],
    "CORS": {
        "enable": false,
        "allowed_origins": [],
        "allowed_methods": [],
        "allowed_headers": [],
        "exposed_headers": [],
        "allow_credentials": false,
        "max_age": 24,
        "options_passthrough": false,
        "debug": false
    },
    "domain": "",
    "do_not_track": false,
    "tags": [],
    "enable_context_vars": false
}

The trick is to check your given JWT to set your issuer and client ID properly:

My config looks fine as compared to your example.

The trick is to check your given JWT to set your issuer and client ID properly:

What does this mean exactly? Am I to assume the token given to me by auth0 is not valid unless I otherwise modify it?

The instructions state to simply add the Authorization header with a value of Bearer {token} (which is familiar JWT practice).

What version does the Tyk Cloud run?

It means you must authorise each issuer and client ID with Tyk first, and bind those to a policy.

You don’t need to modify the token.

The above example was done using Tyk Cloud, the JWT token was added as a header:

Authorization: Bearer {token}

You need to use the JWT ID Token to access your APIs. It’s likely there’s a problem with the issuer / client ID in your config (e.g. a missing https://).

It was a missing “/” at the end of the issuer — the issuer configured in Tyk has to match the issuer claim in the token exactly, trailing slash included.

Stared at it for an hour before noticing.

Thanks for the help Martin!
