Tyk and oidc integration

I am trying to set up tyk with OIDC. I followed this guide:
When I am sending a request to tyk (providing the bearer token that I get from my auth server), I see the following error message (in the logs): “Validation Error. The Provider __ does not have a client id matching any of the token audiences __”, and the authentication fails.
My token has the “aud” field set to the same value as in my api definition (the client id base64 encoded), and yet it seems like tyk-gateway fails at the validateAudiences method (from idtokenvalidator.go) when it tries to find a match between the token audiences and the client ids in the api file.
I can’t understand what I am doing wrong here.
Any help would be appreciated!


Hello @Ori,

Which OIDC provider are you using? I will try to get this setup and get back to you.

Hey @zaid
I’m using self-hosted OIDC provider (RedHat SSO).

Hello @Ori were you working with tyk pro or tyk community edition?

tyk community edition

1 Like

Hello @Ori I haven’t had a chance to look at this yet. I will have sometime today to try and recreate it however.

@Ori can you please send me the API definition and gateway logs.

I am facing exact issue with keycloak. I am using tyk oss with api and policy as mentioned here Tyk (Open source) + Keycloak (OIDC) - #2 by rwxget

keycloak has myrealm with tyk-test client. I am getting

time="Jan 24 12:52:27" level=warning msg="JWT Invalid" api_id=3 api_name="httpbin.org - OIDC" error="Validation error. Validation error. The provider https://<example.com>/auth/realms/myrealm does not have a client id matching any of the token audiences [tyk-test]" mw=OpenIDMW org_id=1 origin= path="/httpbin/oidc/ip"
time="Jan 24 12:52:27" level=warning msg="Attempted access with invalid key." api_id=3 api_name="httpbin.org - OIDC" key="****JWT]" mw=OpenIDMW org_id=1 origin= path="/httpbin/oidc/ip"

I have obtained token using https://openidconnect.net/ with client = tyk-test

Kindly check my reply Tyk and oidc integration - #8 by armujahid

Hello @armujahid did you check out this reply Tyk (Open source) + Keycloak (OIDC) - #3 by chris.f?

Yes of course. I am using a valid OIDC authentication flow (using https://openidconnect.net/) that is providing me a valid JWT/id token with correct client tyk-test in audience. and I am passing that token to API using

curl --location --request GET 'https://<example.com>/httpbin/oidc/ip' \
--header 'Authorization: Bearer validjwttoken'
1 Like

@armujahid I will have a look and get back to you ASAP!

1 Like

My issue has been resolved. it was because of incorrect base64 encoded client id.

❯ echo "tyk-test" | base64
dHlrLXRlc3QK // doesn't work with tyk because it has newline https://stackoverflow.com/a/46171699/2073920
❯ echo -n "tyk-test" | base64
dHlrLXRlc3Q=   // works with tyk

Another working example of keycloak oidc with tyk-oss is GitHub - CanDIG/tyk-kc-demo: A toy demo showing how to use Tyk to protect an API, denying access to it without an OIDC token from a Keycloak instance, and enforcing rate limiting

1 Like