Tyk and oidc integration

Hello,
I am trying to set up tyk with OIDC. I followed this guide:
https://site-dev.tykbeta.com/docs/advanced-configuration/integrate/api-auth-mode/open-id-connect/#setting-up-oidc.
When I am sending a request to tyk (providing the bearer token that I get from my auth server), I see the following error message (in the logs): “Validation Error. The Provider __ does not have a client id matching any of the token audiences __”, and the authentication fails.
My token has the “aud” field set to the same value as in my api definition (the client id base64 encoded), and yet it seems like tyk-gateway fails at the validateAudiences method (from idtokenvalidator.go) when it tries to find a match between the token audiences and the client ids in the api file.
I can’t understand what I am doing wrong here.
Any help would be appreciated!


Hello @Ori,

Which OIDC provider are you using? I will try to get this setup and get back to you.

Hey @zaid
I’m using a self-hosted OIDC provider (RedHat SSO).

Hello @Ori were you working with tyk pro or tyk community edition?

tyk community edition


Hello @Ori, I haven’t had a chance to look at this yet. I will have some time today to try and recreate it, however.

@Ori can you please send me the API definition and gateway logs.

I am facing the exact same issue with keycloak. I am using tyk oss with the api and policy as mentioned here: Tyk (Open source) + Keycloak (OIDC) - #2 by rwxget

keycloak has myrealm with tyk-test client. I am getting

time="Jan 24 12:52:27" level=warning msg="JWT Invalid" api_id=3 api_name="httpbin.org - OIDC" error="Validation error. Validation error. The provider https://<example.com>/auth/realms/myrealm does not have a client id matching any of the token audiences [tyk-test]" mw=OpenIDMW org_id=1 origin=10.42.0.1 path="/httpbin/oidc/ip"
time="Jan 24 12:52:27" level=warning msg="Attempted access with invalid key." api_id=3 api_name="httpbin.org - OIDC" key="****JWT]" mw=OpenIDMW org_id=1 origin=10.42.0.1 path="/httpbin/oidc/ip"

I have obtained token using https://openidconnect.net/ with client = tyk-test

Kindly check my reply Tyk and oidc integration - #8 by armujahid

Hello @armujahid did you check out this reply Tyk (Open source) + Keycloak (OIDC) - #3 by chris.f?

Yes, of course. I am using a valid OIDC authentication flow (using https://openidconnect.net/) that is providing me a valid JWT/id token with the correct client tyk-test in the audience, and I am passing that token to the API using

curl --location --request GET 'https://<example.com>/httpbin/oidc/ip' \
--header 'Authorization: Bearer validjwttoken'

@armujahid I will have a look and get back to you ASAP!


My issue has been resolved. It was because of an incorrectly base64-encoded client id.

❯ echo "tyk-test" | base64
dHlrLXRlc3QK // doesn't work with tyk because it has newline https://stackoverflow.com/a/46171699/2073920
❯ echo -n "tyk-test" | base64
dHlrLXRlc3Q=   // works with tyk

Another working example of keycloak oidc with tyk-oss is GitHub - CanDIG/tyk-kc-demo: A toy demo showing how to use Tyk to protect an API, denying access to it without an OIDC token from a Keycloak instance, and enforcing rate limiting
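The two posts above (the "does not have a client id matching any of the token audiences" log line and the `echo` vs `echo -n` fix) describe one failure: the key in the API definition's `client_ids` map decodes to `tyk-test\n`, so it never equals the token's `aud`. The following is an added diagnostic, not code from Tyk or from anyone in this thread. It assumes, as the thread states, that Tyk base64-decodes the `client_ids` keys before comparing them with the token audiences; the API-definition fragments, the token builder and the claims are constructed samples (the token is unsigned and only used to inspect claims locally, signature checking stays with the gateway).

```python
import base64
import json

# Constructed API-definition fragments modelled on the keycloak setup in the thread.
# Assumption: Tyk decodes each base64 key of client_ids before matching it against "aud".
BROKEN_API_DEF = {"client_ids": {"dHlrLXRlc3QK": "policy-1"}}  # from: echo "tyk-test" | base64
FIXED_API_DEF = {"client_ids": {"dHlrLXRlc3Q=": "policy-1"}}   # from: echo -n "tyk-test" | base64


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload segment of a compact JWS WITHOUT verifying it.
    This is only for looking at claims; verification remains the gateway's job."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three dot-separated segments)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore the base64url padding JWTs strip
    return json.loads(base64.urlsafe_b64decode(payload))


def token_audiences(claims: dict) -> list:
    """RFC 7519: "aud" may be a single string or an array of strings."""
    aud = claims.get("aud", [])
    return [aud] if isinstance(aud, str) else list(aud)


def configured_client_ids(api_def: dict) -> dict:
    """Map each decoded client id to its raw base64 key so a mismatch can be explained."""
    decoded = {}
    for key in api_def["client_ids"]:
        decoded[base64.b64decode(key).decode("utf-8")] = key
    return decoded


def diagnose_audience(api_def: dict, token: str) -> tuple:
    """Return (matched, explanation) for the audience check the gateway performs.
    Flags the trailing-newline encoding mistake explicitly when that is the cause."""
    auds = token_audiences(decode_jwt_payload(token))
    ids = configured_client_ids(api_def)
    for aud in auds:
        if aud in ids:
            return True, f"audience {aud!r} matches client id key {ids[aud]!r}"
    hints = []
    for decoded, key in ids.items():
        if decoded != decoded.rstrip("\r\n") and decoded.rstrip("\r\n") in auds:
            hints.append(f"key {key!r} decodes to {decoded!r}: trailing newline, re-encode with echo -n")
    detail = "; ".join(hints) if hints else f"no configured client id decodes to any of {auds}"
    return False, "no match: " + detail


def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned sample token for this demo (placeholder header and signature)."""
    def b64url(raw: bytes) -> str:
        return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode("utf-8"))
    body = b64url(json.dumps(claims).encode("utf-8"))
    return f"{header}.{body}.placeholder-signature"


if __name__ == "__main__":
    sample = make_sample_token({"aud": "tyk-test", "iss": "https://<example.com>/auth/realms/myrealm"})
    print(diagnose_audience(BROKEN_API_DEF, sample))  # (False, 'no match: key ... trailing newline ...')
    print(diagnose_audience(FIXED_API_DEF, sample))   # (True, "audience 'tyk-test' matches ...")
```

Run it against the real `client_ids` map and a real token from the provider to see which side of the comparison is wrong before touching the gateway config; the same check also covers tokens whose `aud` is an array (keycloak often adds `account`), which is why `token_audiences` accepts both forms.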
