TYK + Auth0 (Machine to Machine App)

Hi Guys,

I’m testing TYK as a candidate for our OperationsAPI Gateway. It’s a hot candidate for now, but I’m trying to connect it to Auth0. I followed the working example in the documentation, but I’m stuck with the following error:

    curl -H "Authorization: Bearer $TOKEN" https://api.kubetech1.lskube.eu/test/
    {
        "error": "Key not authorized: no matching policy"
    }

In Auth0 I’m using a Machine-to-Machine Application, so I receive a JWT bearer token from Auth0 with the following payload:

    {
      "iss": "https://lstech.eu.auth0.com/",
      "sub": "oarIGJCH9JkknxjxppCT7213us0v1q5d@clients",
      "aud": "https://api.kubetech1.lskube.eu",
      "iat": 1583142944,
      "exp": 1583229344,
      "azp": "oarIGJCH9JkknxjxppCT7213us0v1q5d",
      "scope": "read:dns write:dns read:racktables write:racktables",
      "gty": "client-credentials"
    }

I have created a provider with policy mapping:

        "use_openid": true,
        "openid_options": {
            "providers": [
                {
                    "issuer": "https://lstech.eu.auth0.com/",
                    "client_ids": {
                        "aHR0cHM6Ly9hcGkua3ViZXRlY2gxLmxza3ViZS5ldQ==": "admin",
                        "b2FySUdKQ0g5SmtrbnhqeHBwQ1Q3MjEzdXMwdjFxNWRAY2xpZW50cw==": "admin",
                        "b2FySUdKQ0g5SmtrbnhqeHBwQ1Q3MjEzdXMwdjFxNWQ=": "admin"
                    }
                }
            ],
            "segregate_by_client": false
        },


time="Mar 02 10:05:12" level=debug msg="Setting up providers: [{https://lstech.eu.auth0.com/ map[aHR0cHM6Ly9hcGkua3ViZXRlY2gxLmxza3ViZS5ldQ==:admin] b2FySUdKQ0g5SmtrbnhqeHBwQ1Q3MjEzdXMwdjFxNWQ=:admin b2FySUdKQ0g5SmtrbnhqeHBwQ1Q3MjEzdXMwdjFxNWRAY2xpZW50cw==:admin]}]" api_id=1 api_name=OpsAPI mw=OpenIDMW org_id=tech origin=192.168.1.249 path="/test/" 
time="Mar 02 10:05:12" level=debug msg="Setting up Issuer: https://lstech.eu.auth0.com/" api_id=1 api_name=OpsAPI mw=OpenIDMW org_id=tech origin=192.168.1.249 path="/test/" 
time="Mar 02 10:05:12" level=debug msg="--> Setting up client: https://api.kubetech1.lskube.eu with policy: admin" api_id=1 api_name=OpsAPI mw=OpenIDMW org_id=tech origin=192.168.1.249 path="/test/" 
time="Mar 02 10:05:12" level=debug msg="--> Setting up client: oarIGJCH9JkknxjxppCT7213us0v1q5d@clients with policy: admin" api_id=1 api_name=OpsAPI mw=OpenIDMW org_id=tech origin=192.168.1.249 path="/test/" 
time="Mar 02 10:05:12" level=debug msg="--> Setting up client: oarIGJCH9JkknxjxppCT7213us0v1q5d with policy: admin" api_id=1 api_name=OpsAPI mw=OpenIDMW org_id=tech origin=192.168.1.249 path="/test/" 
time="Mar 02 10:05:12" level=debug msg="Generated Session ID: techcefa3622b9d153c800f7380deec496ed" api_id=1 api_name=OpsAPI mw=OpenIDMW org_id=tech origin=192.168.1.249 path="/test/" 
time="Mar 02 10:05:12" level=debug msg="Querying local cache" api_id=1 api_name=OpsAPI mw=OpenIDMW org_id=tech origin=192.168.1.249 path="/test/" 

Error from debug log:

time="Mar 02 10:05:12" level=debug msg="Querying local cache" api_id=1 api_name=OpsAPI mw=OpenIDMW org_id=tech origin=192.168.1.249 path="/test/" 
time="Mar 02 10:05:12" level=debug msg="Querying keystore" api_id=1 api_name=OpsAPI mw=OpenIDMW org_id=tech origin=192.168.1.249 path="/test/" 
time="Mar 02 10:05:12" level=debug msg="Could not get session detail, key not found" err="key not found" inbound-key="****96ed" prefix=auth-mgr 
time="Mar 02 10:05:12" level=debug msg="Querying authstore" api_id=1 api_name=OpsAPI mw=OpenIDMW org_id=tech origin=192.168.1.249 path="/test/" 
time="Mar 02 10:05:12" level=debug msg="Error trying to get value:redis: nil" 
time="Mar 02 10:05:12" level=warning msg="Key not found in storage engine" err="key not found" inbound-key="****96ed" prefix=auth-mgr 
time="Mar 02 10:05:12" level=debug msg="Key does not exist, creating" api_id=1 api_name=OpsAPI mw=OpenIDMW org_id=tech origin=192.168.1.249 path="/test/" 
time="Mar 02 10:05:12" level=warning msg="Attempted access with invalid key." api_id=1 api_name=OpsAPI key="****96ed" mw=OpenIDMW org_id=tech origin=192.168.1.249 path="/test/" 
time="Mar 02 10:05:12" level=debug msg="EVENT FIRED: AuthFailure" 
time="Mar 02 10:05:12" level=debug msg="Adding Healthcheck to: 1.KeyFailure" 
time="Mar 02 10:05:12" level=debug msg="Val is: 1" 
time="Mar 02 10:05:12" level=debug msg="Set value to: 1583143512543987175.1" 
time="Mar 02 10:05:12" level=error msg="Could not find a valid policy to apply to this token!" api_id=1 api_name=OpsAPI mw=OpenIDMW org_id=tech origin=192.168.1.249 path="/test/" 
time="Mar 02 10:05:12" level=debug msg="Adding Healthcheck to: 1.BlockedRequest" 
time="Mar 02 10:05:12" level=debug msg="Val is: -1" 
time="Mar 02 10:05:12" level=debug msg=Finished api_id=1 api_name=OpsAPI code=403 error="Key not authorized: no matching policy" mw=OpenIDMW ns=1657162 org_id=tech origin=192.168.1.249 path="/test/" 
time="Mar 02 10:05:12" level=debug msg="Incrementing raw key: 1.KeyFailure" 
time="Mar 02 10:05:12" level=debug msg="keyName is: 1.KeyFailure" 
time="Mar 02 10:05:12" level=debug msg="Now is:2020-03-02 10:05:12.544176239 +0000 UTC m=+496437.142741164" 
time="Mar 02 10:05:12" level=debug msg="Then is: 2020-03-02 10:04:12.544176239 +0000 UTC m=+496377.142741164" 
time="Mar 02 10:05:12" level=debug msg="Incrementing raw key: 1.BlockedRequest" 
time="Mar 02 10:05:12" level=debug msg="keyName is: 1.BlockedRequest" 
time="Mar 02 10:05:12" level=debug msg="Now is:2020-03-02 10:05:12.544265249 +0000 UTC m=+496437.142830137" 
time="Mar 02 10:05:12" level=debug msg="Then is: 2020-03-02 10:04:12.544265249 +0000 UTC m=+496377.142830137" 
time="Mar 02 10:05:12" level=debug msg="Returned: 0" 
time="Mar 02 10:05:12" level=debug msg="Returned: 0" 
time="Mar 02 10:05:15" level=debug msg="Primary instance set, I am master" prefix=host-check-mgr 

I searched this forum and found some similar issues, but nothing which helps me.

Am I understanding this right: I request authorization with Auth0, receive a JWT token with a payload, and TYK checks the signature, looks into the payload and should assign the correct policy?

Thanks a lot for the information.

Tyk.conf

    {
      "listen_port": 8080,
      "log_level": "debug",
      "pid_file_location": "/tmp/tyk-gateway.pid",
      "template_path": "/opt/tyk-gateway/templates",
      "tyk_js_path": "/opt/tyk-gateway/js/tyk.js",
      "middleware_path": "/opt/tyk-gateway/middleware",
      "use_db_app_configs": false,
      "app_path": "/opt/tyk-gateway/apps/",
      "storage": {
        "type": "redis",
        "host": "127.0.0.1",
        "port": 6379,
        "username": "",
        "password": "",
        "database": 0,
        "optimisation_max_idle": 2000,
        "optimisation_max_active": 4000
      },
      "enable_analytics": false,
      "analytics_config": {
        "type": "csv",
        "csv_dir": "/tmp",
        "mongo_url": "",
        "mongo_db_name": "",
        "mongo_collection": "",
        "purge_delay": -1,
        "ignored_ips": []
      },
      "health_check": {
        "enable_health_checks": true,
        "health_check_value_timeouts": 60
      },
      "optimisations_use_async_session_write": true,
      "enable_non_transactional_rate_limiter": true,
      "enable_sentinel_rate_limiter": false,
      "allow_master_keys": true,
      "policies": {
        "policy_source": "file",
        "policy_record_name": "/opt/tyk-gateway/policies/policies.json"
      },
      "hash_keys": true,
      "enable_hashed_keys_listing": true,
      "close_connections": false,
      "http_server_options": {
        "enable_websockets": true
      },
      "allow_insecure_configs": true,
      "coprocess_options": {
        "enable_coprocess": true,
        "coprocess_grpc_server": ""
      },
      "enable_bundle_downloader": true,
      "bundle_base_url": "",
      "global_session_lifetime": 100,
      "force_global_session_lifetime": false,
      "max_idle_connections_per_host": 500
    }

app conf

    {
        "name": "OpsAPI",
        "api_id": "1",
        "org_id": "tech",
        "definition": {
            "location": "header",
            "key": "version"
        },
        "use_openid": true,
        "openid_options": {
            "providers": [
                {
                    "issuer": "https://lstech.eu.auth0.com/",
                    "client_ids": {
                        "aHR0cHM6Ly9hcGkua3ViZXRlY2gxLmxza3ViZS5ldQ==": "admin",
                        "b2FySUdKQ0g5SmtrbnhqeHBwQ1Q3MjEzdXMwdjFxNWRAY2xpZW50cw==": "admin",
                        "b2FySUdKQ0g5SmtrbnhqeHBwQ1Q3MjEzdXMwdjFxNWQ=": "admin"
                    }
                }
            ],
            "segregate_by_client": false
        },
        "version_data": {
            "not_versioned": true,
            "versions": {
                "Default": {
                    "name": "Default",
                    "expires": "",
                    "use_extended_paths": true,
                    "extended_paths": {
                        "ignored": [],
                        "white_list": [],
                        "black_list": []
                    },
                    "global_headers": {
                        "X-Backend-Secret": "aacb7fa1-217b-4653-8291-7ed9be163cbc"
                    }
                }
            }
        },
        "proxy": {
            "listen_path": "/test/",
            "target_url": "https://httpbin.org",
            "strip_listen_path": true
        },
        "enable_batch_request_support": true
    }

policies.json

    {
        "admin": {
            "access_rights": {
                "1": {
                    "api_name": "OpsAPI",
                    "api_id": "1",
                    "versions": [
                        "Default"
                    ]
                }
            },
            "org_id": "tech",
            "hmac_enabled": false
        }
        "read": {
            "access_rights": {
                "1": {
                    "api_name": "OpsAPI",
                    "api_id": "1",
                    "versions": [
                        "Default"
                    ],
                    "allowed_urls": [
                        {
                            "url": "/.*",
                            "methods": ["GET"]
                        }
                    ]
                }
            },
            "org_id": "tech",
            "hmac_enabled": false
        }
    }

I have a working public setup, I can provide you any access information, tokens or its for Auth0.

Little update.

Today I prepared a setup in docker-compose with the dashboard.

I tried to set up OIDC auth through the dashboard with Auth0, now with a SINGLE PAGE APPLICATION and https://openidconnect.net/ to retrieve the bearer token.

I tried to curl the API but always get the same problem:

    curl -H "Authorization: Bearer $TOKEN" http://localhost:8080/test/headers
    {
        "error": "Key not authorized: no matching policy"
    }

tyk_gateway_1    | time="Mar 06 16:34:30" level=info msg="Detected 1 APIs" prefix=main
tyk_gateway_1    | time="Mar 06 16:34:30" level=info msg="Loading API configurations." prefix=main
tyk_gateway_1    | time="Mar 06 16:34:30" level=info msg="Tracking hostname" api_name=myapi domain="(no host)" prefix=main
tyk_gateway_1    | time="Mar 06 16:34:30" level=info msg="Initialising Tyk REST API Endpoints" prefix=main
tyk_gateway_1    | time="Mar 06 16:34:30" level=info msg="API bind on custom port:0" prefix=main
tyk_gateway_1    | time="Mar 06 16:34:30" level=info msg="Initializing HealthChecker"
tyk_gateway_1    | time="Mar 06 16:34:30" level=info msg="Checking security policy: OpenID" api_id=89987cb2510d4f97642fa2c42cf02674 api_name=myapi org_id=5e61fdfda7575e00014b0be6
tyk_gateway_1    | time="Mar 06 16:34:30" level=info msg="API Loaded" api_id=89987cb2510d4f97642fa2c42cf02674 api_name=myapi org_id=5e61fdfda7575e00014b0be6 prefix=gateway server_name=-- user_id=-- user_ip=--
tyk_gateway_1    | time="Mar 06 16:34:30" level=info msg="Loading uptime tests..." prefix=host-check-mgr
tyk_gateway_1    | time="Mar 06 16:34:30" level=info msg="Initialised API Definitions" prefix=main
tyk_gateway_1    | time="Mar 06 16:34:30" level=info msg="API reload complete" prefix=main
tyk_gateway_1    | time="Mar 06 16:34:30" level=info msg="reload: complete" prefix=main
tyk_gateway_1    | time="Mar 06 16:34:30" level=info msg="Initiating coprocess reload" prefix=main
tyk_gateway_1    | time="Mar 06 16:34:30" level=info msg="Reloading middlewares" prefix=coprocess
tyk_gateway_1    | time="Mar 06 16:34:37" level=warning msg="Key not found in storage engine" err="key not found" inbound-key="****1acf" prefix=auth-mgr
tyk_gateway_1    | time="Mar 06 16:34:37" level=warning msg="Attempted access with invalid key." api_id=89987cb2510d4f97642fa2c42cf02674 api_name=myapi key="****1acf" mw=OpenIDMW org_id=5e61fdfda7575e00014b0be6 origin=172.19.0.1 path="/test/headers"
tyk_gateway_1    | time="Mar 06 16:34:37" level=error msg="Could not find a valid policy to apply to this token!" api_id=89987cb2510d4f97642fa2c42cf02674 api_name=myapi mw=OpenIDMW org_id=5e61fdfda7575e00014b0be6 origin=172.19.0.1 path="/test/headers"

I have a valid admin policy mapped to the aud field of the data payload of the token.

The token payload looks like this:

    {
      "given_name": "Róbert",
      "family_name": "Vojčík",
      "nickname": "robert.vojcik",
      "name": "Róbert Vojčík",
      "picture": "https://lh3.googleusercontent.com/a-/AOh14GhY9nolugwTaNnfu3oLeGfTPETHKMSEdWpUp7rK",
      "gender": "male",
      "locale": "en-GB",
      "updated_at": "2020-03-06T16:20:34.440Z",
      "email": "[email protected]",
      "email_verified": true,
      "iss": "https://lstech.eu.auth0.com/",
      "sub": "google-oauth2|105555337474725685577",
      "aud": "T28tLsECRYUYIK2z1ONMz1qbhp3oCXEn",
      "iat": 1583511640,
      "exp": 1583547640
    }

Update:

I tried setting up demo-pro, and everything works. It looks like the problem occurs when using the community headless edition with policies defined in the policies.json file. Then there is a problem somewhere in linking the policies from the file to the actual bearer token audience.

In the pro version, the OAuth app works, and machine-to-machine too.

I am trying to investigate the configuration differences between CE and PRO.

OK, finally: I had a few issues at once, but mainly with referencing the policies and the syntax of the policies file.

My working setup looks like this:

    {
        "admin": {
            "access_rights": {
                "1": {
                    "api_name": "OpsAPI",
                    "api_id": "1",
                    "versions": [
                        "Default"
                    ]
                }
            },
            "org_id": "tech",
            "active": true,
            "name": "Operations API",
            "rate": 100,
            "per": 1,
            "quota_max": 10000,
            "quota_renewal_rate": 3600,
            "tags": ["admin"]
        },
        "default": {
            "rate": 1000,
            "per": 1,
            "quota_max": 100,
            "quota_renewal_rate": 60,
            "access_rights": {
                "41433797848f41a558c1573d3e55a410": {
                    "api_name": "OpsAPI",
                    "api_id": "1",
                    "versions": [
                        "Default"
                    ]
                }
            },
            "org_id": "tech",
            "hmac_enabled": false
        }
    }

Referencing OIDC from the app definition:

        "use_openid": true,
        "openid_options": {
            "providers": [
                {
                    "issuer": "https://lstech.eu.auth0.com/",
                    "client_ids": {
                        "aHR0cHM6Ly9hcGkua3ViZXRlY2gxLmxza3ViZS5ldQ==": "admin"
                    }
                }
            ],
            "segregate_by_client": false
        },

I'm really missing a policies endpoint on the gateway API, to be able to check how the gateway sees the policies.
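
As an added example (not part of the original posts and not Tyk's own code): an offline check for the two problems the thread ends on, a policies file that does not parse and a `client_ids` key that does not decode to the token's `aud`. It assumes, as the working setup above suggests, that each key is the base64 of the `aud` claim and that the policies file is a JSON object keyed by policy ID; `check_mapping`, `sample_token` and the sample inputs are hypothetical names and constructed data.

```python
import base64
import json

def b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def check_mapping(token, api_def, policies_text):
    """Return a list of findings; an empty list means the mapping is consistent.

    Diagnostic only: the token signature is NOT verified here.
    """
    try:
        policies = json.loads(policies_text)
    except json.JSONDecodeError as exc:
        return [f"policies file is not valid JSON: {exc.msg} (line {exc.lineno})"]
    claims = b64url_json(token.split(".")[1])
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    provider = next((p for p in api_def["openid_options"]["providers"]
                     if p["issuer"] == claims.get("iss")), None)
    if provider is None:
        return [f"no provider configured for issuer {claims.get('iss')!r}"]
    # Assumption: client_ids keys are base64 of the plain identifier, as in the thread
    decoded = {base64.b64decode(k).decode(): v for k, v in provider["client_ids"].items()}
    matched = [a for a in audiences if a in decoded]
    if not matched:
        return [f"aud {audiences} matches none of client_ids {sorted(decoded)}"]
    return [f"policy {decoded[a]!r} (mapped to {a!r}) is missing from the policies file"
            for a in matched if decoded[a] not in policies]

def sample_token(claims):
    """Constructed, unsigned sample token; the third segment is a placeholder."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder"

# Constructed sample inputs, reusing the issuer, audience and key shown in the thread
API_DEF = {"openid_options": {"providers": [{
    "issuer": "https://lstech.eu.auth0.com/",
    "client_ids": {"aHR0cHM6Ly9hcGkua3ViZXRlY2gxLmxza3ViZS5ldQ==": "admin"}}]}}
M2M = sample_token({"iss": "https://lstech.eu.auth0.com/",
                    "aud": "https://api.kubetech1.lskube.eu"})
GOOD_POLICIES = '{"admin": {"org_id": "tech"}, "default": {"org_id": "tech"}}'
BROKEN_POLICIES = '{"admin": {"org_id": "tech"} "read": {"org_id": "tech"}}'  # missing comma

if __name__ == "__main__":
    print(check_mapping(M2M, API_DEF, GOOD_POLICIES))
    print(check_mapping(M2M, API_DEF, BROKEN_POLICIES))
```

Run it against the real API definition and policies file before reloading the gateway; it only inspects configuration and claims and is no substitute for the gateway's signature validation.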