Hi Guys,
I’m testing Tyk as a candidate for our Operations API gateway. It’s the hot candidate for now, but I’m trying to connect it to Auth0. I followed the working example in the documentation but I’m stuck with the following error:
curl -H "Authorization: Bearer $TOKEN" https://api.kubetech1.lskube.eu/test/
{
"error": "Key not authorized: no matching policy"
}
In Auth0 I’m using a Machine-to-Machine application, so I receive a JWT bearer token from Auth0 with the following payload (the `aud` claim is the API identifier and the `scope` claim lists the granted permissions):
{
"iss": "https://lstech.eu.auth0.com/",
"sub": "oarIGJCH9JkknxjxppCT7213us0v1q5d@clients",
"aud": "https://api.kubetech1.lskube.eu",
"iat": 1583142944,
"exp": 1583229344,
"azp": "oarIGJCH9JkknxjxppCT7213us0v1q5d",
"scope": "read:dns write:dns read:racktables write:racktables",
"gty": "client-credentials"
}
I have created a provider with the following policy mapping (the `client_ids` keys are the base64 encoding of the `aud`, `sub` and `azp` values from the token above, as confirmed by the decoded values in the debug log below):
"use_openid": true,
"openid_options": {
"providers": [
{
"issuer": "https://lstech.eu.auth0.com/",
"client_ids": {
"aHR0cHM6Ly9hcGkua3ViZXRlY2gxLmxza3ViZS5ldQ==": "admin",
"b2FySUdKQ0g5SmtrbnhqeHBwQ1Q3MjEzdXMwdjFxNWRAY2xpZW50cw==": "admin",
"b2FySUdKQ0g5SmtrbnhqeHBwQ1Q3MjEzdXMwdjFxNWQ=": "admin"
}
}
],
"segregate_by_client": false
},
time="Mar 02 10:05:12" level=debug msg="Setting up providers: [{https://lstech.eu.auth0.com/ map[aHR0cHM6Ly9hcGkua3ViZXRlY2gxLmxza3ViZS5ldQ==:admin] b2FySUdKQ0g5SmtrbnhqeHBwQ1Q3MjEzdXMwdjFxNWQ=:admin b2FySUdKQ0g5SmtrbnhqeHBwQ1Q3MjEzdXMwdjFxNWRAY2xpZW50cw==:admin]}]" api_id=1 api_name=OpsAPI mw=OpenIDMW org_id=tech origin=192.168.1.249 path="/test/"
time="Mar 02 10:05:12" level=debug msg="Setting up Issuer: https://lstech.eu.auth0.com/" api_id=1 api_name=OpsAPI mw=OpenIDMW org_id=tech origin=192.168.1.249 path="/test/"
time="Mar 02 10:05:12" level=debug msg="--> Setting up client: https://api.kubetech1.lskube.eu with policy: admin" api_id=1 api_name=OpsAPI mw=OpenIDMW org_id=tech origin=192.168.1.249 path="/test/"
time="Mar 02 10:05:12" level=debug msg="--> Setting up client: oarIGJCH9JkknxjxppCT7213us0v1q5d@clients with policy: admin" api_id=1 api_name=OpsAPI mw=OpenIDMW org_id=tech origin=192.168.1.249 path="/test/"
time="Mar 02 10:05:12" level=debug msg="--> Setting up client: oarIGJCH9JkknxjxppCT7213us0v1q5d with policy: admin" api_id=1 api_name=OpsAPI mw=OpenIDMW org_id=tech origin=192.168.1.249 path="/test/"
time="Mar 02 10:05:12" level=debug msg="Generated Session ID: techcefa3622b9d153c800f7380deec496ed" api_id=1 api_name=OpsAPI mw=OpenIDMW org_id=tech origin=192.168.1.249 path="/test/"
time="Mar 02 10:05:12" level=debug msg="Querying local cache" api_id=1 api_name=OpsAPI mw=OpenIDMW org_id=tech origin=192.168.1.249 path="/test/"
Error from debug log:
time="Mar 02 10:05:12" level=debug msg="Querying local cache" api_id=1 api_name=OpsAPI mw=OpenIDMW org_id=tech origin=192.168.1.249 path="/test/"
time="Mar 02 10:05:12" level=debug msg="Querying keystore" api_id=1 api_name=OpsAPI mw=OpenIDMW org_id=tech origin=192.168.1.249 path="/test/"
time="Mar 02 10:05:12" level=debug msg="Could not get session detail, key not found" err="key not found" inbound-key="****96ed" prefix=auth-mgr
time="Mar 02 10:05:12" level=debug msg="Querying authstore" api_id=1 api_name=OpsAPI mw=OpenIDMW org_id=tech origin=192.168.1.249 path="/test/"
time="Mar 02 10:05:12" level=debug msg="Error trying to get value:redis: nil"
time="Mar 02 10:05:12" level=warning msg="Key not found in storage engine" err="key not found" inbound-key="****96ed" prefix=auth-mgr
time="Mar 02 10:05:12" level=debug msg="Key does not exist, creating" api_id=1 api_name=OpsAPI mw=OpenIDMW org_id=tech origin=192.168.1.249 path="/test/"
time="Mar 02 10:05:12" level=warning msg="Attempted access with invalid key." api_id=1 api_name=OpsAPI key="****96ed" mw=OpenIDMW org_id=tech origin=192.168.1.249 path="/test/"
time="Mar 02 10:05:12" level=debug msg="EVENT FIRED: AuthFailure"
time="Mar 02 10:05:12" level=debug msg="Adding Healthcheck to: 1.KeyFailure"
time="Mar 02 10:05:12" level=debug msg="Val is: 1"
time="Mar 02 10:05:12" level=debug msg="Set value to: 1583143512543987175.1"
time="Mar 02 10:05:12" level=error msg="Could not find a valid policy to apply to this token!" api_id=1 api_name=OpsAPI mw=OpenIDMW org_id=tech origin=192.168.1.249 path="/test/"
time="Mar 02 10:05:12" level=debug msg="Adding Healthcheck to: 1.BlockedRequest"
time="Mar 02 10:05:12" level=debug msg="Val is: -1"
time="Mar 02 10:05:12" level=debug msg=Finished api_id=1 api_name=OpsAPI code=403 error="Key not authorized: no matching policy" mw=OpenIDMW ns=1657162 org_id=tech origin=192.168.1.249 path="/test/"
time="Mar 02 10:05:12" level=debug msg="Incrementing raw key: 1.KeyFailure"
time="Mar 02 10:05:12" level=debug msg="keyName is: 1.KeyFailure"
time="Mar 02 10:05:12" level=debug msg="Now is:2020-03-02 10:05:12.544176239 +0000 UTC m=+496437.142741164"
time="Mar 02 10:05:12" level=debug msg="Then is: 2020-03-02 10:04:12.544176239 +0000 UTC m=+496377.142741164"
time="Mar 02 10:05:12" level=debug msg="Incrementing raw key: 1.BlockedRequest"
time="Mar 02 10:05:12" level=debug msg="keyName is: 1.BlockedRequest"
time="Mar 02 10:05:12" level=debug msg="Now is:2020-03-02 10:05:12.544265249 +0000 UTC m=+496437.142830137"
time="Mar 02 10:05:12" level=debug msg="Then is: 2020-03-02 10:04:12.544265249 +0000 UTC m=+496377.142830137"
time="Mar 02 10:05:12" level=debug msg="Returned: 0"
time="Mar 02 10:05:12" level=debug msg="Returned: 0"
time="Mar 02 10:05:15" level=debug msg="Primary instance set, I am master" prefix=host-check-mgr
I searched this forum and found some similar issues, but nothing that helped me.
Am I understanding this right: I request authorization from Auth0, receive a JWT with the payload above, and Tyk verifies the signature against the issuer, looks up the token’s client identifier in `client_ids` and should assign the mapped policy? In the log all three `client_ids` entries are decoded and set up with policy `admin`, yet the request still fails with "Could not find a valid policy to apply to this token!", which suggests the token is matched but the `admin` policy itself cannot be found among the loaded policies.
Thanks a lot for any information.
Tyk.conf (note: as pasted this is a lab configuration — `allow_master_keys` and `allow_insecure_configs` are both `true`, Redis is reached with an empty `password`, and `log_level` is `debug`; these are worth tightening before this gateway fronts a production API)
{
"listen_port": 8080,
"log_level": "debug",
"pid_file_location": "/tmp/tyk-gateway.pid",
"template_path": "/opt/tyk-gateway/templates",
"tyk_js_path": "/opt/tyk-gateway/js/tyk.js",
"middleware_path": "/opt/tyk-gateway/middleware",
"use_db_app_configs": false,
"app_path": "/opt/tyk-gateway/apps/",
"storage": {
"type": "redis",
"host": "127.0.0.1",
"port": 6379,
"username": "",
"password": "",
"database": 0,
"optimisation_max_idle": 2000,
"optimisation_max_active": 4000
},
"enable_analytics": false,
"analytics_config": {
"type": "csv",
"csv_dir": "/tmp",
"mongo_url": "",
"mongo_db_name": "",
"mongo_collection": "",
"purge_delay": -1,
"ignored_ips": []
},
"health_check": {
"enable_health_checks": true,
"health_check_value_timeouts": 60
},
"optimisations_use_async_session_write": true,
"enable_non_transactional_rate_limiter": true,
"enable_sentinel_rate_limiter": false,
"allow_master_keys": true,
"policies": {
"policy_source": "file",
"policy_record_name": "/opt/tyk-gateway/policies/policies.json"
},
"hash_keys": true,
"enable_hashed_keys_listing": true,
"close_connections": false,
"http_server_options": {
"enable_websockets": true
},
"allow_insecure_configs": true,
"coprocess_options": {
"enable_coprocess": true,
"coprocess_grpc_server": ""
},
"enable_bundle_downloader": true,
"bundle_base_url": "",
"global_session_lifetime": 100,
"force_global_session_lifetime": false,
"max_idle_connections_per_host": 500
}
app conf (note: the `X-Backend-Secret` value in `global_headers` is a shared secret and has now been posted publicly, so it should be rotated; also, because base64(`aud`) is mapped to `admin`, any Auth0 client that obtains a token for the `https://api.kubetech1.lskube.eu` audience is mapped to the `admin` policy regardless of its `scope` claim — the `read` policy defined below is never referenced by any `client_ids` entry)
{
"name": "OpsAPI",
"api_id": "1",
"org_id": "tech",
"definition": {
"location": "header",
"key": "version"
},
"use_openid": true,
"openid_options": {
"providers": [
{
"issuer": "https://lstech.eu.auth0.com/",
"client_ids": {
"aHR0cHM6Ly9hcGkua3ViZXRlY2gxLmxza3ViZS5ldQ==": "admin",
"b2FySUdKQ0g5SmtrbnhqeHBwQ1Q3MjEzdXMwdjFxNWRAY2xpZW50cw==": "admin",
"b2FySUdKQ0g5SmtrbnhqeHBwQ1Q3MjEzdXMwdjFxNWQ=": "admin"
}
}
],
"segregate_by_client": false
},
"version_data": {
"not_versioned": true,
"versions": {
"Default": {
"name": "Default",
"expires": "",
"use_extended_paths": true,
"extended_paths": {
"ignored": [],
"white_list": [],
"black_list": []
},
"global_headers": {
"X-Backend-Secret": "aacb7fa1-217b-4653-8291-7ed9be163cbc"
}
}
}
},
"proxy": {
"listen_path": "/test/",
"target_url": "https://httpbin.org",
"strip_listen_path": true
},
"enable_batch_request_support": true
}
policies.json (note: as pasted this file is not valid JSON — there is no comma between the closing `}` of the `admin` policy and the `"read"` key; if the file on disk has the same defect the gateway cannot load any policy, which would explain "Could not find a valid policy to apply to this token!" even though the client mapping resolves to `admin`)
{
"admin": {
"access_rights": {
"1": {
"api_name": "OpsAPI",
"api_id": "1",
"versions": [
"Default"
]
}
},
"org_id": "tech",
"hmac_enabled": false
}
"read": {
"access_rights": {
"1": {
"api_name": "OpsAPI",
"api_id": "1",
"versions": [
"Default"
],
"allowed_urls": [
{
"url": "/.*",
"methods": ["GET"]
}
]
}
},
"org_id": "tech",
"hmac_enabled": false
}
}