Tyk.io + Auth0 feasibility/example/howto

Much closer, but still no solution, because the kid must be in the header, not in the body claims, which is a special type of JWT called a JWE.

It’s quite easy with Auth0 to inject a claim into the data portion of the JWT. That apparently isn’t what Tyk needs, though. It requires a kid in the header. Yeah - after an entire day getting the claim injected, I read the fine print and realized the claim, which has been repeatedly stated, is special and not in the body. According to the OAuth doc, that is a JWE type of JWT, which allows claims to be replicated in the header.

It would be nice if the kid were checked by Tyk in the body claims as well as the header, so this would just work. And again, I can’t use the sub, because I only want users mapped to policies as roles, not to unique Tyk keys or policies for each user, which would be a nightmare to manage for millions of users.

BTW: here is the Auth0 rule I created that does the trick, for anyone else trying to figure this out.

// Auth0 rule: runs on every login and adds a `kid` claim to the token.
// The value comes from the Rules configuration entry (Dashboard > Rules > Settings)
// whose key is the Tyk policy id; the rule only touches the payload claims,
// not the JOSE header.
function (user, context, callback) {
  user.kid = configuration.KjPmsukutSwfo0EN03dzT95q3R0tL5Nq;
  //console.log('user ', user);
  //console.log('context ', context);
  // Hand the (modified) user and context back to the Auth0 pipeline.
  callback(null, user, context);
}

WTF - how the @$#& do I inject a field and values into the JWT header with an Auth0 rule???

Read the docs and hacked my way through creating a rule that injected a kid, and used the global configuration to set the value to a statically entered Tyk.io policy key. Modified the Lock authParams to scope: ‘openid kid’ and successfully tested that the kid and policy id propagate through in the signed JWT. Success!!! NOT SO FAST!!! Tyk auth still fails - Whaaat? A closer look at the Tyk documentation…

From Tyk documentation:

For JWT-enabled APIs, the user must include the token generated by saving this form and include it as the [kid] header in their JWT.
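The distinction the thread keeps tripping over (a `kid` claim in the payload versus a `kid` parameter in the JOSE header) is easy to see with a small script. The following is an added example and is not code from the original posts, from Tyk or from Auth0: it builds HS256 JWTs with the standard library only, then resolves the policy the way the quoted Tyk documentation describes, from the header `kid`. The policy id, the shared secret and the policy table are constructed stand-ins; how Tyk itself verifies and dispatches internally is assumed, not quoted.

```python
"""Added example (not from the original thread, Tyk or Auth0).

Demonstrates that a `kid` injected into the payload by an Auth0 rule is
not the same thing as the `kid` header parameter Tyk's documentation asks
for. Standard library only: the JWT is built and checked by hand.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed values. POLICY_ID stands in for the id Tyk shows when the
# policy form is saved; SECRET is the HS256 secret the API is configured with.
POLICY_ID = "policy-123"
SECRET = b"shared-hs256-secret"
POLICIES = {POLICY_ID: {"rate": 1000, "per": 60}}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, extra_header: Optional[dict] = None,
             secret: bytes = SECRET) -> str:
    """Build a compact HS256 JWS. `extra_header` lands in the JOSE header,
    `claims` in the payload, which is where the Auth0 rule put `kid`."""
    header = {"alg": "HS256", "typ": "JWT", **(extra_header or {})}
    compact = json.dumps  # keep the encoding deterministic
    signing_input = (
        _b64url(compact(header, separators=(",", ":")).encode())
        + "."
        + _b64url(compact(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def resolve_policy(token: str, secret: bytes = SECRET) -> Optional[dict]:
    """Select a policy the way the quoted docs describe: by the header `kid`.

    Assumed order of operations: verify the signature with the API's own
    configured secret first, then read `kid` from the header. A `kid` claim
    in the payload is ignored, which is exactly why the rule above fails.
    """
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None  # untrusted token: do not look at its contents at all
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        return None  # pin the algorithm; never let the token choose it
    kid = header.get("kid")
    return POLICIES.get(kid)


if __name__ == "__main__":
    # What the Auth0 rule produces: kid as a payload claim -> no policy.
    from_rule = mint_jwt({"sub": "auth0|123", "kid": POLICY_ID})
    print("kid in payload:", resolve_policy(from_rule))
    # What Tyk wants: kid as a JOSE header parameter -> policy found.
    as_documented = mint_jwt({"sub": "auth0|123"}, {"kid": POLICY_ID})
    print("kid in header:", resolve_policy(as_documented))
```

Note that the secret used for verification does not depend on `kid`: the header value only selects a policy after the signature has been checked with the key Tyk is configured with, so an attacker who controls the unverified header gains nothing by putting an arbitrary `kid` there. The example pins `alg` for the same reason.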