Tyk (Open source) + Keycloak (OIDC)

rwxget · November 6, 2021, 3:11pm

Hello,

I’m trying to configure Tyk (Open source) with Keycloak (OIDC) as IdP. I’m not sure if the documentation is a little bit confusing or it’s because of my understanding to how OIDC works ?

What I’m trying to do :

When a user wants to get access to an API, Tyk will redirect that user to authenticate on Keycloak using his login & password. If he succeeds he will be redirected to the API.

So, my first question is : shoudl I configure my json API definition like described here or should I use the Identity broker like described here ?

Thank you so much for your help !

rwxget · November 7, 2021, 10:18pm

Hello,

Well, I’ve tried to configure my API without the Identity Broker, as below :

./apps/httpbin-oidc.json :

{
   "name":"httpbin.org - OIDC",
   "api_id":"3",
   "org_id":"1",
   "version_data": {
     "not_versioned": true,
     "versions": {
       "Default": {
         "name": "Default",
         "use_extended_paths": true
       }
     }
   },
   "use_openid": true,
   "openid_options": {
      "providers": [
         {
            "issuer": "http://localhost:8089/auth/realms/tyk",
            "client_ids": {
               "dHlrLXRlc3QK": "admin"
            }
         }
      ],
      "segregate_by_client": false
   },
   "proxy":{
      "listen_path":"/httpbin/oidc/",
      "target_url":"http://httpbin.org/",
      "strip_listen_path":true
   },
   "active":true
}

As you can see, I’ve created my client (tyk-test / Base64 = dHlrLXRlc3QK) on Keycloak and linked it to the policy "admin"which is configured as below :

./policies/policies.json :

{
	"admin": {
		"rate": 1000,
		"per": 1,
		"quota_max": 100,
		"quota_renewal_rate": 60,
		"access_rights": {
			"3": {
				"api_name": "httpbin.org - OIDC",
				"api_id": "3",
				"versions": [
					"Default"
				]
			}
		},
		"org_id": "1",
		"hmac_enabled": false
	}
}

After reloading Tyk Gateway (http localhost:8080/tyk/reload ‘x-tyk-authorization:foo’), I’ve tried to access my protected endpoint and I got the message below :

http 127.0.0.1:8080/httpbin/oidc/ -v
GET /httpbin/oidc/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Host: 127.0.0.1:8080
User-Agent: HTTPie/1.0.3



HTTP/1.1 401 Unauthorized
Content-Length: 37
Content-Type: application/json
Date: Sun, 07 Nov 2021 22:08:31 GMT
X-Generator: tyk.io

{
    "error": "Key not authorised"
}

I’ve checked the logs (Docker-compose), I found those warning messages :

tyk-gateway_1  | time="Nov 07 21:54:05" level=warning msg="JWT Invalid" api_id=3 api_name="httpbin.org - OIDC" error="Validation error. The 'Authorization' header was not found or was empty." mw=OpenIDMW org_id=1 origin=192.168.208.1 path="/httpbin/oidc/"
tyk-gateway_1  | time="Nov 07 21:54:05" level=warning msg="Attempted access with invalid key." api_id=3 api_name="httpbin.org - OIDC" key="****JWT]" mw=OpenIDMW org_id=1 origin=192.168.208.1 path="/httpbin/oidc/"

So, am I doing it right ? Or am I doing it wrong ? What did I miss ? And how to get the Authorization key ? Shouldn’t I be redirected to Keycloak to authenticate my user and redirected back to my endpoint with the right key ?

Thank you so much for you help and clarifications

chris.f · November 8, 2021, 9:27am

Hi!

The use of the OIDC Authentication method is the correct way to protect your API, however please understand that the intent is that you are protecting a Resource API, it is expected that the OIDC Authentication flow has already been performed elsewhere and you are expected to use the resulting access token obtained via that Authentication in the API call. It is not expected that the API call would trigger the authorization flow, as it is merely a resource server.

Triggering the Authorization flow and obtaining the Access Token is outside the scope of the OIDC authentication method offered in the API Designer.

Hope that helps and makes sense.

Best Regards,
Chris

armujahid · February 7, 2022, 5:02am

Correct base64(“tyk-test”) = dHlrLXRlc3Q=
Reference: Tyk and oidc integration - #14 by armujahid

badou · May 2, 2024, 4:22pm

Hi there, I’m having trouble setting up Tyk and Keycloak for the flow descried before (: redirecting the user to Keycloak for authentication when they make an API call without a token). When I check tutorials, they all seem to work with OpenID Playground to trigger authentication. However, in a real-life scenario, I believe the logical flow should be that the user attempts to access the API. If authorized, they can access it; if not, they will be prompted to authenticate before accessing the API. But from what you wrote this flow seems impossible. can you please explain is it really impossible and why.

Olu · May 8, 2024, 6:10pm

The flow is not impossible. It’s just one where Tyk does not fully control. This would be done in your app (web or mobile) and abstracted from the user.

What you are describing is the user flow and experience. In your app you would hide all the integrations, connections and implementations to present a very seamless view.

badou · May 8, 2024, 9:03pm

Thanks that makes it clear