Tyk (Open source) + Keycloak (OIDC)

Hello,

I’m trying to configure Tyk (Open source) with Keycloak (OIDC) as IdP. I’m not sure if the documentation is a little bit confusing or if it’s because of my understanding of how OIDC works?

What I’m trying to do:

  • When a user wants to get access to an API, Tyk will redirect that user to authenticate on Keycloak using his login & password. If he succeeds, he will be redirected to the API.

So, my first question is: should I configure my JSON API definition as described here, or should I use the Identity Broker as described here?

Thank you so much for your help!

Hello,

Well, I’ve tried to configure my API without the Identity Broker, as below:

./apps/httpbin-oidc.json:

{
   "name":"httpbin.org - OIDC",
   "api_id":"3",
   "org_id":"1",
   "version_data": {
     "not_versioned": true,
     "versions": {
       "Default": {
         "name": "Default",
         "use_extended_paths": true
       }
     }
   },
   "use_openid": true,
   "openid_options": {
      "providers": [
         {
            "issuer": "http://localhost:8089/auth/realms/tyk",
            "client_ids": {
               "dHlrLXRlc3QK": "admin"
            }
         }
      ],
      "segregate_by_client": false
   },
   "proxy":{
      "listen_path":"/httpbin/oidc/",
      "target_url":"http://httpbin.org/",
      "strip_listen_path":true
   },
   "active":true
}

As you can see, I’ve created my client (tyk-test / Base64 = dHlrLXRlc3QK) on Keycloak and linked it to the policy "admin", which is configured as below:

./policies/policies.json:

{
	"admin": {
		"rate": 1000,
		"per": 1,
		"quota_max": 100,
		"quota_renewal_rate": 60,
		"access_rights": {
			"3": {
				"api_name": "httpbin.org - OIDC",
				"api_id": "3",
				"versions": [
					"Default"
				]
			}
		},
		"org_id": "1",
		"hmac_enabled": false
	}
}

After reloading Tyk Gateway (http localhost:8080/tyk/reload 'x-tyk-authorization:foo'), I tried to access my protected endpoint and got the message below:

http 127.0.0.1:8080/httpbin/oidc/ -v
GET /httpbin/oidc/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Host: 127.0.0.1:8080
User-Agent: HTTPie/1.0.3
HTTP/1.1 401 Unauthorized
Content-Length: 37
Content-Type: application/json
Date: Sun, 07 Nov 2021 22:08:31 GMT
X-Generator: tyk.io

{
    "error": "Key not authorised"
}

I’ve checked the logs (docker-compose) and found these warning messages:

tyk-gateway_1  | time="Nov 07 21:54:05" level=warning msg="JWT Invalid" api_id=3 api_name="httpbin.org - OIDC" error="Validation error. The 'Authorization' header was not found or was empty." mw=OpenIDMW org_id=1 origin=192.168.208.1 path="/httpbin/oidc/"
tyk-gateway_1  | time="Nov 07 21:54:05" level=warning msg="Attempted access with invalid key." api_id=3 api_name="httpbin.org - OIDC" key="****JWT]" mw=OpenIDMW org_id=1 origin=192.168.208.1 path="/httpbin/oidc/"

So, am I doing it right, or am I doing it wrong? What did I miss? And how do I get the Authorization key? Shouldn’t I be redirected to Keycloak to authenticate my user and then redirected back to my endpoint with the right key?

Thank you so much for your help and clarifications!

Hi!

The use of the OIDC Authentication method is the correct way to protect your API; however, please understand that the intent is that you are protecting a Resource API. It is expected that the OIDC Authentication flow has already been performed elsewhere, and you are expected to use the resulting access token obtained via that Authentication in the API call. It is not expected that the API call would trigger the authorization flow, as it is merely a resource server.

Triggering the Authorization flow and obtaining the Access Token is outside the scope of the OIDC authentication method offered in the API Designer.

Hope that helps and makes sense.

Best Regards,
Chris

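To illustrate Chris's point, here is an added example (not Tyk's own code) of what a resource-server check on the posted openid_options amounts to: no Authorization header means an immediate deny, and only a valid token from the configured issuer whose client id maps to a policy gets through. Assumptions: an HS256 shared secret stands in for the realm's RS256 key that the real gateway fetches from Keycloak, the client id is taken from the token's aud claim and base64-encoded for the client_ids lookup, the map key is the base64 of "tyk-test" without a trailing newline, and all values are constructed.

```python
import base64, hashlib, hmac, json, time

# Constructed mirror of the posted API definition; the map is keyed by the
# base64 of the Keycloak client id ("tyk-test" -> "dHlrLXRlc3Q=").
OPENID_OPTIONS = {"providers": [{"issuer": "http://localhost:8089/auth/realms/tyk",
                                 "client_ids": {"dHlrLXRlc3Q=": "admin"}}]}
POLICIES = {"admin": {"rate": 1000, "per": 1, "quota_max": 100}}
SIGNING_KEY = b"constructed-demo-secret"  # HS256 stand-in for the realm's RS256 key

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(issuer, client_id, exp, key=SIGNING_KEY):
    """What the IdP returns once the login flow has completed elsewhere (constructed)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64url(json.dumps({"iss": issuer, "aud": client_id, "exp": exp}).encode())
    sig = hmac.new(key, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{_b64url(sig)}"

def authorize(headers, options=OPENID_OPTIONS, policies=POLICIES, key=SIGNING_KEY, now=None):
    """Resource-server check: returns ('denied', reason) or ('allowed', policy name)."""
    now = time.time() if now is None else now
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        # The branch this thread hit: no token at all, hence 401 "Key not authorised".
        return "denied", "Authorization header was not found or was empty"
    try:
        h, c, s = auth[len("Bearer "):].split(".")
        expected = hmac.new(key, f"{h}.{c}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return "denied", "bad signature"
        claims = json.loads(_b64url_decode(c))
    except ValueError:  # unpacking, base64 and JSON errors all derive from ValueError
        return "denied", "malformed token"
    if claims.get("exp", 0) < now:
        return "denied", "token expired"
    for provider in options["providers"]:
        if provider["issuer"] != claims.get("iss"):
            continue
        lookup = base64.b64encode(str(claims.get("aud", "")).encode()).decode()
        policy = provider["client_ids"].get(lookup)
        if policy in policies:
            return "allowed", policy
        return "denied", "client id not mapped to a policy"
    return "denied", "issuer not trusted"
```

The bare request from the thread corresponds to authorize({}), which is denied before any token parsing happens; the client has to obtain the token from Keycloak first and send it as a Bearer header.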