Tyk (Open source) + Keycloak (OIDC)

Hello,

Well, I’ve tried to configure my API without the Identity Broker, as below:

./apps/httpbin-oidc.json :

{
   "name":"httpbin.org - OIDC",
   "api_id":"3",
   "org_id":"1",
   "version_data": {
     "not_versioned": true,
     "versions": {
       "Default": {
         "name": "Default",
         "use_extended_paths": true
       }
     }
   },
   "use_openid": true,
   "openid_options": {
      "providers": [
         {
            "issuer": "http://localhost:8089/auth/realms/tyk",
            "client_ids": {
               "dHlrLXRlc3QK": "admin"
            }
         }
      ],
      "segregate_by_client": false
   },
   "proxy":{
      "listen_path":"/httpbin/oidc/",
      "target_url":"http://httpbin.org/",
      "strip_listen_path":true
   },
   "active":true
}

As you can see, I’ve created my client (tyk-test / Base64 = dHlrLXRlc3QK) on Keycloak and linked it to the policy "admin", which is configured as below:

./policies/policies.json :

{
	"admin": {
		"rate": 1000,
		"per": 1,
		"quota_max": 100,
		"quota_renewal_rate": 60,
		"access_rights": {
			"3": {
				"api_name": "httpbin.org - OIDC",
				"api_id": "3",
				"versions": [
					"Default"
				]
			}
		},
		"org_id": "1",
		"hmac_enabled": false
	}
}

After reloading Tyk Gateway (http localhost:8080/tyk/reload ‘x-tyk-authorization:foo’), I’ve tried to access my protected endpoint and I got the message below:

http 127.0.0.1:8080/httpbin/oidc/ -v
GET /httpbin/oidc/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Host: 127.0.0.1:8080
User-Agent: HTTPie/1.0.3
HTTP/1.1 401 Unauthorized
Content-Length: 37
Content-Type: application/json
Date: Sun, 07 Nov 2021 22:08:31 GMT
X-Generator: tyk.io

{
    "error": "Key not authorised"
}

I’ve checked the logs (docker-compose) and found these warning messages:

tyk-gateway_1  | time="Nov 07 21:54:05" level=warning msg="JWT Invalid" api_id=3 api_name="httpbin.org - OIDC" error="Validation error. The 'Authorization' header was not found or was empty." mw=OpenIDMW org_id=1 origin=192.168.208.1 path="/httpbin/oidc/"
tyk-gateway_1  | time="Nov 07 21:54:05" level=warning msg="Attempted access with invalid key." api_id=3 api_name="httpbin.org - OIDC" key="****JWT]" mw=OpenIDMW org_id=1 origin=192.168.208.1 path="/httpbin/oidc/"

So, am I doing it right? Or am I doing it wrong? What did I miss? And how do I get the Authorization key? Shouldn’t I be redirected to Keycloak to authenticate my user and then redirected back to my endpoint with the right key?

Thank you so much for your help and clarifications.

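As an added example (not part of the post or of Tyk's code): how the base64 key in `client_ids` is derived from a Keycloak client ID, and a simplified model of how the OpenID middleware maps an incoming bearer token to a policy, matching the token's `iss` against the provider's `issuer` and its `aud` against the base64-encoded `client_ids` keys. The token builder and the options dict are constructed here; signature verification, which the real middleware performs against the provider's keys, is left out.

```python
import base64
import json
from typing import Optional


def client_id_key(client_id: str) -> str:
    """Standard base64 of the exact client ID string, as used for the keys
    of openid_options.providers[].client_ids. Note that a trailing newline
    (e.g. from `echo` without -n) changes the encoding."""
    return base64.b64encode(client_id.encode()).decode()


# Constructed openid_options, shaped like the API definition in the post.
OPENID_OPTIONS = {
    "providers": [
        {
            "issuer": "http://localhost:8089/auth/realms/tyk",
            "client_ids": {client_id_key("tyk-test"): "admin"},
        }
    ]
}


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def make_unsigned_token(claims: dict) -> str:
    """Constructed test token: header.payload. with an empty signature."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


def policy_for_token(jwt: str, options: dict = OPENID_OPTIONS) -> Optional[str]:
    """Simplified lookup: issuer must match a configured provider, and the
    base64 of an audience must be a key in that provider's client_ids.
    Returns the policy name, or None when no mapping applies (-> 401)."""
    payload = json.loads(_b64url_decode(jwt.split(".")[1]))
    auds = payload.get("aud") or []
    if isinstance(auds, str):
        auds = [auds]
    for provider in options["providers"]:
        if payload.get("iss") != provider["issuer"]:
            continue
        for aud in auds:
            policy = provider["client_ids"].get(client_id_key(aud))
            if policy:
                return policy
    return None
```

The request that reaches the gateway must already carry `Authorization: Bearer <token>`; the middleware only validates and maps the token, it does not start a login redirect itself.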