Tyk does not seem to ever get to the code block to map scope claims to policies
https://github.com/TykTechnologies/tyk/blob/178511b25135321a34af84ffc76cb9954fd925b4/gateway/mw_jwt.go#L536
Here is the relevant snippet of the API definition:

```json
"enable_jwt": true,
"jwt_signing_method": "rsa",
"jwt_source": "my base 64 encoded jwks_uri",
"jwt_scope_to_policy_mapping": {
  "admin_role": "admin_policy"
},
"jwt_scope_claim_name": "resource_access.tyk_client.roles",
"jwt_policy_field_name": "",
"jwt_identity_base_field": "sub",
"jwt_default_policies": [],
```
My admin policy:

```json
"admin_policy": {
  "active": true,
  "id": "admin_policy",
  "name": "admin_policy",
  "org_id": "gateway_demo",
  "access_rights": {
    "3": {
      "api_name": "secure-kc-httpbin",
      "api_id": "3",
      "versions": [
        "Default"
      ],
      "allowed_urls": []
    }
  }
}
```
The client role from the Keycloak JWT:

```json
"resource_access": {
  "tyk_client": {
    "roles": ["admin_role"]
  }
},
```
Here are the logs:

```text
time="Jan 03 22:15:59" level=debug msg=Started api_id=3 api_name="Secure KC plus httpbin API" mw=VersionCheck org_id="gateway_demo" origin=192.168.128.1 path="/secure-test-api/get" ts=1672784159401331800
time="Jan 03 22:15:59" level=debug msg=Finished api_id=3 api_name="Secure KC plus httpbin API" code=200 mw=VersionCheck ns=67800 org_id="gateway_demo" origin=192.168.128.1 path="/secure-test-api/get"
time="Jan 03 22:15:59" level=debug msg=Started api_id=3 api_name="Secure KC plus httpbin API" mw=RateCheckMW org_id="gateway_demo" origin=192.168.128.1 path="/secure-test-api/get" ts=1672784159401452500
time="Jan 03 22:15:59" level=debug msg=Finished api_id=3 api_name="Secure KC plus httpbin API" code=200 mw=RateCheckMW ns=35000 org_id="gateway_demo" origin=192.168.128.1 path="/secure-test-api/get"
time="Jan 03 22:15:59" level=debug msg=Started api_id=3 api_name="Secure KC plus httpbin API" mw=JWTMiddleware org_id="gateway_demo" origin=192.168.128.1 path="/secure-test-api/get" ts=1672784159401560200
time="Jan 03 22:15:59" level=debug msg="Pulling JWK"
time="Jan 03 22:15:59" level=debug msg="Caching JWK" api_id=3 api_name="Secure KC plus httpbin API" mw=JWTMiddleware org_id="gateway_demo" origin=192.168.128.1 path="/secure-test-api/get"
time="Jan 03 22:15:59" level=debug msg="Checking JWKs..." api_id=3 api_name="Secure KC plus httpbin API" mw=JWTMiddleware org_id="gateway_demo" origin=192.168.128.1 path="/secure-test-api/get"
time="Jan 03 22:15:59" level=debug msg="JWT authority is centralised" api_id=3 api_name="Secure KC plus httpbin API" mw=JWTMiddleware org_id="gateway_demo" origin=192.168.128.1 path="/secure-test-api/get"
time="Jan 03 22:15:59" level=debug msg="Found User Id in Base Field" userId=238c4234-9712-4e14-812d-ba1e7a774b64
time="Jan 03 22:15:59" level=debug msg="JWT Temporary session ID is: gateway_demoa967f37d68f96c1fa95a64f2b14947c5" api_id=3 api_name="Secure KC plus httpbin API" mw=JWTMiddleware org_id="gateway_demo" origin=192.168.128.1 path="/secure-test-api/get"
time="Jan 03 22:15:59" level=debug msg="Querying local cache" api_id=3 api_name="Secure KC plus httpbin API" mw=JWTMiddleware org_id="gateway_demo" origin=192.168.128.1 path="/secure-test-api/get"
time="Jan 03 22:15:59" level=debug msg="Querying keystore" api_id=3 api_name="Secure KC plus httpbin API" mw=JWTMiddleware org_id="gateway_demo" origin=192.168.128.1 path="/secure-test-api/get"
time="Jan 03 22:15:59" level=debug msg="Got key" api_id=3 api_name="Secure KC plus httpbin API" mw=JWTMiddleware org_id="gateway_demo" origin=192.168.128.1 path="/secure-test-api/get"
time="Jan 03 22:15:59" level=debug msg="EVENT FIRED: AuthFailure"
time="Jan 03 22:15:59" level=debug msg="Adding Healthcheck to: 3.KeyFailure"
time="Jan 03 22:15:59" level=debug msg="Val is: 1"
time="Jan 03 22:15:59" level=debug msg="Set value to: 1672784159552036200.1"
time="Jan 03 22:15:59" level=debug msg="Incrementing raw key: 3.KeyFailure"
time="Jan 03 22:15:59" level=debug msg="keyName is: 3.KeyFailure"
time="Jan 03 22:15:59" level=debug msg="Now is:2023-01-03 22:15:59.5524942 +0000 UTC m=+6.551126101"
time="Jan 03 22:15:59" level=debug msg="Then is: 2023-01-03 22:14:59.5524942 +0000 UTC m=-53.448873899"
time="Jan 03 22:15:59" level=debug msg="Adding Healthcheck to: 3.BlockedRequest"
time="Jan 03 22:15:59" level=debug msg="Val is: -1"
time="Jan 03 22:15:59" level=debug msg=Finished api_id=3 api_name="Secure KC plus httpbin API" code=403 error="key not authorized: no matching policy found" mw=JWTMiddleware ns=151040400 org_id="gateway_demo" origin=192.168.128.1 path="/secure-test-api/get"
```
It does not appear to ever attempt to map `resource_access.tyk_client.roles` to a policy.
It seems to stop when it does not find a base policy ID here: https://github.com/TykTechnologies/tyk/blob/178511b25135321a34af84ffc76cb9954fd925b4/gateway/mw_jwt.go#L390
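As an added, stand-alone illustration of what the configuration above asks the gateway to do (this is not Tyk's code): walk the dotted `jwt_scope_claim_name` path into the nested Keycloak claims, map each role through `jwt_scope_to_policy_mapping`, and fall back to `jwt_default_policies`, which is empty here, so an unresolved claim path yields no policy, the outcome behind the 403 in the logs. Function names and the sample claims are constructed for this example.

```go
package main

import (
	"encoding/json"
	"strings"
)

// Constructed claims shaped like the Keycloak token in the post (not a real token).
const KeycloakClaims = `{"sub":"238c4234-9712-4e14-812d-ba1e7a774b64","resource_access":{"tyk_client":{"roles":["admin_role"]}}}`

// lookupClaimPath walks a dotted path such as "resource_access.tyk_client.roles" through nested objects.
func lookupClaimPath(claims map[string]any, path string) any {
	var cur any = claims
	for _, key := range strings.Split(path, ".") {
		obj, ok := cur.(map[string]any)
		if !ok {
			return nil // this hop is not an object, so the path cannot continue
		}
		cur = obj[key] // a missing key yields nil, which fails the next assertion
	}
	return cur
}

// scopesFromClaim reads the scope claim as a JSON array of strings (Keycloak roles), ignoring non-strings.
func scopesFromClaim(v any) (out []string) {
	arr, _ := v.([]any)
	for _, e := range arr {
		if s, ok := e.(string); ok {
			out = append(out, s)
		}
	}
	return out
}

// ResolvePolicies maps every scope found at claimPath through jwt_scope_to_policy_mapping, else returns defaults.
func ResolvePolicies(claimsJSON, claimPath string, mapping map[string]string, defaults []string) (policies []string, err error) {
	var claims map[string]any
	if err = json.Unmarshal([]byte(claimsJSON), &claims); err != nil {
		return nil, err
	}
	for _, scope := range scopesFromClaim(lookupClaimPath(claims, claimPath)) {
		if pol, ok := mapping[scope]; ok {
			policies = append(policies, pol)
		}
	}
	if len(policies) == 0 {
		return defaults, nil // empty defaults is the "no matching policy found" case
	}
	return policies, nil
}
```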