Unable to authorize using Keycloak roles

Tyk does not seem to ever get to the code block to map scope claims to policies
https://github.com/TykTechnologies/tyk/blob/178511b25135321a34af84ffc76cb9954fd925b4/gateway/mw_jwt.go#L536

here is the snippet of the api definition:

  "enable_jwt": true,
  "jwt_signing_method": "rsa",
  "jwt_source": "my base 64 encoded jwks_uri",

  "jwt_scope_to_policy_mapping": {
    "admin_role": "admin_policy"
  },
  "jwt_scope_claim_name": "resource_access.tyk_client.roles",
  "jwt_policy_field_name": "",
  "jwt_identity_base_field": "sub",
  "jwt_default_policies": [],

my admin policy:

    "admin_policy": {
        "active": true,
        "id": "admin_policy",
        "name": "admin_policy",
        "org_id": "gateway_demo",
        "access_rights": {
            "3": {
                "api_name": "secure-kc-httpbin",
                "api_id": "3",
                "versions": [
                    "Default"
                ],
                "allowed_urls": []
            }
        }
    }

the client role from Keycloak JWT:

  "resource_access": {
    "tyk_client": {
      "roles": ["admin_role"]
    }
  },

here are the logs:

time="Jan 03 22:15:59" level=debug msg=Started api_id=3 api_name="Secure KC plus httpbin API" mw=VersionCheck org_id="gateway_demo" origin=192.168.128.1 path="/secure-test-api/get" ts=1672784159401331800
time="Jan 03 22:15:59" level=debug msg=Finished api_id=3 api_name="Secure KC plus httpbin API" code=200 mw=VersionCheck ns=67800 org_id="gateway_demo" origin=192.168.128.1 path="/secure-test-api/get"
time="Jan 03 22:15:59" level=debug msg=Started api_id=3 api_name="Secure KC plus httpbin API" mw=RateCheckMW org_id="gateway_demo" origin=192.168.128.1 path="/secure-test-api/get" ts=1672784159401452500
time="Jan 03 22:15:59" level=debug msg=Finished api_id=3 api_name="Secure KC plus httpbin API" code=200 mw=RateCheckMW ns=35000 org_id="gateway_demo" origin=192.168.128.1 path="/secure-test-api/get"
time="Jan 03 22:15:59" level=debug msg=Started api_id=3 api_name="Secure KC plus httpbin API" mw=JWTMiddleware org_id="gateway_demo" origin=192.168.128.1 path="/secure-test-api/get" ts=1672784159401560200
time="Jan 03 22:15:59" level=debug msg="Pulling JWK"
time="Jan 03 22:15:59" level=debug msg="Caching JWK" api_id=3 api_name="Secure KC plus httpbin API" mw=JWTMiddleware org_id="gateway_demo" origin=192.168.128.1 path="/secure-test-api/get"
time="Jan 03 22:15:59" level=debug msg="Checking JWKs..." api_id=3 api_name="Secure KC plus httpbin API" mw=JWTMiddleware org_id="gateway_demo" origin=192.168.128.1 path="/secure-test-api/get"
time="Jan 03 22:15:59" level=debug msg="JWT authority is centralised" api_id=3 api_name="Secure KC plus httpbin API" mw=JWTMiddleware org_id="gateway_demo" origin=192.168.128.1 path="/secure-test-api/get"
time="Jan 03 22:15:59" level=debug msg="Found User Id in Base Field" userId=238c4234-9712-4e14-812d-ba1e7a774b64
time="Jan 03 22:15:59" level=debug msg="JWT Temporary session ID is: gateway_demoa967f37d68f96c1fa95a64f2b14947c5" api_id=3 api_name="Secure KC plus httpbin API" mw=JWTMiddleware org_id="gateway_demo" origin=192.168.128.1 path="/secure-test-api/get"
time="Jan 03 22:15:59" level=debug msg="Querying local cache" api_id=3 api_name="Secure KC plus httpbin API" mw=JWTMiddleware org_id="gateway_demo" origin=192.168.128.1 path="/secure-test-api/get"
time="Jan 03 22:15:59" level=debug msg="Querying keystore" api_id=3 api_name="Secure KC plus httpbin API" mw=JWTMiddleware org_id="gateway_demo" origin=192.168.128.1 path="/secure-test-api/get"
time="Jan 03 22:15:59" level=debug msg="Got key" api_id=3 api_name="Secure KC plus httpbin API" mw=JWTMiddleware org_id="gateway_demo" origin=192.168.128.1 path="/secure-test-api/get"
time="Jan 03 22:15:59" level=debug msg="EVENT FIRED: AuthFailure"
time="Jan 03 22:15:59" level=debug msg="Adding Healthcheck to: 3.KeyFailure"
time="Jan 03 22:15:59" level=debug msg="Val is: 1"
time="Jan 03 22:15:59" level=debug msg="Set value to: 1672784159552036200.1"
time="Jan 03 22:15:59" level=debug msg="Incrementing raw key: 3.KeyFailure"
time="Jan 03 22:15:59" level=debug msg="keyName is: 3.KeyFailure"
time="Jan 03 22:15:59" level=debug msg="Now is:2023-01-03 22:15:59.5524942 +0000 UTC m=+6.551126101"
time="Jan 03 22:15:59" level=debug msg="Then is: 2023-01-03 22:14:59.5524942 +0000 UTC m=-53.448873899"
time="Jan 03 22:15:59" level=debug msg="Adding Healthcheck to: 3.BlockedRequest"
time="Jan 03 22:15:59" level=debug msg="Val is: -1"
time="Jan 03 22:15:59" level=debug msg=Finished api_id=3 api_name="Secure KC plus httpbin API" code=403 error="key not authorized: no matching policy found" mw=JWTMiddleware ns=151040400 org_id="gateway_demo" origin=192.168.128.1 path="/secure-test-api/get"

It does not appear to ever attempt to map resource_access.tyk_client.roles to a policy

It seems to stop when it does not find a base policy id here: https://github.com/TykTechnologies/tyk/blob/178511b25135321a34af84ffc76cb9954fd925b4/gateway/mw_jwt.go#L390

Hi @tomrwillis,

Welcome to the community. :tada:

Saw your question on Filtering access using Keycloak roles - #5 by tomrwillis as well.

Taking a look now and will revert in a few hours.

Hi @tomrwillis,

I think you need to define these as well.

  • "jwt_default_policies": [ "<policy-id>" ] a default policy (admin_policy should be fine)
  • "jwt_policy_field_name" is usually set to “pol” (and is a validated required field if using the Dashboard)
  • scopes section
"scopes": {
      "jwt": {
        "scope_claim_name": "resource_access.tyk_client.roles",
        "scope_to_policy": {
          "admin_role": "admin_policy"
        }
      }
    }

Although I see you’re using jwt auth method, but open_id is used in the other post. Here’s a part of the API definition in that regard.

{
    "use_openid": true,
    "openid_options": {
        "providers": [
            {
                "issuer": "<issuer-url>",
                "client_ids": {
                    "<bas64 encoded>": "<policy-id>"
                }
            }
        ],
        "segregate_by_client": false
    },
    "enable_jwt": false,
    "jwt_signing_method": "",
    "jwt_source": "",
    "jwt_identity_base_field": "",
    "jwt_client_base_field": "",
    "jwt_policy_field_name": "",
    "jwt_default_policies": [],
    "jwt_skip_kid": false,
    "scopes": {
        "jwt": {},
        "oidc": {
            "scope_claim_name": "resource_access.tyk-client.roles",
            "scope_to_policy": {
                "[admin]": "62e92f5f679275000162348c",
                "[developer]": "62e96999679275000162348d",
                "[sre]": "62e96a7c679275000162348e",
                "[tester]": "62e970fb6792750001623490"
            }
        }
    },
    "jwt_scope_to_policy_mapping": {
        "[admin]": "62e92f5f679275000162348c",
        "[developer]": "62e96999679275000162348d",
        "[sre]": "62e96a7c679275000162348e",
        "[tester]": "62e970fb6792750001623490"
    },
    "jwt_scope_claim_name": "resource_access.tyk-client.roles",
    "base_identity_provided_by": ""
}

Thank you this worked. I thought I had tried that but I guess not. I have a question about using openid. Can you also authorize access to an api based on keycloak role? Where do you specify the scope, claim, and policy mapping?

never mind, I see it in your response