Unable to send request using OpenID Connect

Hi, I have a simple API running locally and I'm trying to access it via Tyk using OpenID Connect as the authentication method. I'm using Auth0 as my OIDC provider (where I send the request via the OpenID Connect Playground). The issue is that when I send the request via Postman, the API call returns a response with Status: 400 {"error": "Session state is missing or unset! Please make sure that auth headers are properly applied"}. I'm sharing the curl command below for reference:

curl --location --request GET 'http://127.0.0.1:8080/ownapi/tasks' \
--header 'Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6Ik92VmxSMmtEc1p4MGc5MkFsR2VYbCJ9.….Ur8JHXNoq_JBagsS84MlYeeCCNAwfiRO4xb3LBuVPcmMtSQgb41ON1jpx3MEqo5o2nJYrRRk9id0G4_LYNRfpVwfHKf5vDcDxz9zC2oKhrpVentxuX3Uvn2YCt5Wrsf-a5lRMYHuXQTmtjUEIy11xMYzh_DoxQEs7bXm0R9IiqCUHVlGnyHHH9eWugcGlz5tIQzC4yRyCzMf7N7jnOtyKkmPOxsEIirbIEleGw-EM9DFIQhyEsCThB-_YuEVlwDlqwF5kpy0jkOu84jAuLmlcdPjl46IFYCzYJN3o2SANCHZfYrTLkkTbxQBYsl0nIefNEjKAPck3Eml66aetJdkow'

Hi, any update on this thread? Would really appreciate if someone can pitch in on this.
Thanks and cheers!

With OpenID Connect authentication, you need to send the ID Token instead of the Access Token to the API.

Alternatively, if you wish to use the access token, you might be able to do so by embedding the client_id inside the aud claim of the access token (this is done inside the IdP settings).

If you have no joy, I would recommend you use the JWT authentication mechanism. And where it asks for your public key, provide the JWKS URI supplied by your IdP: https://dev-7-1karvz.us.auth0.com/.well-known/jwks.json
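
The distinction drawn in the answer above (an ID token carries the client_id in its `aud` claim, an access token carries the API identifier) can be checked locally before wiring the gateway. The script below is an added diagnostic written for this thread; it is not Tyk's, Auth0's or the poster's code. It builds two constructed sample tokens with HS256 and a throwaway key (Auth0 issues RS256; HS256 is used only so the example needs no RSA key material), then inspects the `iss` and `aud` claims of a token taken from an Authorization: Bearer header. The client_id, audience, issuer and key values are assumptions for the demo.

```python
"""Added diagnostic: decode a JWT payload and report whether its `aud` carries the
OIDC client_id (ID token) or only the API identifier (access token). Not Tyk code."""
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample values; all of these are assumptions for the demo.
CLIENT_ID = "abc123clientid"
API_AUDIENCE = "https://ownapi.example/tasks"
ISSUER = "https://dev-example.us.auth0.com/"
DEMO_KEY = b"demo-hs256-key-not-for-production"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(seg: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def make_demo_jwt(claims: dict) -> str:
    """Build an HS256-signed token for offline testing only."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(DEMO_KEY, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def decode_claims(token: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature (inspection only;
    never use this to make an authorization decision)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated segments)")
    return json.loads(b64url_decode(parts[1]))


def audience_list(claims: dict) -> list:
    # RFC 7519: aud may be a single string or an array of strings.
    aud = claims.get("aud", [])
    return [aud] if isinstance(aud, str) else list(aud)


def classify_token(token: str, client_id: str, issuer: str) -> str:
    """'id_token' if aud contains client_id, 'access_token' otherwise,
    'wrong_issuer' if iss does not match the configured provider."""
    claims = decode_claims(token)
    if claims.get("iss") != issuer:
        return "wrong_issuer"
    return "id_token" if client_id in audience_list(claims) else "access_token"


def bearer_token(headers: dict) -> Optional[str]:
    """Extract the token from an Authorization: Bearer header; None if absent or malformed."""
    value = headers.get("Authorization", "")
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


if __name__ == "__main__":
    # Constructed tokens: one shaped like an Auth0 ID token, one like an access token.
    id_token = make_demo_jwt({"iss": ISSUER, "sub": "auth0|user1", "aud": CLIENT_ID, "nonce": "n1"})
    access_token = make_demo_jwt({"iss": ISSUER, "sub": "auth0|user1",
                                  "aud": [API_AUDIENCE, ISSUER + "userinfo"]})
    for name, tok in (("id_token", id_token), ("access_token", access_token)):
        headers = {"Authorization": "Bearer " + tok}
        print(name, "->", classify_token(bearer_token(headers), CLIENT_ID, ISSUER))
```

If a token from the Playground classifies as `access_token`, that matches the first suggestion above (send the ID token); if it classifies as `id_token` and the gateway still rejects it, the problem is elsewhere (header name, issuer string, or gateway configuration) rather than in the token's audience. The decoder deliberately skips signature verification because its only job is to look at claims; verification against the JWKS URI belongs to the gateway.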

Greetings @ahmet.

Yes, as you rightly mention, I'm sending the id_token in the Authorization header.
I believe that if the key were incorrect I would be left with a response stating 401 or 403, but instead I'm left with 400 - Bad Request.
I'm sure that the flow I followed is correct, yet it's not working.

Please tell me if I would have to convert the access token and client ID using a Base64 encoder, as mentioned in para 2 of your message?

Referring to para 3 of your message, for my use case it is important to use OpenID Connect and not JWT. Nevertheless I will try to use JWT using my Public Key.

Thanks and regards,
Prashanth

@selvamp could you share a copy of your ApiDefinition object and also SecurityPolicy?

Also, are you using Tyk Gateway Open-Source, or Tyk with Dashboard?

https://tyk.io/docs/advanced-configuration/integrate/api-auth-mode/open-id-connect/

Hi @ahmet.
This issue is resolved. I created a new application in Auth0, followed by a policy for OpenID Connect in Tyk. After changing the authorization header name to a custom header name, I'm able to successfully access the API via Tyk with OpenID Connect as the authentication mechanism.

Thanks for the support @ahmet. Cheers!

With regards,
Prashanth