I have tyk-oss, tyk-pump and tyk-operator running on a local minikube cluster.
I want to use basic authentication to secure my APIs.
I have created an API using the following configuration:
```yaml
apiVersion: tyk.tyk.io/v1alpha1
kind: ApiDefinition
metadata:
  name: address
spec:
  name: address
  use_keyless: false
  protocol: http
  active: true
  enable_context_vars: true
  enable_detailed_recording: true
  proxy:
    target_url: http://192.168.1.200:8080
    listen_path: /address
    strip_listen_path: false
  global_rate_limit:
    rate: 10
    per: 1
  use_basic_auth: true
  version_data:
    default_version: Default
    not_versioned: true
    versions:
      Default:
        name: Default
```
I have then created a Basic Auth user via the API:
```sh
curl -X POST -H 'x-tyk-authorization: password' -s -H 'Content-Type: application/json' -d '
{
  "allowance": 1000,
  "rate": 1000,
  "per": 1,
  "expires": -1,
  "quota_max": -1,
  "quota_renews": 1449051461,
  "quota_remaining": -1,
  "quota_renewal_rate": 60,
  "access_rights": {
    "dHlrL2FkZHJlc3M": {
      "api_id": "dHlrL2FkZHJlc3M",
      "api_name": "address",
      "versions": ["Default"]
    }
  },
  "meta_data": {},
  "basic_auth_data": {
    "password": "password"
  }
}' localhost:5000/tyk/keys/user

{"key":"","status":"ok","action":"added","key_hash":"a267a6ee3c29c2ee8543858d3bf29218"}
```
It is stored in Redis:

```
127.0.0.1:6379> keys *
1) "redis-test-fb67228f-e150-4077-b6d8-3e997fed68b4"
2) "redis-test-2a18f688-bcc5-4580-a437-9f0946808f64"
3) "apikey-a267a6ee3c29c2ee8543858d3bf29218"
4) "version-check-pump"
5) "host-checker:PollerActiveInstanceID"
6) "redis-test-d3491124-5ae9-44a5-ab4b-4acfe8ef98b9"
7) "tyk-liveness-probe"
127.0.0.1:6379> get apikey-a267a6ee3c29c2ee8543858d3bf29218
"{\"last_check\":0,\"allowance\":1000,\"rate\":1000,\"per\":1,\"throttle_interval\":0,\"throttle_retry_limit\":0,\"max_query_depth\":0,\"date_created\":\"2024-03-15T12:33:45.279957648Z\",\"expires\":-1,\"quota_max\":-1,\"quota_renews\":1710506085,\"quota_remaining\":-1,\"quota_renewal_rate\":60,\"access_rights\":{\"dHlrL2FkZHJlc3M\":{\"api_name\":\"address\",\"api_id\":\"dHlrL2FkZHJlc3M\",\"versions\":[\"Default\"],\"allowed_urls\":null,\"restricted_types\":null,\"allowed_types\":null,\"limit\":{\"rate\":0,\"per\":0,\"throttle_interval\":0,\"throttle_retry_limit\":0,\"max_query_depth\":0,\"quota_max\":0,\"quota_renews\":0,\"quota_remaining\":0,\"quota_renewal_rate\":0},\"field_access_rights\":null,\"disable_introspection\":false,\"allowance_scope\":\"\"}},\"org_id\":\"\",\"oauth_client_id\":\"\",\"oauth_keys\":null,\"certificate\":\"\",\"basic_auth_data\":{\"password\":\"$2a$10$BeslKqNJN78AU3bRsh9Ofe2VHdnGgYZMblOD1NUAJ7tpyXnIRhq9i\",\"hash_type\":\"bcrypt\"},\"jwt_data\":{\"secret\":\"\"},\"hmac_enabled\":false,\"enable_http_signature_validation\":false,\"hmac_string\":\"\",\"rsa_certificate_id\":\"\",\"is_inactive\":false,\"apply_policy_id\":\"\",\"apply_policies\":null,\"data_expires\":0,\"monitor\":{\"trigger_limits\":null},\"enable_detail_recording\":false,\"enable_detailed_recording\":false,\"meta_data\":{},\"tags\":[],\"alias\":\"\",\"last_updated\":\"1710506025\",\"id_extractor_deadline\":0,\"session_lifetime\":0}"
127.0.0.1:6379>
```
But when I want to call my API, I get an error "User not authorized":

```
curl -v http://localhost:5000/address -u user:password
* processing: http://localhost:5000/address
*   Trying [::1]:5000...
* Connected to localhost (::1) port 5000
* Server auth using Basic with user 'user'
> GET /address HTTP/1.1
> Host: localhost:5000
> Authorization: Basic dXNlcjpwYXNzd29yZA==
> User-Agent: curl/8.2.1
> Accept: */*
>
< HTTP/1.1 401 Unauthorized
< Content-Type: application/json
* Authentication problem. Ignoring this.
< Www-Authenticate: Basic realm="address"
< X-Generator: tyk.io
< Date: Fri, 15 Mar 2024 12:34:52 GMT
< Content-Length: 38
<
{
    "error": "User not authorised"
}
```
The gateway logs show the following:

```
time="Mar 15 12:34:52" level=info msg="Could not find user, falling back to legacy format key." api_id=dHlrL2FkZHJlc3M api_name=address key=-- mw=BasicAuthKeyIsValid org_id= origin=127.0.0.1 path=/address
time="Mar 15 12:34:52" level=warning msg="Attempted access with non-existent user." api_id=dHlrL2FkZHJlc3M api_name=address key=-- mw=BasicAuthKeyIsValid org_id= origin=127.0.0.1 path=/address
```
The database entry from tyk-pump also shows `00000000` in the `apikey` column, which also happens when I do not provide `-u user:password` in the `curl` command:
method | host | path | rawpath | contentlength | useragent | day | month | year | hour | responsecode | apikey | timestamp | apiversion | api_name | apiid | orgid | oauthid | requesttime | rawrequest | rawresponse | ipaddress | geo_country_iso_code | geo_city_geoname_id | geo_city_names | geo_location_latitude | geo_location_longitude | geo_location_time_zone | network_open_connections | network_closed_connections | network_bytes_in | network_bytes_out | latency_total | latency_upstream | tags | alias | trackpath | expireAt |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
GET | 192.168.1.200:8080 | /address | /address | 0 | curl/8.2.1 | 15 | 3 | 2024 | 12 | 401 | 00000000 | 2024-03-15 12:34:52.286361 +00:00 | Non Versioned | address | dHlrL2FkZHJlc3M | 0 | R0VUIC9hZGRyZXNzIEhUVFAvMS4xDQpIb3N0OiBsb2NhbGhvc3Q6NTAwMA0KVXNlci1BZ2VudDogY3VybC84LjIuMQ0KQWNjZXB0OiAqLyoNCkF1dGhvcml6YXRpb246IEJhc2ljIGRYTmxjanB3WVhOemQyOXlaQT09DQoNCg== | SFRUUC8wLjAgNDAxIFVuYXV0aG9yaXplZA0KQ29udGVudC1UeXBlOiBhcHBsaWNhdGlvbi9qc29uDQpYLUdlbmVyYXRvcjogdHlrLmlvDQoNCnsKICAgICJlcnJvciI6ICJVc2VyIG5vdCBhdXRob3Jpc2VkIgp9 | 127.0.0.1 | 0 | {} | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | ["key-00000000","api-dHlrL2FkZHJlc3M"] | false | 2124-02-20 12:34:52.286390 +00:00 |
What am I doing wrong?
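One check worth running against a pump row like the one above is to decode its `rawrequest` / `rawresponse` columns (tyk-pump stores the raw HTTP messages base64-encoded) and confirm which Basic username the gateway actually received, then compare it with the name used in `POST /tyk/keys/<username>`. This is an added debugging script, not code from the post or from Tyk; the two base64 values are copied from the table above and the key name `user` is assumed from the `/tyk/keys/user` call.

```python
import base64
import json

# Copied from the rawrequest / rawresponse columns of the tyk-pump row in the post.
RAW_REQUEST = "R0VUIC9hZGRyZXNzIEhUVFAvMS4xDQpIb3N0OiBsb2NhbGhvc3Q6NTAwMA0KVXNlci1BZ2VudDogY3VybC84LjIuMQ0KQWNjZXB0OiAqLyoNCkF1dGhvcml6YXRpb246IEJhc2ljIGRYTmxjanB3WVhOemQyOXlaQT09DQoNCg=="
RAW_RESPONSE = "SFRUUC8wLjAgNDAxIFVuYXV0aG9yaXplZA0KQ29udGVudC1UeXBlOiBhcHBsaWNhdGlvbi9qc29uDQpYLUdlbmVyYXRvcjogdHlrLmlvDQoNCnsKICAgICJlcnJvciI6ICJVc2VyIG5vdCBhdXRob3Jpc2VkIgp9"


def parse_http_message(b64):
    """Decode one pump column into (start line, {lowercased header: value}, body)."""
    text = base64.b64decode(b64).decode("utf-8", errors="replace")
    head, _, body = text.partition("\r\n\r\n")
    start_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return start_line, headers, body


def basic_credentials(headers):
    """Return (username, password) from 'Authorization: Basic ...', or None."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def inspect_record(raw_request, raw_response, key_name):
    """Summarise what the gateway saw and whether the Basic username equals the
    name used in POST /tyk/keys/<key_name> ('user' is assumed for this post)."""
    request_line, req_headers, _ = parse_http_message(raw_request)
    status_line, _, resp_body = parse_http_message(raw_response)
    method, path, _ = request_line.split(" ", 2)
    creds = basic_credentials(req_headers)
    try:
        parsed = json.loads(resp_body)
        error = parsed.get("error") if isinstance(parsed, dict) else None
    except ValueError:
        error = None  # non-JSON body (e.g. an upstream response)
    return {
        "method": method,
        "path": path,
        "username": creds[0] if creds else None,
        "username_matches_key_name": creds is not None and creds[0] == key_name,
        "status": int(status_line.split(" ")[1]),
        "error": error,
    }
```

`inspect_record(RAW_REQUEST, RAW_RESPONSE, "user")` confirms that curl did send `user` with a Basic header and that the 401 came from the gateway itself, which narrows the problem to how the key was stored and looked up rather than to the request.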