Using proxy authentication with OAuth2

Hi,

I have configured a profile in TIB as given below. This will add ProxyProvider with the OAuth IdentityHandler: whenever I send a password grant_type request to generate an OAuth token, authentication should happen from the proxy and a token should be generated for the configured OAuth client. Now authentication is returning a JSON response, but Tyk is not able to generate the token and shows the errors below in the log.
Please help me resolve this.

time="2017-11-28T08:54:34Z" level=warning msg="Response code was: 403"
time="2017-11-28T08:54:34Z" level=warning msg="GOT:{\"Status\":\"Error\",\"Message\":\"User does not have permission to add API to key Access Rights!\",\"Meta\":null}\n"
time="2017-11-28T08:54:34Z" level=error msg="[TYK ID HANDLER] --> Login failure. Request not allowed"

{ "ID": "4", "OrgID": "5a16cf191d41c80a85ff4492", "ActionType": "GenerateTemporaryAuthToken", "MatchedPolicyID": "5a16da371d41c80a85ff4499", "Type": "passthrough", "ProviderName": "ProxyProvider", "ProviderConfig": { "AccessTokenField": "access_token", "ExrtactUserNameFromBasicAuthHeader": false, "OKCode": 200, "OKRegex": "", "OKResponse": "", "ResponseIsJson": true, "TargetHost": "http://api-server.dev.com:8080/Spring4MVCCRUDRestService/auth", "UsernameField": "user_name" }, "IdentityHandlerConfig": { "DashboardCredential": "b0cb84e275434da2774e75cdd5cff3ab", "DisableOneTokenPerAPI": false, "OAuth": { "APIListenPath": "customoauth2", "BaseAPIID": "customoauth2", "ClientId": "27f6e23bab8b4c9981ba71bfa9f7aa63", "NoRedirect": false, "RedirectURI": "http:/www.google.co.in", "ResponseType": "token", "Secret": "N2M1OTJjNTYtYzc4MC00ZDQxLTgzNmUtMDY3ZGYyOGFkNGUz" } }, "ProviderConstraints": { "Domain": "", "Group": "" }, "ReturnURL": "" }

Thank You,
Shiva

It looks like the user credentials you are using here, “b0cb84e275434da2774e75cdd5cff3ab”, do not have enough permissions. You can verify this by trying to create a key directly using the Dashboard API. The user should have “write” key permissions.

Hi leon, thank you for your quick response. I created a key using the Dashboard API, using the credential configured in the profile. I got the response below.

POST http://tyk-dashboard.dev.com:3000/api/keys
Headers:
Authorization : b0cb84e275434da2774e75cdd5cff3ab
Content-Type : application/json

Response
{ "api_model": {}, "key_id": "5a16cf191d41c80a85ff449223c533016b0b42cc983cfd95fa59a538", "data": { "last_check": 0, "allowance": 1000, "rate": 1000, "per": 60, "expires": 0, "quota_max": 10000, "quota_renews": 1514381776, "quota_remaining": 10000, "quota_renewal_rate": 2520000, "access_rights": { "088122f756b5437d581167bbac58506d": { "api_name": "customoauth2", "api_id": "088122f756b5437d581167bbac58506d", "versions": [ "Default" ], "allowed_urls": null } }, "org_id": "5a16cf191d41c80a85ff4492", "oauth_client_id": "", "basic_auth_data": { "password": "", "hash_type": "" }, "jwt_data": { "secret": "" }, "hmac_enabled": false, "hmac_string": "", "is_inactive": false, "apply_policy_id": "", "apply_policies": null, "data_expires": 0, "monitor": { "trigger_limits": null }, "meta_data": null, "tags": null, "alias": "", "last_updated": "1511861776", "certificate": "" } }

In your original TIB config, you specify “5a16da371d41c80a85ff4499” as “MatchedPolicyID”. So ensure that this policy exists, as well as the APIs defined inside this policy (and that you have access to them).

In the context of creating a key via the API, this means using the “apply_policy_id” field instead of specifying “access_rights”.
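The log excerpt and the two replies above, combined into a small triage script. This is an added example, not part of the thread or of Tyk's own code; it assumes logrus text-format lines like the ones posted, and the function names are hypothetical.

```python
import json
import re

# The three log lines posted in the thread (logrus text format).
SAMPLE_LOG = r'''time="2017-11-28T08:54:34Z" level=warning msg="Response code was: 403"
time="2017-11-28T08:54:34Z" level=warning msg="GOT:{\"Status\":\"Error\",\"Message\":\"User does not have permission to add API to key Access Rights!\",\"Meta\":null}\n"
time="2017-11-28T08:54:34Z" level=error msg="[TYK ID HANDLER] --> Login failure. Request not allowed"'''

# key=value pairs: a value is a bare word or a double-quoted string with backslash escapes.
PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
STATUS = re.compile(r"Response code was: (\d+)")

def parse_line(line):
    """Split one log line into a dict of its fields."""
    fields = {}
    for key, raw in PAIR.findall(line):
        # Assumption: quoted values only use escapes JSON also understands (\" \\ \n).
        fields[key] = json.loads(raw) if raw.startswith('"') else raw
    return fields

def diagnose(log_text):
    """Collect the Dashboard status and message, then map them to the checks named in the replies."""
    result = {"status": None, "dashboard_message": None, "login_failed": False, "checks": []}
    for line in log_text.splitlines():
        msg = parse_line(line).get("msg", "")
        status = STATUS.match(msg)
        if status:
            result["status"] = int(status.group(1))
        elif msg.startswith("GOT:"):
            # The Dashboard's response body is logged verbatim after the "GOT:" prefix.
            try:
                body = json.loads(msg[4:])
            except ValueError:
                body = msg[4:].strip()
            result["dashboard_message"] = body.get("Message") if isinstance(body, dict) else str(body)
        elif "Login failure" in msg:
            result["login_failed"] = True
    if result["status"] == 403 and "permission" in (result["dashboard_message"] or ""):
        result["checks"] = [
            'DashboardCredential user needs "write" key permission',
            "MatchedPolicyID policy must exist and its APIs must be accessible to that user",
        ]
    return result

if __name__ == "__main__":
    print(json.dumps(diagnose(SAMPLE_LOG), indent=2))
```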

Hi leon, I have changed my profile configuration as given below and I am able to obtain an access_token, but when I use it to access my API I get the error below. Please help.

Profile Configuration
{ "ID": "4", "OrgID": "5a16cf191d41c80a85ff4492", "ActionType": "GenerateOAuthTokenForClient", "MatchedPolicyID": "5a16da371d41c80a85ff4499", "Type": "passthrough", "ProviderName": "ProxyProvider", "ProviderConfig": { "AccessTokenField": "access_token", "ExrtactUserNameFromBasicAuthHeader": false, "OKCode": 200, "OKRegex": "", "OKResponse": "", "ResponseIsJson": true, "TargetHost": "http://api-server.dev.com:8080/Spring4MVCCRUDRestService/auth", "UsernameField": "user_name" }, "IdentityHandlerConfig": { "DashboardCredential": "b0cb84e275434da2774e75cdd5cff3ab", "DisableOneTokenPerAPI": false, "OAuth": { "APIListenPath": "customoauth2", "BaseAPIID": "customoauth2", "ClientId": "d8c4b9c50e3d4067a5bfe40c18e39136", "NoRedirect": true, "RedirectURI": "http://httpbin.org", "ResponseType": "token", "Secret": "N2ZhZTQyNzEtY2RkNi00NjAzLTgyZTQtOTQyZGYyMTZhOTli" } }, "ProviderConstraints": { "Domain": "", "Group": "" }, "ReturnURL": "" }

POST http://tyk-broker.dev.com:3010/auth/4/proxy
Headers:
Authorization: Basic base64(username:password)

Response
{ "access_token": "5a16cf191d41c80a85ff44920e9a1ea5e8884b9598217cc9982c5657", "expires_in": 3600, "redirect_to": "http://httpbin.org#access_token=5a16cf191d41c80a85ff44920e9a1ea5e8884b9598217cc9982c5657&expires_in=3600&token_type=bearer", "token_type": "bearer" }

Gateway Request details
GET http://tyk-gateway.dev.com:8070/customoauth2/
Headers:
Authorization: Bearer 5a16cf191d41c80a85ff44920e9a1ea5e8884b9598217cc9982c5657
Response
{
  "error": "Session state is missing or unset! Please make sure that auth headers are properly applied"
}

Hi leon, sorry for the reply. I got it working. I had multiple authentication modes configured in my API; after changing the Base identity provider to OAuth 2.0 it worked…

Thank You,
Shiva

shiva, I referred to your Profile Configuration to test the proxy provider to get an access_token, but the response is the error: Authentication Failed

Profile Configuration:
{
  "ActionType": "GenerateOAuthTokenForClient",
  "ID": "16",
  "OrgID": "5b6a9a6ae138230df675f3c0",
  "MatchedPolicyID": "5b88c1d8e138230c54c37e98",
  "Type": "passthrough",
  "ProviderName": "ProxyProvider",
  "ProviderConfig": {
    "AccessTokenField": "access_token",
    "ExrtactUserNameFromBasicAuthHeader": false,
    "OKCode": 200,
    "OKRegex": "",
    "OKResponse": "",
    "ResponseIsJson": true,
    "TargetHost": "http://www.port.com:3000/login",
    "UsernameField": "user_name"
  },
  "IdentityHandlerConfig": {
    "DashboardCredential": "f0775c8904b34bfd5bdbd242d588add2",
    "DisableOneTokenPerAPI": false,
    "OAuth": {
      "APIListenPath": "/githuboauthtonkerforclient-api1",
      "BaseAPIID": "githuboauthtonkerforclient-api1",
      "ClientId": "0b22cbedc2bb47b8813b93f23c50f863",
      "NoRedirect": true,
      "RedirectURI": "http://httpbin.org/get",
      "ResponseType": "token",
      "Secret": "NTdiZDRiYjAtYmZiNS00NTE3LWJhNGEtODQ2MmI2OGQzNWIw"
    }
  },
  "ProviderConstraints": {
    "Domain": "",
    "Group": ""
  },
  "ReturnURL": ""
}

curl -X POST -H 'Authorization: Basic YWRtaW5AZGVmYXVsdC5jb206ZXhjZWwxMjM=' -i 'http://10.4.2.98:3010/auth/16/proxy'
HTTP/1.1 401 Unauthorized
Date: Fri, 07 Sep 2018 11:08:39 GMT
Content-Length: 21
Content-Type: text/plain; charset=utf-8

Do you know how to solve the problem?