Using proxy authentication with OAuth2


I have configured a profile in TIB as given below, this will add ProxyProvider with Oauth IdentityHandler whenever I send password grant_type request to generate oauth token, authentication should happen from proxy and token should generate for the configured oauth client. Now authentication is returning json response but tyk could not be able to generate token and showing below errors in the log.
Please help me resolve this.

time="2017-11-28T08:54:34Z" level=warning msg="Response code was: 403" time="2017-11-28T08:54:34Z" level=warning msg="GOT:{\"Status\":\"Error\",\"Message\":\"User does not have permission to add API to key Access Rights!\",\"Meta\":null}\n" time="2017-11-28T08:54:34Z" level=error msg="[TYK ID HANDLER] --> Login failure. Request not allowed"

{ "ID": "4", "OrgID": "5a16cf191d41c80a85ff4492", "ActionType": "GenerateTemporaryAuthToken", "MatchedPolicyID": "5a16da371d41c80a85ff4499", "Type": "passthrough", "ProviderName": "ProxyProvider", "ProviderConfig": { "AccessTokenField": "access_token", "ExrtactUserNameFromBasicAuthHeader": false, "OKCode": 200, "OKRegex": "", "OKResponse": "", "ResponseIsJson": true, "TargetHost": "", "UsernameField": "user_name" }, "IdentityHandlerConfig": { "DashboardCredential": "b0cb84e275434da2774e75cdd5cff3ab", "DisableOneTokenPerAPI": false, "OAuth": { "APIListenPath": "customoauth2", "BaseAPIID": "customoauth2", "ClientId": "27f6e23bab8b4c9981ba71bfa9f7aa63", "NoRedirect": false, "RedirectURI": "http:/", "ResponseType": "token", "Secret": "N2M1OTJjNTYtYzc4MC00ZDQxLTgzNmUtMDY3ZGYyOGFkNGUz" } }, "ProviderConstraints": { "Domain": "", "Group": "" }, "ReturnURL": "" }

Thank You,

It looks like user credentials you are using here “b0cb84e275434da2774e75cdd5cff3ab”, do not have enough permissions. You can verify it by trying to create a key directly using Dashboard API. User should have “write” key permissions.

Hi leon thank you for your quick response, I created key using dashboard API using its credential configured in the profile. I got below response

Authorization : b0cb84e275434da2774e75cdd5cff3ab
Content-Type : application/json

{ "api_model": {}, "key_id": "5a16cf191d41c80a85ff449223c533016b0b42cc983cfd95fa59a538", "data": { "last_check": 0, "allowance": 1000, "rate": 1000, "per": 60, "expires": 0, "quota_max": 10000, "quota_renews": 1514381776, "quota_remaining": 10000, "quota_renewal_rate": 2520000, "access_rights": { "088122f756b5437d581167bbac58506d": { "api_name": "customoauth2", "api_id": "088122f756b5437d581167bbac58506d", "versions": [ "Default" ], "allowed_urls": null } }, "org_id": "5a16cf191d41c80a85ff4492", "oauth_client_id": "", "basic_auth_data": { "password": "", "hash_type": "" }, "jwt_data": { "secret": "" }, "hmac_enabled": false, "hmac_string": "", "is_inactive": false, "apply_policy_id": "", "apply_policies": null, "data_expires": 0, "monitor": { "trigger_limits": null }, "meta_data": null, "tags": null, "alias": "", "last_updated": "1511861776", "certificate": "" } }

In your original TIB config, you specify “5a16da371d41c80a85ff4499” as “MatchedPolicyID”. So ensure that this policy exists, as well as APIs defined inside this policy (and you have access to them).

In context of creating key via API, it will mean using “apply_policy_id” field instead of specifying “access_rights”

Hi leon, I have changed my profile configuration as given below and I could able to obtain access_token but when I use that to access my API getting below error. Please help

Profile Configuration
{ "ID": "4", "OrgID": "5a16cf191d41c80a85ff4492", "ActionType": "GenerateOAuthTokenForClient", "MatchedPolicyID": "5a16da371d41c80a85ff4499", "Type": "passthrough", "ProviderName": "ProxyProvider", "ProviderConfig": { "AccessTokenField": "access_token", "ExrtactUserNameFromBasicAuthHeader": false, "OKCode": 200, "OKRegex": "", "OKResponse": "", "ResponseIsJson": true, "TargetHost": "", "UsernameField": "user_name" }, "IdentityHandlerConfig": { "DashboardCredential": "b0cb84e275434da2774e75cdd5cff3ab", "DisableOneTokenPerAPI": false, "OAuth": { "APIListenPath": "customoauth2", "BaseAPIID": "customoauth2", "ClientId": "d8c4b9c50e3d4067a5bfe40c18e39136", "NoRedirect": true, "RedirectURI": "", "ResponseType": "token", "Secret": "N2ZhZTQyNzEtY2RkNi00NjAzLTgyZTQtOTQyZGYyMTZhOTli" } }, "ProviderConstraints": { "Domain": "", "Group": "" }, "ReturnURL": "" }

Authorization: Basic base64(username:password)

{ "access_token": "5a16cf191d41c80a85ff44920e9a1ea5e8884b9598217cc9982c5657", "expires_in": 3600, "redirect_to": "", "token_type": "bearer" }

Gateway Request details
Authorization: Bearer 5a16cf191d41c80a85ff44920e9a1ea5e8884b9598217cc9982c5657
“error”: “Session state is missing or unset! Please make sure that auth headers are properly applied”

Hi leon Sorry for the reply. I got it working, I had multiple authentication mode configured in my API after changing Base identity provider to Oauth2.0 it worked…

Thank You,

shiva, I have refer you Profile Configuration to test proxy provider to get Access_token, but response the error: Authentication Failed

Profile Configuration:
“ActionType”: “GenerateOAuthTokenForClient”,
“ID”: “16”,
“OrgID”: “5b6a9a6ae138230df675f3c0”,
“MatchedPolicyID”: “5b88c1d8e138230c54c37e98”,
“Type”: “passthrough”,
“ProviderName”: “ProxyProvider”,
“ProviderConfig”: {
“AccessTokenField”: “access_token”,
“ExrtactUserNameFromBasicAuthHeader”: false,
“OKCode”: 200,
“OKRegex”: “”,
“OKResponse”: “”,
“ResponseIsJson”: true,
“TargetHost”: “”,
“UsernameField”: “user_name”
“IdentityHandlerConfig”: {
“DashboardCredential”: “f0775c8904b34bfd5bdbd242d588add2”,
“DisableOneTokenPerAPI”: false,
“OAuth”: {
“APIListenPath”: “/githuboauthtonkerforclient-api1”,
“BaseAPIID”: “githuboauthtonkerforclient-api1”,
“ClientId”: “0b22cbedc2bb47b8813b93f23c50f863”,
“NoRedirect”: true,
“RedirectURI”: “”,
“ResponseType”: “token”,
“ProviderConstraints”: {
“Domain”: “”,
“Group”: “”
“ReturnURL”: “”

curl -X POST -H ‘Authorization: Basic YWRtaW5AZGVmYXVsdC5jb206ZXhjZWwxMjM=’ -i ‘
HTTP/1.1 401 Unauthorized
Date: Fri, 07 Sep 2018 11:08:39 GMT
Content-Length: 21
Content-Type: text/plain; charset=utf-8

Do you know how to solve the problem?