Reputation: 470
Tyk Ouath2 flow client_credentials ERROR: Couldn't use policy or key rules to create token, failing
I'm using Tyk 2.2.0 as an api management oauth2, basic, I need to add the client_credentials oauth2 flow as an allowed_access_types.
I made the following changes in order to generate an access token via this new oauth2 access type:
Create a Tyk Api:
{ "name": "api_oauth_v2_oauth2", "api_id": "openApi", "org_id": "", "definition": { "location": "header", "key": "version" }, "use_oauth2": true, "oauth_meta": { "allowed_access_types": [ "authorization_code", "refresh_token", "client_credentials" ], "allowed_authorize_types": [ "code", "token" ], "auth_login_redirect": "https://www.dev.docapost.io/dashboard/page/external/client/authorize" }, "notifications": { "shared_secret": "", "oauth_on_keychange_url": "http://provisioning:8080/newton-provisioning-web/v1/external/notify" }, "version_data": { "not_versioned": true, "versions": { "Default": { "name": "Default", "expires": "3000-01-02 15:04", "use_extended_paths": true, "extended_paths": { "ignored": [], "white_list": [ {"path":"/users/mobiles/{smartPhoneId}/{pushToken}","method_actions":{"PUT":{"action":"no_action"},"DELETE":{"action":"no_action"}}}, {"path":"/users","method_actions":{"GET":{"action":"no_action"}}}, {"path":"/objects/boxnumber/{boxNumber}/serialnumber/{serialNumber}","method_actions":{"PUT":{"action":"no_action"},"GET":{"action":"no_action"},"DELETE":{"action":"no_action"}}}, {"path":"/objects","method_actions":{"POST":{"action":"no_action"},"GET":{"action":"no_action"}}}, {"path":"/data/boxnumber/{boxNumber}/serialnumber/{serialNumber}/code/{code}","method_actions":{"GET":{"action":"no_action"},"POST":{"action":"no_action"}}}, {"path":"/data","method_actions":{"POST":{"action":"no_action"}}}, {"path":"/shares","method_actions":{"GET":{"action":"no_action"},"POST":{"action":"no_action"},"DELETE":{"action":"no_action"}}}, {"path":"/subscriptions/preconditions","method_actions":{"GET":{"action":"no_action"}}}, {"path":"/subscriptions/{id}/suspend","method_actions":{"PUT":{"action":"no_action"}}}, {"path":"/subscriptions/{id}/configure","method_actions":{"PUT":{"action":"no_action"}}}, {"path":"/subscriptions/{id}/resume","method_actions":{"PUT":{"action":"no_action"}}}, {"path":"/subscriptions/{id}/cancel","method_actions":{"PUT":{"action":"no_action"}}}, {"path":"/subscriptions","method_actions":{"POST":{"action":"no_action"},"GET":{"action":"no_action"}}}, {"path":"/objectmodels/{id}/partnerUri","method_actions":{"PUT":{"action":"no_action"}}}, {"path":"/objectmodels","method_actions":{"POST":{"action":"no_action"},"GET":{"action":"no_action"}}}, {"path":"/action","method_actions":{"POST":{"action":"no_action"}}}, {"path":"/organizations/repositories","method_actions":{"GET":{"action":"no_action"},"PUT":{"action":"no_action"},"DELETE":{"action":"no_action"}}}, {"path":"/repositories/{repositoryName}","method_actions":{"GET":{"action":"no_action"},"DELETE":{"action":"no_action"}}}, {"path":"/repositories","method_actions":{"PUT":{"action":"no_action"}}}, {"path":"/buckets/boxnumber/{boxNumber}/serialnumber/{serialNumber}/code/{code}","method_actions":{"GET":{"action":"no_action"}}}, {"path":"/offers","method_actions":{"GET":{"action":"no_action"}}}, {"path":"/pictures","method_actions":{"GET":{"action":"no_action"}}}, {"path":"/authentication/two-factor/code/{code}","method_actions":{"PUT":{"action":"no_action"}}}, {"path":"/authentication/two-factor/code","method_actions":{"POST":{"action":"no_action"}}}, {"path":"/scripts/{serviceName}/{functionName}","method_actions":{"POST":{"action":"no_action"}}} ], "black_list": [] } } } }, "proxy": { "listen_path": "/hub/v2/", "target_url": "http://mediation:8080/mediation-api/v2/", "strip_listen_path": true }, "enable_batch_request_support": false}
add tyk policy to this new api openApi:
{ "default": { "access_rights": { "openApi": { "allowed_urls": [], "api_id": "openApi", "api_name": "moussiApi", "versions": [ "Default" ] } }, "active": true, "name": "default", "rate": 100, "per": 1, "quota_max": 10000, "quota_renewal_rate": 3600, "tags": ["Startup Users"] } }
modify tyk.conf to attach policies by adding this lines
{"policies": { "policy_source": "file”, "policy_record_name": "./policies/policies.json" }}
Reload Tyk configuration
curl -X GET \ http://localhost:8082/tyk/reload/ -H 'x-tyk-authorization: 352d20ee67be67f6341b4c0605b044b8'
Create new Oauth Client with new Api
curl -X POST \ http://localhost:8082/tyk/oauth/clients/create -H 'content-type: application/json' -H 'x-tyk-authorization: 352d20ee67be67f6341b4c0605b044b8' -d '{ "api_id": "openApi", "redirect_uri": "http://www.myuri.fr" }'
generate Access Token:
curl -X POST \ http://localhost:8082/hub/v2/oauth/token/ -H 'authorization: Basic MGFmYjBmYWUzYmZkNDNlZDQ0YzhjYTlkNWFiYWIwN2E6T0dKaU5qVXhZak10WXpObU9DMDBZVFkwTFRZME1HUXRabVZoT1dRMU1qTTBNalk0' -H 'content-type: application/x-www-form-urlencoded' -d 'client_id=0afb0fae3bfd43ed44c8ca9d5abab07a&client_secret=OGJiNjUxYjMtYzNmOC00YTY0LTY0MGQtZmVhOWQ1MjM0MjY4&grant_type=client_credentials'
Unfortuanately I got this error while generating access token with client_credentials grant type:
{"error":"server_error","error_description":"The authorization server encountered an unexpected condition that prevented it from fulfilling the request."} time="Jan 8 13:29:53" level=info msg="Getting client ID:0afb0fae3bfd43ed44c8ca9d5abab07a" time="Jan 8 13:29:54" level=info msg="[OAuth] Generating new token" time="Jan 8 13:29:54" level=error msg="ERROR: Couldn't use policy or key rules to create token, failing"
- logs
time="Jan 10 08:45:54" level=info msg="Initiating reload" time="Jan 10 08:45:54" level=info msg="Reload URL Structure - Scheduled" time="Jan 10 08:46:04" level=info msg="Loading API Specification from /USR/newtprod/tyk/apps/app_api_oauth_v2_oauth2.json" time="Jan 10 08:46:04" level=info msg="Detected 1 APIs" time="Jan 10 08:46:04" level=info msg="Loading API configurations." time="Jan 10 08:46:04" level=info msg="--> Loading API: api_oauth_v2_oauth2" time="Jan 10 08:46:04" level=info msg="----> Tracking: (no host)" time="Jan 10 08:46:04" level=info msg="----> Checking security policy: OAuth" time="Jan 10 08:46:04" level=info msg="----> Setting Listen Path: /hub/v2/" time="Jan 10 08:46:04" level=info msg="Loading uptime tests..." time="Jan 10 08:46:04" level=info msg="Initialised API Definitions" time="Jan 10 08:46:04" level=info msg="API reload complete" time="Jan 10 08:59:24" level=info msg="Getting client ID:14b2ac609a35405169ee3804db1ab406" time="Jan 10 08:59:24" level=info msg="[OAuth] Generating new token" time="Jan 10 08:59:24" level=error msg="ERROR: Couldn't use policy or key rules to create token, failing"
Any idea please. Thanks
Upvotes: 1
Views: 462
Answers (1)
Reputation: 470
I have just completed a full authentication with this Oauth2 access flow.
be attention you may have to restart the tyk service, a simple reload does not load new policies into memory.
I illustrated this in an article that I posted a few days ago.
https://dzone.com/articles/tyk-management-api-oauth2-client-credentials-flow
Upvotes: 1
Related Questions
- Example of Login with Tiktok (web) flow
- Tyk.io - Attempted administrative access with invalid or missing key
- Keycloak - Oauth-2 Authentication Flow
- invalid_scope error in access token for client credential flow
- Kong OAuth2 Plugin Client Credentials Flow provision_key not validated
- How to Validate an Access Token for OAuth2 + PCKE flow
- Google Authorization Code Flow - Getting Access Token Returns "unauthorized_client"
- Service now oauth grant flow error with oauth_token.do
- Client Credentials Grant Flow having subject with null value, cause internal server error
- Salesforce OAuth 2.0 User-Agent Flow: INVALID_SESSION_ID