
[TT-6279] JWT Middleware doesn't allow to use a key provided by the claims.

Open jgouro-hub opened this issue 3 years ago • 1 comment

Branch/Environment/Version master

Describe the bug

It seems that the JWT middleware implements a different hash workflow when we use a "key" attached to a policy to create the token than the one implemented in API_KEY. The result is that it is impossible to load a session from REDIS based on a created key.

Reproduction steps Steps to reproduce the behavior:

  1. Add an API with JWT auth
  2. Add a Policy
  3. Create a key with the POST method
  4. Try to connect with the key hash/id to the API.

Actual behavior Currently the key that I provide is re-hashed (unconditionally) on the fly in the "processCentralisedJWT" method, lines 416 and 417, with this fragment of code:

  // Generate a virtual token
  data := []byte(baseFieldData)
  keyID := fmt.Sprintf("%x", md5.Sum(data))
  sessionID := k.Gw.generateToken(k.Spec.OrgID, keyID)

This makes it impossible to load a key from the store, because keyID will never be the same as the one registered. By contrast, in mw_auth_key.go we can find the correct pattern:

  key, authConfig := k.getAuthToken(k.getAuthType(), r)
  [...]
  session, keyExists = k.CheckSessionAndIdentityForValidKey(key, r)

Expected behavior

We need to be able to load the session and its attached policies from a key provided by the JWT claim. 

Screenshots/Video: (image attachment, not reproduced here)

Do not hesitate to ask for details if it isn't clear enough.

Best regards.

jgouro-hub, Aug 02 '22 08:08
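The mismatch the report describes can be modelled in a few lines. The following is an added illustration, not code from the Tyk repository: the session store is a plain map standing in for Redis, `Session` is a stand-in type, and `generateToken` is assumed to concatenate the org ID and key ID (Tyk's real helper may differ, in particular when key hashing is enabled). `virtualSessionID` follows the two quoted lines from `processCentralisedJWT`, `lookupAuthKey` follows the `mw_auth_key.go` pattern of looking the presented key up as-is, and `lookupJWTWithFallback` is one way to get the behaviour the reporter asks for: try the claim value as a registered key first, then fall back to the virtual token.

```go
package main

import (
	"crypto/md5"
	"fmt"
)

// Session is an illustrative stand-in for the gateway session object.
type Session struct {
	ID       string
	Policies []string
}

// SessionStore models the Redis-backed key store as a map keyed by session ID.
type SessionStore map[string]Session

// generateToken stands in for the gateway helper named in the issue.
// Assumption for this example only: the session ID is orgID + keyID.
func generateToken(orgID, keyID string) string {
	return orgID + keyID
}

// virtualSessionID is the JWT path quoted in the issue: the claim value is
// always md5-hashed, so the result never equals a key registered via the API.
func virtualSessionID(orgID, baseFieldData string) string {
	keyID := fmt.Sprintf("%x", md5.Sum([]byte(baseFieldData)))
	return generateToken(orgID, keyID)
}

// lookupJWT is the current behaviour: only the derived virtual token is tried.
func lookupJWT(store SessionStore, orgID, claim string) (Session, bool) {
	s, ok := store[virtualSessionID(orgID, claim)]
	return s, ok
}

// lookupAuthKey is the mw_auth_key.go pattern: the presented key is looked up as-is.
func lookupAuthKey(store SessionStore, key string) (Session, bool) {
	s, ok := store[key]
	return s, ok
}

// lookupJWTWithFallback is the behaviour the reporter asks for (illustrative,
// not Tyk's fix): accept a registered key carried in the claim, otherwise fall
// back to the virtual token so policy-only JWTs keep working.
func lookupJWTWithFallback(store SessionStore, orgID, claim string) (Session, bool) {
	if s, ok := store[claim]; ok {
		return s, true
	}
	return lookupJWT(store, orgID, claim)
}

func main() {
	// Constructed sample: one key created via the keys API, bound to a policy.
	orgID := "org1"
	key := orgID + "abc123"
	store := SessionStore{key: {ID: key, Policies: []string{"policy-A"}}}

	_, viaJWT := lookupJWT(store, orgID, key)
	_, viaAuthKey := lookupAuthKey(store, key)
	_, viaFallback := lookupJWTWithFallback(store, orgID, key)
	fmt.Printf("JWT path finds session: %v\n", viaJWT)
	fmt.Printf("auth-key path finds session: %v\n", viaAuthKey)
	fmt.Printf("JWT path with fallback finds session: %v\n", viaFallback)
}
```

Two caveats before copying the fallback into a real gateway. First, the claim value must come from a JWT whose signature has already been verified against the configured signing method; otherwise any caller could name an existing key in the claim and take over its session. Second, if the store keeps hashed keys, the raw claim value must be hashed the same way before the first lookup, or the fallback will silently miss.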

Hi @Dje-G, thank you for submitting this in the detail that you have.

I'll relay this to our support and internal engineers.

vverbani, Aug 02 '22 16:08

Hello any update here?

jgouro-hub, Nov 03 '22 10:11

Hello @jgouro-hub, I am not sure what you are looking to do here. Can you please explain the use case? Regarding the reproduction steps: what JWT signing method are you using to validate the JWT? Which POST endpoint are you hitting? What does the key look like?

zalbiraw, May 09 '23 16:05

We don't understand and cannot reproduce the issue you're reporting here, as the use case is not clear.

If you're still having problems, please don't hesitate to comment with an explanation of what you're trying to do, then we can re-open the ticket.

Thank you for supporting Tyk!

andyo-tyk, May 24 '23 12:05