Tyk header variable substitution is not possible for certain JWT claims
Branch/Environment/Version
- Branch/Version: Master
- Environment: On-prem
Describe the bug
When context variables are enabled and JWT/OAuth client authentication is configured, Tyk sets `jwt_claims_{claim name}` context variables to the corresponding JWT claim values. However, no variable name pre-processing is done, and the actual dictionary of context variables could contain records such as `jwt_claims_https://my-api/my-claim`. Due to the Tyk variable substitution limits, it's impossible to reference such properties from request/response header expressions.
Reproduction steps
- Spin up a Tyk service using a configuration that is similar to the attached one.
- Make a request using a valid JWT, for instance:

```shell
curl http://localhost:8080/ -H "Authorization: Bearer $token"
```
Actual behavior
The `$.headers.X-Forwarded-User-Id` response property is set to the value `://my-domain.org/email`.
Expected behavior
A user can configure passing a claim from a client request JWT to a request header.
Configuration (tyk config file):

```json
{
  "name": "my-api",
  "api_id": "my-api",
  "org_id": "my-org",
  "proxy": {
    "listen_path": "/",
    "target_url": "https://httpbin.org/headers",
    "preserve_host_header": false
  },
  "version_data": {
    "not_versioned": true,
    "versions": {
      "Default": {
        "name": "Default",
        "global_headers": {
          "X-Forwarded-User-Id": "$tyk_context.jwt_claims_https://my-domain.org/email"
        }
      }
    }
  },
  "use_openid": true,
  "openid_options": {
    "providers": [
      {
        "issuer": "https://my-domain.auth0.com/",
        "client_ids": {
          "aHR0cHM6Ly9teS1hcGkubXktb3JnLmNvbQ==": "undefined"
        }
      }
    ]
  },
  "jwt_scope_to_policy_mapping": {
    "my-scope": "everything"
  },
  "enable_context_vars": true
}
```
Additional context
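The following is an added example, not code from the reporter or from the Tyk project, that models why the header expression above ends up as `://my-domain.org/email`. It assumes (this is an assumption, not checked against the gateway source) that the name after `$tyk_context.` is matched with a word-character pattern and that the context is built as `jwt_claims_<raw claim name>` with no sanitising, as the report describes. The token, claim names and the `substitute`/`build_context` helpers are all constructed for the demonstration; the payload is decoded without signature verification purely to build the context dictionary.

```python
"""Model of $tyk_context.jwt_claims_<name> substitution (added example, not Tyk's code).

Assumption: the variable name is matched by a word-character pattern, so a
claim name containing ':' or '/' is cut off at the first such character.
"""
import base64
import json
import re

# Assumed name pattern: letters, digits, '_', '-' and '.' only.
VAR_RE = re.compile(r"\$tyk_context\.([A-Za-z0-9_\-.]+)")


def make_token(claims: dict) -> str:
    """Constructed, unsigned token (header.payload.<fake signature>) for the demo only."""
    def b64(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([b64({"alg": "none", "typ": "JWT"}), b64(claims), "sig"])


def decode_claims(token: str) -> dict:
    """Return the payload of a compact JWS WITHOUT verifying the signature.

    This only feeds the model's context dictionary; never use unverified
    claims for an authorisation decision.
    """
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def build_context(claims: dict) -> dict:
    """Mirror the reported behaviour: key is jwt_claims_ + the raw claim name."""
    return {f"jwt_claims_{name}": str(value) for name, value in claims.items()}


def substitute(template: str, ctx: dict) -> str:
    """Replace every $tyk_context.<name> with ctx[name], or '' when the name is unknown."""
    return VAR_RE.sub(lambda m: ctx.get(m.group(1), ""), template)


# Constructed claims: a plain claim and an Auth0-style namespaced claim.
CLAIMS = {
    "sub": "auth0|123",
    "https://my-domain.org/email": "alice@example.org",
}
TOKEN = make_token(CLAIMS)


def forwarded_user_id() -> str:
    """Value the reporter's X-Forwarded-User-Id expression produces under this model."""
    ctx = build_context(decode_claims(TOKEN))
    return substitute("$tyk_context.jwt_claims_https://my-domain.org/email", ctx)


def forwarded_subject() -> str:
    """A claim whose name contains only word characters resolves as intended."""
    ctx = build_context(decode_claims(TOKEN))
    return substitute("$tyk_context.jwt_claims_sub", ctx)


if __name__ == "__main__":
    print(forwarded_user_id())   # ://my-domain.org/email  (claim-name residue, not the value)
    print(forwarded_subject())   # auth0|123
```

Under this model the matcher consumes `$tyk_context.jwt_claims_https`, finds no such key, substitutes an empty string, and leaves the rest of the claim name in the header verbatim, which is exactly the residue reported under "Actual behavior". Any fix has to either widen what a variable name may contain or map claim names to a substitution-safe form before they are placed in the context.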