I am using Tyk 2.2.0 as an API manager with OAuth2. Basically, I need to add the client_credentials OAuth2 flow to allowed_access_types.
I made the following changes so that an access token can be generated via this new OAuth2 access type:
Create a Tyk API:
{
"name": "api_oauth_v2_oauth2",
"api_id": "openApi",
"org_id": "",
"definition": {
"location": "header",
"key": "version"
},
"use_oauth2": true,
"oauth_meta": {
"allowed_access_types": [
"authorization_code",
"refresh_token",
"client_credentials"
],
"allowed_authorize_types": [
"code",
"token"
],
"auth_login_redirect": "https://www.dev.docapost.io/dashboard/page/external/client/authorize"
},
"notifications": {
"shared_secret": "",
"oauth_on_keychange_url": "http://provisioning:8080/newton-provisioning-web/v1/external/notify"
},
"version_data": {
"not_versioned": true,
"versions": {
"Default": {
"name": "Default",
"expires": "3000-01-02 15:04",
"use_extended_paths": true,
"extended_paths": {
"ignored": [],
"white_list": [
{"path":"/users/mobiles/{smartPhoneId}/{pushToken}","method_actions":{"PUT":{"action":"no_action"},"DELETE":{"action":"no_action"}}},
{"path":"/users","method_actions":{"GET":{"action":"no_action"}}},
{"path":"/objects/boxnumber/{boxNumber}/serialnumber/{serialNumber}","method_actions":{"PUT":{"action":"no_action"},"GET":{"action":"no_action"},"DELETE":{"action":"no_action"}}},
{"path":"/objects","method_actions":{"POST":{"action":"no_action"},"GET":{"action":"no_action"}}},
{"path":"/data/boxnumber/{boxNumber}/serialnumber/{serialNumber}/code/{code}","method_actions":{"GET":{"action":"no_action"},"POST":{"action":"no_action"}}},
{"path":"/data","method_actions":{"POST":{"action":"no_action"}}},
{"path":"/shares","method_actions":{"GET":{"action":"no_action"},"POST":{"action":"no_action"},"DELETE":{"action":"no_action"}}},
{"path":"/subscriptions/preconditions","method_actions":{"GET":{"action":"no_action"}}},
{"path":"/subscriptions/{id}/suspend","method_actions":{"PUT":{"action":"no_action"}}},
{"path":"/subscriptions/{id}/configure","method_actions":{"PUT":{"action":"no_action"}}},
{"path":"/subscriptions/{id}/resume","method_actions":{"PUT":{"action":"no_action"}}},
{"path":"/subscriptions/{id}/cancel","method_actions":{"PUT":{"action":"no_action"}}},
{"path":"/subscriptions","method_actions":{"POST":{"action":"no_action"},"GET":{"action":"no_action"}}},
{"path":"/objectmodels/{id}/partnerUri","method_actions":{"PUT":{"action":"no_action"}}},
{"path":"/objectmodels","method_actions":{"POST":{"action":"no_action"},"GET":{"action":"no_action"}}},
{"path":"/action","method_actions":{"POST":{"action":"no_action"}}},
{"path":"/organizations/repositories","method_actions":{"GET":{"action":"no_action"},"PUT":{"action":"no_action"},"DELETE":{"action":"no_action"}}},
{"path":"/repositories/{repositoryName}","method_actions":{"GET":{"action":"no_action"},"DELETE":{"action":"no_action"}}},
{"path":"/repositories","method_actions":{"PUT":{"action":"no_action"}}},
{"path":"/buckets/boxnumber/{boxNumber}/serialnumber/{serialNumber}/code/{code}","method_actions":{"GET":{"action":"no_action"}}},
{"path":"/offers","method_actions":{"GET":{"action":"no_action"}}},
{"path":"/pictures","method_actions":{"GET":{"action":"no_action"}}},
{"path":"/authentication/two-factor/code/{code}","method_actions":{"PUT":{"action":"no_action"}}},
{"path":"/authentication/two-factor/code","method_actions":{"POST":{"action":"no_action"}}},
{"path":"/scripts/{serviceName}/{functionName}","method_actions":{"POST":{"action":"no_action"}}} ],
"black_list": []
}
}
}
},
"proxy": {
"listen_path": "/hub/v2/",
"target_url": "http://mediation:8080/mediation-api/v2/",
"strip_listen_path": true
},
"enable_batch_request_support": false
}
Add a Tyk policy for this new API openApi:
{
  "default": {
    "access_rights": {
      "openApi": {
        "allowed_urls": [],
        "api_id": "openApi",
        "api_name": "moussiApi",
        "versions": [
          "Default"
        ]
      }
    },
    "active": true,
    "name": "default",
    "rate": 100,
    "per": 1,
    "quota_max": 10000,
    "quota_renewal_rate": 3600,
    "tags": ["Startup Users"]
  }
}
Modify tyk.conf to attach the policies by adding these lines:
{"policies": {
"policy_source": "file",
"policy_record_name": "./policies/policies.json"
}
}
Reload the Tyk configuration:
curl -X GET http://localhost:8082/tyk/reload/ \
  -H 'x-tyk-authorization: 352d20ee67be67f6341b4c0605b044b8'
Use the new API
Create a new OAuth client:
curl -X POST http://localhost:8082/tyk/oauth/clients/create \
  -H 'content-type: application/json' \
  -H 'x-tyk-authorization: 352d20ee67be67f6341b4c0605b044b8' \
  -d '{ "api_id": "openApi", "redirect_uri": "http://www.myuri.fr" }'
Generate an access token:
curl -X POST http://localhost:8082/hub/v2/oauth/token/ \
  -H 'Authorization: Basic MGFmYjBmYWUzYmZkNDNlZDQ0YzhjYTlkNWFiYWIwN2E6T0dKaU5qVXhZak10WXpObU9DMDBZVFkwTFRZME1HUXRabVZoT1dRMU1qTTBNalk4' \
  -H 'content-type: application/x-www-form-urlencoded' \
  -d 'client_id=0afb0fae3bfd43ed44c8ca9d5abab07a&client_secret=OGJiNjUxYjMtYzNmOC00YTY0LTY0MGQtZmVhOWQ1MjM0MjY4&grant_type=client_credentials'
Unfortunately, when generating the access token with the client_credentials grant type I get this error:
{"error":"server_error","error_description":"The authorization server encountered an unexpected condition that prevented it from fulfilling the request."}
time="Jan 8 13:29:53" level=info msg="Getting client ID:0afb0fae3bfd43ed44c8ca9d5abab07a"
time="Jan 8 13:29:54" level=info msg="[OAuth] Generating new token"
time="Jan 8 13:29:54" level=error msg="ERROR: Couldn't use policy or key rules to create token, failing"
time="Jan 10 08:45:54" level=info msg="Initiating reload"
time="Jan 10 08:45:54" level=info msg="Reload URL Structure - Scheduled"
time="Jan 10 08:46:04" level=info msg="Loading API Specification from /USR/newtprod/tyk/apps/app_api_oauth_v2_oauth2.json"
time="Jan 10 08:46:04" level=info msg="Detected 1 APIs"
time="Jan 10 08:46:04" level=info msg="Loading API configurations."
time="Jan 10 08:46:04" level=info msg="--> Loading API: api_oauth_v2_oauth2"
time="Jan 10 08:46:04" level=info msg="----> Tracking: (no host)"
time="Jan 10 08:46:04" level=info msg="----> Checking security policy: OAuth"
time="Jan 10 08:46:04" level=info msg="----> Setting Listen Path: /hub/v2/"
time="Jan 10 08:46:04" level=info msg="Loading uptime tests..."
time="Jan 10 08:46:04" level=info msg="Initialised API Definitions"
time="Jan 10 08:46:04" level=info msg="API reload complete"
time="Jan 10 08:59:24" level=info msg="Getting client ID:14b2ac609a35405169ee3804db1ab406"
time="Jan 10 08:59:24" level=info msg="[OAuth] Generating new token"
time="Jan 10 08:59:24" level=error msg="ERROR: Couldn't use policy or key rules to create token, failing"
Please advise. Thanks
Answer 0 (score: 1)
I have just completed a full authentication using this OAuth2 access flow.
Note that you may have to restart the tyk service; a simple reload will not load the new policies into memory.
I described this in an article I posted a few days ago.
https://dzone.com/articles/tyk-management-api-oauth2-client-credentials-flow
Answer 1 (score: 0)
Can you share the gateway's logs when doing the hot reload? Just to confirm that the policy is being loaded. It may not be loading, in which case it can't be found.
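Both answers point at the same thing: the gateway had no usable policy in memory when it tried to build the token, which is what "Couldn't use policy or key rules to create token" reports. Before chasing a restart, it is worth statically cross-checking the three artefacts the question posts, since a token for the client_credentials grant is built from the policy attached to the OAuth client, and that policy has to exist, be active and grant access to the API and version the client targets. The script below is an added example, not code from the question, the answers or the Tyk project. The sample API definition, policy and client are constructed from the values in the question; the `policy_id` field on the OAuth client record is an assumption about how the client is linked to the policy (the create call in the question sets only `api_id` and `redirect_uri`), and which of the listed mismatches applied in the poster's case the thread does not settle.

```python
"""Added example: static cross-check of a Tyk API definition, a file-based
policies.json and an OAuth client record before requesting a client_credentials
token, plus the Authorization header and form body the /oauth/token call needs.
Inputs are constructed from the question; the client's policy_id is an assumption."""
import base64
from urllib.parse import urlencode

# Constructed: trimmed copy of the API definition posted in the question.
API_DEF = {
    "name": "api_oauth_v2_oauth2",
    "api_id": "openApi",
    "use_oauth2": True,
    "oauth_meta": {
        "allowed_access_types": ["authorization_code", "refresh_token", "client_credentials"],
        "allowed_authorize_types": ["code", "token"],
    },
    "version_data": {"not_versioned": True, "versions": {"Default": {"name": "Default"}}},
    "proxy": {"listen_path": "/hub/v2/"},
}

# Constructed: the policies.json from the question, keyed by policy ID.
POLICIES = {
    "default": {
        "access_rights": {
            "openApi": {"allowed_urls": [], "api_id": "openApi",
                        "api_name": "moussiApi", "versions": ["Default"]}
        },
        "active": True, "name": "default", "rate": 100, "per": 1,
        "quota_max": 10000, "quota_renewal_rate": 3600, "tags": ["Startup Users"],
    }
}

CLIENT_ID = "0afb0fae3bfd43ed44c8ca9d5abab07a"
CLIENT_SECRET = "OGJiNjUxYjMtYzNmOC00YTY0LTY0MGQtZmVhOWQ1MjM0MjY4"


def check_client_credentials_setup(api_def, policies, client):
    """Return the list of mismatches that would leave Tyk without key rules for a
    client_credentials token. An empty list means the static config is consistent;
    it says nothing about whether the running gateway has the policy loaded."""
    problems = []
    api_id = api_def["api_id"]
    meta = api_def.get("oauth_meta", {})
    if not api_def.get("use_oauth2"):
        problems.append("use_oauth2 is false on the API definition")
    if "client_credentials" not in meta.get("allowed_access_types", []):
        problems.append("client_credentials is not in oauth_meta.allowed_access_types")
    if client.get("api_id") != api_id:
        problems.append(f"OAuth client api_id {client.get('api_id')!r} != API api_id {api_id!r}")
    policy_id = client.get("policy_id")  # assumed link from client record to policy
    if not policy_id:
        problems.append("OAuth client has no policy_id, so there is no policy to build the token from")
        return problems
    policy = policies.get(policy_id)
    if policy is None:
        problems.append(f"policy {policy_id!r} is not defined in the policies file")
        return problems
    if not policy.get("active"):
        problems.append(f"policy {policy_id!r} is not active")
    rights = policy.get("access_rights", {}).get(api_id)
    if rights is None:
        problems.append(f"policy {policy_id!r} grants no access_rights for API {api_id!r}")
        return problems
    if rights.get("api_id") != api_id:
        problems.append("access_rights entry key and its api_id field disagree")
    known_versions = set(api_def["version_data"]["versions"])
    for version in rights.get("versions", []):
        if version not in known_versions:
            problems.append(f"policy grants version {version!r}, API only defines {sorted(known_versions)}")
    return problems


def basic_auth_header(client_id, client_secret):
    """HTTP Basic credential for the token endpoint: Base64 of 'client_id:client_secret'."""
    raw = f"{client_id}:{client_secret}".encode("ascii")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic_auth_header(header):
    """Inverse of basic_auth_header, to confirm a pasted header carries the expected pair."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    client_id, _, client_secret = base64.b64decode(token).decode("ascii").partition(":")
    return client_id, client_secret


def token_request_body(client_id, client_secret):
    """x-www-form-urlencoded body for the client_credentials grant, as in the question."""
    return urlencode({"client_id": client_id, "client_secret": client_secret,
                      "grant_type": "client_credentials"})


if __name__ == "__main__":
    # The create call in the question sets only api_id and redirect_uri.
    client_as_posted = {"api_id": "openApi", "redirect_uri": "http://www.myuri.fr"}
    client_with_policy = dict(client_as_posted, policy_id="default")
    for label, client in (("as posted", client_as_posted), ("with policy_id", client_with_policy)):
        print(label + ":", check_client_credentials_setup(API_DEF, POLICIES, client) or "consistent")
    print(basic_auth_header(CLIENT_ID, CLIENT_SECRET))
    print(token_request_body(CLIENT_ID, CLIENT_SECRET))
```

Run it against your own exported API definition and policies.json by replacing the constructed dictionaries. If the checker reports nothing and the gateway still logs "Couldn't use policy or key rules", the remaining suspect is the in-memory policy store, which is exactly the case the two answers address: confirm in the reload logs that the policy file is read, and restart the service if a hot reload does not pick it up.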