We are looking for an API Gateway that enforces authN and authZ for upstream APIs. It is not clear from the documentation whether Tyk can constrain access based on the user on whose behalf a client calls the upstream API.
Any clarifications or pointers to sections I have missed?
The documentation below should help you to enforce authN on your API:
Information on how to enforce policies via the Dashboard can also be found here.
For authZ, the Tyk Identity Broker could prove useful. Please see the documentation at the links below for more information:
Jess @ Tyk
I assume that’s the other way round: first link for authZ (== access control), 2nd and 3rd for authN.
I am still struggling. Am I correct in thinking that the policies apply to the keys, i.e. access tokens, generated by Tyk only? We want an end-user to authenticate with a third party, e.g. AD issuing an OIDC ID token. How do I specify access restrictions based on identity claims, e.g. roles?
As the Tyk Identity Broker acts as a bridge between Tyk and third party identity providers, it can be used to allow you to integrate with AuthZ.
Tyk does support OIDC, and roles and permissions are managed with the use of policies assigned to clients. It doesn't introspect identity claims directly, however.
More information regarding JWT and OIDC can be found in the links below:
Jess @ Tyk
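To make concrete what the question above is asking for (an end-user authenticates with a third-party IdP, and the gateway restricts upstream access from the roles carried in that user's token), here is an added, stand-alone illustration of the two checks a gateway has to perform: verify the ID token (signature, pinned algorithm, issuer, audience, expiry) and then map its `roles` claim onto a policy table before letting the request through. This is example code written for this thread, not Tyk's implementation or configuration; Tyk, as Jess notes, binds policies to client keys rather than introspecting claims. The HS256 shared secret, the issuer/audience strings, the `roles` claim name and the `ROLE_POLICIES` table are all constructed for the demo; a real deployment verifies with the IdP's public key (RS256/ES256) fetched from its JWKS endpoint.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the demo; a real gateway takes these from its config and
# verifies with the identity provider's public key, not a shared secret.
DEMO_SECRET = b"demo-shared-secret-not-for-production"
EXPECTED_ISSUER = "https://idp.example.test"
EXPECTED_AUDIENCE = "orders-api"

# Constructed policy table: a role claim value -> the (method, path) pairs it grants.
ROLE_POLICIES = {
    "orders:read": {("GET", "/orders")},
    "orders:admin": {("GET", "/orders"), ("POST", "/orders"), ("DELETE", "/orders")},
}


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    # JWT segments drop the '=' padding; restore it before decoding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_demo_token(claims, secret=DEMO_SECRET):
    """Stand-in for the IdP: build an HS256 token so the example runs offline."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token, secret=DEMO_SECRET, now=None):
    """AuthN step: validate signature, alg, iss, aud and exp; return the claims or raise."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token must never decide how it is verified ('none', alg confusion)
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != EXPECTED_AUDIENCE and not (isinstance(aud, list) and EXPECTED_AUDIENCE in aud):
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired")
    return claims


def allowed_routes(claims):
    """AuthZ step: union of routes granted by the token's roles; unknown roles grant nothing."""
    routes = set()
    for role in claims.get("roles", []):
        routes |= ROLE_POLICIES.get(role, set())
    return routes


def gateway_decision(token, method, path, now=None):
    """Return (allowed, reason) for one upstream request; the default is deny."""
    try:
        claims = verify_token(token, now=now)
    except ValueError as exc:
        return False, f"authn failed: {exc}"
    if (method, path) in allowed_routes(claims):
        return True, f"allowed for sub={claims.get('sub')}"
    return False, f"authz denied for sub={claims.get('sub')} on {method} {path}"


if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = mint_demo_token({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": "alice",
                           "exp": t0 + 300, "roles": ["orders:read"]})
    print(gateway_decision(tok, "GET", "/orders", now=t0))
    print(gateway_decision(tok, "POST", "/orders", now=t0))
```

The point of separating `verify_token` from `allowed_routes` is that a valid token from the right IdP is necessary but not sufficient: the `roles` (or `scope`, `groups`) claim still has to be mapped to an explicit allow-list, and anything not in that list is denied, including roles the gateway has never heard of.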