I started looking at Tyk for our API gateway and it looks very promising however I am confused about what the exact workflow will be.
Here’s our use case. We have a platform with a number of microservices providing APIs that mobile apps can call and consume. If we wanted to translate the access tokens to tokens that include user information (identity tokens) that are only available inside our system, would the following work?
- A user calls our authentication server (AS) and logs in.
- At this time AS calls Tyk and creates an access key with user-specific metadata (e.g. userID etc.) with a half-hour expiration.
- AS returns a JWT to the user that includes the appropriate “kid” and is signed by the correct secret.
- User calls our APIs with that JWT as value of “Authorization” header.
- Tyk rewrites the headers of the inbound request with metadata of the key (e.g. userID) that microservices can consume.
- JWT token expires in half an hour, which is in sync with the Tyk access token.
Looking at the documentation this seems quite possible. However, it seems that Tyk is mostly targeted towards a developer workflow rather than an end-user workflow (i.e. handling calls by developers rather than managing user sessions, but I could be completely wrong). Does this workflow scale if we have millions of users and therefore hundreds of thousands of access tokens are live at any time?
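The six steps above, as an added self-contained illustration (not the poster's code and not Tyk's API): an in-memory dictionary stands in for the gateway key store, the authentication server registers a key with user metadata and a half-hour expiry, issues an HS256 JWT whose `kid` points at that key and whose `exp` matches the key expiry, and the gateway verifies the token and rewrites the upstream headers from the key metadata. The `X-User-*` header names, the `KEY_STORE` layout and the helper names are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed in-memory stand-in for the gateway's key store (not Tyk's API).
# kid -> {"secret": bytes, "expires": unix seconds, "metadata": {...}}
KEY_STORE = {}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_access_key(metadata: dict, ttl_seconds: int = 1800,
                      now: Optional[float] = None) -> tuple:
    """Step 2: AS registers a key carrying user metadata with a half-hour expiry."""
    now = time.time() if now is None else now
    kid = secrets.token_hex(8)
    secret = secrets.token_bytes(32)
    KEY_STORE[kid] = {"secret": secret,
                      "expires": int(now + ttl_seconds),
                      "metadata": dict(metadata)}
    return kid, secret


def issue_jwt(kid: str, secret: bytes, subject: str,
              now: Optional[float] = None) -> str:
    """Step 3: AS returns an HS256 JWT whose exp equals the key's expiry."""
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    payload = {"sub": subject, "iat": int(now), "exp": KEY_STORE[kid]["expires"]}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def gateway_process(request_headers: dict, now: Optional[float] = None) -> dict:
    """Steps 4-5: verify the inbound JWT, then rewrite headers from key metadata.

    Raises PermissionError on any failure; returns the headers to forward upstream.
    """
    now = time.time() if now is None else now
    auth = request_headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        raise PermissionError("missing bearer token")
    parts = auth[len("Bearer "):].split(".")
    if len(parts) != 3:
        raise PermissionError("malformed token")
    header = json.loads(_b64url_decode(parts[0]))
    # Pin the algorithm: the token header must never select how it is verified.
    if header.get("alg") != "HS256":
        raise PermissionError("unexpected alg")
    entry = KEY_STORE.get(header.get("kid"))
    if entry is None:
        raise PermissionError("unknown kid")
    expected = hmac.new(entry["secret"], (parts[0] + "." + parts[1]).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise PermissionError("bad signature")
    payload = json.loads(_b64url_decode(parts[1]))
    # Step 6: both the token's exp and the key's own expiry must still be in the future.
    if now >= payload.get("exp", 0) or now >= entry["expires"]:
        raise PermissionError("expired")
    # Overwrite, never merge: a client-supplied X-User-* header must not reach a microservice.
    upstream = {k: v for k, v in request_headers.items() if not k.startswith("X-User-")}
    upstream.pop("Authorization", None)
    for name, value in entry["metadata"].items():
        upstream["X-User-" + name] = str(value)
    return upstream


if __name__ == "__main__":
    kid, secret = create_access_key({"ID": "u-1001", "Plan": "gold"})
    token = issue_jwt(kid, secret, "u-1001")
    print(gateway_process({"Authorization": "Bearer " + token,
                           "X-User-ID": "u-9999", "Accept": "application/json"}))
```

Two design points the flow depends on: the gateway rewrites identity headers from the key store rather than trusting anything the client sent, and it checks expiry on both the token and the key, so revoking the key at the gateway ends the session even if a token with a valid signature is still in circulation.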