Access token to identity token

Hi Arash,

Why not just use a JWT with a centralised JWT setup (you would need to compile the develop branch, as it’s not in the cut release yet)? Then your workflow is:

  1. A user calls our authentication server (AS) and logs in.
  2. The AS generates a signed JWT with all the required metadata in the claims (identity field, policy to use, whatever data your back end requires).
  3. The JWT has a half hour expiration.
  4. User uses JWT to access Tyk.

In the centralised JWT scenario, Tyk will validate the claims with a public key, so you can be assured claims are correct. And then your back end can just use the metadata in the claims of the JWT for UserID info.

Tyk will keep track of an internal “Virtual” token for the identity (this is a hash of the identity field), so it is re-usable across JWTs without having to generate a corresponding key in Tyk.

Cheers,
Martin
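
The workflow described in the post above, as an added Go example that is not part of the original post and is not Tyk's own code: `Issue` plays the authentication server and `Verify` plays the gateway's checks. Assumptions: RS256 as the signature algorithm, `sub` and `pol` as the claim names for the identity field and the policy, SHA-256 as a stand-in for whatever hash Tyk applies to the identity field, and a throwaway key (`demoKey`) generated at start-up.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)
var b64 = base64.RawURLEncoding
var demoKey, _ = rsa.GenerateKey(rand.Reader, 2048) // throwaway key, constructed for this example
type Claims struct {
	Sub string `json:"sub"` // identity field (claim name is an assumption)
	Pol string `json:"pol"` // policy to apply (claim name is an assumption)
	Exp int64  `json:"exp"` // expiry, Unix seconds
}
// Issue plays the AS: an RS256-signed JWT that expires after half an hour.
func Issue(key *rsa.PrivateKey, sub, pol string, now time.Time) string {
	body, _ := json.Marshal(Claims{sub, pol, now.Add(30 * time.Minute).Unix()})
	msg := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	sum := sha256.Sum256([]byte(msg))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sum[:])
	return msg + "." + b64.EncodeToString(sig)
}
// Verify plays the gateway: pin RS256, check the signature, then the claims.
func Verify(pub *rsa.PublicKey, tok string, now time.Time) (c Claims, id string, err error) {
	p := strings.Split(tok, ".")
	if len(p) != 3 {
		return c, "", fmt.Errorf("malformed token")
	}
	var h struct{ Alg string }
	hdr, _ := b64.DecodeString(p[0])
	sig, _ := b64.DecodeString(p[2])
	sum := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if json.Unmarshal(hdr, &h) != nil || h.Alg != "RS256" || rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig) != nil {
		return c, "", fmt.Errorf("wrong algorithm or bad signature")
	}
	body, _ := b64.DecodeString(p[1]) // claims are read only after the signature checks out
	if json.Unmarshal(body, &c) != nil || c.Sub == "" || now.Unix() >= c.Exp {
		return Claims{}, "", fmt.Errorf("invalid or expired claims")
	}
	return c, fmt.Sprintf("%x", sha256.Sum256([]byte(c.Sub))), nil // stable per-identity hash
}
func main() {
	fmt.Println(Verify(&demoKey.PublicKey, Issue(demoKey, "user-42", "policy-a", time.Now()), time.Now()))
}
```

Two tokens issued for the same identity yield the same hash, which is why no per-token key has to be created at the gateway.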