Connecting to Google Cloud with JWT

I’m trying to provide path-based access to a Google Cloud API and I’m trying to work out if this is doable in Tyk Cloud.

  1. The user will authenticate through Tyk using an OAuth token, that will be checked against an Auth0 provider.
  2. If they are authenticated, I need to check if they have access to the current resource before proceeding, by some kind of callback to our own API (??)
  3. Then pass them through to the Google Cloud API using a service account and JWT, which returns the resource.

Item 1 seems easy enough and is documented at Worked Example - API with OpenIDC Using Auth0.

Item 2 seems achievable with:

  • a custom plugin, however I can’t tell how or if these will run on Tyk Cloud? The documentation is thin.
  • a Tyk IDP?

Item 3 requires storing a JWT in Tyk to pass to Google, but I can't find anything on this topic.

Unfortunately, the third-party components we are using are not particularly well documented, so I can’t work out whether I’m trying to do stuff that isn’t possible, the architecture is wrong, or I just can’t find what I’m looking for.

Any help or advice appreciated.

Hi @chris_skene, welcome to the community. Let me answer some of your questions below:

  • a custom plugin, however I can’t tell how or if these will run on Tyk Cloud? The documentation is thin.

Have you gone through our using plugins doc page? It details how it can work on Tyk Cloud using S3 buckets.

Item 3 requires storing a JWT in Tyk to pass to Google, but I can't find anything on this topic.

You might want to store the JWT temporarily in Redis. The store_data and get_data of the Python API could be useful in achieving this.

Hope this helps.

Thanks @Olu.

I have since found the plugins docs, but thanks for pointing it out.

Could the JWT also be set using the Config Data section or by modifying the headers on an endpoint (e.g. using the Endpoint designer)? I’m not clear on what direction those things are going in…

From my understanding, the Config Data would only be useful within the middleware process. You would not be able to access it afterwards. The opposite is true for headers. Users would be able to have access to this.

Hope this helps.
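As an added illustration (not code from the thread, Tyk, or Google), the following Python module shows the shape of what Olu's two replies describe for item 3: a plugin builds the service-account assertion that Google's token endpoint expects (claims `iss`, `scope`, `aud`, `iat`, `exp`), caches it in a keyed store with a TTL so it is not re-signed on every request, and injects it into the upstream request headers rather than exposing it to the client. Assumptions: the `ExpiringStore` class is an in-memory stand-in with the same `store_data(key, value, ttl)` / `get_data(key)` shape as the calls Olu mentions; the signer is HMAC-SHA256 purely so the block runs offline with the standard library, whereas a real Google service-account assertion is RS256 signed with the service account's private key; the service-account e-mail, scope and key are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Callable, Dict, Optional

# Google's OAuth 2.0 token endpoint; a service-account JWT assertion must
# carry it as the "aud" claim and is exchanged there for an access token.
GOOGLE_TOKEN_URI = "https://oauth2.googleapis.com/token"
JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT segments require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_assertion_claims(sa_email: str, scope: str, now: int, lifetime: int = 3600) -> Dict:
    """Claims Google expects in a service-account assertion (lifetime at most 1 hour)."""
    return {"iss": sa_email, "scope": scope, "aud": GOOGLE_TOKEN_URI, "iat": now, "exp": now + lifetime}


def encode_jwt(claims: Dict, sign: Callable[[bytes], bytes], alg: str) -> str:
    """Serialise header.claims.signature; `sign` is injected so the key never lives in this module."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = b64url(json.dumps(header, separators=(",", ":")).encode()) + "." + \
        b64url(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    return signing_input + "." + b64url(sign(signing_input.encode()))


def decode_claims(token: str) -> Dict:
    """Read the claims segment back (no signature check; only used here to inspect what was issued)."""
    return json.loads(b64url_decode(token.split(".")[1]))


class ExpiringStore:
    """In-memory stand-in (assumption) for a keyed store with TTL, e.g. Redis behind store_data/get_data."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._items: Dict[str, tuple] = {}
        self._clock = clock

    def store_data(self, key: str, value: str, ttl: int) -> None:
        self._items[key] = (value, self._clock() + ttl)

    def get_data(self, key: str) -> Optional[str]:
        item = self._items.get(key)
        if item is None:
            return None
        value, expires_at = item
        if self._clock() >= expires_at:
            del self._items[key]  # evict lazily once the TTL has passed
            return None
        return value


def get_assertion(store: ExpiringStore, sa_email: str, scope: str, sign: Callable[[bytes], bytes],
                  alg: str, clock: Callable[[], float] = time.time,
                  lifetime: int = 3600, skew: int = 60) -> str:
    """Return a cached assertion, minting a new one only when the cached copy is gone.

    The cache TTL is shorter than the JWT lifetime so a token is never served
    from the store within `skew` seconds of its own expiry."""
    key = f"gcp-assertion:{sa_email}:{scope}"
    cached = store.get_data(key)
    if cached is not None:
        return cached
    now = int(clock())
    token = encode_jwt(build_assertion_claims(sa_email, scope, now, lifetime), sign, alg)
    store.store_data(key, token, lifetime - skew)
    return token


def token_exchange_body(assertion: str) -> Dict[str, str]:
    """Form fields the gateway POSTs to GOOGLE_TOKEN_URI to trade the assertion for an access token."""
    return {"grant_type": JWT_BEARER_GRANT, "assertion": assertion}


def inject_upstream_auth(client_headers: Dict[str, str], credential: str) -> Dict[str, str]:
    """Headers for the upstream call: the client's own Authorization (its Auth0 token) is
    replaced by the gateway-held credential, so the client never sees or supplies it."""
    upstream = {k: v for k, v in client_headers.items() if k.lower() != "authorization"}
    upstream["Authorization"] = f"Bearer {credential}"
    return upstream


def hmac_signer(secret: bytes) -> Callable[[bytes], bytes]:
    """Stand-in signer for the offline demo; Google requires RS256 with the service-account key."""
    return lambda data: hmac.new(secret, data, hashlib.sha256).digest()


if __name__ == "__main__":
    # Constructed sample values, not a real service account.
    store = ExpiringStore()
    sign = hmac_signer(b"constructed-demo-secret")
    jwt = get_assertion(store, "svc@example-project.iam.gserviceaccount.com",
                        "https://www.googleapis.com/auth/cloud-platform", sign, "HS256")
    print(decode_claims(jwt))
    print(inject_upstream_auth({"Authorization": "Bearer auth0-user-token", "Accept": "application/json"}, jwt))
```

The design point is the two-layer separation: the assertion's claims live in the JWT and are validated by Google, while the cache key and TTL are the gateway's own concern; keeping the cache TTL below the JWT lifetime avoids handing an about-to-expire assertion to a request that is still in flight.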