Controlling API access through OAuth tokens in Tyk (OSS)

We have created an OAuth API which generates the OAuth tokens with the steps below:

  1. Created an API definition and security policy as defined here.
  2. Created an OAuth client by giving client_id, policy_id and redirect_uri.
  3. Triggered the call to generate a token successfully.
  4. Used that token to call another API successfully. This API and the token API are added in the same security policy.

We want to have only one API which generates the OAuth tokens, and with this token the consumer should be able to call multiple APIs.

For this to work we need to add all the APIs in the same security policy. When an OAuth client is created, it will have access to all the APIs present in that security policy.

How can we restrict a consumer to call only a few APIs and not all of them?

For example, while creating a key we can specify the api_ids as an array, and using that key the consumer will have access to only those APIs.

How can we achieve the same if the consumer is using OAuth tokens, without creating multiple OAuth /token endpoints?

Has anyone implemented this before?

Do we have a scope concept in Tyk Gateway which can be used to restrict API access for an OAuth token?

Hey @Anup_Rai
We’d recommend using a 3rd Party IDP for this kind of flow. Implementing this directly on the gateway starts getting a bit tricky.
We do have a PR on GitHub, "[TT-3303] support more complex scope / role objects from JWT claims" by asoorm (Pull Request #3529, TykTechnologies/tyk), that seeks to deal with more complex scope handling.

Cheers, Gregor
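To make the two options in this thread concrete, here is an added example that is not part of the original posts or of Tyk's own code. It assumes a Tyk Gateway reachable at `$TYK_GW` with the admin secret `$TYK_SECRET`; every api_id and policy_id in it is a placeholder. The first function builds the per-key `access_rights` payload the question compares against (a key that can reach only two of three APIs), and the second prints the JWT fields of a classic Tyk API definition that map a space-separated `scope` claim issued by an external IdP onto Tyk policies, which is the gateway-side half of the third-party IdP flow the answer recommends. Which scope names your IdP issues, and the policy each one maps to, are assumptions you must replace.

```shell
#!/bin/sh
# Added example, not from the original thread or from Tyk.
# Assumes a Tyk Gateway at $TYK_GW and its admin secret in $TYK_SECRET.
TYK_GW="${TYK_GW:-http://localhost:8080}"
TYK_SECRET="${TYK_SECRET:-replace-with-gateway-secret}"

# A key created directly through the Gateway API carries its own
# access_rights, so it can be limited to a subset of APIs regardless of
# which policy the surrounding OAuth client uses. Here only the (placeholder)
# orders and catalogue APIs are reachable; a billing API is deliberately absent.
restricted_key_payload() {
  cat <<'EOF'
{
  "allowance": 1000, "rate": 1000, "per": 60,
  "quota_max": -1, "quota_renewal_rate": 3600, "expires": -1,
  "access_rights": {
    "orders-api-id":    { "api_id": "orders-api-id",    "api_name": "orders",    "versions": ["Default"] },
    "catalogue-api-id": { "api_id": "catalogue-api-id", "api_name": "catalogue", "versions": ["Default"] }
  }
}
EOF
}

# POST the key to the Gateway admin API (requires the x-tyk-authorization secret).
create_restricted_key() {
  restricted_key_payload | curl -s -X POST "$TYK_GW/tyk/keys/create" \
    -H "x-tyk-authorization: $TYK_SECRET" \
    -H 'Content-Type: application/json' \
    -d @-
}

# JWT fields for a classic Tyk API definition. Tokens are minted by an external
# IdP; Tyk reads the "scope" claim, splits it on spaces, and applies the policy
# mapped to each scope it finds. A token whose scope is "read:orders" therefore
# gets only the policy that grants the orders API. The policy ids and the
# base64-encoded public key are placeholders you must replace.
scope_mapped_api_fragment() {
  cat <<'EOF'
{
  "enable_jwt": true,
  "jwt_signing_method": "rsa",
  "jwt_source": "BASE64_PUBLIC_KEY_OR_JWKS_URL_PLACEHOLDER",
  "jwt_identity_base_field": "sub",
  "jwt_policy_field_name": "pol",
  "jwt_default_policies": [],
  "jwt_scope_claim_name": "scope",
  "jwt_scope_to_policy_mapping": {
    "read:orders":    "orders-only-policy-id",
    "read:catalogue": "catalogue-only-policy-id",
    "admin:billing":  "billing-policy-id"
  }
}
EOF
}

# Usage: ./tyk_scopes.sh create-key   (needs a running gateway)
#        ./tyk_scopes.sh show-jwt     (prints the API definition fragment)
case "${1:-}" in
  create-key) create_restricted_key ;;
  show-jwt)   scope_mapped_api_fragment ;;
esac
```

The `show-jwt` fragment is merged into the API definition of each protected API (it replaces the `use_oauth2` block, since the gateway no longer issues the tokens itself), and one narrow policy is created per scope so a consumer's token only ever expands to the APIs its scopes name. The PR linked in the answer is the work that extends this from flat space-separated scopes to richer scope/role claim objects.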