Is it possible to customize Tyk to implement the following authorization flow? If so, what is the best way?
- OAuth module takes some values from headers (some custom claims) and calls internal token web service to get session token from underlying web service.
- Token service returns its own session token, which we need to encrypt. That encrypted internal token now becomes the OAuth token that OAuth module returns back (instead of just generating some random session token).
- On every request our client sends us this OAuth token, which (besides being checked on revocation/expiration in Tyk internal session store – this is standard Tyk behavior) should be decrypted and passed along with every request to internal API.
The following diagram represents the desired flow:
Authentication:
external — claim -----------> Tyk (stores encrypted token) -----claim —> Token service
external <- encrypted token — Tyk <— token — Token service
subsequent requests:
external -------encrypted token --> Tyk ---------------------> decrypted token --> Token service
Here is my understanding of the (only?) way to implement this in Tyk:
- Tyk custom JS middleware gets the custom claim from the request headers and calls Token Service to get a token using TykMakeHTTPRequest.
- Token Service returns its own session token. Encrypt the token and store it using TykSetKeyData.
- On subsequent requests, the external service sends the (encrypted) token, which should work, since we saved it in the session store.
Is this customization do-able? Is using the JS custom middleware API the best way of accomplishing the task?