Hi.
I am using tyk-gateway docker.
How do I add external_oauth in OAS? I tried adding it under “securitySchemes” but the API responds with the following message:
components.securitySchemes.keycloak_oauth: Must validate one and only one schema (oneOf)\ncomponents.securitySchemes.keycloak_oauth: $ref is required
Can someone point me in the right direction where the “external_oauth” definition block should be inserted?
Olu
August 28, 2023, 11:00am
Hello @shinneng and welcome to the community.
Could you share where you added the external auth middleware in your api_definition?
I assume you followed this doc guide on how to add it.
"x-tyk-api-gateway": {
  "info": {},
  "upstream": {},
  "server": {
    "listenPath": {},
    "authentication": {
      "enabled": true,
      "securitySchemes": {
        "keycloak_oauth": {
          "enabled": true,
          "header": {
            "enabled": true,
            "name": "Authorization"
          },
          "providers": [
            {
              "introspection": {
                "enabled": true,
                "url": "http://localhost:8080/realms/tyk/protocol/openid-connect/token/introspect",
                "clientId": "introspection-client",
                "clientSecret": "DKyFN0WXu7IXWzR05QZOnnSnK8uAAZ3U",
                "identityBaseField": "sub",
                "cache": null
              }
            }
          ]
        }
      }
    }
  }
}
How do I implement keycloak_oauth on a specific endpoint? E.g. /test/createUser requires keycloak_oauth but not /test/userInfo:
e.g.
{
  "components": {},
  "info": {
    "title": "test_oauth2",
    "version": "1.0"
  },
  "openapi": "3.0.3",
  "paths": {},
  "security": [],
  "servers": [
    {
      "url": "http://127.0.0.1:9000/test/"
    },
    {
      "url": "http://echo.tyk-demo.com:8080/"
    }
  ],
  "x-tyk-api-gateway": {
    "info": {
      "id": "",
      "name": "test_oauth2",
      "state": {
        "active": true
      }
    },
    "upstream": {
      "url": "http://echo.tyk-demo.com:8080/"
    },
    "server": {
      "listenPath": {
        "value": "/test/",
        "strip": true
      },
      "authentication": {
        "enabled": true,
        "securitySchemes": {
          "keycloak_oauth": {
            "enabled": true,
            "header": {
              "enabled": true,
              "name": "Authorization"
            },
            "providers": [
              {
                "introspection": {
                  "enabled": true,
                  "url": "http://localhost:8080/realms/tyk/protocol/openid-connect/token/introspect",
                  "clientId": "introspection-client",
                  "clientSecret": "DKyFN0WXu7IXWzR05QZOnnSnK8uAAZ3U",
                  "identityBaseField": "sub",
                  "cache": null
                }
              }
            ]
          }
        }
      }
    }
  }
}
Olu
September 4, 2023, 4:03pm
I am not sure I fully understand, but I assume you have 2 endpoints:
/test/createUser should be auth protected
/test/userInfo should have no authentication
If this is the case, then what you are looking for is an ignore/allowance middleware operation.
Just to confirm, did you get KeyCloak working?
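Why the first post's attempt is rejected, as an added example that is not part of the thread and not Tyk's own validator: OpenAPI 3.0 accepts an entry under components.securitySchemes only if it is a `$ref` or one of four typed schemes, so the gateway keys (`enabled`, `header`, `providers`) fail there. The function name, the `TYK_ONLY` set and both sample documents are constructed for illustration.

```python
# Required fields per security scheme type (OpenAPI 3.0 specification).
REQUIRED = {
    "apiKey": {"name", "in"},
    "http": {"scheme"},
    "oauth2": {"flows"},
    "openIdConnect": {"openIdConnectUrl"},
}
# Optional fields a type may carry besides "type" and "description".
OPTIONAL = {"http": {"bearerFormat"}}
# Gateway-side keys seen in this thread; they are not OpenAPI fields (assumption: list not exhaustive).
TYK_ONLY = {"enabled", "header", "providers"}


def lint_security_schemes(doc):
    """Return a list of findings for components.securitySchemes."""
    findings = []
    schemes = (doc.get("components") or {}).get("securitySchemes") or {}
    for name, scheme in schemes.items():
        where = f"components.securitySchemes.{name}"
        if "$ref" in scheme:  # Reference Object: nothing else to check here
            continue
        keys, kind = set(scheme), scheme.get("type")
        if kind not in REQUIRED:
            findings.append(f"{where}: missing or unknown 'type' and no '$ref'")
        else:
            for field in sorted(REQUIRED[kind] - keys):
                findings.append(f"{where}: type '{kind}' requires '{field}'")
        allowed = {"type", "description"} | REQUIRED.get(kind, set()) | OPTIONAL.get(kind, set())
        # "x-" extension keys are always permitted by the specification.
        for key in sorted(k for k in keys - allowed if not k.startswith("x-")):
            hint = " (gateway setting; this thread keeps it under x-tyk-api-gateway)" if key in TYK_ONLY else ""
            findings.append(f"{where}: unexpected key '{key}'{hint}")
    return findings


# Constructed sample: the gateway block placed where an OpenAPI scheme belongs.
MISPLACED = {"components": {"securitySchemes": {"keycloak_oauth": {
    "enabled": True,
    "header": {"enabled": True, "name": "Authorization"},
    "providers": [{"introspection": {"enabled": True}}],
}}}}
# Constructed sample: a plain OpenAPI oauth2 scheme (flows left empty for brevity).
WELL_FORMED = {"components": {"securitySchemes": {"keycloak_oauth": {
    "type": "oauth2", "flows": {}}}}}

if __name__ == "__main__":
    for line in lint_security_schemes(MISPLACED):
        print(line)
```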