External identity database

Imported Google Group message. Import Date: 2016-01-19 21:10:09 +0000.
Sender: Ladislav Gazo.
Date: Saturday, 18 April 2015 15:20:03 UTC+1.

Hi,

Is it possible to connect Tyk to an external identity database where credentials are stored? I want to build an SPA where Tyk creates authentication tokens and accepts them from an HTTP header (auth_header_name), but does the authentication against an external identity database/system.

Optionally, is it possible to combine this kind of authentication with the Facebook sign-in process?

Thank you.

Ladislav

Imported Google Group message.
Sender: Martin Buhr.
Date: Saturday, 18 April 2015 16:09:28 UTC+1.

It is, you can, but you’d need to build the Storage Handler yourself - a good example of something that does this is the LDAP handler in the master branch. This is probably the most efficient thing you could do; we can help with that if you like. The flow here would be request -> tyk -> 3rd party storage -> tyk -> upstream API.

Alternatively, you could use the JavaScript plugin system to talk to your auth DB pre-authentication (if it has an API) to validate a key (the key would also need to be stored in Tyk); so long as the key is in the DB you should be OK. If you don’t need the keys to match, you could just have a single Tyk key which you inject as a header and pass through the machinery. I don’t think this approach would be that performant though.

As for Facebook, I’m really not sure. You want to authenticate against Facebook, then create a token and give it to the user? If that’s the case I would handle the authentication against FB manually, then have the reply hook generate a token with Tyk and assign it to the user; you can then manage the identity/token relationship locally and use FB to provide identity.

Not sure how helpful that is.

Thanks,
Martin


Imported Google Group message.
Sender: Ladislav Gazo.
Date: Monday, 20 April 2015 12:10:47 UTC+1.

Now I understand that Tyk handles only the key management, but the login should be handled by my backend. Then I am also responsible for requesting a key from Tyk and sending it back to the client within a response.

The idea with Facebook looks something like SSO, where my application offers login via my authority and also via FB, Google, … So I tried to solve the scenario where:

  • my authority will be using OAuth2 in Tyk
  • Tyk OAuth2 redirects to my backend login / authentication, but Tyk manages the keys
  • in case of Facebook login, FB redirects back to my API covered by Tyk with a whitelisted URL. This URL points to my backend, which in turn should call Tyk to register the access_token in Tyk? Would that work?

On Saturday, 18 April 2015 17:09:28 UTC+2, Martin Buhr wrote:


Imported Google Group message.
Sender: Martin Buhr.
Date: Tuesday, 21 April 2015 14:06:00 UTC+1.

Hi Ladislav,

Regarding the FB login, yes, that could work. A little convoluted, but it could work :)

If you are using the OAuth2 flow then yes, you will need to build a special page to manage all the redirects and logins. If you are using the pass-through flow, then keys will be managed for you by Tyk, and Tyk will take care of authenticating OAuth requests that come through it in the normal way.

As I said, if you want to generate your own keys, or validate keys against a different DB, you’ll need some code, but your scenario above sounds like it will work without having to learn golang :)

Thanks,
Martin

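
The backend-side flow agreed on in this thread (the backend authenticates against its own identity store, then asks Tyk to mint a key and hands it to the SPA, which sends it back in the configured auth header), as an added Python sketch that is not code from the thread or from the Tyk project. The identity records, the `fake_tyk_post` transport and the `<TYK_SECRET>`/`<API_ID>` placeholders are constructed; the body shape sent to the gateway's `/tyk/keys/create` endpoint is an assumption to check against the Tyk Gateway API docs for your version.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed identity store: username -> (salt, PBKDF2-SHA256 hash). Tyk never
# sees these credentials; it only sees the key the backend asks it to create.
def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

_SALT = b"constructed-salt"
IDENTITY_DB = {"alice": (_SALT, _pbkdf2("correct horse", _SALT))}

def authenticate(username: str, password: str) -> bool:
    """Check credentials against the external identity DB without leaking timing."""
    record = IDENTITY_DB.get(username)
    if record is None:
        _pbkdf2(password, _SALT)  # same cost for unknown users as for wrong passwords
        return False
    salt, expected = record
    return hmac.compare_digest(_pbkdf2(password, salt), expected)

def tyk_key_request(gateway: str, secret: str, api_id: str, username: str, ttl: int) -> tuple:
    """Build the gateway call that asks Tyk to mint a key (assumed request shape)."""
    body = {
        "expires": int(time.time()) + ttl,  # Tyk enforces expiry; assumed unix-epoch field
        "access_rights": {api_id: {"api_id": api_id, "versions": ["Default"]}},
        "meta_data": {"identity": username},  # keep the identity/token link, per the thread
    }
    headers = {"x-tyk-authorization": secret, "Content-Type": "application/json"}
    return (f"{gateway}/tyk/keys/create", headers, json.dumps(body))

def login(username, password, post, gateway="http://tyk:8080",
          secret="<TYK_SECRET>", api_id="<API_ID>", ttl=3600) -> dict:
    """Backend login handler: authenticate locally, then return a Tyk-issued key."""
    if not authenticate(username, password):
        return {"status": 401, "body": {"error": "invalid credentials"}}
    url, headers, body = tyk_key_request(gateway, secret, api_id, username, ttl)
    reply = post(url, headers, body)  # injectable transport; use an HTTP client in production
    if reply.get("status") != "ok" or "key" not in reply:
        return {"status": 502, "body": {"error": "key issuance failed"}}
    return {"status": 200, "body": {"token": reply["key"]}}

def fake_tyk_post(url, headers, body) -> dict:
    """Constructed stand-in for the gateway so the example runs offline."""
    if not url.endswith("/tyk/keys/create") or not headers.get("x-tyk-authorization"):
        return {"status": "error"}
    return {"key": secrets.token_hex(16), "status": "ok", "action": "added"}
```

The SPA then sends the returned token in the header named by auth_header_name, and Tyk validates it on every request without touching the identity store again.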