Grant multiple Tyk policies with JWT (granular access rights/rate limiting)

Marco · December 11, 2020, 1:51pm

Hi all !

I face an issue while using JWT with our CE of Tyk Gateway.
As for today, we grant a single “pol” claim while generating the JWT on our IDP (custom idp).
That was fine until we were asked to customize rate-limiting for specific routes.

I’ve checked Tyk possibilities among multiple policies (with granular access rights) but I can’t face how to be able to specify different rate-limiting for routes under the same API

To be more clear :

one api with /api path
another api with /api2 path
both proxyied by Tyk gateway to 2 different webapps
one single policy for both apis, with in consequence one single rate-limiting policy
policy is linked to token via “pol” claim in our JWT

the need :

being able to setup specific rate-limiting to one /api/xxx route, all other routes under /api/… should benefit of current policy (pol claim)

I wander if it can be done
If yes, is it by calling Tyk gateway api to grant multiple policies to token dynamically ?
If so, how can I specify the token/key I want to address these policies, being done that api keys are not pushed to Tyk for the moment (Tyk only validating the JWT with specified certificate and redirects to corresponding webapp regarding the api path (and forwarding the bearer token as a header))

Thank you all for your help, and do not hesitate to correct me if I make any mistake or misunderstanding while using Tyk

kr,
Marco

Marco · December 14, 2020, 3:40pm

I’ve tried with Granular route access rights, but as far as I’ve found, Tyk is merging access rights if allowed_urls are applied on same api

i.e. I can’t link “policy1” to allowed_url “/api/test” of api1 and “policy2” to “/api/test2” of api1 too

zaid · December 18, 2020, 2:37pm

Hello @Marco just to help me understand. Let’s say we have api1, api2, api3 and pol1.

pol1 has a rate limit of x req/day and what you want to do is override api1 rate limit to have y req/day and have api2 and api3 share x req/day. Correct?

Marco · December 18, 2020, 3:17pm

nope
in fact it’s customizing rate limiting for one specific route of a single Api

route /test/specific of api1 with y req/min
all other routes /test/… of api1 with x req/min

zaid · December 18, 2020, 3:36pm

Ahhh, I see. Well to be completely honest I don’t/don’t think this is possible with one API definition but I know that this behavior can be obtained with looping.

This is how you would set it up.

Setup api1 to handle all the traffic going to /test/specific with x rate limit
Setup api2 to handle all the traffic going to /test/{anything other than ‘specific’} with y rate limit

Finally loop those api calls to a api3 using the tyk:// protocol. api3 would be the current api that you have.

Here are the looping release notes. I am also planning on writing a blog about looping in the near future so I can let you know when that is out.

https://site-dev.tykbeta.com/docs/release-notes/version-2.8/#looping-example

Marco · December 18, 2020, 4:03pm

ok, thx for this workaround, I will have a look at those loops

zaid · December 29, 2020, 2:39pm

Here is a link to the looping docs that my colleague just created.

https://tyk.io/docs/advanced-configuration/transform-traffic/looping/