Grant multiple Tyk policies with JWT (granular access rights/rate limiting)

Hi all !

I face an issue while using JWT with our CE of Tyk Gateway.
As for today, we grant a single “pol” claim while generating the JWT on our IDP (custom idp).
That was fine until we were asked to customize rate-limiting for specific routes.

I’ve checked Tyk possibilities among multiple policies (with granular access rights) but I can’t face how to be able to specify different rate-limiting for routes under the same API

To be more clear :

  • one api with /api path
  • another api with /api2 path
  • both proxyied by Tyk gateway to 2 different webapps
  • one single policy for both apis, with in consequence one single rate-limiting policy
  • policy is linked to token via “pol” claim in our JWT

the need :

  • being able to setup specific rate-limiting to one /api/xxx route, all other routes under /api/… should benefit of current policy (pol claim)

I wander if it can be done
If yes, is it by calling Tyk gateway api to grant multiple policies to token dynamically ?
If so, how can I specify the token/key I want to address these policies, being done that api keys are not pushed to Tyk for the moment (Tyk only validating the JWT with specified certificate and redirects to corresponding webapp regarding the api path (and forwarding the bearer token as a header))

Thank you all for your help, and do not hesitate to correct me if I make any mistake or misunderstanding while using Tyk

kr,
Marco

I’ve tried with Granular route access rights, but as far as I’ve found, Tyk is merging access rights if allowed_urls are applied on same api

i.e. I can’t link “policy1” to allowed_url “/api/test” of api1 and “policy2” to “/api/test2” of api1 too

Hello @Marco just to help me understand. Let’s say we have api1, api2, api3 and pol1.

pol1 has a rate limit of x req/day and what you want to do is override api1 rate limit to have y req/day and have api2 and api3 share x req/day. Correct?

nope
in fact it’s customizing rate limiting for one specific route of a single Api

route /test/specific of api1 with y req/min
all other routes /test/… of api1 with x req/min

Ahhh, I see. Well to be completely honest I don’t/don’t think this is possible with one API definition but I know that this behavior can be obtained with looping.

This is how you would set it up.

Setup api1 to handle all the traffic going to /test/specific with x rate limit
Setup api2 to handle all the traffic going to /test/{anything other than ‘specific’} with y rate limit

Finally loop those api calls to a api3 using the tyk:// protocol. api3 would be the current api that you have.

Here are the looping release notes. I am also planning on writing a blog about looping in the near future so I can let you know when that is out.

https://site-dev.tykbeta.com/docs/release-notes/version-2.8/#looping-example

ok, thx for this workaround, I will have a look at those loops

1 Like

Here is a link to the looping docs that my colleague just created.

https://tyk.io/docs/advanced-configuration/transform-traffic/looping/