Imported Google Group message. Original thread at: Redirecting to Google Groups Import Date: 2016-01-19 21:23:24 +0000.
Sender: Anand Natarajan
Date: Wednesday, 9 September 2015 22:53:18 UTC+1.
Hello,
I wanted to check if it is possible to grant an OAuth access token in exchange for a service ticket granted by SSO (CAS server).
So, the flow will be something like the below:
1. User signs on to SSO and SSO gives them a Service Ticket
2. User/App turns around and requests the Tyk OAuth flow to request a token by passing the service ticket
3. Tyk calls out to the SSO server to validate the Service Ticket
4. SSO RESPONDS WITH “VALID”
   4.1. Tyk grants the access token
5. SSO RESPONDS WITH “INVALID”
   5.1. Tyk responds with 401 or similar.
So the question is: is it possible to intercept the OAuth token request call, do the SSO service ticket validation, and upon a valid response let Tyk create an OAuth token?
Thanks…
Sender: Martin Buhr
Date: Thursday, 10 September 2015 07:29:09 UTC+1.
Hi Anand,
At the moment we don’t support an SSO flow like this; we are investigating introducing an AWS-style SAML implementation, though.
Tyk does have a full OAuth server built in though, and it can support an OAuth flow where the request goes via your SSO, but you would need to integrate the SSO app with Tyk’s flow…
Cheers,
Martin
From: Anand Natarajan [email protected]
Sent: Wednesday, September 9, 2015 22:53
Subject: Granting OAuth token in exchange to SSO(CAS) Service Ticket
To: Tyk Community Support [email protected]
Sender: Anand Natarajan
Date: Thursday, 10 September 2015 15:15:55 UTC+1.
Thanks Martin for the swift response.
Bit of history: we are trying to replace an existing gateway solution by a big red vendor. One of the customizations we did was to accommodate the flow I described. I wasn’t necessarily expecting out-of-the-box support for SSO integration; rather, I was hoping I could do some customization to the existing OAuth flow to accommodate SSO. The question is, is it possible to add custom code which would essentially call SSO, validate the Service Ticket and then either decide to continue the flow or respond with an error?
Sender: Martin Buhr
Date: Thursday, 10 September 2015 15:34:32 UTC+1.
Hi Anand,
Gotcha 
There isn’t a hook in the OAuth flow that could accommodate that flow; you would need to modify the source to get that to work.
However, the Tyk OAuth flow is actually an inverse of what you’ve described; it’s quite similar:
1. User makes a request, client requests a request token
2. Tyk forwards the request on to a login page
3. The user logs in
4. The login app then sends the initial OAuth token request to Tyk, which generates and returns a request token to the login app
5. The login page redirects to the client with the request token as if we were in a standard OAuth flow
6. The app then uses the request token to get an access token and continues through the gateway
The simplest thing to do is to have your SSO do step 4, but instead of using the original request objects, it generates its own valid ones for that client. The process from there on looks very similar to what you’ve described except for the calling back and forth to the SSO. If the SSO is the originator of the request token (it requested it, not the client), then it would be valid, wouldn’t it?
It depends on whether the SSO can be modified to send a POST to the Tyk API.
The alternative is to modify the OAuth server itself in Tyk, which is totally possible, but might be painful to do…
If you want to take this conversation offline to discuss your requirements and capability in more detail, email me on [email protected] 
Cheers,
Martin
From: Anand Natarajan [email protected]
Sent: Thursday, September 10, 2015 15:15
Subject: Re: Granting OAuth token in exchange to SSO(CAS) Service Ticket
To: Tyk Community Support [email protected]
Cc: [email protected]
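An added example (not from the thread, and not Tyk’s or CAS’s own code) of the login-app side Martin suggests: validate the CAS service ticket first, and only on success build the request that asks Tyk for an authorization code for the client (his step 4). The CAS server URL, the Tyk listen path, the `tyk/oauth/authorize-client/` endpoint with its form fields and API-secret header, the client id and the registered redirect URIs are all assumptions; the CAS XML responses are constructed samples.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode
from urllib.request import Request, urlopen

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}
# Constructed sample CAS 2.0 /serviceValidate responses (not captured from a real server).
CAS_OK = ('<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">'
          '<cas:authenticationSuccess><cas:user>anand</cas:user>'
          '</cas:authenticationSuccess></cas:serviceResponse>')
CAS_FAIL = ('<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">'
            '<cas:authenticationFailure code="INVALID_TICKET">bad ticket'
            '</cas:authenticationFailure></cas:serviceResponse>')

def parse_cas_validation(xml_text):
    """Username from a /serviceValidate body, or None if rejected or not the expected XML."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    user = root.find("cas:authenticationSuccess/cas:user", CAS_NS)
    return user.text.strip() if user is not None and user.text else None

def validate_service_ticket(cas_base, service, ticket, fetch=None):
    """Ask CAS whether `ticket` was issued for `service`; `fetch` lets tests
    supply a canned body instead of an HTTP round trip."""
    if not ticket.startswith("ST-"):  # CAS service tickets must start with ST-
        return None
    url = cas_base.rstrip("/") + "/serviceValidate?" + urlencode(
        {"service": service, "ticket": ticket})
    body = fetch(url) if fetch else urlopen(url, timeout=5).read().decode()
    return parse_cas_validation(body)

def build_tyk_authorize_request(listen_path, api_secret, client_id, redirect_uri):
    """POST the login app sends Tyk for an authorization code (Martin's step 4).
    Endpoint path, form fields and auth header are ASSUMPTIONS, not from the thread."""
    form = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri}
    return Request(listen_path.rstrip("/") + "/tyk/oauth/authorize-client/",
                   data=urlencode(form).encode(), method="POST",
                   headers={"Authorization": api_secret,
                            "Content-Type": "application/x-www-form-urlencoded"})

def login_handler(ticket, cas_base, service, listen_path, api_secret,
                  client_id, redirect_uri, registered_redirects, fetch=None):
    """One login attempt: check redirect_uri, validate the ticket, build the Tyk request."""
    if redirect_uri not in registered_redirects:  # client-supplied URIs are untrusted
        return 400, "redirect_uri not registered for client"
    user = validate_service_ticket(cas_base, service, ticket, fetch)
    if user is None:
        return 401, "SSO rejected service ticket"
    req = build_tyk_authorize_request(listen_path, api_secret, client_id, redirect_uri)
    return 200, (user, req.full_url)
```

On a 200 the app would send `req` with `urlopen` and redirect the browser to the `redirect_uri` Tyk returns; a CAS ticket is single-use, so a replayed ticket fails at `validate_service_ticket` and never reaches Tyk.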