I found Tyk while searching for an API gateway. We’re evaluating some of them and came to Tyk as our main preference. Sadly, after a couple of days preparing some internal demos, I’m very disappointed with it. It seems like all the documentation that exists is for paid users. For example, I was looking to integrate with Keycloak, and everything that can be found is for Tyk Dashboard users. Very sad; the product looks amazing and the getting started guide was really promising.
Hello!
Let me try to answer this! Obviously, I’m a bit biased because I work here, and I’ve been in the company for the last 5 years, but I have a good overview of the market.
I think Tyk has the clearest open source strategy: everything related to the gateway functionality is always free and open source. E.g. there are no “paid” plugins which you can install to get some extended API gateway functionality. What we sell is the Dashboard, which is used as a central configuration source with a nice UI and some enterprise features, multiple data-center support, and full 24h customer support with various enterprise perks. So there is a very clear line between what is free and what is not. And we never broke this promise. Additionally, we try to open-source as much as we can, and it is always hard to find the right balance.
Tyk also always positioned itself as a profitable business, and part of that is earning money. And for the first years of the company’s existence, we focused on getting as much revenue as possible, which also meant focusing more on the private parts, like our Dashboard.
These days we have become more mature and have a bit more freedom, and one of our goals for the last and upcoming year was to start investing in growing our open-source community. If you compare the state of the docs a year ago and now, it is night and day, but there are still many gaps that need to be solved. Additionally, one of our upcoming goals is improving the CI/CD experience. So our upcoming focus in documentation, and overall onboarding, will be on Tyk running in headless mode or controlled via API or declarative configs.
As for your specific example, if you are planning to allow users to log in via Keycloak, generate a token, and use it for your API, I would recommend 2 possible flows, depending on your setup.
If Keycloak is going to generate JWT tokens, you do not really need any specific integration: you just configure a JWT API, specify the scope/policy mapping and JWKs, and in the docs you clearly tell users that it is a 2-step process: first generate a token, then consume the API. Even if you use OpenID/OAuth2, it still gives you JWTs which the gateway can consume.
Another flow would be using "GitHub - TykTechnologies/tyk-identity-broker: Tyk Authentication Proxy for third-party login", which is fully open-sourced, and that’s what we internally use to configure SSO for all our products. Here you can see documentation for the case where you log in via SSO and it automatically forwards you to Tyk with a working token: "GitHub - TykTechnologies/tyk-identity-broker: Tyk Authentication Proxy for third-party login". Or a similar approach, but in this case with SAML: "GitHub - TykTechnologies/tyk-identity-broker: Tyk Authentication Proxy for third-party login".
However, there is one flow which will not be fully possible to use without our developer portal.
It is what is described here: //tyk.io/docs/tyk-developer-portal/tyk-portal-classic/keycloak-dcr/
Dynamic client registration assumes that you have some developer portal/UI which, on your behalf, creates OAuth clients in your IDP. But on the gateway side it is actually configured as JWT, the same as I described above.
Also, one tip I can suggest: you can get a free developer licence on our website, use the Dashboard to configure your API, and then export it and use it in the OSS gateway.
Hope it helps!
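The first flow in the reply above (a JWT API with JWKs and a scope/policy mapping), sketched as an added example that is not part of the original post and not Tyk's own code. It assumes the Tyk classic API definition field names and Keycloak's realm certs endpoint; the helper names, host, realm, scopes and policy IDs are hypothetical placeholders.

```python
import json
from urllib.parse import urlparse

def keycloak_jwks_url(base_url, realm):
    # Realm key endpoint on current Keycloak; older releases prefix the path with /auth.
    return f"{base_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/certs"

def jwt_api_definition(name, listen_path, target_url, jwks_url, scope_to_policy, default_policies):
    # Field names assume the Tyk classic API definition format; check them against your version.
    return {
        "name": name, "api_id": name, "active": True,
        "use_keyless": False,            # keyless would switch authentication off
        "enable_jwt": True,
        "jwt_signing_method": "rsa",     # Keycloak signs with RS256 by default
        "jwt_source": jwks_url,          # gateway fetches signing keys from the JWKS URL
        "jwt_identity_base_field": "sub",
        "jwt_scope_claim_name": "scope",
        "jwt_scope_to_policy_mapping": scope_to_policy,
        "jwt_default_policies": default_policies,
        "proxy": {"listen_path": listen_path, "target_url": target_url, "strip_listen_path": True},
        "version_data": {"not_versioned": True, "versions": {"Default": {"name": "Default"}}},
    }

def review(defn):
    """Return findings for settings that weaken JWT enforcement in this flow."""
    findings = []
    if defn.get("use_keyless"):
        findings.append("use_keyless is true: requests are not authenticated")
    if not defn.get("enable_jwt"):
        findings.append("enable_jwt is false: tokens are not validated as JWTs")
    # This check assumes JWKS-URL mode, as in the Keycloak flow above.
    if urlparse(str(defn.get("jwt_source", ""))).scheme != "https":
        findings.append("jwt_source is not an https JWKS URL: signing keys can be replaced in transit")
    if not defn.get("jwt_scope_to_policy_mapping") and not defn.get("jwt_default_policies"):
        findings.append("no scope mapping or default policy: tokens resolve to no policy")
    return findings

if __name__ == "__main__":
    # Constructed sample values: host, realm, scopes and policy IDs are placeholders.
    api = jwt_api_definition(
        "orders", "/orders/", "http://orders.internal:8080",
        keycloak_jwks_url("https://sso.example.test", "demo"),
        {"orders:read": "POLICY_ID_READ", "orders:write": "POLICY_ID_WRITE"},
        ["POLICY_ID_READ"])
    print(json.dumps(api, indent=2))
    print(review(api) or "no findings")
```

The printed JSON is meant to be saved as an API definition file for the open-source gateway; the policy IDs must match policies that exist in your own gateway configuration.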
Hello, and thank you for your answer. The tip about creating a developer license sounds useful; can you explain how to do that, please?
Just fill in the form here (Sign up - Tyk API Management) and pick the on-prem trial license. You will receive it by email.
We are thinking about making our API designer a public service, but at the moment it requires a full on-prem setup to use it.
Cheers!
@robertotrgt this might interest you… @santoshshinde2012 one of our Community members has just published an excellent Getting Started for integrating Tyk Gateway with Keycloak.
Let us know your updates