Is there a way to limit an API key to access the same API just through a specific domain?
Let's say API key “aaaa” can access API “xy” through a domain aaa.com
and API key “bbbb” can access API “xy” through a domain bbb.com.
Does this make sense? It is more for auditing purposes than anything else.
I don’t think the Key definition has a feature like that off the top of my head. I could look into it a bit more and confirm.
But for something like this the easiest way is to use 2 API definitions with the different domain names as a proxy and funnel it upstream or to another master API definition.
Another method would be to use a custom plugin. I think you could check for the key and the base URL, then take an action depending on the condition. For example, you could set the expected domain name on the API key metadata. Then use a custom post-auth plugin, to check the domain name matches.
Plugins can be written in Python, Lua, JavaScript or any language which supports gRPC. Here are some plugin examples in different languages.
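The metadata check suggested in the reply above, sketched as an added example that is not part of the original thread and does not use any gateway's plugin API. The metadata field name `allowed_domain` and both function names are assumptions; a real post-auth plugin would pass in the key's metadata and the request's Host header from whatever objects the gateway hands it.

```python
from typing import Mapping, Optional, Tuple

META_KEY = "allowed_domain"  # hypothetical metadata field, set when the key is issued


def normalize_host(host_header: Optional[str]) -> Optional[str]:
    """Reduce a Host header value to a bare lowercase hostname, or None if unusable."""
    if not host_header:
        return None
    host = host_header.strip().lower()
    if host.startswith("["):              # IPv6 literal such as [::1]:8080
        end = host.find("]")
        if end == -1:
            return None
        rest = host[end + 1:]
        if rest and not (rest.startswith(":") and rest[1:].isdigit()):
            return None
        return host[1:end]
    name, sep, port = host.partition(":")
    if sep and not port.isdigit():        # malformed port or stray colons
        return None
    name = name.rstrip(".")               # "aaa.com." names the same host as "aaa.com"
    if not name or any(c in name for c in "/@\\ \t"):
        return None
    return name


def check_key_domain(key_meta: Mapping[str, str],
                     host_header: Optional[str]) -> Tuple[bool, str]:
    """Return (allowed, reason). Fails closed; the reason can go to an audit log."""
    expected = normalize_host(key_meta.get(META_KEY))
    if expected is None:
        return False, "key has no usable allowed_domain metadata"
    actual = normalize_host(host_header)
    if actual is None:
        return False, "missing or malformed Host header"
    if actual != expected:                # exact match only, no suffix or substring match
        return False, f"host {actual!r} does not match key domain {expected!r}"
    return True, "host matches key domain"


if __name__ == "__main__":
    # Constructed sample data using the keys and domains from the question above.
    keys = {"aaaa": {META_KEY: "aaa.com"}, "bbbb": {META_KEY: "bbb.com"}}
    for key, host in [("aaaa", "aaa.com"), ("aaaa", "bbb.com"), ("bbbb", "BBB.com:443"),
                      ("aaaa", "aaa.com.other.example"), ("bbbb", None)]:
        print(key, host, check_key_domain(keys[key], host))
```

The Host header is supplied by the client, so this check records and enforces which domain a key is presented on rather than proving where the caller is. If a proxy sits in front of the gateway, the plugin has to be given the host the client originally requested.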
Approximately 100 micro-services, each has its own base API, plus a few mashup APIs (combine multiple micro-services in one use-case/mobile-app …).
So maybe duplicating APIs for internal and/or external use might not be a good idea.