Multiple Auth for an API Definition

Can we have multiple authentication mechanism defined for an API Definition. For example when an API call is made then gateway should validate both Key and OAuth token. Key can be passed in any custom header and OAuth token in Authentication header.
Is this supported now in CE gateway?

Is above can be implemented in API Definition?

Hello @Anup_Rai - yes this is possible with Tyk Gateway, although we did not implement/test it in the Operator yet.

Please open a ticket in GitHub - TykTechnologies/tyk-operator: Tyk Operator for Kubernetes and we will try to add it to the next sprint.

kind: ApiDefinition
  name: httpbin.oauth2
  name: HttpBin OAuth2 API
  protocol: http
  active: true
    listen_path: /httpbin-oauth2
    target_url: http://httpbin.default.svc:8000
    strip_listen_path: true
  use_oauth2: true
      - client_credentials
    allowed_authorize_types: []
  use_standard_auth: true
    - authToken:
        auth_header_name: apikey    # remapped the authToken authorization header
  base_identity_provided_by: oauth_key      # tyk operator needs to know about this field

The API Definition would look something like the above.

1 Like

Thanks @ahmet , I created an API Definition which the help of Admin API and I am able to pass two authentication headers, one Bearer token and second one with apikey.

In this case I used a Key in which this API was not added under access_rights. I created this key using /tyk/keys API. Still I was able to call this API successfully. I changed below parameter in the API by referring to this link-

"base_identity_provided_by": "auth_token"

Now call failed. After I added this API in the key it started working. Now API is checking access_rights in both Key and OAuth token.

So when we have two Authentication mechanism then which one will be used to check the access_rights, Quota, Rate etc?
Which parameter we can set if we want API to check access_rights, Quota, Rate set in the Key?