My own OpenID Connect Server(OAuth2)


#1

We have our own OpenID Connect Server (OAuth2) and our applications can talk directly to it to obtain access_tokens. What would be the easiest way to just add the Authorization bearer header check to registered APIs within TYK? This check should consist of calling the OpenID Introspection endpoint and verifying the response. Ideally we want the response, if valid, to be cached locally within TYK to avoid too many round trips to OpenID. Basically we want to put the API Manager in front of our Resource Server.

Regards,
Luiz


#2

Hi Luiz,

I’d suggest looking at Tyk Identity Broker, or the Javascript middleware. The current stable version of Tyk doesn’t handle the tokens with a “bearer” prefix. So you’d need to do some modification there if you wanted to do it as part of a request.

TIB would probably be better because it acts like Amazon STS to trade a valid identity for a token Tyk supports (internal OAuth provider, or standard Auth token). Since identity info can be embedded in the Tyk key, you could do some header substitution to put the valid token back into the request.

It’s convoluted, but the best way to work with a third-party IDM is with Tyk Identity Broker, since it will validate an inbound auth request against the IDM, then provide a one-time auth token based on a specific policy (essentially acting as a cache) which can be used to get through the gateway.

Cheers,
Martin