OAuth 2, Auth0, Tyk - multiple scopes and audiences

Hi there. I’m trying to figure out how we can achieve this with Tyk.

I have Auth0 as my IdP. I have created a data access layer running on GAE which is a REST API that allows access to my database (Snowflake).

I would like to protect the data access layer with Tyk. I also have a web portal that will call Tyk to get to Snowflake to retrieve data that will be rendered for the user to view. So it will be

  1. web portal → Auth0 (to log the user in and obtain a token)
  2. web portal → Tyk → data access layer → Snowflake

I have also integrated Snowflake with Auth0 so the same token issued by Auth0 is recognized by Snowflake.

When I make the first call from web portal → Auth0, I get a JWT. Ideally, I would like the same JWT to be used to control which Tyk policy is applied (e.g. rate limiting), and what tables can be accessed in Snowflake. Snowflake can only accept a single scope claim in the JWT.

What is the best way to achieve this? I’ve read about some microservices patterns like the phantom token, opaque token, etc. I’m a little confused about how best to approach this with Tyk in between.

Hi @Jesum_Yip, someone from our internal team should contact you directly. If not, then let us know.

I have a follow-up question. I would like to use the opaque token pattern. This is because I have 2 scenarios to cater for:

  1. An application I built is given to our customers. This application will call Tyk to call our microservices APIs to return data.
  2. Our customers want to consume our microservices APIs via Tyk.

I would like to have Auth0 as my IdP.

What’s the best way to achieve this?

I don’t want my customers to call Auth0 directly. I don’t want the Auth0 JWT token to be in the hands of my customers at any point because I will be embedding some back-end information in custom claims in that token. Hence, I believe the opaque token is the correct pattern to use.
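The opaque (phantom) token exchange discussed in both posts above, as an added example that is not part of the thread and not Tyk's or Auth0's code. It is a constructed stand-in for the real pieces: the store plays the IdP's introspection endpoint and keeps the JWT with its custom claims server-side, the client only ever holds a random reference, and `gateway_authorize` is the per-request check a gateway would perform before forwarding the JWT upstream. The HS256 signing with a demo secret, the claim names `scope`, `aud` and `pol` (the custom claim used to pick a policy), and the sample audiences are assumptions made for the example; a production IdP would sign with an asymmetric key and the gateway would call a real introspection endpoint.

```python
"""Toy opaque / phantom token exchange for an API gateway.

Added example, not Tyk or Auth0 code. Constructed setup:
  - the IdP keeps the real JWT (with custom claims) server-side and hands the
    client only a random opaque reference;
  - the gateway resolves the reference via introspection, checks audience and
    scope, reads a custom claim to pick a policy, and forwards the JWT upstream.
The client never sees the JWT or its custom claims.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumption: HS256 with a shared demo secret; a real IdP signs with RS256/ES256.
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Build a compact HS256 JWT (header.payload.signature) over the given claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes = SIGNING_KEY) -> dict:
    """Check signature and expiry; raise ValueError on any failure."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(payload))
    if claims.get("exp", 0) <= time.time():
        raise ValueError("token expired")
    return claims


class OpaqueTokenStore:
    """Stands in for the IdP's introspection endpoint: opaque reference -> JWT."""

    def __init__(self) -> None:
        self._jwts = {}

    def issue(self, claims: dict, ttl_seconds: int = 300) -> str:
        """Mint the JWT, keep it server-side, return only a random reference."""
        claims = dict(claims, exp=int(time.time()) + ttl_seconds)
        ref = secrets.token_urlsafe(32)
        self._jwts[ref] = mint_jwt(claims)
        return ref

    def introspect(self, ref: str):
        """Return the JWT behind a live reference, or None (and forget dead ones)."""
        jwt = self._jwts.get(ref)
        if jwt is None:
            return None
        try:
            verify_jwt(jwt)
        except ValueError:
            self._jwts.pop(ref, None)
            return None
        return jwt

    def revoke(self, ref: str) -> None:
        """Revocation is a server-side delete; the client-held reference goes dead."""
        self._jwts.pop(ref, None)


def gateway_authorize(store, opaque_ref: str, required_aud: str, required_scope: str):
    """Per-request gateway check: resolve the reference, then verify aud and scope.

    Returns None to deny; otherwise the verified claims, the JWT to forward
    upstream and the policy name taken from the assumed custom claim "pol".
    """
    jwt = store.introspect(opaque_ref)
    if jwt is None:
        return None
    claims = verify_jwt(jwt)
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]  # aud may be one or many
    if required_aud not in audiences:
        return None
    if required_scope not in claims.get("scope", "").split():  # space-separated scopes
        return None
    return {"claims": claims, "upstream_jwt": jwt, "policy": claims.get("pol")}
```

Because the reference is random and the JWT is looked up server-side, revoking a customer's access or rotating the signing key never requires touching anything the customer holds, and the custom claims used to select the gateway policy stay inside the trust boundary.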