Imported Google Group message. Import Date: 2016-01-19 21:03:55 +0000.
Sender: Brian Rodgers.
Date: Wednesday, 21 January 2015 17:47:56 UTC.
We’re looking at Tyk as a possible API gateway solution, but thus far I haven’t seen how we can integrate authentication the way we want. Most of our APIs require clients to pass an OAuth token for the user on whose behalf they’re acting. We want to use the gateway to do a basic validation of the OAuth tokens before passing the request to the implementation, so that requests from people trying to get in with an invalid token (maliciously or not) are blocked at the gateway. This would be separate from any API keys we want to use to regulate the client apps that call a given service. More detailed authorization would be done by the service implementation.
The first question I have is whether the current OAuth integrations allow for integrating with a separate authentication server and doing token validation. From what I’m seeing, that’s not there, but I wanted to confirm that. I do see “Full Oauth2 flow support” as a proposed item.
The second would be whether there’s any capability to add something like this into the pipeline, as more full-blown ESB solutions often have. I’d need a hook that would let me run code on an incoming request, and choose to either continue forwarding the request to the service or deny it and return an error instead. At first I thought the answer was no, but now I’m seeing “Plugins” in your “To Document” list for 1.4. Is that going to give me what I need to add this kind of functionality, and if so, do you have any rough timeline for 1.4 being released?