OpenID delegation

so basically what we want is that user requests hitting our api (single point of entry) will be

    1. forced to authenticate if they are not yet (oidc provider login page)
    2. allowed to hit the API if they are authenticated (using ID token)

so the access_token and ID token are issued by the auth server

and our tyk gateway needs to act based on whether they are present in request

basically here is the flow i want to achieve

Client (header with no id token or invalid id token) -> gateway (proxy to oidc provider) -> oidc login page
Client (submits username and password in oidc provider login page) -> oidc provider (redirects to the url specified by gateway)

and is it possible to pass the payload data to the requested api?

You will need some custom pre-auth middleware that checks for the existence of an Authorization header. If this header is present and contains an OIDC ID token, then it just returns; if, however, the header is missing, it can then redirect to the login page.

Unfortunately that's as far as it goes: if the user's OIDC ID token is invalid and Tyk's auth middleware bounces it, there's nothing that can be done about the response (except customising it); it will not redirect. To do that you would need to completely replace the OIDC auth middleware with your own rich plugin (which, while possible, might be overkill).

However, you could check the claims of the inbound ID token (expiry etc.) to make sure it's valid as a soft pre-check without doing the crypto (so the initial check trusts they are valid, and then Tyk does the hard check with the signature/key).

The docs for writing these kinds of plugins are here; they are actively being worked on and will be updated in 2017 with a more complete example.
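One way to implement the pre-auth "soft pre-check" the answer describes, as an added example that is not from this thread or from Tyk: it inspects the Authorization header, decodes the JWT payload without verifying the signature, and returns either "pass" (let Tyk's real OIDC check run) or "redirect" (send the client to the login page). `LOGIN_URL`, the header shape, and the `TykJS` wiring at the bottom are assumptions, not something the thread specifies.

```javascript
// Placeholder: the gateway's own redirect target would go here.
const LOGIN_URL = "https://idp.example.test/login?redirect_uri=https://gateway.example.test/cb";

// Decode the middle segment of a compact JWT. No signature check here:
// the answer's point is that the hard check stays with Tyk's OIDC middleware.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) return null;               // not a compact JWS
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  try {
    return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
  } catch (e) {
    return null;                                     // malformed payload
  }
}

// Returns {action: "pass"} or {action: "redirect", location, reason}.
// nowSeconds is injectable so the expiry logic is deterministic in tests.
function preAuthDecision(headers, nowSeconds) {
  const now = nowSeconds === undefined ? Math.floor(Date.now() / 1000) : nowSeconds;
  const raw = headers["Authorization"] || headers["authorization"];
  const auth = Array.isArray(raw) ? raw[0] : raw;    // some gateways pass arrays
  const redirect = (reason) => ({ action: "redirect", location: LOGIN_URL, reason });
  if (!auth) return redirect("no Authorization header");
  const m = /^Bearer\s+(\S+)$/i.exec(auth);
  if (!m) return redirect("not a Bearer token");
  const claims = decodeJwtPayload(m[1]);
  if (!claims) return redirect("not a JWT");
  // Soft checks only: these claims are untrusted until the signature is verified.
  if (typeof claims.exp !== "number" || claims.exp <= now) return redirect("expired or missing exp");
  if (typeof claims.nbf === "number" && claims.nbf > now) return redirect("not yet valid");
  return { action: "pass" };
}

// Constructed, unsigned sample token for local runs and tests (not a real credential).
function sampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
  return enc({ alg: "RS256", typ: "JWT" }) + "." + enc(claims) + ".fakesig";
}

// Assumed wiring into Tyk's JSVM middleware API; guarded so this file also runs standalone.
if (typeof TykJS !== "undefined") {
  var oidcPreAuth = new TykJS.TykMiddleware.NewMiddleware({});
  oidcPreAuth.NewProcessRequest(function (request, session, spec) {
    const d = preAuthDecision(request.Headers, undefined);
    if (d.action === "redirect") {
      request.ReturnOverrides.ResponseCode = 302;
      request.ReturnOverrides.ResponseHeaders = { "Location": d.location };
    }
    return oidcPreAuth.ReturnData(request, {});
  });
}
```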