Service Discovery and oauth 2.0


#1

Imported Google Group message. Original thread at: https://groups.google.com/forum/#!topic/tyk-community-support/N4v2TkUVezg Import Date: 2016-01-19 21:43:44 +0000.
Sender:[email protected].
Date:Monday, 18 January 2016 09:44:26 UTC.

Hi,

Is there a way for granular control of apis in tyk node so that i can generate a single access token for all the apis using oauth2.0 protocol .

To elaborate , if one is using microservices architecture and have configured each service as a separate api then it does not seem to be a ideal solution to generate access token for each individual service. Is there way to solve this problem .

also is there a way such that value of parent datapath in service discovery can be dynamic

that is if say the request url is api.xyz.com/booking then parent data path should be booking

Thanks
Kalyan


#2

Imported Google Group message.
Sender:Martin Buhr.
Date:Monday, 18 January 2016 13:17:53 UTC.

i set that allow_master_keys to true and the key which created has access to all the apis in node . strange

Again - please read the documentation for this setting, it is quite clear as to what it does and why it is defaulted to off: https://tyk.io/v1.9/configuration/configuration/#allow-master-keys:a66b35d20295cb764719ac8bd35837ec

Thanks,
Martin


#3

Imported Google Group message.
Sender:[email protected].
Date:Monday, 18 January 2016 10:35:42 UTC.

Hi Kalyan,

This is covered in the docs:
Is there a way for granular control of apis in tyk node so that i can generate a single access token for all the apis using oauth2.0 protocol

You can set multiple access permissions on a token quite easily (just add each API and version you want to grant access to for the token to the access rights section). To centralise this, you can use token policies, they will enable multiple tokens to share an access policy so you don’t need to define it on a per-key level, it’s all right there in the documentation.

also is there a way such that value of parent datapath in service discovery can be dynamic that is if say the request url is api.xyz.com/booking then parent data path should be booking

No


#4

Imported Google Group message.
Sender:Martin Buhr.
Date:Monday, 18 January 2016 12:27:00 UTC.

sorry to bother you

but if one goes for key based authentication then one cannot use tyk oauth rest apis like APIID/tyk/oauth/authorize-client…isnt it?

also ,

the api https://xxx.yyy.com:5000/tyk/keys/create

body:

{
“allowance”: 2,
“rate”: 3,
“per”: 1,
“expires”: 0,
“quota_max”: 1000,
“quota_renews”: 1429804261,
“quota_remaining”: 1000,
“quota_renewal_rate”: 90000,
“access_rights”: {},
“org_id”: “5677bec2fa63de11a8928000001”,
“hmac_enabled”: false,
“hmac_string”: “”,
“is_inactive”: false,
“apply_policy_id”: “testPolicy”
}

creating a key which gives access to all apis not just one defined in policy

here is my policy

{
“_id” : ObjectId(“5693a9e4fa63de6da1000004”),
“org_id” : “5677bec2fa63de11a9056700001”,
“rate” : 1000.0000000000000000,
“per” : 60.0000000000000000,
“quota_max” : NumberLong(-1),
“quota_renewal_rate” : NumberLong(60),
“access_rights” : {
“906c0825666a55e549cd5dda5c899e26100f” : {
“apiname” : “api 1”,
“apiid” : “906c0825666a55e549cd5dda5c899e26100f”,
“versions” : [
“Default”
],
“allowed_urls” : []
},
“bd0c533b6243431341c35614d6bbe8dcc0b1” : {
“apiname” : "api 2 ",
“apiid” : “bd0c533b6243431341c35614d6bbe8dcc0b1”,
“versions” : [
“Default”
],
“allowed_urls” : []
}
},
“hmac_enabled” : false,
“active” : true,
“name” : “testPolicy”,
“is_inactive” : false,
“date_created” : Date(-62135596800000),
“tags” : []
}

and yes , when tyk starts its shows that this policy loaded

  • show quoted text -

#5

Imported Google Group message.
Sender:[email protected].
Date:Monday, 18 January 2016 12:44:29 UTC.

but if one goes for key based authentication then one cannot use tyk oauth rest apis like APIID/tyk/oauth/authorize-client…isnt it?

No, that endpoint takes a parameter called key_rules which is a string encoded key object, so it can take any valid key definition, just add it to the string-encoded key param.

When you call that endpoint, it generates an auth token (depending on your grant), which the user can exchange for an access token, that access token will be built using the template you provide in this initial call. So you can set up OAuth tokens to have both policies and individual access rights.

the api https://xxx.yyy.com:5000/tyk/keys/create

body:

{
“allowance”: 2,
“rate”: 3,
“per”: 1,
“expires”: 0,
“quota_max”: 1000,
“quota_renews”: 1429804261,
“quota_remaining”: 1000,
“quota_renewal_rate”: 90000,
“access_rights”: {},
“org_id”: “5677bec2fa63de11a8928000001”,
“hmac_enabled”: false,
“hmac_string”: “”,
“is_inactive”: false,
“apply_policy_id”: “testPolicy”
}

creating a key which gives access to all apis not just one defined in policy

If you have allow_master_keys set to true then this will work, otherwise the above should fail with an error saying that master keys are not allowed.

Thanks,
Martin


#6

Imported Google Group message.
Sender:Martin Buhr.
Date:Monday, 18 January 2016 13:00:00 UTC.

wow cool , it will solve my problem if can have access token for policies . i will try it out thanks

as for other problem

i set that allow_master_keys to true and the key which created has access to all the apis in node . strange

  • show quoted text -

#7

Imported Google Group message.
Sender:[email protected].
Date:Monday, 18 January 2016 13:17:53 UTC.

i set that allow_master_keys to true and the key which created has access to all the apis in node . strange

Again - please read the documentation for this setting, it is quite clear as to what it does and why it is defaulted to off: https://tyk.io/v1.9/configuration/configuration/#allow-master-keys:a66b35d20295cb764719ac8bd35837ec

Thanks,
Martin