Target URL With Oauth

I have a target endpoint which is protected using provider oauth. How can I configure tyk to get the token from provider and use it to make the actual API call to get the response.

Hello @Arijit and welcome to the community.

Have you seen our doc on Oauths?

Hello @Olu
Many thanks for the link. I did look into the content but couldn’t figure out the part which would guide me to configure a proxy which will support the oauth with upstream service / provider. Let me explain the usecase

  1. There is a provider which provides API protected using Oauth
  2. The provider use client credentials grant.
  3. The API will be called by multiple consumers using Tyk. Tyk proxy that provider API.
  4. Since Tyk will become single point of contact with the provider exposing the provider APIs to multiple consumers, provider will onboard Tyk as a consumer for its API. So there will be clientID and secret issued to Tyk
  5. For a API call, Tyk will first check in its cache if there is already token exist to make the provider API call
  6. If token doesn’t exist Tyk initiates client credentails grant flow with provider, get the token, cache it and then use it to make actual provider API call.
  7. Tyk get the API response and send back to the consumer
  8. The consumers perform different authentication with Tyk

Is this possible in Tyk. Apologies I am very new to Tyk

Kind Regards

I feel this Client Credentials Grant Type is what you are looking for.

However, is there any authentication at Tyk level before the request is sent upstream?

Hi @Arijit , did you find a solution in the end? I have a similar issue and want to implement the same flow you laid out above.

@Olu i believe the Client Credentials Grant would be step 7 in his process above, looking for best practice to retrieve, store and refresh tokens within tyk for upstream services

@CousinLarry I’ve had a re-read on this

What is described looks like an implementation of Upstream OAuth authentication and Tyk doesn’t support this natively. But it can be achieved using a custom plugin.

For instance, the custom plugin would implement steps 4-6 in the Post-auth or Post stage of the request. We have an unofficial sample performing OAuth client_credentials exchange using Javascript here.

However, because of the caching requirement, using Javascript wouldn’t work. A Golang or Python plugin would suffice and you can use some Redis instance or In-memory techniques to achieve caching.

Then as stated in 8, you can use some other Auth method in the API definition for Client → Tyk authentication.

With this setup, when a request is made, Tyk will first authenticate the client using the “different auth” method configured, if successful, will execute the custom plugin to retrieve the provider token, and then make the actual provider API call or maybe modify the original request to include the provider token before sending it upstream - the design and implementation will be up to you.