I have a TIB server running with a custom identity provider (Thank you @Martin).
In my scenario I first need to request an API Key from my TIB server. TIB forwards this request to my custom IDP, which authenticates (or not) the user. Then TIB creates an API Key (according to a policy) and returns it.
Now, I can call my APIs behind the gateway.
My question is: how will the APIs retrieve user information from the API Key they receive? For example, I have an API that needs a userid (an email or a numeric identifier or whatever identifies my user) in order to perform its job (this API needs to know what options the caller subscribes to).
The answer is header injection and metadata from the token itself.
When TIB generates your token, it will also insert metadata about the key (go on, look up the data in the created token in the dashboard):
You can use Header Transforms to then inject the metadata from the token into the header of the outbound request, and then retrieve that from the header using the $tyk_meta reserved metadata key.
So in the above case, you add a header called UserID with the value: $tyk_meta.AuthProviderUserID and Tyk will put that into the header that gets created:
Here’s some output from an API that points at HTTP Bin:
UserID header there?)
If you want to integrate, you could also do this programmatically by requesting the key detail via the API; this will also return the metadata.
TIB Proxy provider supports two injected metadata fields: a UsernameField and an AccessTokenField. Both of these, if the TIB response is JSON, will be extracted from the proxied IDP and inserted into the temporary access token from the gateway.
Ok, so my API just needs to ask the Key API to retrieve this information (and eventually cache it to improve perf). Great!
Yup, or, as I said - inject them into the header (only your app will see them) and then you can save a round-trip.