TIB to authenticate API users

Hi, I’ve currently set up a trial of tyk as a POC for our organization.
I read about TIB and how it can enable SSO access to the dashboard and/or the developer portal, but I’m confused on how to configure it to authenticate users who try to access our tyk-managed APIs.

Let me explain the flow:

  1. The user accesses one of the tyk-managed APIs.
  2. The API is configured to be secured by OpenID Connect, so it redirects the user to TIB to be authenticated.
  3. TIB is configured to authenticate users via an existing OpenID Connect server (Ping Federate in our case), so it redirects the user to Ping.
  4. Ping authenticates the user and redirects him back to TIB with an authorization code.
  5. TIB makes a request to Ping with the given authorization code and its configured client ID and secret, and receives the access token.
  6. TIB returns the access token to the tyk gateway, which then uses the access token to identify the user and apply any matching policies to him.
  7. Not sure how, but somehow the access token needs to be passed to the API itself to perform authorization.

Basically I’m talking about the authorization code flow of OpenID Connect, where TIB is a mediator between the tyk gateway and our existing OpenID server.

I’ve seen how to configure this similar flow for dashboard login, but it is not clear what is required to do for the API.

I hope I’ve explained myself well, thanks!

Hi,
To secure APIs with OIDC we have this feature OFTB, so you don’t need to use TIB anymore (you would for SSO to our UI front ends).
Please check this doc for the configuration. There’s also an Auth0 example further down the page.
Please let me know if that works for you.
Thanks
Yaara

Hi Yaara,

According to the doc you’ve given:

The iss will look something like https://tyk.auth0.com/ and the aud will be the client ID that you created in step 1 of the pre-requisites.

I don’t understand why the policy would apply according to the aud field, which represents the app you wish to access, instead of the sub field, which represents the user who’s trying to access the app.
Maybe I don’t understand something, but shouldn’t policy be applied on users, instead of the client apps?

Hi,
The session object we create in the GW for this request is on the user (const subjectClaimName = “sub”),
but in Tyk we use a policy to manage a collection of Tyk’s generated keys (manage rate limit, quota and ACL), so in a similar manner we will manage the JWTs. All the users of a certain client_id will share the same policy, i.e. the same rate limit, quota and ACL.
This is the place in the code tyk/mw_openid.go at 90fab7335a3eb16091b2fb4298523f4454ad33e0 · TykTechnologies/tyk · GitHub, feel free to verify that.

Does that mean that if I want to define multiple policies for the same API, each with a different rate limit, etc… I would need to register my API multiple times on my OpenID server, and the same API would have multiple client IDs?

That seems odd…

Your “aud” claim could contain an array of client_ids. client_ids usually represent an application which you would potentially want to allocate all its users the same rate-limit, quota and ACL.
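An added illustration of the behaviour the two Tyk replies above describe (the gateway session is keyed on `sub`, the policy is selected by the client ID found in `aud`, and `aud` may be a string or an array, so a second policy on the same API means a second registered client ID). This is example code written for this thread, not Tyk’s own middleware and not the configuration format from the linked doc: the provider list, the policy IDs, the HS256 shared secret and the users are all constructed here so it runs offline. A real deployment would verify RS256 signatures against the issuer’s published JWKS rather than a shared secret.

```python
"""Model of how an OIDC-protected gateway maps a JWT to a policy.

Added example, not Tyk's code: session keyed on `sub`, policy chosen
by the client ID in `aud` (string or array), one policy per client ID.
"""
import base64
import hashlib
import hmac
import json
import time


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed demo secret. Real providers sign with RS256 and the gateway
# fetches the public key from the issuer's JWKS; HS256 keeps this offline.
SECRET = b"constructed-demo-secret"


def make_jwt(claims: dict, secret: bytes = SECRET) -> str:
    """Mint an HS256 JWT (test fixture only, stands in for the OIDC server)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_jwt(token: str, secret: bytes = SECRET, now=None) -> dict:
    """Check alg, signature and expiry; return the claims or raise ValueError."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never trust alg chosen by the token
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    now = time.time() if now is None else now
    if "exp" in claims and claims["exp"] < now:
        raise ValueError("token expired")
    return claims


# Assumed, simplified provider configuration: issuer -> {client_id: policy_id}.
# Every user presenting a token for "mobile-app" gets "policy-mobile"; a
# second policy on the same API needs a second client ID, as the thread says.
PROVIDERS = [
    {
        "issuer": "https://login.example.com/",
        "client_ids": {
            "mobile-app": "policy-mobile",
            "partner-portal": "policy-partner",
        },
    },
]


def select_policy(claims: dict, providers=PROVIDERS):
    """Return (policy_id, subject) or None when no provider/client matches."""
    provider = next((p for p in providers if p["issuer"] == claims.get("iss")), None)
    subject = claims.get("sub")
    if provider is None or subject is None:
        return None
    aud = claims.get("aud", [])
    audiences = [aud] if isinstance(aud, str) else list(aud)  # aud may be an array
    for client_id in audiences:  # first configured client ID in the array wins
        policy = provider["client_ids"].get(client_id)
        if policy is not None:
            return policy, subject
    return None


def authorize_request(token: str, now=None):
    """Gateway-side entry point: verify the bearer token, then pick the policy."""
    return select_policy(verify_jwt(token, now=now))


def rejects(token: str, now=None) -> bool:
    """True when the gateway would refuse the token outright."""
    try:
        verify_jwt(token, now=now)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    iss = "https://login.example.com/"
    for sub, aud in (("alice", ["mobile-app"]), ("bob", "mobile-app"),
                     ("carol", ["other-api", "partner-portal"]), ("dave", "unknown")):
        tok = make_jwt({"iss": iss, "sub": sub, "aud": aud, "exp": 4102444800})
        print(sub, aud, "->", authorize_request(tok))
```

Running the block shows alice and bob (different users, same client ID) landing on the same policy, carol picking up the partner policy from the second entry of her `aud` array, and dave, whose client ID is not configured, getting no policy at all.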

How would you suggest doing this?