TIB with external oauth2 flow

I started to learn Tyk recently and want to use Tyk to manage our APIs.
I have
- an Oauth2 server to issue jwt access_token and refresh_token. the response is {
“access_token”: “xxx.xxxx.xxx”, “token_type”: “bearer”,
“refresh_token”: “yyy.yyyy.yyy”,
“expires_in”: 3599,
“user”: {
“accNo”: 123456,
“email”: “[email protected]”}
- a login service which call oauth to authenticate user and get access_token (grant_type = password in this case)
- API which requires access_token to access
Now I want to integrate those components with Tyk and TIB because access_token which holds user info that will be used by API

  1. If I configure TIB profile (ProxyProvider) with the login endpoint which’s response is json like {“token”: “zzz.zzz.zzz”, “email”: “[email protected]”}, it works.
    I can get tyk access token with
    curl -X POST ‘http://TIB_DOMAIN:3010/auth/1/proxy’ -H ‘content-type: application/json’ -d ‘{“username”: “[email protected]”, “password”: “abcdabcd”}’

  2. I add new profile which is similar to the first profile but I change the target url to my Oauth2 (http://MY_OAUTH2/oauth/token) and the mapping of AccessTokenField=“access_token” and UsernameField=“user”
    I can get access_token with
    curl -X POST ‘http://MY_OAUTH2/oauth/token’ -H ‘authorization: Basic zzzzzzzz’ -H ‘content-type: application/x-www-form-urlencoded’ -d ‘grant_type=password&[email protected]&password=abcdabcd&client_id=dc2c8bdb70bd42087b63706bf8011453’

but via TIB, I always get “Authentication Fail”
curl -X POST ‘http://TIB_DOMAIN:3010/auth/2/proxy’ -H ‘authorization: Basic zzzzzzzz’ -H ‘content-type: application/x-www-form-urlencoded’ -d ‘grant_type=password&[email protected]&password=abcdabcd&client_id=dc2c8bdb70bd42087b63706bf8011453’

So I have questions for now:

  1. What I do wrong in #2? The client_id/secret I even took the value of tyk oauth2 client and imported to my oauth2 so the request to Oauth2 was successful
  2. Even if tyk return me a key but it is tyk standard token. How can I change it to jwt token with the user info in token payload?

Your help is appreciated.

Sorry I didn’t yet get the chance to look into your query, but from the top of my head - can you try to use oauth without TIB? try to define it on the dashboard (are you using the dashboard?)
With the dashboard you can also use JWT as authentication method without going through TIB.

Please do let me know if you need further help.

Hi Yaara,
Thank you for your reply. I tried both flow oauth2 and jwt on dashboard
With oauth2, when grant type is password owner or authorization code, is there any way to use username/password from external database like oracle? because i see that the username/password in guideline is actually added in “Keys” section which mean that username/password is in redis and associate with another key issued by tyk which actually can be used to access api
Please correct me if i am wrong

Want to know about this as well, can someone help?

I’m sorry but not sure I managed to follow your question very well. Could you please explain what is it that you are asking and what is not working for you/ or what you are trying to achieve?

Also please have a look at our documentation:
For different security options (including OAuth2.0 and JWT: //tyk.io/docs/basic-config-and-security/security/authentication-authorization/
For integration with 3rd Party IDPs: https://tyk.io/docs/integrate/ (There’s a custom Proxy Provider)

Thank you,

Hi Yaara,

Currently we have our own oauth2 but we want to move to Tyk oauth2 for client credentials, password owner, refresh token and authorization grant types. But username/password for some grant types is from our IDP then we dont need to maintain oauth2 in our side anymore. Is there any way to do that?

I tried with TIB but because TIB only maps access_token and username, then I dont know how to integrate with oauth2 refresh token grant type so I think I wont use TIB.

So I wonder if I write a plugin which call our service to authenticate username/password, if valid then Tyk oauth2 will generate access_token (and refresh_token) for this username/password. Is it possible?
Then I can get access_token and refresh_token with this

curl -X POST http://TYK/my-api/oauth/token/ -H ‘authorization: Basic base64_of_clientId:secret’ -H ‘content-type: application/x-www-form-urlencoded’ -d ‘grant_type=password&client_id=clientId&username=user@name&password=password’

(user@name/password is user in our db)