Tyk as "frontend" for the IDP

Hi,

I was able to implement this process:

I would like to ask if the following process can be implemented and how?:

Can the process described above be implemented using the External OAuth Middleware described in the documentation? Or should I use another method?
In this process I use a JWT token, but it could be any other authentication method.

Thank you

Hi @pascal-chenevas,

Thanks for the question.

From what I see in the image you would like to use Tyk to proxy a request to “Fusion Auth Service” to get a Token and then for the client to use that Token to make another request.

  • What do you include in the “Ask JWT Token” request and do you need the Tyk API Gateway to hold any variables for you? (clientID, secretID…)

If the Client has all the information you could just use the Tyk API Gateway to proxy the request to the Fusion Auth token endpoint and serve back the JWT token for the client to use it.

Something like in the image

@cvillanua, thanks for the quick answer!

  • What do you include in the “Ask JWT Token” request and do you need the Tyk API Gateway to hold any variables for you? (clientID, secretID…)

At the moment a user must supply an API key to the Fusion Auth Service to be allowed to get a JWT generated by the Fusion Auth Service. In the configuration of the API I have set the public key which was used to sign the JWT Token.

If the Client has all the information you could just use the Tyk API Gateway to proxy the request to the Fusion Auth token endpoint and serve back the JWT token for the client to use it.

How can I do that?

@pascal-chenevas, my pleasure!

My understanding is that you want to have two steps.

First - Proxying an API request to the Fusion Auth Service with an API Key to get a JWT

Second - using the JWT returned to the client by the Tyk API Gateway to access the Web Server via the Tyk API Gateway.

If the above is correct, you would need to have another API in Tyk API Gateway that proxies to the Fusion Auth Service endpoint that provides the JWT.

  1. The Client will use the API Key (I am assuming as a header) in the API that proxies the request to the Fusion Auth Service.

  2. You will then have another API that is used to proxy the request to the “Web Service”. That is where you place the Public Key, so that Tyk can check whether the Client is allowed to make a request to the “Web Service”.

Let me know if the above is correct and we can elaborate a bit more on how you could secure the first step.

Thank you!

Carlos.
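To make the second API concrete: the following is an added example of a Tyk classic API definition for the “Web Service” proxy, not a configuration posted in this thread or shipped by Tyk. The names, `api_id`, `org_id`, the policy ID, the listen path and the upstream host are assumptions; the JWT settings (`enable_jwt`, `jwt_signing_method`, `jwt_source`, `jwt_identity_base_field`, `jwt_policy_field_name`, `jwt_default_policies`) are the standard classic-definition fields. `jwt_source` takes either the base64-encoded PEM public key that signs the Fusion Auth tokens or a JWKS URL; the placeholder below must be replaced with the real value.

```json
{
  "name": "Web Service (JWT protected)",
  "api_id": "web-service",
  "org_id": "default",
  "active": true,
  "use_keyless": false,

  "enable_jwt": true,
  "jwt_signing_method": "rsa",
  "jwt_source": "<base64-encoded PEM public key, or a JWKS URL>",
  "jwt_identity_base_field": "sub",
  "jwt_policy_field_name": "pol",
  "jwt_default_policies": ["web-service-policy"],

  "auth": {
    "auth_header_name": "Authorization"
  },

  "version_data": {
    "not_versioned": true,
    "versions": {
      "Default": {
        "name": "Default",
        "use_extended_paths": true
      }
    }
  },

  "proxy": {
    "listen_path": "/webservice/",
    "target_url": "https://web-service.localhost/",
    "strip_listen_path": true
  }
}
```

Two points worth checking before relying on it. Tyk only creates a session for a JWT if it can map the token to a policy, so either the token must carry the claim named in `jwt_policy_field_name` or `jwt_default_policies` must name an existing policy (the assumed `web-service-policy` here) that grants access to this API; without one, valid tokens are rejected. And a key pinned in `jwt_source` is only as good as the key Fusion Auth actually signs with: rotating the signing key on the Fusion Auth side means updating this field (or pointing it at the JWKS URL so rotation is picked up automatically).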

Yes, your drawings are correct.
So, if I understand correctly, I need to create 2 APIs in Tyk:

  • one as proxy to the Fusion Auth Service
  • one as proxy to the “Web Service”

Or can I create only one API that does both?

Is this correct ?

At the current time, and out of the box, you will need to create two APIs as you mentioned.

  • one as proxy to the Fusion Auth Service
  • one as proxy to the “Web Service”

What you mention is correct.


@cvillanua,

I was able to implement the new process by creating a new API (Fusion Auth) in the gateway. Thanks!
I have a few questions:

I use the classic definition and I have set up the following:

  1. I set use_keyless to true, because I think that everything is taken care of by Fusion Auth. Is that correct?

  2. Skip SSL verify
    Is it possible to define this in an OAS Specification? I didn’t find any information in the documentation.
    Does the OAS Spec support this?

  "proxy": {
    "listen_path": "/login",
    "target_url": "https://fusion-auth.localhost",
    "strip_listen_path": false,
    "transport": {
      "ssl_insecure_skip_verify": true,
      "ssl_ciphers": null,
      "ssl_min_version": 0,
      "ssl_max_version": 0,
      "ssl_force_common_name_check": false
    }
  }

  3. URL rewriting:

I want any request sent to http://tyk-gw.localhost/login to be rewritten to https://my-fusion-auth.localhost/api/login, and for that I have defined the following working rule:

"url_rewrites": [
            {
              "path": ".*",
              "method": "POST",
              "match_pattern": "\/login$",
              "rewrite_to": "/api/login"
            }
          ]

Is it possible to use a rule like the one described below?
From my understanding this should not work, because the request would have to be sent to http://tyk-gw.localhost/login/login. Correct?

"url_rewrites": [
            {
              "path": "/login",
              "method": "POST",
              "match_pattern": "\/login$",
              "rewrite_to": "/api/login"
            }
          ]

Thank you!
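Putting the pieces of the last post together, the following is an added example of the complete classic definition for the keyless login proxy; it is not a configuration from this thread or from Tyk. It keeps the working `url_rewrites` rule as posted (`"path": ".*"`), but replaces `"ssl_insecure_skip_verify": true` with certificate verification enabled and a TLS 1.2 floor (`ssl_min_version` 771 is Go's constant for TLS 1.2), and adds a `global_rate_limit` because a keyless API means anyone who can reach the gateway can drive login attempts at Fusion Auth. The `api_id`, `org_id`, name, rate-limit values and the target host are assumptions; for verification to succeed with `ssl_insecure_skip_verify` off, the CA that issued the Fusion Auth certificate has to be trusted by the host or container the gateway runs on.

```json
{
  "name": "Fusion Auth login proxy",
  "api_id": "fusion-auth-login",
  "org_id": "default",
  "active": true,
  "use_keyless": true,

  "global_rate_limit": {
    "rate": 20,
    "per": 60
  },

  "version_data": {
    "not_versioned": true,
    "versions": {
      "Default": {
        "name": "Default",
        "use_extended_paths": true,
        "extended_paths": {
          "url_rewrites": [
            {
              "path": ".*",
              "method": "POST",
              "match_pattern": "/login$",
              "rewrite_to": "/api/login"
            }
          ]
        }
      }
    }
  },

  "proxy": {
    "listen_path": "/login",
    "target_url": "https://fusion-auth.localhost",
    "strip_listen_path": false,
    "transport": {
      "ssl_insecure_skip_verify": false,
      "ssl_ciphers": null,
      "ssl_min_version": 771,
      "ssl_max_version": 0,
      "ssl_force_common_name_check": false
    }
  }
}
```

The rate limit is the only control the gateway applies on this path, since the Fusion Auth API key and user credentials travel through untouched; if the gateway is reachable from the Internet, tune `rate`/`per` to what legitimate clients need and nothing more. Keeping `ssl_insecure_skip_verify` at `true` in a development environment is a choice, but the definition above is the shape to promote to anything beyond that, because with verification disabled the gateway would forward the API key and credentials to whatever answers at `fusion-auth.localhost`.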