I’m using Auth0 as an identity provider. I get an id_token and an access_token back after authentication, then I’d like to use the access_token to access the API. With id_token, it works (Integrate Tyk with Auth0 - Tyk API Gateway), but now the access_tokens are the recommended way to authorize. For this, I’d like to use Tyk in the following way:
- the Bearer access_token is sent to Tyk (it is a JWT with RSA signature)
- Tyk verifies the access_token using preconfigured values (like auth0 domain or JWKS URI - these may be cached)
- Tyk uses the sub claim for analytics and to obtain a session object, or create a new one
- Tyk will exchange the access_token for an internal access_token, which will be sent to microservices, and set it as a Bearer token in the header.
(the last step is used to decouple Auth0 and/or Tyk from the microservices)
What is the preferred way to achieve this? I created a grpc plugin for auth middleware (I have not run that yet though). I see how the session object can be created (or a policy assigned), but if the session already exists, how can I join it to the token using the sub claim? Specifically I am interested in how step 3 can be achieved.