Tyk custom authentication session

I’m using Auth0 as an identity provider. I get an id_token and an access_token back after authentication, then I’d like to use the access_token to access the API. With id_token, it works (Integrate Tyk with Auth0 - Tyk API Gateway), but now the access_tokens are the recommended way to authorize. For this, I’d like to use Tyk in the following way:

  1. the Bearer access_token is sent to Tyk (it is a JWT with RSA signature)
  2. Tyk verifies the access_token using preconfigured values (like auth0 domain or JWKS URI - these may be cached)
  3. Tyk uses the sub claim for analytics and to obtain a session object, or create a new one
  4. Tyk will exchange the access_token for an internal access_token, which will be sent to microservices, and set it as a Bearer token in the header.
    (the last step is used to decouple Auth0 and/or Tyk from the microservices)

What is the preferred way to achieve this? I created a grpc plugin for auth middleware (I have not run that yet though). I see how the session object can be created (or a policy assigned), but if the session already exists, how can I join it to the token using the sub claim? Specifically I am interested in how step 3 can be achieved.

There might be an easier solution here: if the access token is just a JWT, would it not be possible to add a policy claim to the access token?

If so, then you can just use the JWT auth method which will do internal token translation from the sub claim.

Regarding the internal token swap, where are you going to get this internal token from? If you can add it as a claim, then you can use context variables to perform the header substitution.

If the token needs to be looked up, then you can use a post-auth MW (your gRPC code would run exactly one step after the JWT auth middleware) to just replace the header with your computed internal token. Then you don't need to generate a session or worry about it existing, you just need to trade external for internal.
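The flow the question lays out (verify the IdP token, look the session up by sub, trade the external token for an internal one before the request goes upstream) as an added, self-contained example; it is not code from this thread and not Tyk's own plugin API. It assumes HS256 with two constructed keys so it runs with the standard library alone, where a real gateway would verify Auth0's RS256 signature against the tenant JWKS; the issuer and audience are placeholders, and the external token carries a `pol` claim for the policy as the reply suggests. The sub-keyed `SESSIONS` dict stands in for the session store.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed keys and placeholder values for this offline example. A real deployment
# verifies the Auth0 access_token with RS256 against the tenant's JWKS; HMAC is used
# here only so the block runs stand-alone. The internal key is shared with the
# microservices only, which is what decouples them from Auth0 and the gateway.
IDP_SECRET = b"constructed-idp-signing-key"
INTERNAL_SECRET = b"constructed-gateway-internal-key"
EXPECTED_ISSUER = "https://example-tenant.auth0.example/"  # placeholder Auth0 domain
EXPECTED_AUDIENCE = "https://api.example"                   # placeholder API identifier

SESSIONS = {}  # step 3: session objects keyed by the sub claim


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint a compact JWT (used for the constructed external token and the internal one)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_hs256(token: str, key: bytes, now: Optional[float] = None) -> dict:
    """Check structure, algorithm, signature and expiry; raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head, body, sig = parts
    header = json.loads(_b64url_decode(head))
    if header.get("alg") != "HS256":  # the verifier fixes the algorithm, never the token
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("expired or missing exp")
    return claims


def verify_external(token: str, now: Optional[float] = None) -> dict:
    """Step 2: the IdP token must also carry the expected issuer, audience and a subject."""
    claims = verify_hs256(token, IDP_SECRET, now)
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if aud != EXPECTED_AUDIENCE and not (isinstance(aud, list) and EXPECTED_AUDIENCE in aud):
        raise ValueError("unexpected audience")
    if not claims.get("sub"):
        raise ValueError("missing sub")
    return claims


def get_or_create_session(claims: dict) -> dict:
    """Step 3: look the session up by sub, creating it on first sight (policy from 'pol')."""
    session = SESSIONS.get(claims["sub"])
    if session is None:
        session = {"sub": claims["sub"], "policy": claims.get("pol", "default"), "requests": 0}
        SESSIONS[claims["sub"]] = session
    session["requests"] += 1
    return session


def exchange_for_internal(session: dict, ttl: int = 300, now: Optional[float] = None) -> str:
    """Step 4: mint a short-lived internal token; upstream services only ever see this one."""
    issued = int(time.time() if now is None else now)
    return sign_hs256({"iss": "gateway", "sub": session["sub"], "policy": session["policy"],
                       "iat": issued, "exp": issued + ttl}, INTERNAL_SECRET)


def verify_internal(token: str, now: Optional[float] = None) -> dict:
    """What a microservice does: trust the gateway's key only, nothing from the IdP."""
    claims = verify_hs256(token, INTERNAL_SECRET, now)
    if claims.get("iss") != "gateway":
        raise ValueError("not issued by the gateway")
    return claims


def handle_request(headers: dict, now: Optional[float] = None) -> dict:
    """The post-auth step end to end: returns the header set forwarded upstream."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        raise ValueError("missing bearer token")
    claims = verify_external(auth[len("Bearer "):], now)
    session = get_or_create_session(claims)
    upstream = dict(headers)
    upstream["Authorization"] = "Bearer " + exchange_for_internal(session, now=now)
    return upstream
```

Two points the code makes explicit: the verifier pins the algorithm and the key rather than trusting the token header, and a token that verifies under the IdP key is never accepted by the services, and vice versa, so a leaked internal token is useless at the edge and a leaked Auth0 token is useless inside the mesh.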