Hi,
I need some help to set up Tyk and the auth flow for my company.
Here is the context:
My company produces an HR application, and we are actually building an API for our customers.
So each of our customers will have access to our API; each customer can only CRUD their own data.
Actually I have:
OAuth server
Tyk Gateway
Our APIs
Each OAuth client will have its own rate limits/quotas.
I am trying to use the OAuth2 flow with Tyk and my OAuth2 server; at the moment, the best schema in my opinion to do that is:
Create an OAuth2 client with custom metadata (customerId)
Create a Tyk API on /oauth/token that forwards the call to my OAuth server (with client_id, client_secret, grant_type = client_credentials)
The OAuth server has to post the created token to the Tyk API to make it accessible from the session (but I need to find a way to make all newly created tokens group rate limit/quota by OAuth client)
But every token will have its own quota, so each time a token is generated, the quota/rate limit will be reset?
How can I prevent that?
I mean, as a customer, I can flood the API by just generating a new token for each request I have to do.
Sorry, but you missed the point; sorry, it’s a little bit hard to explain on a forum.
Here is the scenario:
I create an OAuth client on my external OAuth server.
The customer can now call my /oauth/token (on the external OAuth server) to get his bearer.
Before returning the bearer to the customer, my OAuth server sends this bearer to the Tyk API to add this auth token (with some meta_data like the internal userId).
The customer calls my API endpoints with this bearer; I use the Tyk key meta_data to forward my internal userId to my backend API with each request.
All works well; the only problem is that I don’t see any way to apply a rate/quota limit on my customer, because those limits work on tokens, not at the “customer” level.
How do you create a key in Tyk? I assume you import the bearer of your AS using the Tyk API as explained here.
Instead of creating a new key every time, you could update it with suppress_reset set to 1 as explained here.
Does this help, or have I misunderstood?
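The two Gateway API calls the reply refers to, as an added example that is not code from the thread or from Tyk: the OAuth server creates a custom key whose id is the bearer (POST /tyk/keys/{id}) and later updates that same key with suppress_reset=1 (PUT) so its quota and rate counters are kept rather than reset. The gateway address, gateway secret, API id, rate and quota numbers are assumed placeholders.

```python
import json
import urllib.request
from typing import Any, Dict

# Assumed values (not from the thread): gateway address and the `secret` from tyk.conf.
TYK_GATEWAY = "http://tyk-gateway:8080"
TYK_SECRET = "<gateway-secret>"


def build_session(customer_id: str, api_id: str) -> Dict[str, Any]:
    """Session object stored with the key: rate limit, quota, API access and meta_data."""
    return {
        "rate": 100, "per": 60,                            # 100 requests per 60 s (assumed)
        "quota_max": 10000, "quota_renewal_rate": 86400,   # 10k requests per day (assumed)
        "expires": 0,
        "access_rights": {api_id: {"api_id": api_id,
                                   "api_name": "hr-api", "versions": ["Default"]}},
        "meta_data": {"customerId": customer_id},          # forwarded to the backend by Tyk
    }


def key_request(bearer: str, customer_id: str, api_id: str, update: bool) -> Dict[str, Any]:
    """Describe the Gateway API call without sending it.
    POST /tyk/keys/{id} creates a custom key whose id is the bearer (counters start fresh);
    PUT /tyk/keys/{id}?suppress_reset=1 updates the existing key and keeps its
    quota/rate counters instead of resetting them."""
    url = f"{TYK_GATEWAY}/tyk/keys/{bearer}"
    if update:
        url += "?suppress_reset=1"
    return {"method": "PUT" if update else "POST",
            "url": url,
            "headers": {"x-tyk-authorization": TYK_SECRET,
                        "Content-Type": "application/json"},
            "body": json.dumps(build_session(customer_id, api_id))}


def send(req: Dict[str, Any]) -> Dict[str, Any]:
    """Perform a described request against the gateway (needs network access)."""
    r = urllib.request.Request(req["url"], data=req["body"].encode(),
                               headers=req["headers"], method=req["method"])
    with urllib.request.urlopen(r) as resp:
        return json.load(resp)
```

Creating a fresh key per issued bearer is what starts a new counter each time; updating the existing key with suppress_reset=1 is what carries the counters over.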