Tyk external OAuth (or not!)

I need some help setting up Tyk and an auth flow for my company.

Here is the context:
My company produces an HR application, and we are currently building an API for our customers.
So each of our customers will have access to our API, and each customer can only CRUD their own data.

Currently I have:

  • OAuth server
  • Tyk Gateway
  • Our APIs

Each OAuth client will have its own rate limits/quotas.

I am trying to use the OAuth2 flow with Tyk and my OAuth2 server. At the moment, the best schema in my opinion to do that is:

  • Create an OAuth2 client with custom metadata (customerId)
  • Create a Tyk API on /oauth/token that forwards calls to my OAuth server (with client_id, client_secret, grant_type = client_credentials)
  • The OAuth server has to post the created token to the Tyk API to make it accessible from the session (but I need to find a way to make all newly created tokens group rate limit/quota by OAuth client)
  • Customers call my APIs with their bearer

Can this schema work? Is it secure enough?

Thanks for your help.

Hi, what you are saying makes sense. With client credentials you can group by policy, so this is the way you group rate limits/quotas by client.

We have a doc here you can also read: https://docs.google.com/document/u/1/d/17Eon4K1QQ6-2xl0BXft2k8WYsL7KJkS2duCYje88WVA/pub#h.iwol31aw4x25

It goes into more detail about the flow you want in the client credentials section - with instructions on setting it up.


Hi, thanks for your reply.

But every token will have its own quota, so each time a token is generated, the quota/rate limit will be reset?
How can I prevent that?
I mean, as a customer, I can flood the API by just generating a new token for each request I have to make.

The API is only accessible with a Tyk dashboard user key with appropriate perms, so you can limit the issuing of tokens to admins.

Hi Josh,

Sorry, but you missed the point. Sorry, it’s a little bit hard to explain on a forum.

Here is the scenario:
I create an OAuth client on my external OAuth server.
The customer can now call my /oauth/token (on the external OAuth server) to get his bearer.
Before returning the bearer to the customer, my OAuth server sends this bearer to the Tyk API to add this auth token (with some meta_data like the internal userId).
The customer calls my API endpoints with this bearer, and I use the Tyk key meta_data to forward my internal userId to my backend API with each request.

All works well. The only problem is that I don't see any way to apply a rate/quota limit to my customer, because those limits work on tokens, not at the “customer” level.

Example:
I set a rate limit of 2 per 10 sec

customer call /oauth/token
customer call /myapi with bearer BEARER1
---- rate limit 1/2
customer call /my/api with bearer BEARER1
---- rate limit 2/2

But if my customer does:
customer call /oauth/token
customer call /myapi with bearer BEARER1
---- rate limit 1/2
customer call /oauth/token
customer call /my/api with bearer BEARER2
---- rate limit 1/2
customer call /oauth/token
customer call /my/api with bearer BEARER3
---- rate limit 1/2
customer call /oauth/token
customer call /my/api with bearer BEARER4
---- rate limit 1/2

I am looking for a way to apply those limits at a higher level.

How do you create a key in Tyk? I assume you import the bearer of your AS using the Tyk API, as explained here.
Instead of creating a new key every time, you could update this with suppress_reset set to 1, as explained here.
Does this help, or have I misunderstood?
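
The token-rotation problem discussed in this thread, as an added example that is not part of any post and does not call Tyk's API: a small limiter simulation with the thread's 2-per-10-seconds limit, comparing a counter keyed by bearer with one keyed by the client id stored in the token's metadata. The `customer_id` field, the session table and the traffic are constructed for illustration.

```python
from collections import defaultdict, deque

RATE, PER = 2, 10.0  # the thread's example limit: 2 requests per 10 seconds

class SlidingWindowLimiter:
    """Allows at most `rate` requests per `per` seconds for each bucket key."""
    def __init__(self, rate=RATE, per=PER):
        self.rate, self.per = rate, per
        self.hits = defaultdict(deque)  # bucket key -> timestamps of allowed calls

    def allow(self, bucket, now):
        window = self.hits[bucket]
        while window and now - window[0] >= self.per:
            window.popleft()  # drop calls that fell out of the window
        if len(window) >= self.rate:
            return False
        window.append(now)
        return True

# Constructed session store: what the authorization server pushed to the
# gateway, token -> metadata. BEARER1..4 all belong to the same OAuth client.
SESSIONS = {f"BEARER{i}": {"customer_id": "customer-42"} for i in range(1, 5)}
SESSIONS["BEARER9"] = {"customer_id": "customer-77"}

def by_token(token):
    return token  # one bucket per bearer: a fresh token means a fresh counter

def by_customer(token):
    return SESSIONS[token]["customer_id"]  # one bucket per OAuth client

def replay(calls, bucket_of):
    """Replays (time, token) calls and returns the allow/deny decision for each."""
    limiter = SlidingWindowLimiter()
    return [limiter.allow(bucket_of(token), t) for t, token in calls]

# Constructed traffic: a new bearer for every call inside one 10 s window,
# one call from an unrelated customer, then a call after the window expires.
CALLS = [(0.0, "BEARER1"), (1.0, "BEARER2"), (2.0, "BEARER3"),
         (3.0, "BEARER4"), (3.5, "BEARER9"), (12.0, "BEARER1")]

if __name__ == "__main__":
    print("per token   :", replay(CALLS, by_token))
    print("per customer:", replay(CALLS, by_customer))
```

Keyed by bearer, every call is allowed; keyed by the client id, the third and fourth calls from the same customer are rejected while the unrelated customer is unaffected.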