Tyk gateway / Tyk Idenitity Broker conenction to Oauth2

Support Installation and Deployment
1

Hello All,
I’m trying to figure if Tyk fits in with our current infrastructure.

Didn’t find in the documentation if TIB supports authorization with an external service using the Client Credentials Flow of the OAuth2 standard, there is only mention of OpenID Connect.
In the case of ClientCredentials there is no user information that OpenID Connect can provide.
We would like to give 3rd party access to our customers and assign them a client_id and client_secret in our Authorization Server - how would this relate/couple to the Identity Management in Tyk Gateway?

I also found this in the documentation:
https://tyk.io/docs/security/your-apis/oauth-2-0/#option-1-use-standard-auth-tokens
but it’s not very detailed about where and how to implement this.

Also from the doc here: https://docs.google.com/document/d/17Eon4K1QQ6-2xl0BXft2k8WYsL7KJkS2duCYje88WVA/pub
“The way Tyk handles this problem is by providing it’s own OAuth server”

Does tyk support delegating this to a thrid party Oauth provider? In this case does TIB need to be used?
Thank you.

1 Like
2

So, just to clarify:
You currently have your own Authorization server and want put Tyk on top of it, to expose your date to 3-rd parties.

Like you found is right //tyk.io/docs/basic-config-and-security/security/authentication-authorization/oauth-2-0/ and basic idea here is:

  1. You create an API with standard key based auth.
  2. The client makes authorize call to your auth server with client id and secret you given to him
  3. When you authorized him and created a token, internally, you call Tyk Key API //tyk.io/docs/tyk-apis/tyk-dashboard-api/api-keys/ and create the token with the same id for Tyk
  4. Now since Tyk now know about this token, the user can use it to access API

Hope it makes sense

3

@leon

I found in the docs multiple ways of implementing external Oauth, and it’s a bit confusing as it looks like there are a lot of ways:

  1. //tyk.io/docs/basic-config-and-security/security/authentication-authorization/json-web-tokens/
  2. //tyk.io/docs/basic-config-and-security/security/authentication-authorization/oauth-2-0/ (mentioned above)
  3. https://tyk.io/docs/integrate/3rd-party-identity-providers/custom/
  4. https://tyk.io/docs/customise-tyk/plugins/rich-plugins/grpc/custom-auth-nodejs/ (build a plugin that handles authentication)

Also where does TIB fit in the above ways of securing the api?

I am new to the product and don’t understand all the complexities.

What I am trying to implement is:

  1. user makes request to /oauth endpoint (this will to be outside Tyk) using client_credentials OAuth flow
  2. user receives access_token
  3. user uses access_token in the Tyk Gateway to be able to perform requests
  4. somehow Tyk validates this token and allows him the request

I achieved that in a POC with the method here: //tyk.io/docs/basic-config-and-security/security/authentication-authorization/json-web-tokens/
What are some recommendations for the above implementation?

4

Using JWT is ok, as an alternative you can use simple tokens as I mentioned above, and on step 2) before user receive his access_token, you call can call Tyk API to create a token with exactly same id as access_token from your oauth server, so the user can transparently pass it to Tyk gateway, even without knowing that auth and gateway itself are separate systems.

5

@leon

I didn’t get what you mean by your step 2. How I can create a token with the same id for Tyk using the Tyk Key API (//tyk.io/docs/tyk-apis/tyk-dashboard-api/api-keys/)? I didn’t saw any related parameter on the API documentation. Can you detail more this step?

How we can create a Tyk API Key as a OAuth access_token?

Thanks

6

@leon
Hello Ieon:
We have used the tyk gateway achieved that in a POC. For Oauth2.0 API. use the social of github provider to get Access token,Successful access to the API
Next, we expect to implement a provider of our own, like github(have login function,Authenticate user, provide scope).
Please provide guidance, what functions to implement in order to achieve Oauth2.0 with the purpose of generating Access token with TIB !
I am looking forward to you reply, thank you.

7

Well TIB itself can be configured to work with any OpenID provider GitHub - TykTechnologies/tyk-identity-broker: Tyk Authentication Proxy for third-party login

OpenID is based on oAuth2, but still have some specifics. But consider this option.

Making it work with custom oAuth2 provider can require extending TIB code base.

Additionally have you saw this guide //tyk.io/docs/basic-config-and-security/security/authentication-authorization/oauth-2-0/ ?

If we talking about option 1, it basically means avoiding using TIB at all, and embedding some small application logic part directly to your App, to integrate with Tyk.

Hope it helps.

8

@leon
I have saw the guide: //tyk.io/docs/basic-config-and-security/security/authentication-authorization/oauth-2-0/
We want to use option 2 of Access token flow (e.g. mobile apps, single-page web apps)

9

Option 2 assume that Tyk will act as oAuth2 server, and this functionality already built-in, so you do not need to write own oAuth2 server or se TIB.