Tyk.io + Auth0 feasibility/example/howto


#1

Would like to create a prototype of Tyk.io + auth0 managing user account creation and auth through auth0. Is this feasible, has anyone successfully accomplished this? Posts about this seem to indicate there may be some existing challenges. If so, what is required, TIB??? What is the recommended workflow - after the user is created in auth0, what is the best way to automatically associate the user with a profile in Tyk - TIB Proxy Identity Broker???

Successful Auth0 and Tyk integration example here.


#2

Yep - it’s been done using Basic Auth flow and Auth0 using the Tyk Identity Broker:

If you have control over the JWTs that get generated (you need to inject a policy claim) then you can just use Centralised JWT support:

https://tyk.io/docs/tyk-api-gateway-v-2-0/access-control/json-web-tokens/

The JWT option is probably the most flexible, as it completely externalises control over keygen to an IDP with only a custom claim field (policy) required to get it to work, though Tyk will only support a single public key per API Definition at the moment.


#3

Much closer, but still no solution, because the kid must be in the header, not the body claims, which is a special type of JWT called a JWE.

It’s quite easy with Auth0 to inject a claim into the data portion of the JWT. That apparently isn’t what Tyk needs though. It requires a kid in the header. Yeah - after an entire day getting the claim injected I read the fine print and realized the claim which has been repeatedly stated is special and not in the body. According to OAuth doc, that is a JWE type or JWT which allows claims replicated in the header.

It would be nice if the kid were checked in the body claims as well as the header by Tyk so this would just work. And again, I can’t use the sub because I only want users mapped to policies as roles, not to unique Tyk keys or policies for each user which would be a nightmare to manage for millions of users.

BTW: here is the auth0 rule I created that does the trick for anyone else trying to figure this out.

function (user, context, callback) {
  // Auth0 rule: copy the statically configured Tyk policy key from the rule's
  // configuration object into a custom field on the user profile. Note this
  // lands in the JWT payload (body claims), not in the JWT header.
  user.kid = configuration.KjPmsukutSwfo0EN03dzT95q3R0tL5Nq;
  //console.log('user ', user);
  //console.log('context ', context);
  callback(null, user, context);
}

WTF - how the @$#& do I inject a field and values into the JWT header with an auth0 rule???

Read the docs and hacked my way through creating a rule that injected a kid and used the global configuration to set the value to a statically entered Tyk.io policy key. Modified the lock authParams to scope: ‘openid kid’ and successfully tested the kid and policy id propagate through in the signed JWT. Success!!! NOT SO FAST!!! Tyk auth still fails - Whaaat? A closer look at the Tyk documentation…

From Tyk documentation:

For JWT-enabled APIs, the user must include the token generated by saving this form and include it as the [kid] header in their JWT.


#4

Hi Troy,

You won’t need the kid header at all, that is only for one to one mapping of JWTs to tokens. And even then, you can use the sub field instead of the kid.

In your case you don’t need it, you just need an identity field that you want to base the in demerits on and the policy field that identified the rules you want to match on. Do not create a new token within Tyk, it gets generated on the fly.

You can try this manually by creating a JWT using an editor and then sending it through Tyk with these fields present. Might be easier than fighting with auth0 :)


#5

Follow up: Auth0 integration is very very easy with tyk 2.1: