Upstream Authentication possibilities

chbaumgaertnerhb · November 2, 2023, 10:00am

I am currently evaluating Tyk OS to use as API-Gateway. So far it seems pretty nice but there is currently one requirement which I do not know how to solve with Tyk.

My question is about the possibilites for upstream authentication. We have some services which require authentication like apiKeys, BasicAuth or some other custom auth mechanisms. As far as i could tell, Tyk supports only mTLS for upstream auth.

We do not want our clients to send the auth data via headers and just forward it. The upstream auth should be hidden from the clients and only implemented in the gateway.

As far as i understand, custom auth mechanisms could be implemented using a middleware plugin. Would this be a recommended way of doing something like this?
If so, my next question would be where to store the secrets. I wouldn’t like to have them hard coded inside the plugin. I had the idea to import them as keys via the Gateway API and read them from redis via the plugins api methods. But the keys seem intended to be used only as client keys connected to an existing API, which makes sense.

I guess I could create some dummy API and add the keys this way but this seems false.

Is there any other way of solving my problem I just don’t see currently?

Thanks for your help.

CousinLarry · November 5, 2023, 6:31pm

I am looking for best practice on how to do this too (also am new to Tyk), in my instance I have upstream oauth 2. Did you find out the best solution in the end? Leaning towards some custom middleware at the moment.

Ubong · November 9, 2023, 12:13pm

Hi @chbaumgaertnerhb @CousinLarry

Thank you for your questions and welcome to the community

You can use Global Headers to add upstream auth to the original request. The upstream auth keys can be hardcoded in the API definition,

"version_data": {
  "versions": {
    "Default": {
    ...
    "global_headers": {
      "X-Upstream-Auth-Header": "dXBzdHJlYW0tYXV0aGVudGljYXRpb24ta2V5",
    },
    ...
    }
  }
},

Or stored and retrieved from Secrets Storage.

"version_data": {
  "versions": {
    "Default": {
    ...
    "global_headers": {
      "X-Upstream-Auth-Header": "$secret_conf.upstream_auth_token",
    },
    ...
    }
  }
},

Either way, the clients won’t need or see this data when making their requests to Tyk.

Even closer to what you were thinking with keys… you can include the upstream auth data as metadata in the keys you issue to your clients. Then when the Tyk API is called using a key, the upstream auth data will be retrieved from the key and added to the request (using $tyk_meta.METADATA_KEY) before sending it upstream.

For situations, like OAuth, where the upstream auth data needs to be generated, a custom plugin would be needed. Please see a similar discussion in this Post.

Hope this helps. Please write back if you have further questions.