Auth0 and Tyk.io API Gateway Integration

In Tyk:

  1. Create an API - mocks run before authentication, so use virtual end-point if you are mocking the API for testing
  2. Create Policy, select API under Access Rights, save and record Policy ID for entering in Auth0
    Create a unique tag on the policy so that it can be queried to validate it is being used by Tyk
    (chicken & egg here as you have to create API before policy for rights and need to enter policy ID in API Auth)
  3. Set API Authentication Mode to JWT, HMAC, and set the secret to some plain text
  4. Set API Authentication Identity Source to sub or it will be logged that base wasn't found, using sub
  5. Set API, Policy Field Name to pol or some other unused JWT claim name
    This will be used to find the Tyk Policy by ID (not name) which is auto generated when the policy is created

In Auth0:

  1. Set the secret to some base64 encoded plain text since Auth0 requires base64 & Tyk requires plain text
  2. In Rules : Settings add a key=value, e.g., auth0 clientId=Tyk Policy ID, the ID is auto-generated by Tyk on policy save
  3. Create a Rule to inject the Tyk policy ID as a JWT pol claim or some other unused JWT claim name

function (user, context, callback) {   
  user.pol = configuration[user.clientID];
  //console.log('user ', user);
  //console.log('context ', context);
  callback(null, user, context);
}

In the application:

Add pol to the lock claims so that the JWT claim "pol": "Tyk Policy ID" will be requested during authentication.
lock.show({ authParams: { scope: 'openid pol' } });

Testing:

At this point you can create a signed JWT at jwt.io and use curl to test local Tyk authentication.
curl -X GET -H "Accept: application/vnd.api+json" -H "Authorization: ey...JWT.bytes...jI" 'http://tyk-vbox:8080/test2/foo'
Make sure to use plain text secret or Tyk will log an error: Token validation error: signature is invalid
Decoded JWT should look like this:

JWT Header:

{
  "typ": "JWT",
  "alg": "HS256"
}

JWT Data:

{
  "pol": "571fc5dfbceab80251000001",
  "iss": "https://skillsoft-troy.auth0.com/",
  "sub": "google-oauth2|114386168700053341693",
  "aud": "KjPmsukutSwfo0EN03dzT95q3R0tL5Nq",
  "exp": 1461734146,
  "iat": 1461698146
}

Rate limiting:

Tyk creates virtual tokens for the user ID in the JWT sub field and applies the policy with the matching ID in the JWT pol. If we had created a Tyk key which had JWT ID checked and a secret entered and the API had a blank secret, and the JWT header included a kid with the Tyk key ID, Tyk would rate limit all users as a single group. By matching a policy instead of key, Tyk rate limits each user independently.

Comments

Popular posts from this blog

Sites, Newsletters, and Blogs

Oracle JDBC ReadTimeout QueryTimeout

Locks held on Oracle for hours after sessions abnormally terminated by node failure