OpenID Connect Support in Tyk Cloud is Here!


OpenID Connect support just went live on Tyk Cloud!

So let’s talk about how openID connect support works with Tyk – cause it’s pretty cool.

You can now take JSON Web Tokens generated by OpenID Connect-compatible Identity Provider (id_tokens, in OIDC parlance) and point them at your Tyk-Cloud-Managed API, Tyk will then jump through hoops to make your life easier:

First, we validate the token:

  1. Is the token a valid jwt?
  2. Is the token issued by a known OP?
  3. Is the token issued for a known client?
  4. Is the token valid at the time (‘not use before’ and ‘expire at’ claims)?
  5. Is the token signed accordingly?

Then, we apply some rules:

  1. For this client ID, is there an associated token policy?
  2. Is there an underlying identity (the user ID of the bearer of the token)
  3. Generate an internal representation of that user, so they can be identified across JWT’s and Clients
  4. Apply the policy template to that identity (that’s your access control, throttling and quota’s)
  5. Generate some useful meta-data for your analytics
  6. Let the request go on

You can, if you are so inclined, even have the bearer rate-limited differently depending on their source, so if they came from your free client, then they get low access, but if they use your enterprise version, they get super-fueled access. It’s as easy as flipping a switch in your API configuration.

What does this mean?

It means that you do not need to integrate with Tyk at all, or even have Tyk generate tokens for you, token generation and control can rest entirely with your IDP’s using the OIDC standard, and point them at your Tyk Cloud instance. All you need to do is decide which issuers, and which of their registered clients to allow through, and set which policies and rules to set for those clients.

That means Mitre, Google+, Auth0 and any other Single-Sign-On provider that can handle Open ID Connect tokens is now compatible with Tyk Cloud.

But Wait, I’m an on-prem user! I want OIDC Too!

Well, you won’t have to wait long – we’re going to be pushing a release very soon with this feature because we think it’s so awesome. If you are extremely impatient, it will be live in our nightlies very shortly.