# Step by step guide using Gluu

<Warning>
  **Legacy: Tyk Classic Portal**

  You're viewing documentation for the **Tyk Classic Portal**, which is no longer actively maintained.

  If you're looking for the latest API documentation for the **new Tyk Developer Portal**, please refer to the
  [Postman collection](/5.9/product-stack/tyk-enterprise-developer-portal/api-documentation/tyk-edp-api) or visit the
  [Tyk Developer Portal](/5.9/portal/overview/intro) section.

  The Classic Portal is in maintenance mode and will be deprecated soon. For questions or support, contact us at
  [support@tyk.io](<mailto:support@tyk.io?subject=Tyk classic developer portal>).
</Warning>

We are going to walk you through a basic integration of Tyk with [Gluu](https://gluu.org/) using the [OpenID Connect Dynamic Client Registration protocol](https://tools.ietf.org/html/rfc7591). Our current implementation supports the client credentials flow with <Tooltip tip="JSON Web Tokens">JWT</Tooltip>.

The user journey is as follows:

1. A developer signs up and creates a Dynamic Client Registration provider using your Developer Portal.

2. Tyk sends the Dynamic Client Registration call to your <Tooltip tip="Identity Provider">IDP</Tooltip>. The IDP replies with the client ID and secret.

3. Using that information, the developer (or the application) triggers a call to the token endpoint of the IDP.

4. Your developer (or the application) then triggers a call to Tyk, using the token that was generated by the IDP. Tyk validates this token using the <Tooltip tip="JSON Web Key Sets">JWKS</Tooltip> provided by the IDP.

### Requirements

* A Gluu installation, more details [here](https://gluu.org/get-started/).
* A [Tyk Self Managed installation](/5.9/tyk-self-managed/install) (Gateway + Dashboard).

### Getting started with Gluu

In order to get started with Dynamic Client Registration you’ll need to get the OpenID Connect registration endpoint. Open your Gluu dashboard and select the "Configuration" section. Select "JSON Configuration" and toggle the "OxAuth Configuration" tab.

<img src="https://mintcdn.com/tyk/gQqrg0xptB2_TmVu/img/dcr/gluu/step_1.png?fit=max&auto=format&n=gQqrg0xptB2_TmVu&q=85&s=fda27495b9a0ba2bebf4469c680e36b6" alt="Step 1" width="2792" height="1564" data-path="img/dcr/gluu/step_1.png" />

In this view you will find the registration endpoint:

<img src="https://mintcdn.com/tyk/gQqrg0xptB2_TmVu/img/dcr/gluu/step_2.png?fit=max&auto=format&n=gQqrg0xptB2_TmVu&q=85&s=809f79c0a37f7649f737ece188c0f068" alt="Step 2" width="1210" height="758" data-path="img/dcr/gluu/step_2.png" />

Another endpoint that will be relevant for your setup is the Well-Known configuration endpoint, which typically looks as follows: [https://gluu-server/.well-known/openid-configuration](https://gluu-server/.well-known/openid-configuration). Keep both URLs handy as you’ll use them in the next steps.

Because of known issues with Tyk’s JWT driver, you’ll set specific algorithms for the JWKS endpoint. In the same "OxAuth Configuration" tab, scroll down to "jwksAlgorithmsSupported" and select the following options:

<img src="https://mintcdn.com/tyk/gQqrg0xptB2_TmVu/img/dcr/gluu/step_3.png?fit=max&auto=format&n=gQqrg0xptB2_TmVu&q=85&s=f25e12f991fd6e98fec35c7a1477dd3f" alt="Step 3" width="1804" height="1296" data-path="img/dcr/gluu/step_3.png" />

Click "Save OxAuth Configuration" afterwards.

For more information on this particular issue please check [this thread](https://support.gluu.org/authentication/8780/wrong-size-of-ec-x-value-in-jwks_uri-while-using-openid/) in the Gluu forum.
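The linked thread's title refers to a wrong-size EC `x` value in the `jwks_uri` output. As an added example (not Tyk or Gluu code), the check below flags any EC key in a JWKS whose `x` or `y` coordinate does not have the byte length RFC 7518 requires for its curve, so you can confirm what the endpoint publishes after saving. The sample JWKS is constructed.

```python
import base64

# Coordinate size in bytes that RFC 7518 (section 6.2.1) requires per curve.
COORD_BYTES = {"P-256": 32, "P-384": 48, "P-521": 66}


def b64url_len(value):
    """Number of bytes encoded by an unpadded base64url string."""
    return len(base64.urlsafe_b64decode(value + "=" * (-len(value) % 4)))


def bad_ec_keys(jwks):
    """Return (kid, reason) for every EC key whose x or y has the wrong size."""
    findings = []
    for key in jwks.get("keys", []):
        if key.get("kty") != "EC":
            continue  # RSA and other key types are not affected by this check
        kid = key.get("kid", "<no kid>")
        want = COORD_BYTES.get(key.get("crv"))
        if want is None:
            findings.append((kid, f"unknown curve {key.get('crv')!r}"))
            continue
        for coord in ("x", "y"):
            try:
                got = b64url_len(key.get(coord, ""))
            except ValueError:  # binascii.Error: not valid base64url
                findings.append((kid, f"{coord} is not valid base64url"))
                continue
            if got != want:
                findings.append((kid, f"{coord} is {got} bytes, {key['crv']} needs {want}"))
    return findings


def enc(raw):
    """Helper for the constructed sample: unpadded base64url."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed JWKS: the byte strings only have the right or wrong length,
# they are not real key material.
SAMPLE_JWKS = {"keys": [
    {"kty": "RSA", "kid": "rsa-1", "n": enc(b"\x01" * 256), "e": "AQAB"},
    {"kty": "EC", "kid": "ec-ok", "crv": "P-256", "x": enc(b"\x02" * 32), "y": enc(b"\x03" * 32)},
    {"kty": "EC", "kid": "ec-bad", "crv": "P-256", "x": enc(b"\x00" + b"\x02" * 32), "y": enc(b"\x03" * 32)},
]}

if __name__ == "__main__":
    for kid, reason in bad_ec_keys(SAMPLE_JWKS):
        print(kid, reason)
```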

### Setting up Tyk

Now you're ready to set up Tyk. For compatibility reasons, check your `tyk_analytics.conf` and make sure that a proper `oauth_redirect_uri_separator` parameter is set. You can use the following value:

```json theme={null}
    "oauth_redirect_uri_separator": ";",
```

Remember to restart the service after applying the above change.

Now open the Tyk Dashboard and click **APIs** under **System Management**. Create a new API called "Gluu API":

<img src="https://mintcdn.com/tyk/gQqrg0xptB2_TmVu/img/dcr/gluu/step_4.png?fit=max&auto=format&n=gQqrg0xptB2_TmVu&q=85&s=5fd2e5ef3d3537ba81daeaf76225df19" alt="Step 4" width="2066" height="1488" data-path="img/dcr/gluu/step_4.png" />

After filling in the first part of the API creation form, click on "Configure API" and set the authentication settings as follows:

<img src="https://mintcdn.com/tyk/gQqrg0xptB2_TmVu/img/dcr/gluu/step_5.png?fit=max&auto=format&n=gQqrg0xptB2_TmVu&q=85&s=bce9720988b40bf4b9b7441870863ca6" alt="Step 5" width="2234" height="1424" data-path="img/dcr/gluu/step_5.png" />

<Note>
  Where do I get the proper JWKS URI for my Gluu environment?

  The JWKS URI is a required field in the `.well-known/openid-configuration` endpoint of your OpenID Connect Provider metadata, typically found as `"jwks_uri"`. Please see the spec [https://openid.net/specs/openid-connect-discovery-1\_0.html#ProviderConfigurationResponse](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse) for further information.
</Note>

For the **Identity Source** field use `"client_id"` and for **Policy Field Name** use `"pol"`.

Click "Save" and switch to the "Policies" button under "System Management". Once in this section, click on "Create a Policy" and call it "Gluu Policy". Use the default values for this one. Remember to select the previously created "Gluu API" in the access rights section. You will also need to set an expiration setting for the keys.

After the policy is ready, switch back to the API settings and make sure that the API is using the appropriate policy:

<img src="https://mintcdn.com/tyk/gQqrg0xptB2_TmVu/img/dcr/gluu/step_6.png?fit=max&auto=format&n=gQqrg0xptB2_TmVu&q=85&s=91eeb046bed15d6770c2f669ea0cf0ca" alt="Step 6" width="1524" height="892" data-path="img/dcr/gluu/step_6.png" />

Now you’re ready to add this API to the developer portal. Switch to the "Catalog" section under "Portal Management" on the navigation menu. Click on "Add New API", set a name for it and select the newly created policy. For this example use "Gluu Policy":

<img src="https://mintcdn.com/tyk/gQqrg0xptB2_TmVu/img/dcr/gluu/step_7.png?fit=max&auto=format&n=gQqrg0xptB2_TmVu&q=85&s=db0defb3c7ddb49c289f36449b116970" alt="Step 7" width="2256" height="1374" data-path="img/dcr/gluu/step_7.png" />

Hit "Save" and click on the recently created item again, then switch to the "Settings" tab that’s next to "API Details". In "API Details" toggle the "Override global settings" option.

<Note>
  Tyk lets you set global portal settings that apply to **all portal-listed APIs**. In this guide we assume you’re enabling and setting up DCR for a single API. If you want to enable DCR for all the APIs, go to the **Settings** section under **Portal Management** and enter your DCR settings in the **API Access** tab.
</Note>

Once the "Override global settings" option is toggled, scroll down to the DCR section at the bottom and enter the following settings:

<img src="https://mintcdn.com/tyk/gQqrg0xptB2_TmVu/img/dcr/gluu/step_8.png?fit=max&auto=format&n=gQqrg0xptB2_TmVu&q=85&s=8d4f6cc9832fbf27ab3a909da3ad4747" alt="Step 8" width="2220" height="1170" data-path="img/dcr/gluu/step_8.png" />

**Providers:** Different providers might implement the standard in slightly different ways. Tyk provides a specific driver for each one. For IDPs that aren’t on the list use the "Other" option. For this guide, pick "Gluu".

**Grant Types:** The [OAuth 2.0 grant types](/5.9/api-management/authentication/oauth-2) that will be used by the client; see the [specification](https://openid.net/specs/openid-connect-registration-1_0.html#rfc.section.2) for more details. Set "Client Credentials".

**Token Endpoint Auth Method:** defines the way the client will authenticate against the token endpoint. Use "Client Secret - Post".

**Response Types:** OAuth 2.0 response types that will be used by the client. Set **Token**.

**Identity Provider Host:** Base IDP URL, e.g. `https://gluu-server/`

**Client Registration Endpoint:** OpenID Connect client registration endpoint. The value we use is `https://gluu-server/oxauth/restv1/register`

This value is found in your well-known discovery document as `registration_endpoint`. The well-known location URL is typically `https://gluu-server/.well-known/openid-configuration` (replace "gluu-server" with your hostname).

**Initial Registration Access Token:** The token that’s used to register new clients. This was generated in the early steps of the guide.
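A pre-flight check for the values entered above, as an added example (not Tyk or Gluu code): it compares the Identity Provider Host and Client Registration Endpoint against the discovery document and confirms that the IDP advertises the grant type and token endpoint auth method chosen in this guide. The sample discovery document is constructed, and its `jwks_uri` path is an assumed value.

```python
from urllib.parse import urlparse

ENDPOINT_KEYS = ("registration_endpoint", "token_endpoint", "jwks_uri")
# Discovery metadata values for "Client Credentials" and "Client Secret - Post".
REQUIRED = (
    ("grant_types_supported", "client_credentials"),
    ("token_endpoint_auth_methods_supported", "client_secret_post"),
)


def preflight(discovery, idp_host, registration_endpoint):
    """Return the problems that would break the DCR settings from this guide."""
    problems = []
    expected_host = urlparse(idp_host).hostname
    for key in ENDPOINT_KEYS:
        url = discovery.get(key)
        if not url:
            problems.append(f"{key} is missing from the discovery document")
            continue
        parsed = urlparse(url)
        if parsed.scheme != "https":
            problems.append(f"{key} is not https: {url}")
        if parsed.hostname != expected_host:
            problems.append(f"{key} is not on the Identity Provider Host: {url}")
    if discovery.get("registration_endpoint") != registration_endpoint:
        problems.append("Client Registration Endpoint differs from registration_endpoint")
    for key, wanted in REQUIRED:
        if wanted not in discovery.get(key, []):
            problems.append(f"{key} does not list {wanted}")
    return problems


# Constructed sample, not output captured from a real Gluu server.
SAMPLE_DISCOVERY = {
    "issuer": "https://gluu-server",
    "registration_endpoint": "https://gluu-server/oxauth/restv1/register",
    "token_endpoint": "https://gluu-server/oxauth/restv1/token",
    "jwks_uri": "https://gluu-server/oxauth/restv1/jwks",  # assumed path
    "grant_types_supported": ["authorization_code", "client_credentials"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
}

if __name__ == "__main__":
    for problem in preflight(SAMPLE_DISCOVERY, "https://gluu-server/",
                             "https://gluu-server/oxauth/restv1/register"):
        print(problem)
```

An empty result means the form values and the discovery document agree; fetch the real document from your own well-known URL and pass it in place of the sample.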

### Testing the flow

Now that both Tyk and Gluu are ready you can try the complete flow. Click "Developers" under "Portal Management", then click "Add developer" and enter some basic information here to create a developer user.

After the developer is created, open the portal, click on the "OAuth Clients" navigation bar button and follow the wizard:

<img src="https://mintcdn.com/tyk/gQqrg0xptB2_TmVu/img/dcr/gluu/step_9.png?fit=max&auto=format&n=gQqrg0xptB2_TmVu&q=85&s=d25776d5d9d2da1be250c51c7eac6861" alt="Step 9" width="1600" height="896" data-path="img/dcr/gluu/step_9.png" />

After clicking "Create first OAuth Client" you’ll see your previously created "Gluu API". Select it and click "Save and continue". The following screen will require you to enter a client name. It’s possible to set redirect URLs if you also plan to use this client for other flow types. This setting can be left blank for the purposes of this example.

<img src="https://mintcdn.com/tyk/gQqrg0xptB2_TmVu/img/dcr/gluu/step_10.png?fit=max&auto=format&n=gQqrg0xptB2_TmVu&q=85&s=3e4bffca080cb6cc44cd16aa7c93b2a8" alt="Step 10" width="1556" height="1146" data-path="img/dcr/gluu/step_10.png" />

Once you click "Create", Tyk will trigger a registration on your IDP and the details of your client will show up:

<img src="https://mintcdn.com/tyk/gQqrg0xptB2_TmVu/img/dcr/gluu/step_11.png?fit=max&auto=format&n=gQqrg0xptB2_TmVu&q=85&s=a461c11931d76c31748c50ce51262c46" alt="Step 11" width="1562" height="1298" data-path="img/dcr/gluu/step_11.png" />

If you check the Gluu dashboard you will see a new client (named "GluuClient"):

<img src="https://mintcdn.com/tyk/gQqrg0xptB2_TmVu/img/dcr/gluu/step_12.png?fit=max&auto=format&n=gQqrg0xptB2_TmVu&q=85&s=7c41fbd594e628e0b943a9eab9dd277c" alt="Step 12" width="2240" height="1404" data-path="img/dcr/gluu/step_12.png" />

The next step is to generate a token and use it for accessing your "Gluu API". You can use Postman for this. You will need the token URL, which is also present in the Well-Known URI of your organization. The field is named `"token_endpoint"`.
For this example use the following: [https://gluu-server/oxauth/restv1/token](https://gluu-server/oxauth/restv1/token)

Your Postman request should contain the following body, where `"client_id"` and `"client_secret"` are the values you got from the developer portal:

<img src="https://mintcdn.com/tyk/gQqrg0xptB2_TmVu/img/dcr/gluu/step_13.png?fit=max&auto=format&n=gQqrg0xptB2_TmVu&q=85&s=bdc9dbeacb2b713a523dedcbbe616c5d" alt="Step 13" width="1782" height="1350" data-path="img/dcr/gluu/step_13.png" />

Note that you aren’t using any additional headers for this request; the client credentials are enough.

Once you get a response from the IDP, you can copy the `"access_token"` and use it to access your "Gluu API". This request will be proxied by Tyk:

<img src="https://mintcdn.com/tyk/gQqrg0xptB2_TmVu/img/dcr/gluu/step_14.png?fit=max&auto=format&n=gQqrg0xptB2_TmVu&q=85&s=4176e72bcd53452863fe87d00f6b8cdc" alt="Step 14" width="1796" height="1330" data-path="img/dcr/gluu/step_14.png" />
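The two requests from this section expressed in code, as an added example rather than anything taken from the screenshots: the token request carries the client credentials in the form body, and the returned token is decoded (not verified) to confirm it is a signed JWT with the `client_id` claim that the API's Identity Source points at. Sending the token as `Authorization: Bearer …` is an assumption, and the sample response is constructed.

```python
import base64
import json
from urllib.parse import urlencode
from urllib.request import Request


def token_request(token_endpoint, client_id, client_secret):
    """Client credentials grant with "Client Secret - Post": secret in the form body."""
    form = {"grant_type": "client_credentials",
            "client_id": client_id, "client_secret": client_secret}
    return Request(token_endpoint, data=urlencode(form).encode(), method="POST",
                   headers={"Content-Type": "application/x-www-form-urlencoded"})


def decode_segment(segment):
    """Decode one unpadded base64url JWT segment into a dict."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))


def inspect_token(token_response, identity_claim="client_id"):
    """Decode the token WITHOUT verifying it, for diagnostics only.

    Signature verification stays with Tyk, which checks the token against the JWKS.
    """
    if "error" in token_response:
        raise ValueError(f"IDP returned an error: {token_response['error']}")
    parts = token_response["access_token"].split(".")
    if len(parts) != 3:
        raise ValueError("access_token is not a three-part signed JWT")
    header, claims = decode_segment(parts[0]), decode_segment(parts[1])
    if str(header.get("alg", "none")).lower() == "none":
        raise ValueError("token is unsigned (alg=none)")
    if identity_claim not in claims:
        raise ValueError(f"claim {identity_claim!r} (the Identity Source) is missing")
    return header, claims


def api_request(api_url, access_token):
    """Request to the API behind Tyk; the Bearer header is an assumption."""
    return Request(api_url, headers={"Authorization": f"Bearer {access_token}"})


def encode_segment(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed token response; every value is a placeholder.
SAMPLE_RESPONSE = {"token_type": "bearer", "access_token": ".".join([
    encode_segment({"alg": "RS256", "kid": "constructed-kid"}),
    encode_segment({"client_id": "constructed-client-id"}),
    "constructed-signature"])}
```

Pass either `Request` object to `urllib.request.urlopen` to send it against your own Gluu server and Tyk Gateway.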
