What is Tyk Identity Broker?
The Tyk Identity Broker provides a service-level component that enables delegated identities to be authorized and provide authenticated access to various Tyk-powered components such as the Tyk Dashboard, the Tyk Developer Portal and Tyk Gateway API flows such as OAuth access tokens, and regular API tokens.
How it works
Tyk Identity Broker provides a simple API, which traffic can be sent through, the API will match the request to a profile which then exposes two things:
- An Identity Provider – the thing that will authorize a user and validate their identity
- An Identity Handler – the thing that will authenticate a user with a delegated service (in this case, Tyk)
Identity providers can be anything, so long as they implement the
tap.TAProvider interface. Bundled with TIB at the moment you have three providers:
- Social – Provides OAuth handlers for many popular social logins (such as Google, Github and Bitbucket)
- LDAP – A simple LDAP protocol binder that can validate a username and password against an LDAP server (tested against OpenLDAP)
- Proxy – A generic proxy handler that will forward a request to a third party and provides multiple “validators” to identify whether a response is successful or not (e.g. status code, content match and regex)
An identity handler will perform a predefined set of actions once a provider has validated an identity, these actions are defined as a set of action types:
Pass through or redirect user-based actions
GenerateOrLoginDeveloperProfile– Will create or login a user to the Tyk Developer Portal
GenerateOrLoginUserProfile– Will log a user into the dashboard (this does not create a user, only drops a temporary session for the user to have access)
GenerateOAuthTokenForClient– Will act as a client ID delegate and grant an Tyk-provided OAuth token for a user using a fragment in the redirect URL (standard flow)
Direct or redirect
GenerateTemporaryAuthToken – Will generate a Tyk standard access token for the user, can be delivered as a redirect fragment OR as a direct API response (JSON)
These are actions are all handled by the
tap.providers.TykIdentityHandler module which wraps the Tyk Gateway, Dashboard and Admin APIs to grant access to a stack.
Handlers are not limited to Tyk, a handler can be added quite easily by implementing the
TAProvider so long as it implements this pattern and is registered it can handle any of the above actions for it’s own target.
Requirements and dependencies
- Tyk Gateway v1.9.1+
- Tyk Dashboard v0.9.7.1+
Extract the tarball and run the binary:
tar -xvzf tib-linux-amd64-v0.1.tar.gz
No command line arguments are needed, but if you are running TIB from another dir or during startup, you will need to set the absolute paths to the profile and config files
Usage of ./tyk-auth-proxy: -c=string Path to the config file (default "tib.conf") -p#=string Path to the profiles file (default "profiles.json")