Tag: JWT

Integrate Tyk with Auth0

There’s been a lot of community chatter about this, and a lot of back-and-forth trying to get Auth0 to play nicely with Tyk’s low-level JWT handling.

Well, now you can chill, because Auth0 integration is now easy as pie!

Let’s get things ready:

  1. In your Auth0 Application, under OAuth Settings, click “Show Advanced Settings”
  2. Select the “OAuth” tab
  3. Make sure “JsonWebToken Token Signature Algorithm” is set to RS256
  4. Save it

[Screenshot: Tyk OpenID Connect support with RSA keys]

We’re going to simulate a login here, but in a real app, as part of your OAuth flow, you will need to add scope=openid to your authorize request in order to get the OpenID ID Token.

To simulate a login (I assume you have a test user), browse to your “Users” section and click “Sign In As User” and select your App. In order to get the ID Token, you must use the “Client Side App” option.

[Screenshot: Tyk Auth0 OpenID Connect support]

When you click this, you’ll be taken to a login page provided by Auth0. You don’t actually need to log in, because Auth0 signs in as that user for you. In the address bar you will see a parameter called “id_token”: this is the OpenID ID token you are going to use with Tyk. Copy it to a file somewhere safe; it is a bearer credential, so anyone who has it can make requests as that user until it expires.

Now that we have a token we can play with, we can use it with an API we are proxying with Tyk.

Setting up Auth0 with Tyk

  1. Create a new API, let’s call it auth0
  2. Select “OpenID Connect” as your Authentication mode
  3. Save it.

OIDC with Tyk is a little chicken-and-egg: access rules are applied per client, and each approved client has to be mapped to a policy, so the policy must exist before you can add the rules to your API Definition. So now that we’ve saved the API, go and create a policy that grants access to it.

Now, back to your Auth0 API Definition:

  1. Add your Auth0 tenant URL as the provider (e.g. https://tyk-test.eu.auth0.com/; each tenant’s is different) in the issuer field that shows accounts.google.com as sample text, and click “Add”. The value must match the token’s iss claim exactly, trailing slash included.
  2. When the new issuer is added, take your Auth0 App’s Client ID, add it as an approved Client ID, and under Policies select the policy you just created.
  3. Click “Add” – you’ll see the policy add to the table
  4. Save the API

Ok, you’re all set. Now all you need to do is craft a request to your API with the header Authorization: Bearer {id-token}. You’ll see that the token gets through, and the rate limits and policy mapped to that client ID are applied to the identity carried in the token.

Easy as pie 🙂

OpenID Connect Support in Tyk Cloud is Here!

OpenID Connect support just went live on Tyk Cloud!

So let’s talk about how OpenID Connect support works with Tyk, because it’s pretty cool.

You can now take JSON Web Tokens generated by an OpenID Connect-compatible Identity Provider (id_tokens, in OIDC parlance), point them at your Tyk-Cloud-managed API, and Tyk will jump through the hoops for you:

First, we validate the token:

  1. Is it a well-formed JWT?
  2. Was it issued by a known OpenID Provider (the iss claim)?
  3. Was it issued for a known client (the aud claim)?
  4. Is it valid right now (the nbf “not before” and exp “expiration” claims)?
  5. Does its signature verify against that issuer’s key?

The signature check is what makes the other checks mean anything: a token whose signature does not verify is rejected no matter what its claims say.

Then, we apply some rules:

  1. For this client ID, is there an associated token policy?
  2. Is there an underlying identity (the user ID of the bearer of the token, the sub claim)?
  3. Generate an internal representation of that user, so they can be identified across JWTs and clients.
  4. Apply the policy template to that identity (that’s your access control, throttling and quotas).
  5. Generate some useful metadata for your analytics.
  6. Let the request through.

You can, if you are so inclined, even have the bearer rate-limited differently depending on which client they came through: a user arriving via your free client gets limited access, while the same user on your enterprise client gets super-fuelled access. It’s as easy as flipping a switch in your API configuration.
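To make both halves of this post concrete (the Auth0 walkthrough above, where an issuer, its approved client IDs and their policies are entered, and the validation and rule lists just described), here is an added Go example. It is illustrative code written for this page, not Tyk’s source or its API-definition format; Go was chosen because Tyk itself is written in Go. It mints an RS256 ID token the way Auth0 or any other OpenID Provider would, then runs the validation chain (well-formed JWT, known issuer, signature, approved client, nbf/exp window), derives a stable per-user identity from issuer plus subject, and maps the token’s client ID to a policy, so the same user gets one policy through a “free” client and another through an “enterprise” client, while a token signed by an unknown key is refused. The issuer URL is the one from the walkthrough; the key pairs, client IDs, subject and policy names are constructed for the example, and the Provider struct is a simplified model of what the dashboard collects, not Tyk’s openid_options schema.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Provider is a simplified model of what the walkthrough configures per issuer (illustrative, not Tyk's own schema).
type Provider struct {
	PublicKey *rsa.PublicKey    // the key this issuer signs with
	ClientIDs map[string]string // approved client_id -> policy ID
}

type claims struct { // only the ID-token claims checked below; aud kept as a single string for brevity
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
	Nbf int64  `json:"nbf,omitempty"`
}

var b64 = base64.RawURLEncoding

// mintIDToken signs an ID token with RS256, as the OpenID Provider would.
func mintIDToken(key *rsa.PrivateKey, c claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// checkIDToken runs the post's validation chain (structure, known issuer, signature before any other claim is
// trusted, approved client, time window) and returns a stable identity (issuer + subject) plus the client's policy.
func checkIDToken(token string, providers map[string]Provider, now time.Time) (identity, policy string, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", "", fmt.Errorf("not a compact JWS")
	}
	var hdr map[string]string
	if raw, e := b64.DecodeString(parts[0]); e != nil || json.Unmarshal(raw, &hdr) != nil || hdr["alg"] != "RS256" {
		return "", "", fmt.Errorf("bad header or alg is not RS256") // never honour alg=none or a token-chosen algorithm
	}
	var c claims
	if raw, e := b64.DecodeString(parts[1]); e != nil || json.Unmarshal(raw, &c) != nil {
		return "", "", fmt.Errorf("bad payload")
	}
	p, known := providers[c.Iss] // the verification key comes from our issuer table, never from the token
	if !known {
		return "", "", fmt.Errorf("unknown issuer %q", c.Iss)
	}
	sig, e := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if e != nil || rsa.VerifyPKCS1v15(p.PublicKey, crypto.SHA256, digest[:], sig) != nil {
		return "", "", fmt.Errorf("signature does not verify")
	}
	policy, ok := p.ClientIDs[c.Aud]
	if !ok {
		return "", "", fmt.Errorf("client %q is not approved for this issuer", c.Aud)
	}
	if t := now.Unix(); t >= c.Exp || t < c.Nbf {
		return "", "", fmt.Errorf("token is outside its nbf/exp window")
	}
	return c.Iss + "|" + c.Sub, policy, nil
}

// runScenario sends one user through two approved clients, then presents a token signed by a key the gateway never saw.
func runScenario() (freeID, freePolicy, entID, entPolicy string, forgedErr, err error) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	rogue, _ := rsa.GenerateKey(rand.Reader, 2048)
	const issuer = "https://tyk-test.eu.auth0.com/" // from the walkthrough; client IDs, subject and policies below are constructed
	providers := map[string]Provider{issuer: {PublicKey: &key.PublicKey, ClientIDs: map[string]string{"freeClientId": "policy-free", "enterpriseClientId": "policy-enterprise"}}}
	now := time.Now()
	mint := func(k *rsa.PrivateKey, aud string) string {
		t, _ := mintIDToken(k, claims{Iss: issuer, Sub: "auth0|user123", Aud: aud, Exp: now.Add(time.Hour).Unix()})
		return t
	}
	if freeID, freePolicy, err = checkIDToken(mint(key, "freeClientId"), providers, now); err != nil {
		return
	}
	entID, entPolicy, err = checkIDToken(mint(key, "enterpriseClientId"), providers, now)
	_, _, forgedErr = checkIDToken(mint(rogue, "freeClientId"), providers, now)
	return
}

func main() {
	fmt.Println(runScenario())
}
```

Two details are worth noting. The issuer is looked up from the iss claim and the signature is verified against that issuer’s configured key before aud or the time window are consulted, so a token signed with any other key fails before its claims matter, and the header check refuses anything but RS256 rather than letting the token pick its own algorithm. A real gateway obtains an issuer’s public keys through OIDC discovery rather than having them pasted in; the key is configured directly here only to keep the example runnable offline.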

What does this mean?

It means that you do not need to integrate with Tyk at all, or even have Tyk generate tokens for you: token issuance and control can rest entirely with your IdPs, using the OIDC standard, and you simply point those tokens at your Tyk Cloud instance. All you need to do is decide which issuers, and which of their registered clients, to allow through, and which policies and rules to apply to each of those clients.

That means Mitre, Google+, Auth0 and any other single-sign-on provider that can issue OpenID Connect tokens is now compatible with Tyk Cloud.

But Wait, I’m an on-prem user! I want OIDC Too!

Well, you won’t have to wait long – we’re going to be pushing a release very soon with this feature because we think it’s so awesome. If you are extremely impatient, it will be live in our nightlies very shortly.
