Integrating with Tyk API Gateway

The Tyk API Gateway, and specifically the Tyk Developer Portal, added support for Dynamic Client Registration (DCR) in version 3.2. With DCR, the portal can register OAuth clients in the Curity Identity Server on a developer's behalf, which is what makes the integration described here possible.

Detailed step-by-step documentation

This article provides a high-level overview of the integration. A detailed step-by-step guide can be found in the Tyk documentation.

Prerequisites

Enable DCR

Dynamic Client Registration is not enabled by default in the Curity Identity Server. Follow the Non-Templatized Dynamic Client Registration article to learn how to enable and configure DCR.

Configure Tyk

Tyk is configured with an API that will be exposed on the Developer Portal. The choice of upstream API does not matter for the integration itself; the detailed guide uses httpbin.org for testing because it echoes the request back, which makes it easy to see exactly what access token Tyk passes upstream in the Authorization header.

There are two different ways to protect the API that is to be published to the Developer Portal: JWT access tokens and split tokens. Choose the one appropriate to your use case.

JWT Protected APIs

The Tyk configuration is straightforward: Tyk fetches the signing keys from the JWKS endpoint of the Curity Identity Server and uses them to validate the signature of each incoming JWT. Note that the Curity Identity Server does not issue JWTs as access tokens by default (access tokens are opaque), but this is easily changed. Enable Use Access Token As JWT under Profiles -> Token Service -> Token Issuers, or configure individual token issuers per client as described in the Custom Token Issuer article.

Split Token Protected APIs

The Split Token Approach is more involved and requires a middleware to be deployed to the Tyk Gateway. In return it follows the best practice of not exposing JWTs to external clients: the client only ever holds an opaque token, and the JWT is reassembled inside the gateway before it is validated and forwarded upstream.
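The following Go program is an added illustration, not code from this article, from Tyk or from Curity. It puts the two protection models side by side: verifyJWT performs the check a JWKS-backed JWT middleware runs for a JWT protected API (key selection by kid, algorithm pinning, RS256 signature verification before any claim is trusted), while splitToken and reassemble show what a split token middleware has to do: the client receives only the signature, header.payload is cached under the SHA-256 hash of that signature, and the gateway rebuilds the JWT and then verifies it exactly as in the JWT case. The signing key, the kid "demo-kid", the claims and the in-memory cache are stand-ins; fetching and parsing the JWKS document over HTTP, and expiry and audience checks, are left out.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding // JWTs use unpadded base64url

// JWKS is the gateway's view of the issuer's JWKS document once fetched and parsed: public keys by kid.
type JWKS map[string]*rsa.PublicKey

// issueJWT signs an RS256 compact JWT, as the token service does once access tokens are issued as JWTs.
func issueJWT(priv *rsa.PrivateKey, kid string, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig), err
}

// verifyJWT is the per-request check of a JWKS-backed JWT middleware: pin the algorithm, select the key
// by kid, verify the signature, then trust the claims. (Expiry and audience checks are left out here.)
func verifyJWT(jwks JWKS, token string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("not a compact JWT")
	}
	var seg [3][]byte
	for i, p := range parts {
		b, err := b64.DecodeString(p)
		if err != nil {
			return nil, fmt.Errorf("segment %d: %w", i, err)
		}
		seg[i] = b
	}
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if err := json.Unmarshal(seg[0], &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "RS256" { // never let the token choose the algorithm ("none", HS256 keyed with the public key)
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	pub, ok := jwks[hdr.Kid]
	if !ok {
		return nil, fmt.Errorf("no key with kid %q in JWKS", hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], seg[2]); err != nil {
		return nil, errors.New("invalid signature")
	}
	claims := map[string]any{}
	return claims, json.Unmarshal(seg[1], &claims)
}

// splitToken: the client gets only the signature; header.payload is cached under SHA-256(signature).
func splitToken(jwt string) (clientToken, cacheKey, cached string, err error) {
	if i := strings.LastIndexByte(jwt, '.'); i > 0 {
		sum := sha256.Sum256([]byte(jwt[i+1:]))
		return jwt[i+1:], b64.EncodeToString(sum[:]), jwt[:i], nil
	}
	return "", "", "", errors.New("not a compact JWT")
}

// reassemble is the gateway middleware step: hash the opaque bearer token, look up header.payload, rebuild the JWT.
func reassemble(cache map[string]string, clientToken string) (string, error) {
	sum := sha256.Sum256([]byte(clientToken))
	if cached, ok := cache[b64.EncodeToString(sum[:])]; ok {
		return cached + "." + clientToken, nil
	}
	return "", errors.New("unknown token")
}

// demoKey stands in for the issuer's signing key; a real issuer loads it from its key store.
func demoKey() *rsa.PrivateKey {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // only fails if the system RNG is unavailable
	return priv
}

func main() {
	priv := demoKey()
	jwks := JWKS{"demo-kid": &priv.PublicKey} // what the gateway holds after fetching the JWKS
	jwt, _ := issueJWT(priv, "demo-kid", map[string]any{"sub": "client-123", "scope": "read"})
	clientToken, key, cached, _ := splitToken(jwt) // the client keeps only the signature
	rebuilt, _ := reassemble(map[string]string{key: cached}, clientToken)
	claims, err := verifyJWT(jwks, rebuilt) // the same check a JWT protected API runs on the full JWT
	fmt.Println(claims["sub"], err, rebuilt == jwt)
}
```

The security of the split comes from the cache key being a hash of the signature: someone who reads the cache obtains header.payload but cannot produce the signature, and someone who steals the opaque client token cannot derive header.payload from it. Either half alone is useless, and the reconstructed JWT still has to pass the ordinary JWKS signature check, so the gateway does not extend any extra trust to cached data.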

Conclusion

When fully configured, a developer can dynamically register an OAuth client from the Tyk Developer Portal. The portal performs the registration in the Curity Identity Server and displays the generated client_id and client secret, which the developer then uses to obtain an access token (a JWT or a split token, depending on how the API is protected) and call the API in question.