The Tyk API Gateway, and specifically the Tyk Developer Portal from version 3.2, added support for Dynamic Client Registration (DCR). This functionality enables a powerful integration with the Curity Identity Server.
Detailed step-by-step documentation
This article provides a high-level overview of the integration. A detailed step-by-step guide can be found in the Tyk documentation.
- An installation of the Curity Identity Server. The Getting Started Guide is a great place to start.
- An installation of the Tyk API Gateway. The detailed documentation assumes this is an on-premise installation of Tyk.
Dynamic Client Registration is not enabled by default in the Curity Identity Server. Follow the Non-Templatized Dynamic Client Registration article to learn how to enable and configure DCR.
Tyk is configured with an API that is to be exposed on the Developer Portal. What the upstream API is doesn’t really matter, although the detailed documentation uses httpbin.org as the upstream API for testing purposes. Because httpbin.org echoes the request, it is easy to see which access token gets passed upstream in the Authorization header.
There are two different ways to protect the API that is to be published to the Developer Portal: JWT access tokens and split tokens. Choose the one appropriate to your use case.
The configuration in Tyk is very straightforward. Tyk uses the JWKS endpoint of the Curity Identity Server to validate the JWT. Note that the Curity Identity Server does not issue JWTs as access tokens by default, but this can easily be configured. Do so by enabling Use Access Token As JWT in Token Service -> Token Issuers. Or, configure individual token issuers per client as outlined in the Custom Token Issuer article.
The Split Token Approach is a bit more involved and requires a middleware to be deployed to the Tyk Gateway. However, it is more in line with the best practice of not handing JWTs to external clients: the client only ever holds an opaque value, and the gateway reconstructs the JWT before forwarding it upstream.
When fully configured, it will be possible to dynamically register an OAuth client in the Tyk Developer Portal. The portal will handle the client’s registration in the Curity Identity Server. It will display the generated client_id and client secret, which can then be used to obtain a token (JWT or split token) for accessing the API in question.