Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[TT-13332] Update tyk docs with enhanced upstream authentication (OAuth CC&PW flows) #5695

Draft
wants to merge 2 commits into
base: master
Choose a base branch
from
Draft

[TT-13332] Update tyk docs with enhanced upstream authentication (OAuth CC&PW flows) #5695

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
ee9f9e2
TT-13332, added docs for upstream OAuth
andrei-tyk Nov 6, 2024
db5f5c8
TT-13332, fixed small mistake
andrei-tyk Nov 6, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
117 changes: 117 additions & 0 deletions ...ocs/content/basic-config-and-security/security/upstream-authentication/oauth.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,117 @@
---
title: Upstream OAuth Authentication
tags: ["upstream-oauth-auth"]
description: "How to authenticate upstream requests with OAuth authentication"
menu:
main:
parent: "Upstream Authentication"
weight: 3
---

If your upstream API is protected with OAuth authentication, you can configure Tyk to send requests with OAuth authentication credentials.

## How To Set Up

### Via API Definition

Inside your OAS API definition you should configure `x-tyk-api-gateway.upstream.authentication.oauth` field.

### Client Credentials Grant

To use the client credentials grant type, configure the following fields:

- `enabled` needs to be true to enable OAuth authentication.
- `allowedAuthorizeTypes` should include `clientCredentials`.
- `clientCredentials` should be configured with:
- `header.enabled` set to true.
- `header.name` is the header to be used.
- `tokenUrl` is the URL to obtain the token.
- `clientId` is the client ID to be used.
- `clientSecret` is the client secret to be used.
- `scopes` is an array of scopes to be requested.
- `extraMetadata` is an array of additional fields to be read from the OAuth provider response and saved to the request context.

Example:
```json
{
"x-tyk-api-gateway": {
"upstream": {
"authentication": {
"enabled": true,
"oauth": {
"allowedAuthorizeTypes": [
"clientCredentials"
],
"clientCredentials": {
"header": {
"enabled": true,
"name": "Authorization"
},
"tokenUrl": "http://salesforce.com",
"clientId": "client123",
"clientSecret": "secret123",
"scopes": ["scope1"],
"extraMetadata": ["instance_url"]
}
}
}
}
}
}
```

### Password Grant

To use the password grant type, configure the following fields:
- `enabled` needs to be true to enable OAuth authentication.
- `allowedAuthorizeTypes` should include `password`.
- `password` should be configured with:
- `header.enabled` set to true.
- `header.name` is the header to be used.
- `tokenUrl` is the URL to obtain the token.
- `clientId` is the client ID to be used.
- `clientSecret` is the client secret to be used.
- `scopes` is an array of scopes to be requested.
- `username` is the username to be used.
- `password` is the password to be used.
- `extraMetadata` is an array of additional fields to read from the OAuth provider response and saved to the request context.


Example:
```json
{
"x-tyk-api-gateway": {
"upstream": {
"authentication": {
"oauth": {
"enabled": true,
"allowedAuthorizeTypes": [
"password"
],
"password": {
"header": {
"enabled": true,
"name": "Authorization"
},
"tokenUrl": "http://salesforce.com",
"clientId": "client123",
"clientSecret": "secret123",
"scopes": ["scope1"],
"username": "user",
"password": "pass",
"extraMetadata": ["instance_url"]
}
}
}
}
}
}
```

**Note**
If the `extraMetadata` field is configured, the response from the OAuth provider will be parsed and the fields specified in the `extraMetadata` array will be saved to the request context.
Those fields can be accessed in the middlewares (e.g. URL Rewrite) via the $tyk_context object.
In our use case, the `instance_url` field will be saved to the request context and can be accessed in the URL Rewrite middleware as `$tyk_context.instance_url`.
However, when creating a matching rule based on Request Context in the URL Rewrite middleware, the field identifier is just `instance_url` as $tyk_context is implied.


8 changes: 8 additions & 0 deletions tyk-docs/data/menu.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1380,6 +1380,14 @@ menu:
path: /basic-config-and-security/security/authentication-authorization/json-web-tokens/jwt-keycloak
category: Page
show: True
- title: "Upstream Authentication"
category: Directory
show: True
menu:
- title: "Upstream OAuth"
path: /basic-config-and-security/security/upstream-authentication/oauth
category: Page
show: True
- title: "MTLS"
category: Directory
show: True
Expand Down
Loading