@lonelycode
Created December 7, 2017 01:48
### Prerequisites:
1. You must have a client set up in Auth0, make sure you know the client ID
2. You must have a user set up in Auth0
### Step 1: Log in
Point your browser at the Auth0 login URL. It will look something like the one below; make sure it includes all the details needed for the first leg of the OAuth flow (client ID, `openid` scope, `response_type=code`, the redirect URI and a `state` value):
```
https://{YOUR-ACCT}.auth0.com/authorize?client_id={CLIENT_ID}&scope=openid&response_type=code&redirect_uri=https://{YOUR-ACCT}.auth0.com/login&state=123456789
```
This will take you to the Auth0 login page.
### Step 2: Log in as your fake user
The system will now redirect you to whatever redirect URL you have set. I'd suggest a request bin so you can pull out the authorization code.
Get the authorization code from the URL that you have been redirected to; it should just be the `code` parameter in the query string.
### Step 3. Exchange the code for your id token:
Standard OAuth stuff here, using the Auth0 data API:
```
# The redirect_uri must be identical to the one used in Step 1.
curl --request POST \
  --url 'https://{ACCT}.auth0.com/oauth/token' \
  --header 'content-type: application/json' \
  --data '{"grant_type":"authorization_code","client_id": "{CLIENT_ID}","client_secret": "{SECRET}","code": "{CODE}","redirect_uri": "https://{ACCT}.auth0.com/login"}' | python -m json.tool
```
And you get:
```
{
    "access_token": "ee7c1X2gmN5f0VyGsRjuB_RJgKIAAU8u",
    "expires_in": 86400,
    "id_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ik1UUXlSRUUxTmpKQ1FUSkdRVVUwTWpCR1JVVkRPVFZHTjBNMk1VSkZOalZHTVRRNU5UazJNdyJ9.eyJpc3MiOiJodHRwczovL3R5ay5hdXRoMC5jb20vIiwic3ViIjoiYXV0aDB8NWEyNGFhNTI0NTE1NzcxMWJlODI1OTRhIiwiYXVkIjoib1FFc045X0hJVXpDWFRKdU9wdTVybTQxRG9EYkFiTEMiLCJpYXQiOjE1MTI2MDg4MjAsImV4cCI6MTUxMjY0NDgyMH0.enFsCw29fvU5PlQfQDF4IjhLyz9xuD7B8JlF1LSm9x7aapaNGL3l9Ko8iLrSLzg3GYXHQUvMuH6n4dsa0U_xo8hJN-s932wwQFbnAVbSms4de9QifUoVMFMohPL7TVUTuSn0N1F-vvepQZJol2kDYRK2DlUPMn43I3ZdPrY7f8LTE9OADPACKeQ9xRZwStzuR3ILab0HZcA4w-KQQJ1nTKIByziC9BOi1nIuu5suIlsrmBhEWxIV1bMKn-7YUfg70wOfxT0xvjIHzV5aWx9fe_7IgTrhH9doO48nmmEzOgRGpnseZi071ZyFFeTg_GPkn6WqypgnjlUxkY42KNoG9Q",
    "token_type": "Bearer"
}
```
### Step 4: Set up an OIDC API in Tyk, make sure to also create a policy for it.
This is a bit chicken and egg: you need to create the API, then the policy, and then edit the API again to add the IDPs.
### Step 5. Re-open the policy and add the appropriate data to allow your ID Token through.
Open your ID token up using jwt.io or something similar. You will need the `iss` claim and the `aud` claim.
The `iss` will look something like `https://tyk.auth0.com/` and the `aud` will be the client ID of the client you set up in step 1 of the prerequisites.
Put the `iss` value into the IDP section of your authorised clients list in the API Designer, then add the client ID underneath it, and finally bind it to the policy you created in Step 4.
Save the API.
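To make the Step 5 matching concrete, here is an added Python example (not code from the gist or from Tyk) that reproduces the decision the gateway has to make: read the `iss` and `aud` claims from the ID token, look the issuer up in a configured IDP list, look the client ID up under that issuer, and map to a policy. `PROVIDERS`, `make_token` and the policy names are constructed for the example and are not Tyk's real configuration format; the claim values mirror the token shown in Step 3.

```python
import base64
import json
import time

# Constructed stand-in for the Step 5 configuration: issuer -> {client_id: policy}.
# Tyk's real config format differs; this only models the lookup order.
PROVIDERS = {
    "https://tyk.auth0.com/": {
        "oQEsN9_HIUzCXTJuOpu5rm41DoDbAbLC": "policy-openid-1",
    },
}

def _b64url_decode(segment):
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(token):
    """Return the payload of a compact JWS as a dict, WITHOUT signature checks.
    This is what jwt.io shows you; a gateway must verify the RS256 signature
    against the issuer's JWKS before trusting any of these claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))

def resolve_policy(claims, providers=PROVIDERS, now=None):
    """Map verified claims to a policy the way Step 5 describes:
    the issuer must be a configured IDP, one of the audiences must be a
    client listed under it, and the token must not be expired."""
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return None                      # expired token: reject
    clients = providers.get(claims.get("iss"))
    if not clients:
        return None                      # unknown issuer: reject
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]  # OIDC allows a list
    for client_id in audiences:
        if client_id in clients:
            return clients[client_id]
    return None                          # issuer known, client not authorised

def make_token(claims):
    """Constructed test helper: a token with a placeholder (unverifiable) signature."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return enc({"typ": "JWT", "alg": "RS256"}) + "." + enc(claims) + ".placeholder-signature"

# Claim values copied from the Step 3 token; the signature is a constructed placeholder.
SAMPLE_CLAIMS = {"iss": "https://tyk.auth0.com/", "sub": "auth0|example-user",
                 "aud": "oQEsN9_HIUzCXTJuOpu5rm41DoDbAbLC", "iat": 1512608820, "exp": 1512644820}
SAMPLE_TOKEN = make_token(SAMPLE_CLAIMS)
```

Running `resolve_policy(decode_claims(SAMPLE_TOKEN), now=1512610000)` returns `"policy-openid-1"`; change the `iss`, use a client ID that is not listed under it, or move `now` past `exp`, and it returns `None`, which is the same outcome as Tyk rejecting the request.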
### Step 6. Access the API:
```
curl -X GET \
https://yourthang.cloud.tyk.io/openid-1/get \
-H 'authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ik1UUXlSRUUxTmpKQ1FUSkdRVVUwTWpCR1JVVkRPVFZHTjBNMk1VSkZOalZHTVRRNU5UazJNdyJ9.eyJpc3MiOiJodHRwczovL3R5ay5hdXRoMC5jb20vIiwic3ViIjoiYXV0aDB8NWEyNGFhNTI0NTE1NzcxMWJlODI1OTRhIiwiYXVkIjoib1FFc045X0hJVXpDWFRKdU9wdTVybTQxRG9EYkFiTEMiLCJpYXQiOjE1MTI2MDg4MjAsImV4cCI6MTUxMjY0NDgyMH0.enFsCw29fvU5PlQfQDF4IjhLyz9xuD7B8JlF1LSm9x7aapaNGL3l9Ko8iLrSLzg3GYXHQUvMuH6n4dsa0U_xo8hJN-s932wwQFbnAVbSms4de9QifUoVMFMohPL7TVUTuSn0N1F-vvepQZJol2kDYRK2DlUPMn43I3ZdPrY7f8LTE9OADPACKeQ9xRZwStzuR3ILab0HZcA4w-KQQJ1nTKIByziC9BOi1nIuu5suIlsrmBhEWxIV1bMKo-7YUfg70wOfxT0xvjIHzV5aWx9fe_7IgTrhH9doO48nmmEzOgRGpnseZi071ZyFFeTg_GPkn6WqypgnjlUxkY42KNoG9Q'
```
That's it, it should just work.
letzya commented May 14, 2018

Step 6 - use the id_token from step 5 with the Bearer in step 6