About Tyk OAuth 2.0 (Need client secret to request access token or not)


#1

Imported Google Group message. Original thread at: https://groups.google.com/forum/#!topic/tyk-community-support/UctrROrtB1o Import Date: 2016-01-19 21:34:28 +0000.
Sender:Yuttana Krittasampan.
Date:Thursday, 10 December 2015 13:01:52 UTC.

Hi All ,

     My organization is interested in Tyk as an API Gateway on AWS. I am now researching OAuth 2.0 using Tyk and have a question about the parameters to request a token.

I am wondering whether Tyk needs client_secret or not, since I never send it but still get an access token. Do I misunderstand or am I doing something wrong? Please kindly advise.

     The screen capture is in the attachment. Thanks in advance.

Yuttana K.


#2

Imported Google Group message.
Sender:Martin Buhr.
Date:Thursday, 10 December 2015 13:19:25 UTC.

Hi Yuttana,

I’m not sure I follow what you are asking for; the OAuth flows are documented here:

https://tyk.io/v1.9/access-control/oauth2/#authorisation-token-flow-e-g-server-side-web-apps:104b8754b8328b1d92c1d1307a5e2a85

And there are several posts in this forum about how to get the OAuth flow working with Tyk (what params to send and what structures).

Depending on your access control method, client_secret is optional; I think it is required for authorization tokens (server-based client) but not for the access-token flow (mobile apps, where client_secret should not be exposed).

I hope that helps a little.

Cheers,
Martin


#3

Imported Google Group message.
Sender:Yuttana Krittasampan.
Date:Thursday, 10 December 2015 13:45:49 UTC.

Hi Martin ,

       Thanks a lot for your advice. Actually my client is server-based, so I follow the steps of the server-side flow. Please kindly find the attachment for each step.
  1. I request an access token without sending the client secret, but it works.

  2. I request an endpoint using the access token; it is done.

        Are these steps correct for the server-side flow? I tried to add the client secret but it had no effect.


Thanks again.

On Thursday, 10 December 2015 20:19:25 UTC+7, Martin Buhr wrote:

#4

Imported Google Group message.
Sender:Martin Buhr.
Date:Thursday, 10 December 2015 14:47:38 UTC.

What options are enabled in your API definition for OAuth?

Cheers,
Martin


#5

Imported Google Group message.
Sender:Yuttana Krittasampan.
Date:Thursday, 10 December 2015 16:05:13 UTC.

Hi Martin ,

        I enabled all options as in the attachment. Is it correct or not? Please kindly advise.

Yuttana

On Thursday, 10 December 2015 21:47:38 UTC+7, Martin Buhr wrote:
What options are enabled in your API definition for OAuth?

Cheers,
Martin


#6

Imported Google Group message.
Sender:Martin Buhr.
Date:Thursday, 10 December 2015 18:41:40 UTC.

Hi,

Try deactivating the ‘Token’ option, as it is allowing both methods now.

Cheers,
Martin
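The point behind this advice is that the ‘Token’ option enables the implicit flow (response_type=token), in which the access token is handed out directly from the authorize step and no client_secret is ever presented, while the server-side flow (response_type=code) only yields a token when the code is exchanged at the token endpoint by a client that authenticates with its secret. The following Go program is an added illustration of that difference and is not Tyk’s own code; it models a toy authorization server whose two configuration lists are named after Tyk’s oauth_meta allowed_authorize_types and allowed_access_types (an assumption about the API definition, not something stated in the thread), with a constructed client "app-1" and a constructed secret.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
)

// Client is a registered OAuth2 client. The entry registered in NewServer is
// constructed sample data, not a credential from the thread.
type Client struct {
	ID     string
	Secret string
}

// APIDef holds the two lists that decide which OAuth2 flows an API accepts.
// Field names are modelled on Tyk's oauth_meta (assumed); the server below is
// a toy, not Tyk's implementation.
type APIDef struct {
	AllowedAuthorizeTypes []string // response_type values: "code", "token"
	AllowedAccessTypes    []string // grant_type values: "authorization_code", ...
}

// Server is a minimal authorization server used only to show the flows.
type Server struct {
	def     APIDef
	clients map[string]Client
	codes   map[string]string // authorization code -> client_id that received it
	seq     int
}

// NewServer registers one constructed client, "app-1".
func NewServer(def APIDef) *Server {
	return &Server{
		def:     def,
		clients: map[string]Client{"app-1": {ID: "app-1", Secret: "example-secret"}},
		codes:   map[string]string{},
	}
}

func contains(list []string, want string) bool {
	for _, s := range list {
		if s == want {
			return true
		}
	}
	return false
}

// Authorize models the /authorize endpoint. Only client_id is presented here.
// With response_type=token (the 'Token' option) the access token is issued at
// this step, so no secret is ever checked.
func (s *Server) Authorize(responseType, clientID string) (string, error) {
	if !contains(s.def.AllowedAuthorizeTypes, responseType) {
		return "", errors.New("unsupported_response_type")
	}
	if _, ok := s.clients[clientID]; !ok {
		return "", errors.New("unknown client_id")
	}
	s.seq++
	switch responseType {
	case "code":
		code := fmt.Sprintf("code-%d", s.seq)
		s.codes[code] = clientID
		return code, nil
	case "token":
		return fmt.Sprintf("access-%d", s.seq), nil
	}
	return "", errors.New("unsupported_response_type")
}

// Token models the /token endpoint for grant_type=authorization_code: the code
// is exchanged only by the client that received it, authenticated with its
// secret (constant-time compare), and each code is single use.
func (s *Server) Token(grantType, clientID, clientSecret, code string) (string, error) {
	if !contains(s.def.AllowedAccessTypes, grantType) {
		return "", errors.New("unsupported_grant_type")
	}
	c, ok := s.clients[clientID]
	if !ok || subtle.ConstantTimeCompare([]byte(c.Secret), []byte(clientSecret)) != 1 {
		return "", errors.New("invalid_client")
	}
	if owner, ok := s.codes[code]; !ok || owner != clientID {
		return "", errors.New("invalid_grant")
	}
	delete(s.codes, code)
	s.seq++
	return fmt.Sprintf("access-%d", s.seq), nil
}

// TokenWithoutSecret reports whether a caller holding only client_id can obtain
// an access token under def; it is true exactly when "token" is enabled.
func TokenWithoutSecret(def APIDef) bool {
	_, err := NewServer(def).Authorize("token", "app-1")
	return err == nil
}

func main() {
	both := APIDef{AllowedAuthorizeTypes: []string{"code", "token"}, AllowedAccessTypes: []string{"authorization_code"}}
	codeOnly := APIDef{AllowedAuthorizeTypes: []string{"code"}, AllowedAccessTypes: []string{"authorization_code"}}
	fmt.Println("token without secret, Token option on: ", TokenWithoutSecret(both))
	fmt.Println("token without secret, Token option off:", TokenWithoutSecret(codeOnly))
}
```

Running it prints true for the definition with both authorize types and false once "token" is removed, which is the behaviour change the advice above is aiming for: a confidential, server-side client should only be able to reach a token through the code exchange, where its secret is checked.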



#7

Imported Google Group message.
Sender:Yuttana Krittasampan.
Date:Friday, 11 December 2015 03:13:24 UTC.

Hi Martin ,

       I have tried this already, as in the attachment (4.png and 5.png), but the result is the same: Tyk does not require client_secret.
      By the way, I saw oauth_manager_test.go and walked through the test case. It does not send the client_secret either. So can I suppose that Tyk does not need client_secret, and needs only client_id to get an access token?

Thanks so much
Yuttana

On Friday, 11 December 2015 01:41:40 UTC+7, Martin Buhr wrote:

#8

Imported Google Group message.
Sender:Martin Buhr.
Date:Friday, 11 December 2015 06:15:52 UTC.

Hi Yuttana,

It does need it in certain cases; I can’t remember which, though.

Many thanks,
Martin
