OAuth return "Key not authorised"

Meet a problem when trying to use OAuth. I wanna generate an OAuth token using existing policy.
I expected /oauth/test/ callable when using below token.

Result

GET /oauth/test/ HTTP/1.1
Authorization: Bearer wef-Kzd0QHSAQjqjtLX74w
response: { "error": "Key not authorised"}

tyk-gateway.log

WARN[0909] Invalid key detected, not found in storage engine
INFO[0909] Attempted access with non-existent key.       key=wef-Kzd0QHSAQjqjtLX74w origin=10.0.2.2:56386 path=/oauth/test/

found key record from redis

redis 127.0.0.1:6379> get oauth-data.oauth_00001.oauth-authorize.wef-Kzd0QHSAQjqjtLX74w
"{\"Client\":{\"Id\":\"b13167c81c87428d7693ff9466abba09\",\"Secret\":\"ZTkyZTI4YzgtMjgwMy00YzE4LTU1YWUtM2MwODU5OGYzNWUy\",\"RedirectUri\":\"http://10.0.2.2:56337/oauth-redirect/\"},\"Code\":\"wef-Kzd0QHSAQjqjtLX74w\",\"ExpiresIn\":250,\"Scope\":\"\",\"RedirectUri\":\"http://10.0.2.2:56337/oauth-redirect/\",\"State\":\"\",\"CreatedAt\":\"2016-02-02T10:21:44.898304373Z\",\"UserData\":\"{ \\\"apply_policy_id\\\": \\\"oauth_policy_00001\\\"}\"}"

My OAuth Setup

Authorisation and try to apply existing policy via Postman

POST /oauth/test/tyk/oauth/authorize-client/ HTTP/1.1
Host: 127.0.0.1:8080
x-tyk-authorization: 352d20ee67be67f6340b4c0605b044b7
Cache-Control: no-cache
Postman-Token: 49c2bf40-c1ca-b569-de6e-d92c9619907d
Content-Type: application/x-www-form-urlencoded

response_type=code&client_id=b13167c81c87428d7693ff9466abba09&redirect_uri=http%3A%2F%2F10.0.2.2%3A56337%2Foauth-redirect%2F&key_rules=%7B+%22apply_policy_id%22%3A+%22oauth_policy_00001%22%7D

create Oauth client

OPTIONS='
{"api_id": "oauth_00001",
"redirect_uri": "http://10.0.2.2:56337/oauth-redirect/"}
'
RESPONSE=$(curl --silent --header "x-tyk-authorization:$REST_API_SECRET" --header "Content-Type:application/json" --data "$OPTIONS" http://$LOCALIP:8080/tyk/oauth/clients/create)

API Definition

{
    "name": "Test for OAuth Cross API",
    "api_id": "oauth_00001",
    "definition": {
        "location": "header",
        "key": "version"
    },
    "use_oauth2": true,
    "oauth_meta": {
      "allowed_access_types": [
        "authorization_code",
        "refresh_token"
      ],
      "allowed_authorize_types": [
        "code",
        "token"
      ],
      "auth_login_redirect": "http://lonelycode.com/login"
    },
    "notifications": {
      "shared_secret": "9878767657654343123434556564444",
      "oauth_on_keychange_url": "http://posttestserver.com/post.php?dir=oauth_notifications"
    },

That looks like an authorize code, not an access token, so your client now needs to use the authorize token to request an actual access token.

Either that, or you change the grant request type use “token” (response_type=token) when you make your initiali authorize request. Then you won;t need the secret.

I made this earlier to help people out with the OAuth flow: