Hi, we are discussing with a potential client who would like to integrate their backend with the TYK gateway. As TYK OAuth2 does not support the scope and state parameters, I would like to know if there is a roadmap in TYK to support the scope and state parameters in OAuth2 (or whether there is any existing alternative setup in TYK that can provide the same functionality).
Use Case:
i. TYK provides the client ID and client secret
ii. the client app starts the OAuth2 flow and redirects to the bank’s user authorization login URL
iii. the user logs in, authorizes the scope/access rights “userInfo” and “accountAccess”, and is then redirected back to the client app
iv. the client app calls TYK to get an authorization code (using the provided client ID/secret) for the scopes “userInfo” and “accountAccess” in TYK
v. the client app uses the authorization code to request an access token with the scopes “userInfo” and “accountAccess” from TYK
Whenever the client app uses the access token (generated by TYK with the scopes “userInfo” and “accountAccess”), it is allowed to access the API resources that are bound to the scopes “userInfo” and “accountAccess”.
In the current TYK setup, we need to implement logic to control the access rights in the key_rules body to allow access to the “userInfo” and “accountAccess” APIs in the session object. The developers require certain knowledge about this setup (e.g. they need to get the API ID and set it up in the access rights).
If TYK supports scope parameters, we can simply pass the scope parameters as part of the configuration and validation.
For the state parameter, it is for security purposes, to make sure the request comes from the origin and has not been tampered with.
I would appreciate it if TYK would consider supporting the scope/state parameters in the OAuth2 flow in the future.
Or, if there is any existing alternative setup in TYK that can provide the same functionality, please let me know. Thanks
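As an added illustration of the two gaps described in the post (not code from the poster or from Tyk), the snippet below shows how a client app can supply the missing pieces itself: an unguessable `state` value that is generated before the redirect and checked in constant time on the callback, and a helper that turns the requested scopes into the `key_rules` session object the post mentions, so developers do not have to hand-edit API IDs. The scope-to-API-ID mapping, the placeholder API IDs, the rate/quota numbers and the assumption that `expires` is an epoch timestamp are all assumptions for this example; the `access_rights` field layout follows the Tyk session object as commonly documented.

```python
import hmac
import json
import secrets

# Hypothetical mapping from OAuth2 scope names to the Tyk API IDs they cover.
# The API IDs are placeholders; real ones come from the Tyk dashboard/API definitions.
SCOPE_TO_API_IDS = {
    "userInfo": ["<user-info-api-id>"],
    "accountAccess": ["<account-access-api-id>"],
}


def new_state() -> str:
    """Unguessable state value the client stores in its own session before redirecting."""
    return secrets.token_urlsafe(32)


def state_matches(expected: str, received: str) -> bool:
    """Constant-time check of the state echoed back on the redirect; a mismatch means
    the callback was not initiated by this session and must be rejected."""
    return hmac.compare_digest(expected.encode(), received.encode())


def build_key_rules(requested_scopes, expires: int = 0) -> str:
    """Translate requested scopes into a Tyk key_rules session object (JSON string).
    Unknown scopes are rejected rather than silently ignored. Rate/quota values are
    illustrative; 'expires' is assumed to be an epoch timestamp (0 = Tyk default)."""
    unknown = [s for s in requested_scopes if s not in SCOPE_TO_API_IDS]
    if unknown:
        raise ValueError(f"unknown scope(s): {unknown}")
    access_rights = {}
    for scope in requested_scopes:
        for api_id in SCOPE_TO_API_IDS[scope]:
            access_rights[api_id] = {"api_id": api_id, "api_name": scope, "versions": ["Default"]}
    session = {
        "allowance": 1000, "rate": 1000, "per": 60, "expires": expires,
        "quota_max": -1, "quota_renews": 0, "quota_remaining": -1, "quota_renewal_rate": 0,
        "access_rights": access_rights,
        "meta_data": {"scope": " ".join(requested_scopes)},  # record the granted scopes
    }
    return json.dumps(session)


def api_allowed(key_rules_json: str, api_id: str) -> bool:
    """Check whether a session built by build_key_rules grants access to api_id."""
    return api_id in json.loads(key_rules_json).get("access_rights", {})
```

The resulting JSON string is what would be passed as `key_rules` when asking Tyk for the authorization code, so a token issued from it only carries the access rights of the scopes the user actually approved.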