@CousinLarry I’ve had a re-read on this
What is described looks like an implementation of Upstream OAuth authentication and Tyk doesn’t support this natively. But it can be achieved using a custom plugin.
For instance, the custom plugin would implement steps 4-6 in the Post-auth or Post stage of the request. We have an unofficial sample performing OAuth client_credentials exchange using Javascript here.
However, because of the caching requirement, using Javascript wouldn’t work. A Golang or Python plugin would suffice and you can use some Redis instance or In-memory techniques to achieve caching.
Then as stated in 8, you can use some other Auth method in the API definition for Client → Tyk authentication.
With this setup, when a request is made, Tyk will first authenticate the client using the “different auth” method configured, if successful, will execute the custom plugin to retrieve the provider token, and then make the actual provider API call or maybe modify the original request to include the provider token before sending it upstream - the design and implementation will be up to you.