Thanks for the quick reply.
To clarify, I want to integrate with a third party identity provider. I expect Tyk to generate any access tokens, but I want the resource owner user name and password to be passed to the third party and validated there. Tyk should generate a token if the third party IDP gives a valid response.
This seems to map well to the GenerateOAuthTokenForClient identity handler action documented here: https://tyk.io/docs/integrate/3rd-party-identity-providers/
Am I understanding TIB usage correctly?