X-tyk-authorization in TYK Key Management API

neonlai 2018-12-07 17:20:29 UTC #1

According to OAuth 2.0 flow in https://tyk.io/docs/security/your-apis/oauth-2-0/

For example, Access token flow (e.g. mobile apps, single-page web apps)

Step 5, it requires TYK REST API /tyk/oauth/authorize-client/ to generate the access code/token for the access purpose

According to the Key management API in https://tyk.io/docs/tyk-rest-api/oauth-key-management/

it requires x-tyk-authorization which is the node secret of TYK gateway. I wonder why it does not use the client ID/secret. It means the client app require to keep the tyk node secret and if someone get this node secret, he can call the TYK REST API for authorization the client.
Is there any security issue in this step? Please correct me if I am wrong. Thanks

david 2018-12-11 09:20:29 UTC #2

Step 5 is a call made from the authorization server to Tyk to confirm that the client is authorized, so the client should not have visibility of the call. The client id is included in the request body.

The code returned can then be used to generate an API token, which can be done client side (step 8).

neonlai 2018-12-11 09:42:56 UTC #3

Thanks @david. I misunderstood the concept of Step 5. before. Got it now.