it requires x-tyk-authorization, which is the node secret of the Tyk gateway. I wonder why it does not use the client ID/secret. It means the client app is required to keep the Tyk node secret, and if someone gets this node secret, he can call the Tyk REST API to authorize the client.
Is there any security issue in this step? Please correct me if I am wrong. Thanks.
Step 5 is a call made from the authorization server to Tyk to confirm that the client is authorized, so the client should not have visibility of the call. The client ID is included in the request body.
The code returned can then be used to generate an API token, which can be done client side (step 8).
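To make the separation in the answer above concrete, here is an added Python sketch (not code from this thread or from Tyk) of step 5 on the authorization-server side and what the client then sees. The endpoint path, form fields and reply shape are assumed to follow the Tyk Gateway REST API; the gateway itself is replaced by a constructed fake so the script runs offline.

```python
import json
from typing import Callable, Dict
from urllib.parse import parse_qs, urlencode, urlparse

# Assumption: path and fields of Tyk's authorize-client endpoint (not from the thread).
AUTHORIZE_PATH = "/tyk/oauth/authorize-client/"

# A transport takes (url, headers, body) and returns the decoded JSON reply.
Transport = Callable[[str, Dict[str, str], bytes], Dict[str, str]]

def authorize_client(gateway: str, node_secret: str, client_id: str,
                     redirect_uri: str, transport: Transport) -> str:
    """Step 5, run only by the authorization server: it alone holds the node
    secret, asks Tyk for an auth code, and returns the redirect meant for the client."""
    headers = {
        "x-tyk-authorization": node_secret,
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        # key_rules is the session template for the token that the code will produce
        "key_rules": json.dumps({"allowance": 100, "rate": 100, "per": 60}),
    }).encode()
    reply = transport(gateway + AUTHORIZE_PATH, headers, body)
    if "redirect_to" not in reply:
        raise PermissionError(f"gateway refused the request: {reply}")
    return reply["redirect_to"]

def make_fake_gateway(expected_secret: str) -> Transport:
    """Constructed stand-in for Tyk so the example runs offline: it rejects a
    wrong node secret and otherwise mints a (fake) code for the client."""
    def send(url: str, headers: Dict[str, str], body: bytes) -> Dict[str, str]:
        if headers.get("x-tyk-authorization") != expected_secret:
            return {"status": "error", "message": "invalid node secret"}
        form = parse_qs(body.decode())
        code = "c0de-" + form["client_id"][0]  # constructed value, not a real code
        return {"code": code,
                "redirect_to": form["redirect_uri"][0] + "?code=" + code}
    return send

def code_from_redirect(redirect_to: str) -> str:
    """The only thing the client receives; step 8 exchanges it for an API token."""
    return parse_qs(urlparse(redirect_to).query)["code"][0]
```

The point to check is that nothing handed to the client carries the node secret; only the authorization server process ever needs it in its configuration.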