You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add a comprehensive step-by-step example demonstrating the full
OAuth 2.0 Authorization Code Grant flow with Tyk as the authorization
server. This addresses the documentation gap identified in DX-2014.
The example covers:
- API Definition setup with OAuth 2.0 configuration
- OAuth client registration
- Authorization request initiation
- Authorization code request from identity server
- Token exchange for access and refresh tokens
- Accessing protected APIs with the access token
- Token refresh flow
Includes practical curl commands, sample responses, and a flow
summary to help developers successfully implement SSO with Tyk.
Resolves: DX-2014
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Here are some key observations to aid the review process:
⏱️ Estimated effort to review: 2 🔵🔵⚪⚪⚪
🧪 No relevant tests
🔒 Security concerns
Guidance hardening: Multiple examples use plain HTTP for sensitive endpoints and include Basic auth headers and bearer tokens. While they are placeholders, readers may replicate insecurely. Recommend explicitly stating to use HTTPS, mark secrets/tokens as examples only, and consider masking or shortening tokens. Additionally, verify that including client_secret in the refresh token form data (line 494) matches Tyk’s expected method when Basic auth is already supplied to avoid duplicating credentials.
The example suggests the Identity Server calls the Dashboard API to obtain an authorization code, which differs from standard OAuth2 where the authorization endpoint is called directly and requires user context/state. Verify this flow aligns with Tyk’s recommended/secure pattern and clarify roles to avoid confusing readers.
#### Step 4: Identity Server Obtains Authorization Code
After the user authenticates and approves access on the identity server, the identity server requests an authorization code from Tyk:
```bash
curl -X POST http://localhost:3000/api/apis/oauth/<API_ID>/authorize-client \
-H "Authorization: <DASHBOARD_API_KEY>" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "response_type=code&client_id=c4a3b79a12d34e5f6789ab0c1d2e3f4a&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fidentity-server%2Fcallback"
Use the correct HTTP method for the authorization endpoint per spec and Tyk expectations. Authorization requests should be sent via GET with query parameters to ensure redirects work consistently.
-curl -X POST http://localhost:8080/oauth2-api/oauth/authorize/ \- -H "Content-Type: application/x-www-form-urlencoded" \- -d "response_type=code&client_id=c4a3b79a12d34e5f6789ab0c1d2e3f4a&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fidentity-server%2Fcallback"+curl -X GET "http://localhost:8080/oauth2-api/oauth/authorize?response_type=code&client_id=c4a3b79a12d34e5f6789ab0c1d2e3f4a&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fidentity-server%2Fcallback"
Suggestion importance[1-10]: 8
__
Why: The OAuth 2.0 authorization endpoint is typically invoked via GET with query parameters; this improves correctness for redirects and matches common expectations, directly fixing a likely issue.
Medium
Remove duplicate client credentials
Avoid sending client_id (and later client_secret) in the body when using HTTP Basic auth for the token endpoint to prevent conflicting credential sources. Rely solely on the Authorization header with grant_type, code, and redirect_uri in the body.
Why: When using Basic auth at the token endpoint, omitting client_id in the body avoids conflicting credentials and aligns with RFC 6749; beneficial for correctness though not strictly mandatory.
Medium
Use absolute OAuth endpoint URLs
Use absolute URLs (including scheme, host, and the API listen path) for the OAuth endpoints to avoid misrouting behind proxies or when the Gateway is not at root. This prevents clients and tools from calling incorrect paths during the flow.
Why: Using absolute URLs for authorizationUrl and tokenUrl can reduce misrouting in proxied setups and aligns with deployed paths; the change is reasonable and contextually accurate but not critical.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
User description
Summary
Changes Made
api-management/authentication/oauth-2.mdxcurlcommands with sample responsesTest plan
Resolves: DX-2014
🤖 Generated with Claude Code
PR Type
Documentation
Description
Add full OAuth2 Authorization Code example
Step-by-step SSO flow with Tyk
Include curl commands and responses
Add flow summary and IdP notes
Diagram Walkthrough
File Walkthrough
oauth-2.mdx
Add complete OAuth2 Authorization Code SSO walkthroughapi-management/authentication/oauth-2.mdx