TykTechnologies / tyk

Tyk Open Source API Gateway written in Go, supporting REST, GraphQL, TCP and gRPC protocols

[TT-4287] Ability for TykMakeHttpRequest to not follow redirects #1938

Open andytson-inviqa opened 5 years ago

andytson-inviqa commented 5 years ago

Do you want to request a feature or report a bug? feature

What is the current behavior? When calling TykMakeHttpRequest with a request where the backend responds with a 302 (etc) status code and a Location header, the Location header is visited, as another sub-request, with no documented way to stop that.

What is the expected behavior? TykMakeHttpRequest has an option to turn off Location forwarding.

Which versions of Tyk affected by this issue? Did this work in previous versions of Tyk? 2.7.2

Reason for asking is that I want to implement OpenID Connect authorization and token endpoints for a single-page app. TIB is unsuitable for our purpose as it uses server-side sessions, whereas we want HttpOnly cookie-based refresh/access tokens. Additionally, we've ruled out Implicit flow for our purposes, as it exposes the access token to the FE JavaScript.

OpenID Connect's authorization endpoint returns a 302 response with a redirect, which needs to be performed by the browser rather than by a Tyk sub-request.
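The behaviour requested above, shown with Go's standard `net/http` client as an added example (it is not part of the issue and not Tyk's own code): setting `CheckRedirect` to return `http.ErrUseLastResponse` makes the client hand back the 302 and its Location header instead of visiting the target. The `newIdP` and `fetch` helpers and the `/authorize` and `/login` paths are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newIdP returns a constructed stand-in for an OpenID Connect provider:
// /authorize answers 302 with a Location header, /login is the redirect target.
func newIdP() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/authorize", func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, "/login?state=abc", http.StatusFound)
	})
	mux.HandleFunc("/login", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "login page")
	})
	return httptest.NewServer(mux)
}

// fetch issues a GET and reports the final status code and Location header.
// With follow=false, CheckRedirect returns http.ErrUseLastResponse, so the
// client hands back the 302 itself instead of requesting the Location target.
func fetch(url string, follow bool) (int, string, error) {
	client := &http.Client{}
	if !follow {
		client.CheckRedirect = func(*http.Request, []*http.Request) error {
			return http.ErrUseLastResponse
		}
	}
	resp, err := client.Get(url)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	return resp.StatusCode, resp.Header.Get("Location"), nil
}

func main() {
	idp := newIdP()
	defer idp.Close()
	for _, follow := range []bool{true, false} {
		code, loc, err := fetch(idp.URL+"/authorize", follow)
		fmt.Println("follow:", follow, "status:", code, "location:", loc, "err:", err)
	}
}
```

With the redirect left unfollowed, the caller can relay the status code and Location header to the browser, which then performs the redirect itself.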

stale[bot] commented 4 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs, please add comments to this ticket if you would like it to stay open. Thank you for your contributions.

educroquet commented 2 years ago

Too bad, I have a similar need: making a virtual endpoint that handles some OAuth2 cinematic and so needed to properly handle the 302 response...

Within API frameworks, not automatically following the 302 redirect should be the default, as it is more a browser/UI behavior than a server-side one; server-side code usually requires deep control of the HTTP requests.

andytson-inviqa commented 2 years ago

@educroquet I'd suggest raising another ticket, as closed tickets on GitHub don't usually get re-reviewed.

What I did in the end was make a backend API service that did the authentication, which was routed through Tyk. We didn't end up using Tyk though, as it was just a proof-of-concept.

oluwaseyeayinla commented 4 months ago

Discovered internal enhancement request TT-4287 in the backlog and re-opened the request.