This demo shows how Tyk can act as the client in an OAuth2.0 client_credentials flow. Tyk requests an access_token, forwards it to the backend service (here a local httpbin instance) and then returns to the user the header it had sent to httpbin, i.e. the value of the Authorization header, as proof that the token was forwarded. Note that returning a bearer token to the caller is acceptable only in a demo; a real virtual endpoint should also avoid logging the client secret or the token and should keep the client secret out of the endpoint source.
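/**
 * Tyk virtual endpoint acting as the *client* in an OAuth2.0 client_credentials
 * flow against Azure AD.
 *
 * Flow (every outbound call goes through TykMakeHttpRequest):
 *   1. POST the client credentials to the tenant's /oauth2/token endpoint.
 *   2. Call the demo upstream (a local httpbin) with "Authorization: Bearer <token>".
 *   3. Echo back the Authorization header httpbin reports it received, as proof
 *      that the token was forwarded.
 *
 * Invoked by Tyk as (request, session, config) and returns TykJsResponse(...).
 *
 * Written in ES5 on purpose: Tyk's embedded JS VM has historically been
 * ES5-only (no let/const/arrow functions), so keep var/function syntax.
 *
 * Security notes (review):
 *  - The client_secret is embedded in this script. Prefer injecting it through
 *    the API definition's config_data (surfaced here as `config` -- confirm for
 *    your Tyk version) so the secret does not live in the endpoint source.
 *  - Nothing secret is logged: request bodies and Authorization/Cookie headers
 *    are redacted before they reach log(). Previously the credentials and the
 *    access_token were written to the gateway log on every call.
 *  - Error responses no longer echo the outbound request, which used to hand
 *    the bearer token to the caller on a backend failure.
 *  - The success path deliberately returns the bearer token to the caller as
 *    the demo's "proof"; never do this outside a demo.
 *  - No token caching: every call to this endpoint hits Azure AD, so its rate
 *    limits apply per request.
 *  - The demo upstream is plain HTTP (http://0.0.0.0:80); a real upstream must
 *    be HTTPS or the bearer token travels in cleartext.
 *  - All state is local (`var`); the original assigned undeclared globals,
 *    which is both a strict-mode error and a cross-request leak risk in a
 *    shared VM.
 *
 * @param {Object} request  Tyk inbound request object (only logged, redacted)
 * @param {Object} session  Tyk session; session.meta_data is passed through to TykJsResponse
 * @param {Object} config   Tyk config object (currently unused)
 * @returns {*} whatever TykJsResponse returns for the built response object
 */
function azureOauthClientCredVirtualHandler (request, session, config) {
  // ---- helpers (inner functions so nothing leaks into the shared VM scope) ----

  // application/x-www-form-urlencoded body from a flat object. Values are
  // percent-encoded so a secret containing '&', '+' or '=' cannot corrupt the body.
  function formEncode(fields) {
    var parts = [];
    for (var key in fields) {
      if (Object.prototype.hasOwnProperty.call(fields, key)) {
        parts.push(encodeURIComponent(key) + "=" + encodeURIComponent(fields[key]));
      }
    }
    return parts.join("&");
  }

  // JSON.parse that yields null instead of throwing, so a non-JSON reply turns
  // into a clean error response rather than an uncaught exception in the VM.
  function parseJsonOrNull(text) {
    try {
      return JSON.parse(text);
    } catch (e) {
      return null;
    }
  }

  // Deep copy of a request/response-shaped object with secrets blanked; safe for log().
  function redactForLog(obj) {
    var copy = parseJsonOrNull(JSON.stringify(obj)) || {};
    if (copy.Body) {
      copy.Body = "[redacted]";
    }
    if (copy.Headers && typeof copy.Headers === "object") {
      for (var name in copy.Headers) {
        if (/^(authorization|cookie|set-cookie)$/i.test(name)) {
          copy.Headers[name] = "[redacted]";
        }
      }
    }
    return copy;
  }

  // HTTP status from a TykMakeHttpRequest response object; 502 when missing or garbage.
  function statusOf(resp) {
    var code = Number(resp.Code);
    return (code >= 100 && code < 600) ? code : 502;
  }

  // Builds the response object Tyk expects and hands it to TykJsResponse.
  // The "access_token from body resp of a backend: " prefix is the demo's
  // output contract and is kept on every path, including errors.
  function respond(code, body) {
    var responseObject = {
      Body: "access_token from body resp of a backend: " + body,
      Headers: {
        "oauth-client": "client_credentials."
      },
      Code: code
    };
    log("virtual endpoint responding with status " + code);
    return TykJsResponse(responseObject, session.meta_data);
  }

  log("inbound request (redacted): " + JSON.stringify(redactForLog(request)));

  // ---- step 1: client_credentials grant against Azure AD ----
  // In Azure AD the APPLICATION ID is the OAuth client_id.
  var clientId = "{YOUR-OWN-CLIENT-ID}";
  var clientSecret = "{YOUR-OWN-CLIENT-SECRET}";
  var tenantId = "{YOUR-OWN-DIRECTORY(tenant)-ID}";
  var resource = "https://{YOUR-OWN-ORG-NAME}.onmicrosoft.com/{ID}";

  var tokenRequest = {
    "Method": "POST",
    "Body": formEncode({
      client_id: clientId,
      client_secret: clientSecret,
      grant_type: "client_credentials",
      resource: resource
    }),
    "Headers": {"content-type": "application/x-www-form-urlencoded"},
    "Domain": "https://login.microsoftonline.com",
    "Resource": "/" + tenantId + "/oauth2/token"
  };
  log("token request (redacted): " + JSON.stringify(redactForLog(tokenRequest)));

  var tokenResp = parseJsonOrNull(TykMakeHttpRequest(JSON.stringify(tokenRequest)));
  if (!tokenResp) {
    log("AS response was not valid JSON");
    return respond(502, "Error returned from AS (OAuth2.0 client credentials flow)");
  }
  var tokenRespCode = statusOf(tokenResp);
  log("AS response code: " + tokenRespCode);
  if (tokenRespCode !== 200) {
    // The AS error body helps troubleshooting and does not contain our secret.
    log("AS error response: " + tokenResp.Body);
    return respond(tokenRespCode, "Error returned from AS (OAuth2.0 client credentials flow)");
  }

  var tokenBody = parseJsonOrNull(tokenResp.Body) || {};
  var accessToken = tokenBody.access_token;
  if (typeof accessToken !== "string" || accessToken === "") {
    log("AS returned 200 without an access_token");
    return respond(502, "AS response did not contain an access_token");
  }

  // ---- step 2: call the upstream with the bearer token ----
  var backendRequest = {
    "Method": "GET",
    "Headers": {"Authorization": "Bearer " + accessToken},
    "Domain": "http://0.0.0.0:80",
    "Resource": "/get"
  };
  log("backend request (redacted): " + JSON.stringify(redactForLog(backendRequest)));

  var backendResp = parseJsonOrNull(TykMakeHttpRequest(JSON.stringify(backendRequest)));
  if (!backendResp) {
    log("backend response was not valid JSON");
    return respond(502, "Error returned from backend");
  }
  var backendCode = statusOf(backendResp);
  log("backend response code: " + backendCode);
  if (backendCode !== 200) {
    // Status only: echoing backendRequest here would hand the bearer token to the caller.
    return respond(backendCode, "Error returned from backend (status " + backendCode + ")");
  }

  // ---- step 3: echo the Authorization header httpbin saw (demo "proof") ----
  var backendBody = parseJsonOrNull(backendResp.Body) || {};
  var echoedAuthorization = backendBody.headers ? backendBody.headers["Authorization"] : undefined;
  return respond(200, echoedAuthorization);
}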