Hi All,

I need to clarify if the below scenario is valid.

  Role       Permission                                      Scope         Resource
  HRDept     Admin Permission                                add_user      POST
  Accounts   Login, api create, api publish, api subscribe   search_user   GET
1. The role HRDept (with admin permission) can create an application and generate an access token for the required scope, both from the Management Console and with a cURL command. The particular resource can then be invoked successfully.

2. Users belonging to the role Accounts can create a new application, but they are not allowed to select their own scope (search_user) from the Management Console when generating the access token. An access token is generated for the default scope, and with that they cannot perform the GET operation. The same thing was tried with the cURL command below and gave the same result:

   curl -k -d "grant_type=password&username=user1S&password=Test123&scope=search_user" \
     -H "Authorization: Basic TnNRUXpoZjhZR2EyYmNSU1kwblZScGlqcllFYTo4X21Rb0VfSzZyWVB6T2VjZnM5RVlEWjNJXzBh" \
     -H "Content-Type: application/x-www-form-urlencoded" \
     https://localhost:8243/token

   {"access_token":"b5484ade-42e4-3709-a6a6-cfc18008b6ec","refresh_token":"56142251-f1e8-3951-91d2-091a98d07d70","scope":"default","token_type":"Bearer","expires_in":3600}

This happens only if access tokens are generated for newly created applications other than the default application. With the default application, the above scenario works successfully.

In summary:

- Users who do not have admin permissions (role Accounts) create a new application; using that, they cannot get an access token for the particular scope (search_user) and instead get the default scope, and the resource cannot be invoked with it. But with the default application, they get the access token for the particular scope and the resource can be invoked successfully.

- Users who have admin permission (role HRDept) can create a new application; using that, they can get an access token for the particular scope (add_user) and invoke the resource successfully.

Could you please confirm whether the above concerns are valid? Any feedback would be appreciated if I've missed anything.
References: https://docs.wso2.com/display/AM2xx/Scope+Management+with+OAuth+Scopes
Product: apim 2.1.0 update 6

Thanks and Best Regards,
Isuru Uyanage
Software Engineer - QA | WSO2
Mobile: +94 77 55 30752
LinkedIn: https://www.linkedin.com/in/isuru-uyanage/
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
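The behaviour described in the post is that the /token endpoint does not reject a scope the user's roles do not cover; it silently issues a token for the "default" scope, and the failure only surfaces later when the gateway rejects the API call. A client that reads the access_token field and ignores the scope field will therefore proceed with a token that cannot do what was asked. The script below is an added example, not code from the original post or from WSO2: it requests a token with the password grant and refuses to use the response unless every requested scope is actually present in the granted scope list. The token endpoint URL is the one from the post; the CLIENT_AUTH and TOKEN_EP environment variables and the function names are assumptions, and the JSON responses in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post or WSO2): verify the scope that
# the APIM /token endpoint actually granted before calling the resource.
# Assumes the compact single-line JSON the endpoint returns, e.g. (constructed):
#   {"access_token":"...","scope":"default","token_type":"Bearer","expires_in":3600}

# Print the value of the "scope" field, trimmed of surrounding spaces.
extract_scope() {
    printf '%s' "$1" | sed -n 's/.*"scope":"\([^"]*\)".*/\1/p' | sed 's/^ *//;s/ *$//'
}

# Return 0 only if every scope in the requested (space-separated) list
# appears in the granted scope list of the response in $1.
scope_granted() {
    granted=$(extract_scope "$1")
    for want in $2; do
        found=0
        for have in $granted; do
            [ "$have" = "$want" ] && found=1
        done
        [ "$found" -eq 1 ] || return 1
    done
    return 0
}

# Password grant against the token endpoint (as in the post), succeeding only
# when the requested scope was granted. Prints the access token on success.
# CLIENT_AUTH is the base64 "consumerKey:consumerSecret" (assumed env var);
# TOKEN_EP defaults to the endpoint used in the post.
request_scoped_token() {
    user=$1; pass=$2; scope=$3
    resp=$(curl -sk \
        -d "grant_type=password&username=$user&password=$pass&scope=$scope" \
        -H "Authorization: Basic ${CLIENT_AUTH:?set CLIENT_AUTH to base64 key:secret}" \
        -H "Content-Type: application/x-www-form-urlencoded" \
        "${TOKEN_EP:-https://localhost:8243/token}")
    if scope_granted "$resp" "$scope"; then
        printf '%s\n' "$resp" | sed -n 's/.*"access_token":"\([^"]*\)".*/\1/p'
    else
        echo "requested scope '$scope' not granted; server returned scope '$(extract_scope "$resp")'" >&2
        return 1
    fi
}
```

With the post's second scenario, request_scoped_token user1S Test123 search_user exits non-zero and reports that "default" was returned instead of "search_user", which is the check to run before concluding that the gateway itself is misconfigured.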
