On Thu, Jan 18, 2018 at 1:41 PM, Nuwan Dias <[email protected]> wrote:

> The permissions of the user role have no relevance to the issuance of the
> token. For a user to obtain a token with a certain set of scopes, the two
> criteria below need to be fulfilled.
>
> 1) The user should be in a role that is bound to the scope being requested.
> 2) The particular application that makes the /token request needs to bear
> a valid subscription to the API that has the scope attached to a Resource.
>
> Thanks,
> NuwanD.
>
> On Thu, Jan 18, 2018 at 1:33 PM, Isuru Uyanage <[email protected]> wrote:
>
>> Hi All,
>> I need to clarify if the below scenario is valid.
>>
>> Role       Permission                                       Scope        Resource
>> HRDept     Admin Permission                                 add_user     POST
>> Accounts   Login, api create, api publish, api subscribe    search_user  GET
>>
>> 1. The role HRDept (with admin permission) can create an application and
>> generate an access token according to the scope from the Management Console as
>> well as from a cURL command. Further, the particular resource can be
>> invoked successfully.
>>
>> 2. The users belonging to role Accounts *create a new application*, but they
>> are not allowed to select their own scope (search_user) from the Management
>> Console and generate the access token.
>>

In this case, we use the Management Console to create roles and assign those to users. Scopes are defined in the API Publisher UI (resource section). You can find an in-detail example in [1] as well. Please follow the instructions there and it will give you the overall idea.

[1] https://wso2.com/library/articles/2017/01/article-an-overview-of-scope-management-with-wso2-api-manager/#example

>> An access token is generated for a default scope and using that they
>> cannot proceed with the GET operation.
>> The same thing was tried by the curl command and got the same result as above.
>>
>> curl -k -d "grant_type=password&username=user1S&password=Test123&scope=search_user" \
>>   -H "Authorization: Basic TnNRUXpoZjhZR2EyYmNSU1kwblZScGlqcllFYTo4X21Rb0VfSzZyWVB6T2VjZnM5RVlEWjNJXzBh" \
>>   -H "Content-Type: application/x-www-form-urlencoded" \
>>   https://localhost:8243/token
>>
>> {"access_token":"b5484ade-42e4-3709-a6a6-cfc18008b6ec","refresh_token":"56142251-f1e8-3951-91d2-091a98d07d70","scope":"default","token_type":"Bearer","expires_in":3600}
>>
>> This happens only if access tokens are generated for newly created
>> applications other than the default application. With the default
>> application the above scenario works successfully.
>>
>> In summary,
>>
>> - Users who do not have admin permissions (Role - Accounts) create a
>> new application; using that, they cannot get the access token for the
>> particular scope (search_user); instead, they get the default scope, and the
>> resource cannot be invoked through that. But, with the default application,
>> they get the access token for the particular scope and the resource can be
>> invoked successfully.
>>
>> - Users who have admin permission (Role HRDept) can create a new
>> application; using that, they can get an access token for the particular
>> scope (add_user) and invoke the resource successfully.
>>
>> Could you please confirm if the above concerns are valid. Any feedback would
>> be appreciated if I've missed anything.
>>
>> References: https://docs.wso2.com/display/AM2xx/Scope+Management+with+OAuth+Scopes
>> Product: apim 2.1.0 update 6
>>
>> Thanks and Best Regards,
>>
>> Isuru Uyanage
>> Software Engineer - QA | WSO2
>> Mobile : +94 77 55 30752
>> LinkedIn: https://www.linkedin.com/in/isuru-uyanage/
>>
>
> --
> Nuwan Dias
>
> Software Architect - WSO2, Inc. http://wso2.com
> email : [email protected]
> Phone : +94 777 775 729

--
Chamin Dias
Mobile : 0716097455
Email : [email protected]
LinkedIn : https://www.linkedin.com/in/chamindias
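Added example (editor's code, not from the thread or from WSO2): the same password-grant request Isuru issued with curl, written as a small Python client that compares the `scope` field of the /token response with the scopes that were requested. The check matters because, as the thread shows, the endpoint answers 200 with `"scope":"default"` when the role binding or the application subscription is not in place, so a client that only looks at the HTTP status or at `access_token` will carry a token the gateway rejects on the scoped resource. Assumptions: the endpoint `https://localhost:8243/token`, the `consumer_key`/`consumer_secret` parameters standing in for the application's key pair, and the sample response, which is the one posted in the thread, embedded here so the check runs offline.

```python
"""Request a scoped token from the APIM /token endpoint and verify the scopes granted.

Added example, not code from the thread or from WSO2. Assumes the password grant
against https://localhost:8243/token, as in the curl command above, and that the
consumer key/secret belong to the application subscribed to the API.
"""
import base64
import json
import ssl
import urllib.parse
import urllib.request

TOKEN_URL = "https://localhost:8243/token"  # assumed gateway endpoint, as used in the thread

# Constructed sample: the response posted in the thread, where the requested
# scope (search_user) was replaced by "default" instead of an error.
SAMPLE_DOWNGRADED_RESPONSE = (
    '{"access_token":"b5484ade-42e4-3709-a6a6-cfc18008b6ec",'
    '"refresh_token":"56142251-f1e8-3951-91d2-091a98d07d70",'
    '"scope":"default","token_type":"Bearer","expires_in":3600}'
)


def basic_auth_header(consumer_key: str, consumer_secret: str) -> str:
    """Authorization header value: the application's key:secret, base64-encoded."""
    raw = f"{consumer_key}:{consumer_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def token_request_body(username: str, password: str, scopes: list) -> str:
    """Form body for the password grant; several scopes are space-separated (RFC 6749 3.3)."""
    return urllib.parse.urlencode(
        {
            "grant_type": "password",
            "username": username,
            "password": password,
            "scope": " ".join(scopes),
        }
    )


def missing_scopes(token_response: dict, requested: list) -> set:
    """Requested scopes the issued token does not carry.

    RFC 6749 3.3 requires the server to include the scope parameter whenever
    it differs from what was requested, so an absent field means the request
    was granted as-is. A non-empty result means /token returned a token that
    the gateway will reject on the scoped resource.
    """
    if "scope" not in token_response:
        return set()
    granted = set(token_response["scope"].split())
    return set(requested) - granted


def request_token(consumer_key, consumer_secret, username, password, scopes, *, verify_tls=True):
    """POST to /token and return (parsed response, missing scopes). This is the live network call."""
    req = urllib.request.Request(
        TOKEN_URL,
        data=token_request_body(username, password, scopes).encode("ascii"),
        headers={
            "Authorization": basic_auth_header(consumer_key, consumer_secret),
            "Content-Type": "application/x-www-form-urlencoded",
        },
        method="POST",
    )
    ctx = ssl.create_default_context()
    if not verify_tls:  # the equivalent of curl -k; only for the self-signed localhost setup
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx) as resp:
        body = json.loads(resp.read().decode("utf-8"))
    return body, missing_scopes(body, scopes)


if __name__ == "__main__":
    # Offline run on the constructed sample; replace with request_token(...) against the gateway.
    body = json.loads(SAMPLE_DOWNGRADED_RESPONSE)
    print("granted:", body.get("scope"), "missing:", missing_scopes(body, ["search_user"]))
```

Run `missing_scopes` on every token response before using the token: if it returns `{"search_user"}`, the two criteria Nuwan lists (role bound to the scope, application subscribed to the API) are the first things to check, since the token endpoint does not report which one failed.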
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
