We are building our API with wso2 API manager + a separate identity server.
For the implementation of the resource server we need to
- validate the token (that it's valid)
- get information about the user (roles, username, full name etc.)
- get details of the authentication through OAuth (scope)
User roles and auth scope are necessary to determine user capabilities and apply security settings (as an intersection of user roles and granted scopes).
Currently it seems that I can get all the necessary information with 2 requests:
1. Call the "validate" method at the SOAP web service located at /services/OAuth2TokenValidationService/ (IS, or ApiManager in case of no dedicated IS).
   The response contains information about token validity, expiration date and user scopes.
2. Do a GET on /oauth2/userinfo?schema=openid
   The response contains JSON with information about the user (roles, username etc.).
The first request requires basic auth with the credentials of a user registered at the wso2 IS server. The second one requires only the OAuth token that the resource server obtained from the client.
So the question is: are these 2 requests with different technologies necessary for this use case (to get scopes and user info at the resource server), or maybe I'm missing something?
The second request is almost good, but it does not contain information about the token scope, thus the server can't restrict access to a resource if a user, in general, has access to it (according to his roles).
If 2 requests are necessary, what are the minimum system roles at the wso2 app the user should have to access the SoapService? Using admin credentials (like the default admin/admin) seems too insecure to me and I'd like to create a user for token validation with minimum permissions.
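The access decision the question describes (capability = intersection of the user's roles from /oauth2/userinfo and the scopes from the OAuth2TokenValidationService response) as an added example; this is not code from the question or from WSO2. The SOAP body and the userinfo JSON below are constructed samples, and the element names (valid, expiryTime, scope, authorizedUser) and the "roles" claim are assumptions to check against your server's WSDL and claim configuration.

```python
"""Resource-server authorization as an intersection of user roles and token scopes.

Added example, not WSO2 code. Both responses below are constructed samples:
the SOAP body imitates the validate operation of OAuth2TokenValidationService,
the JSON imitates /oauth2/userinfo?schema=openid. Element and claim names are
assumptions; verify them against your server's WSDL and claim configuration.
"""
import json
import xml.etree.ElementTree as ET

# Constructed sample SOAP response (assumed element names).
SOAP_VALIDATION_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
    <ns:validateResponse xmlns:ns="http://org.apache.axis2/xsd">
      <ns:return xmlns:ax="http://dto.oauth2.identity.carbon.wso2.org/xsd">
        <ax:authorizedUser>alice@carbon.super</ax:authorizedUser>
        <ax:expiryTime>3600000</ax:expiryTime>
        <ax:scope>read_orders</ax:scope>
        <ax:scope>openid</ax:scope>
        <ax:valid>true</ax:valid>
      </ns:return>
    </ns:validateResponse>
  </soapenv:Body>
</soapenv:Envelope>"""

# Constructed sample userinfo response (the "roles" claim is assumed to be configured).
USERINFO_RESPONSE = json.dumps({
    "sub": "alice",
    "name": "Alice Example",
    "roles": ["Internal/everyone", "order_viewer"],
})

# Capability policy of the resource server: a capability is granted only when the
# user holds one of the listed roles AND the token carries every listed scope.
CAPABILITIES = {
    "view_orders":   {"roles": {"order_viewer", "order_manager"}, "scopes": {"read_orders"}},
    "cancel_orders": {"roles": {"order_manager"},                 "scopes": {"write_orders"}},
}


def _local(tag):
    """Strip the XML namespace so parsing does not depend on prefix choices."""
    return tag.rsplit("}", 1)[-1]


def parse_validation_response(xml_text):
    """Extract validity, remaining lifetime (assumed milliseconds), scopes and user."""
    root = ET.fromstring(xml_text)
    result = {"valid": False, "expiry_ms": 0, "scopes": set(), "user": None}
    for el in root.iter():
        name = _local(el.tag)
        text = (el.text or "").strip()
        if name == "valid":
            result["valid"] = text.lower() == "true"
        elif name == "expiryTime":
            result["expiry_ms"] = int(text)
        elif name == "scope":
            result["scopes"].add(text)
        elif name == "authorizedUser":
            result["user"] = text
    return result


def parse_userinfo(json_text):
    """Extract subject, display name and roles; tolerate a comma-separated roles string."""
    claims = json.loads(json_text)
    roles = claims.get("roles", [])
    if isinstance(roles, str):
        roles = [r.strip() for r in roles.split(",") if r.strip()]
    return {"sub": claims.get("sub"), "name": claims.get("name"), "roles": set(roles)}


def granted_capabilities(validation, userinfo, policy=CAPABILITIES):
    """Capabilities allowed by BOTH the user's roles and the token's scopes."""
    # An invalid or already expired token grants nothing, whatever the roles say.
    if not validation["valid"] or validation["expiry_ms"] <= 0:
        return set()
    granted = set()
    for cap, rule in policy.items():
        role_ok = bool(userinfo["roles"] & rule["roles"])
        scope_ok = rule["scopes"] <= validation["scopes"]
        if role_ok and scope_ok:
            granted.add(cap)
    return granted


def authorize(validation_xml, userinfo_json, capability):
    """Decision for one request: parse both responses, then check the capability."""
    v = parse_validation_response(validation_xml)
    u = parse_userinfo(userinfo_json)
    return capability in granted_capabilities(v, u)


if __name__ == "__main__":
    for cap in CAPABILITIES:
        print(cap, authorize(SOAP_VALIDATION_RESPONSE, USERINFO_RESPONSE, cap))
```

With the sample data, alice gets `view_orders` (role order_viewer plus scope read_orders) but not `cancel_orders`; a user holding order_manager would still be refused `cancel_orders` while the token lacks write_orders, which is exactly the scope-based restriction the userinfo endpoint alone cannot provide.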