1
votes

We are using WSO2 1.90 and have encountered an issue with a character-length limit on the scope value that can be assigned to tokens generated behind the scenes.

For example, we have 39 scopes added across 60 API endpoints configured in Publisher.

Some of our individual scope names can be as long as 50 characters, for example:

customer-order-authorisation-requests_create

Anyway, after generating a token for a given user, when we tried to access an API we got an error from WSO2 telling us the access token was invalid for the resource requested. We double-checked the scope values we were sending in the token request and the scope values returned, and can see matching scope values for the resource in question being referenced in the error message.

After some further digging in the WSO2 logs we came across the following:

2017-03-09 10:43:58,845 [-] [pool-46-thread-100] ERROR TokenPersistenceTask Error occurred while persisting access token 60efd3d6b9112d453c451d2965a753e1
org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception: Invalid request
        at org.wso2.carbon.identity.oauth2.dao.TokenMgtDAO.storeAccessToken(TokenMgtDAO.java:196)
        at org.wso2.carbon.identity.oauth2.dao.TokenMgtDAO.persistAccessToken(TokenMgtDAO.java:229)
        at org.wso2.carbon.identity.oauth2.dao.TokenPersistenceTask.run(TokenPersistenceTask.java:56)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at java.lang.Thread.run(Thread.java:745)
Caused by: com.mysql.jdbc.MysqlDataTruncation: Data truncation: Data too long for column 'TOKEN_SCOPE' at row 1
        at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:3868)
        at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:3806)
        at com.mysql.jdbc.MysqlIO.sendCommand(MysqlIO.java:2470)
        at com.mysql.jdbc.MysqlIO.sqlQueryDirect(MysqlIO.java:2617)
        at com.mysql.jdbc.ConnectionImpl.execSQL(ConnectionImpl.java:2550)
        at com.mysql.jdbc.PreparedStatement.executeInternal(PreparedStatement.java:1861)
        at com.mysql.jdbc.PreparedStatement.execute(PreparedStatement.java:1192)
        at org.wso2.carbon.identity.oauth2.dao.TokenMgtDAO.storeAccessToken(TokenMgtDAO.java:188)
        ... 5 more

Looking at the database schema for the API Manager, the TOKEN_SCOPE column is in the table IDN_OAUTH2_ACCESS_TOKEN and is defined as follows:

CREATE TABLE IDN_OAUTH2_ACCESS_TOKEN (
    ACCESS_TOKEN VARCHAR(255),
    REFRESH_TOKEN VARCHAR(255),
    CONSUMER_KEY VARCHAR(255),
    AUTHZ_USER VARCHAR(100),
    USER_TYPE VARCHAR(25),
    TIME_CREATED TIMESTAMP DEFAULT 0,
    VALIDITY_PERIOD BIGINT,
    TOKEN_SCOPE VARCHAR(767),
    TOKEN_STATE VARCHAR(25) DEFAULT 'ACTIVE',
    TOKEN_STATE_ID VARCHAR(255) DEFAULT 'NONE',
    PRIMARY KEY (ACCESS_TOKEN),
    FOREIGN KEY (CONSUMER_KEY) REFERENCES IDN_OAUTH_CONSUMER_APPS(CONSUMER_KEY) ON DELETE CASCADE,
    CONSTRAINT CON_APP_KEY UNIQUE (CONSUMER_KEY, AUTHZ_USER, USER_TYPE, TOKEN_STATE, TOKEN_STATE_ID, TOKEN_SCOPE)
) ENGINE INNODB;

There is a 767-character limit on the TOKEN_SCOPE field.

So to test this further, we started removing scopes from our APIs in Publisher until the value of the scope field returned in the token API response was below this limit.

This allowed us to start accessing our APIs again without any errors being thrown.

This is a problem for us, since we have only around a third of our APIs protected by scopes.

We can of course come up with shorter naming conventions for our scopes, but we don't want to sacrifice the readability of these scope values, since we use them in our application for determining permission sets for logged-in users.

There doesn't seem to be any limit imposed by WSO2 when creating and assigning scopes in Publisher.

Should we be using scopes in some other way? A 767 character limit seems rather specific!

Thanks

1 Answer

0
votes

This is the InnoDB prefix limit.

If your MySQL version is >= 5.7.7, you can increase the size of the column directly. If not, you'll have to set the innodb_large_prefix value before increasing it.

See https://dev.mysql.com/doc/refman/5.7/en/innodb-parameters.html#sysvar_innodb_large_prefix
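The checks and the ALTER that the answer describes, written out as an added example (not from the original post, the answer, or WSO2's own database scripts). Two caveats from the question's own evidence: the stack trace shows the insert failing inside TokenPersistenceTask on a pool thread, i.e. the token endpoint has already handed the client a token that was never stored, which is why a "matching" token is then rejected at the gateway; and TOKEN_SCOPE is a member of the UNIQUE key CON_APP_KEY, so its size is bounded by the combined index-key limit, not only by the per-column prefix limit. The example assumes MySQL 5.6 or 5.7 (innodb_large_prefix and innodb_file_format were removed in 8.0, where DYNAMIC rows and large prefixes are the default), that the identity database is the current schema, and that the table uses a 1-byte-per-character charset such as latin1; a utf8 or utf8mb4 table has 3 or 4 bytes per character and the arithmetic in the comments must be divided accordingly. Check the collation the script prints before running the ALTER, and run it in a maintenance window, since it rebuilds the unique index.

```sql
-- Added example (not from the original post or from WSO2's scripts).
-- Assumptions: MySQL 5.6/5.7, identity DB selected, table charset latin1.

-- 1. What is the server doing today?
SELECT VERSION();                                   -- >= 5.7.7: large prefixes are on by default
SHOW VARIABLES LIKE 'innodb_large_prefix';          -- must be ON for index prefixes over 767 bytes
SHOW VARIABLES LIKE 'innodb_file_format';           -- must be Barracuda on 5.6 for DYNAMIC rows
SELECT TABLE_NAME, ROW_FORMAT, TABLE_COLLATION      -- collation tells you bytes per character
  FROM information_schema.TABLES
 WHERE TABLE_SCHEMA = DATABASE()
   AND TABLE_NAME = 'IDN_OAUTH2_ACCESS_TOKEN';

-- 2. How close are the scope strings that did fit to the limit?
--    (The ones that failed were never stored, so compare this with the
--    scope value returned by the token endpoint for the failing app.)
SELECT MAX(LENGTH(TOKEN_SCOPE)) AS longest_stored_scope_bytes
  FROM IDN_OAUTH2_ACCESS_TOKEN;

-- 3. Only on MySQL < 5.7.7: enable large prefixes before widening the column.
--    Persist both settings in my.cnf as well, or they are lost on restart.
SET GLOBAL innodb_file_format = Barracuda;
SET GLOBAL innodb_large_prefix = ON;

-- 4. Widen the column. TOKEN_SCOPE is part of UNIQUE KEY CON_APP_KEY, so it
--    counts against the 3072-byte limit on the combined index key:
--    CONSUMER_KEY 255 + AUTHZ_USER 100 + USER_TYPE 25 + TOKEN_STATE 25
--    + TOKEN_STATE_ID 255 = 660 bytes, leaving at most 2412 bytes for
--    TOKEN_SCOPE at 1 byte per character. 2048 stays inside that with margin.
--    DYNAMIC row format is required for a per-column prefix above 767 bytes.
ALTER TABLE IDN_OAUTH2_ACCESS_TOKEN
  ROW_FORMAT = DYNAMIC,
  MODIFY TOKEN_SCOPE VARCHAR(2048);

-- 5. Confirm the new definition before issuing tokens again.
SHOW CREATE TABLE IDN_OAUTH2_ACCESS_TOKEN;
```

If the ALTER fails with "Specified key was too long; max key length is 767 bytes", step 3 did not take effect (or the server is older than 5.6.3, which has no innodb_large_prefix at all); if it fails with "max key length is 3072 bytes", the charset is multi-byte and the new VARCHAR size has to come down. Widening the column only moves the wall: a request that asks for every scope in the deployment will eventually exceed any fixed size, so it is still worth asking for only the scopes a given client actually needs.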