I am using the combination of WSO2 API Manager and WSO2 identity server and configured using the following documentation https://docs.wso2.com/display/CLUSTER44x/Configuring+the+Pre-Packaged+Identity+Server+5.2.0+with+API+Manager+2.0.0
In this case ,WSO2 idenity server acts as key manager and API Manager manages scopes.
I have configured and its working. I tried to use the password grant and its giving me a bearer token even if i hit with wrong username and password.It feels as if its only checking the client id which i pass in the url.
curl -X POST \
https://mycustomwsourl.in:9443/oauth2/token \
-H 'authorization: Basic TnVMb0tGRmJlZ3hqUThNeW5uYzlHWmE1bkpBYTpKSzRINmp5M3V4Zl8wNFZNX25lbDhncnJwMm9h' \
-H 'content-type: application/x-www-form-urlencoded' \
-H 'grant_type: password' \
-H 'password: testuser' \
-H 'scope: SCOPE_EDIT SCOPE_READ SCOPE_REMOVE' \
-H 'username: testuser'
If i pass a client code differently it throws me an error. Otherwise it gives back bearer token always.
Can it be because identity server is not acting as key manager? any configuration?