I'm using WSO2 IS (5.10.0) as the key manager of APIM (3.2.0). I have published a GraphQL API which is secured by a scope (say 'test_scope', based on a role named 'test'). I have subscribed to the API with the Default Application and have generated the keys as well. When I generate the access token with the scope ('test_scope') and invoke the secured API, I'm getting a valid response even though the required role ('test') is not assigned to the user. Below is the curl command which I'm using.
curl -k -X POST https://<IP>:8243/token -d "grant_type=password&username=Username&password=Password&scope=test_scope" \
  -H "Authorization: Basic Base64(consumer-key:consumer-secret)"
How can I overcome this issue?