0 votes

I'm using WSO2 IS (5.10.0) as the key manager of APIM (3.2.0). I have published a graphql API which is secured by a scope (say 'test_scope' based on a role named 'test'). I have subscribed to the API with the Default Application and have generated the keys as well. When I generate the access token with the scope ('test_scope') and invoke the secured API I'm getting the valid response even though the required role ('test') is not assigned to the user. Below is the curl command which I'm using.

curl -k -X POST https://<IP>:8243/token -d "grant_type=password&username=Username&password=Password&scope=test_scope" \
  -H "Authorization: Basic Base64(consumer-key:consumer-secret)"

How to overcome this issue?

I experienced the same situation. What I found so far is that when I do the same configuration on APIM 3.2.0 without IS, role validation works as expected. I also described my situation here. - Niubi
Could you see the requested scopes in the access token response? - Gayan
Yes. The requested scope is there in the token. - Justus Nithushan

1 Answer

1 vote

This is because you have not enabled the Scope Validator for your application in the Service Provider settings in IS.

In the IS management console:

  • Go to the service providers list
  • Go to the service provider for your application (eg: admin_DefaultApplication_SANDBOX) and select "edit"
  • Go to "Inbound Authentication Configuration" > "OAuth/ OpenID Connect Configuration" and select "edit"
  • Enable "Role based scope validator"


Now only the users who have the role required by the scope can access your APIs.
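A small POSIX shell check for confirming that the validator is actually enforcing the role, added here as an example; it is not code from the question, the answer, or WSO2. It assumes hypothetical environment variables (GATEWAY for the https://<IP>:8243 host, CLIENT_B64 for the Base64 consumer key and secret, USERNAME, PASSWORD and API_PATH for the published API context), and the two JSON token responses are constructed samples. With the validator on, a user without the role should receive a token whose scope string no longer contains test_scope, and the gateway should answer 401 or 403 when that token is used; a 200 for such a user is the symptom described in the question.

```shell
#!/bin/sh
# Added example: verify role-based scope validation from the client side.
# Constructed sample token responses (not real WSO2 output):
# a user who holds the 'test' role gets the requested scope, a user who
# does not gets only the default scope.
SAMPLE_WITH_ROLE='{"access_token":"tok-constructed-1","scope":"test_scope default","token_type":"Bearer","expires_in":3600}'
SAMPLE_WITHOUT_ROLE='{"access_token":"tok-constructed-2","scope":"default","token_type":"Bearer","expires_in":3600}'

# Extract a string-valued field from a flat JSON token response.
json_field() {
    printf '%s' "$2" | sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# Pull the space-separated "scope" value out of the token response.
token_scope() {
    json_field scope "$1"
}

# Exit 0 only if the requested scope is one of the granted scopes (exact match).
scope_granted() {
    requested="$1"
    granted="$(token_scope "$2")"
    for s in $granted; do
        [ "$s" = "$requested" ] && return 0
    done
    return 1
}

# For a user who lacks the role behind the scope, the gateway must answer
# 401 or 403. Anything else (notably 200) means the scope is not enforced.
enforcement_ok() {
    case "$1" in
        401|403) return 0 ;;
        *)       return 1 ;;
    esac
}

# Live check against a real deployment; runs only when the hypothetical
# GATEWAY and CLIENT_B64 variables are set, so the script stays offline-safe.
live_check() {
    if [ -z "$GATEWAY" ] || [ -z "$CLIENT_B64" ]; then
        echo "live check skipped (GATEWAY/CLIENT_B64 not set)"
        return 0
    fi
    API_PATH="${API_PATH:-/<context>/<version>}"   # placeholder, set to your API
    resp="$(curl -sk -X POST "$GATEWAY/token" \
        -H "Authorization: Basic $CLIENT_B64" \
        -d "grant_type=password&username=$USERNAME&password=$PASSWORD&scope=test_scope")"
    if scope_granted test_scope "$resp"; then
        echo "test_scope granted to $USERNAME (user holds the role, or validator is off)"
    else
        echo "test_scope withheld from $USERNAME (validator active)"
    fi
    token="$(json_field access_token "$resp")"
    status="$(curl -sk -o /dev/null -w '%{http_code}' \
        -H "Authorization: Bearer $token" "$GATEWAY$API_PATH")"
    echo "gateway answered $status"
}

# Offline demonstration on the constructed samples.
for sample in "$SAMPLE_WITH_ROLE" "$SAMPLE_WITHOUT_ROLE"; do
    if scope_granted test_scope "$sample"; then
        echo "scope '$(token_scope "$sample")': test_scope granted"
    else
        echo "scope '$(token_scope "$sample")': test_scope withheld"
    fi
done
live_check
```

Run it once as a user who has the 'test' role and once as a user who does not: the second run should print that the scope was withheld and the gateway should answer 401 or 403. If the second user still receives test_scope in the token and a 200 from the gateway, the Role based scope validator is not enabled for that service provider.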