0 votes

I am using WSO2 Identity Server and WSO2 API Manager to manage access. I want to ensure role-based access control to APIs using OAuth2 scopes and authorize end users to access my APIs based on their roles. For this purpose, I have to expose my APIs on the API Manager and create an SPA for user authentication before accessing the APIs. I have many users (developers, publishers, customers, agents, etc.).

To do this, I first configured wso2am-3.2.0 with wso2is-km-5.10.0 using the following guide:

https://apim.docs.wso2.com/en/latest/install-and-setup/setup/distributed-deployment/configuring-wso2-identity-server-as-a-key-manager/#step-1-download-prepackaged-wso2-is-as-a-key-manager-wso2-is-km

To perform role-based access control to APIs for developers, I created scopes for the API and assigned scopes to roles. I am able to generate an access token for each scope, but the role validation is not performed: all my users, whatever their roles, can access my APIs, and access is not restricted by user roles. When I tested role-based access control to APIs with the default integrated key manager of the API Manager (https://apim.docs.wso2.com/en/latest/learn/api-security/oauth2/oauth2-scopes/fine-grained-access-control-with-oauth-scopes/), it worked normally, but the integration of WSO2 Identity Server as key manager leads to this behavior. Did I miss any setup in the WSO2 Identity Server or API Manager for role validation when accessing an API with a given scope?

I can get an access token for each scope as follows:

{
  "access_token": "x",
  "refresh_token": "x",
  "scope": "view_item",
  "token_type": "Bearer",
  "expires_in": 3600
}

1 Answer

-1 votes

We can use the API below to generate a token based on the scopes associated with the user's role: https://localhost:9443/oauth2/token
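The way to verify the behavior the question describes, and to exercise the token endpoint the answer points at, is to request a token for several users with different roles and compare the `scope` the key manager actually returns with the scope the role bindings say it should grant. The following is an added example, not code from the question, the answer or WSO2. It builds the password-grant request body for the endpoint named in the answer (without sending it, so it runs offline), and it checks a token response such as the one posted in the question against a constructed scope-to-role mapping. The mapping, the roles, the client credentials and the users are made up for illustration; the checker also assumes, as the question's comparison with the default key manager suggests, that an unauthorized scope should be dropped from the issued token and replaced by the placeholder scope `default`, and it treats a scope with no role binding as not grantable.

```python
import base64
import json
from urllib.parse import urlencode

# Token endpoint named in the answer (WSO2 IS acting as key manager).
TOKEN_ENDPOINT = "https://localhost:9443/oauth2/token"

# Constructed example of the scope-to-role bindings the question describes.
# A scope is granted only if the user holds at least one of the bound roles.
SCOPE_ROLES = {
    "view_item": {"developer", "publisher", "customer"},
    "edit_item": {"developer", "publisher"},
    "delete_item": {"publisher"},
}

# Constructed token response, shaped like the one posted in the question.
SAMPLE_RESPONSE = json.dumps({
    "access_token": "x",
    "refresh_token": "x",
    "scope": "view_item",
    "token_type": "Bearer",
    "expires_in": 3600,
})


def build_password_grant(client_id, client_secret, username, password, scopes):
    """Return (headers, form_body) for a resource-owner password grant.

    Client credentials go in an HTTP Basic header; the requested scopes are
    space-separated in the form body, as OAuth2 requires. Nothing is sent.
    """
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({
        "grant_type": "password",
        "username": username,
        "password": password,
        "scope": " ".join(scopes),
    })
    return headers, body


def expected_scopes(requested, user_roles, scope_roles=SCOPE_ROLES):
    """Scopes a role-aware key manager should grant for this user.

    Assumption of this example: a requested scope bound to none of the
    user's roles (or to no role at all) must not appear in the token.
    """
    roles = set(user_roles)
    return {s for s in requested if roles & scope_roles.get(s, set())}


def check_token_response(response_json, requested, user_roles,
                         scope_roles=SCOPE_ROLES):
    """Compare the scope in a token response with the expected set.

    Returns the over-granted scopes (the symptom in the question: a user
    whose roles are not bound to the scope still receives it) and any
    expected scopes that were unexpectedly dropped.
    """
    granted = set(json.loads(response_json)["scope"].split())
    # Assumption: "default" is the placeholder scope issued when nothing
    # requested was authorized, so it is not a real API scope.
    granted.discard("default")
    expected = expected_scopes(requested, user_roles, scope_roles)
    return {
        "over_granted": sorted(granted - expected),
        "missing": sorted(expected - granted),
    }


if __name__ == "__main__":
    # Constructed client and users; replace with the values from your
    # application and user store when running this against a real server.
    headers, body = build_password_grant("client", "secret", "agent1",
                                         "pw", ["view_item"])
    print("POST", TOKEN_ENDPOINT, body)
    # An "agent" holds no role bound to view_item, so receiving it is a
    # role-validation failure; a "customer" is entitled to it.
    print(check_token_response(SAMPLE_RESPONSE, ["view_item"], ["agent"]))
    print(check_token_response(SAMPLE_RESPONSE, ["view_item"], ["customer"]))
```

Run it once per role against the real endpoint by sending the returned headers and body with any HTTP client and passing the response text to `check_token_response`. If every user, including one whose roles are bound to none of the scopes, produces an empty `missing` list and a non-empty `over_granted` list, the key manager is issuing scopes without consulting role bindings, which is the behavior the question reports.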