I am using WSO2 Identity Server-5.10.0 and API Manager-3.2.0.

I have created an application in the Devportal and subscribed the APIs to this application. In the Identity Server I have enabled the Role Based Scope Validator for this service provider, and I am using the below API to generate the token: https://IS_host/oauth2/token. After enabling the Role Based Scope Validator, I am unable to generate a token with scope=apim:subscribe; it gives the error "invalid scope". The user is assigned the role Internal/Subscriber.

We are creating Application in Devportal and subscribing APIs to this Application.

We want to list the scopes associated with the APIs that are subscribed to a particular application; hence we are calling the below API to list scopes based on applicationId:
https://AM_HOST/api/am/store/v1/applications/{applicationId}

To invoke this API we need to generate a token with scope apim:subscribe, but after enabling the Role Based Scope Validator we are unable to generate a token with apim:subscribe.

If we disable the Role Based Scope Validator, the user is able to generate a token for all scopes irrespective of the roles associated with the user.

1 Answer

The apim:subscribe scope is a reserved scope for API Manager REST APIs. Hence, it is not required to create an Application from the Devportal to generate the Tokens with it. You can perform a DCR operation straight to the API Manager to register a client and generate the Access Tokens with the API-M reserved scopes.

Further, I believe that you have configured the IS as the Key Manager by following IS-Connector approach. The Role Based Scope validator feature requires a set of DBs to be shared among the servers.

Hence, the best way to generate the API-M specific scope tokens would be as follows:

  • Perform DCR operation to the API Manager instance (not the IS)
  • This creates a client in the API Manager using the Resident Key Manager of the API Manager and responds back with the consumer credentials (client ID and secret)
  • Perform Password grant to generate the token using the received consumer credentials

You can learn more about performing the DCR and the subsequent calls in the Devportal REST API docs.

Hope this helps you to overcome the reported behavior.
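The three-step procedure from the answer, as an added example that is not part of the original post or of WSO2's own code. It assumes the API-M 3.2.0 DCR endpoint path (`/client-registration/v0.17/register`) and the gateway token endpoint on port 8243; the host names are the placeholders from the question, and all responses are constructed samples rather than captures from a real server. The HTTP transport is passed in as a parameter so the flow can be exercised offline. The part worth keeping is the check at the end: it surfaces an `invalid_scope` error from the token endpoint and verifies that `apim:subscribe` is actually in the granted scope list, rather than assuming the token carries it.

```python
"""Two-step token flow from the answer: DCR against the API Manager, then a
password grant with the API-M reserved scope. The transport is injectable so
the flow runs offline against constructed responses; the default transport
talks to a live server."""
import base64
import json
from urllib.error import HTTPError
from urllib.parse import urlencode, urlparse
from urllib.request import Request, urlopen

# Hosts are the placeholders from the question; paths and ports are assumptions
# for API-M 3.2.0 and should be checked against your deployment.
APIM_HOST = "https://AM_HOST:9443"
GATEWAY_HOST = "https://AM_HOST:8243"
DCR_PATH = "/client-registration/v0.17/register"
TOKEN_PATH = "/token"


def basic_auth(user, secret):
    return "Basic " + base64.b64encode(f"{user}:{secret}".encode()).decode()


def build_dcr_request(username, password, client_name="devportal_rest_client"):
    """Step 1: register a client with the API-M Resident Key Manager (not the IS)."""
    body = {
        "callbackUrl": "https://localhost/callback",  # unused by the password grant
        "clientName": client_name,
        "owner": username,
        "grantType": "password refresh_token",
        "saasApp": True,
    }
    return {"url": APIM_HOST + DCR_PATH,
            "headers": {"Authorization": basic_auth(username, password),
                        "Content-Type": "application/json"},
            "body": json.dumps(body).encode()}


def build_token_request(client_id, client_secret, username, password, scopes):
    """Step 2: password grant using the consumer credentials returned by DCR."""
    form = {"grant_type": "password", "username": username,
            "password": password, "scope": " ".join(scopes)}
    return {"url": GATEWAY_HOST + TOKEN_PATH,
            "headers": {"Authorization": basic_auth(client_id, client_secret),
                        "Content-Type": "application/x-www-form-urlencoded"},
            "body": urlencode(form).encode()}


def http_post(req):
    """Default transport. An OAuth error body (HTTP 400) is returned rather than
    raised so the caller can inspect the 'error' code."""
    r = Request(req["url"], data=req["body"], headers=req["headers"], method="POST")
    try:
        with urlopen(r) as resp:
            return json.loads(resp.read().decode())
    except HTTPError as e:
        return json.loads(e.read().decode())


def obtain_token(username, password, scopes, transport=http_post):
    """Run both steps and verify the granted scopes before trusting the token."""
    dcr = transport(build_dcr_request(username, password))
    if "clientId" not in dcr:
        raise RuntimeError(f"DCR failed: {dcr}")
    tok = transport(build_token_request(dcr["clientId"], dcr["clientSecret"],
                                        username, password, scopes))
    if "error" in tok:
        # e.g. invalid_scope, which is what a scope validator rejection looks like
        raise PermissionError(f"{tok['error']}: {tok.get('error_description', '')}")
    granted = set(tok.get("scope", "").split())
    missing = set(scopes) - granted
    if missing:
        # a server may also silently drop scopes it will not grant
        raise PermissionError(f"scopes not granted: {sorted(missing)}")
    return tok["access_token"], granted


# Constructed sample responses (not captured from a real server) for offline use.
SAMPLE_DCR = {"clientId": "ExampleConsumerKey", "clientSecret": "ExampleConsumerSecret",
              "clientName": "devportal_rest_client"}
SAMPLE_TOKEN = {"access_token": "example-access-token", "token_type": "Bearer",
                "expires_in": 3600, "scope": "apim:subscribe default"}
SAMPLE_DENIED = {"error": "invalid_scope",
                 "error_description": "Scope validation failed for the requested scopes"}


def fake_transport(req, deny=False):
    """Offline stand-in for http_post, keyed on the request path."""
    path = urlparse(req["url"]).path
    if path == DCR_PATH:
        return dict(SAMPLE_DCR)
    if path == TOKEN_PATH:
        return dict(SAMPLE_DENIED) if deny else dict(SAMPLE_TOKEN)
    raise ValueError(path)


def demo(deny=False):
    """Whole flow against the constructed responses; deny=True simulates the
    validator rejecting the scope for a user without the required role."""
    return obtain_token("subscriber_user", "example-password", ["apim:subscribe"],
                        transport=lambda req: fake_transport(req, deny))
```

To run it against a real deployment, call `obtain_token(user, password, ["apim:subscribe"])` with the default transport and the hosts and paths adjusted; the credentials in the DCR call are the user's own, and the same user then performs the password grant, which is the sequence the answer's three bullets describe.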