The permissions of the user role have no relevance to the issuance of the token. For a user to obtain a token with a certain set of scopes, the two criteria below need to be fulfilled.
1) The user should be in a role that is bound to the scope being requested.
2) The particular application that makes the /token request needs to bear a valid subscription to the API that has the scope attached to a Resource.

Thanks,
NuwanD.

On Thu, Jan 18, 2018 at 1:33 PM, Isuru Uyanage <isur...@wso2.com> wrote:
> Hi All,
> I need to clarify if the below scenario is valid.
>
> Role      Permission                                      Scope        Resource
> HRDept    Admin Permission                                add_user     POST
> Accounts  Login, api create, api publish, api subscribe   search_user  GET
>
> 1. The role HRDept (with admin permission) can create an application and generate an access token according to the scope from the Management Console as well as from a cURL command. Further, the particular resource can be invoked successfully.
>
> 2. The users belonging to role Accounts create a new application, but they are not allowed to select their own scope (search_user) from the Management Console and generate the access token. An access token is generated for a default scope and using that they cannot proceed with the GET operation. The same thing was tried by the curl command and got the same result as above.
>
> curl -k -d "grant_type=password&username=user1S&password=Test123&scope=search_user" -H "Authorization: Basic TnNRUXpoZjhZR2EyYmNSU1kwblZScGlqcllFYTo4X21Rb0VfSzZyWVB6T2VjZnM5RVlEWjNJXzBh" -H "Content-Type: application/x-www-form-urlencoded" https://localhost:8243/token
>
> {"access_token":"b5484ade-42e4-3709-a6a6-cfc18008b6ec","refresh_token":"56142251-f1e8-3951-91d2-091a98d07d70","scope":"default","token_type":"Bearer","expires_in":3600}
>
> This happens only if access tokens are generated for newly created applications other than the default application. With the default application the above scenario works successfully.
>
> In summary,
>
> - Users who do not have admin permissions (Role - Accounts) create a new application; using that they cannot get the access token for the particular scope (search_user), instead they get a default scope, and the resource cannot be invoked through that. But with the default application they get the access token for the particular scope and the resource can be invoked successfully.
>
> - Users who have admin permission (Role HRDept) can create a new application; using that they can get an access token for the particular scope (add_user) and invoke the resource successfully.
>
> Could you please confirm if the above concerns are valid. Any feedback would be appreciated if I've missed anything.
>
> References: https://docs.wso2.com/display/AM2xx/Scope+Management+with+OAuth+Scopes
> Product: apim 2.1.0 update 6
>
> Thanks and Best Regards,
>
> Isuru Uyanage
> Software Engineer - QA | WSO2
> Mobile : +94 77 55 30752
> LinkedIn: https://www.linkedin.com/in/isuru-uyanage/

--
Nuwan Dias
Software Architect - WSO2, Inc. http://wso2.com
email : nuw...@wso2.com
Phone : +94 777 775 729
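The two criteria in Nuwan's reply, as an added example that is not part of the original thread and not WSO2 code: a small Python model of the check a /token endpoint applies to each requested scope. The role-to-scope bindings and the two scopes come from Isuru's table; the API name, the application names, their subscriptions and the user names are constructed for the illustration. A scope that fails either check is dropped with a reason, and a request in which nothing survives is answered with the "default" scope, which is what the quoted response shows.

```python
"""Added example, not WSO2 code: a toy model of the two checks described
above for issuing a scoped OAuth2 token (password grant).

Constructed assumptions:
- the role-to-scope table and the two scopes come from the thread; the API
  name, the application names, their subscriptions and the user names are
  invented for this illustration;
- a requested scope that fails either check is dropped, and a request in
  which nothing survives is answered with the "default" scope, mirroring
  the response quoted in the thread.
"""
from dataclasses import dataclass, field

# Scope -> roles bound to it (from the table in the thread).
SCOPE_ROLES = {
    "add_user": {"HRDept"},
    "search_user": {"Accounts"},
}

# API -> scopes attached to its resources (constructed).
API_SCOPES = {
    "UserAPI": {"add_user", "search_user"},
}

# Application -> APIs it holds a valid subscription to (constructed).
SUBSCRIPTIONS = {
    "DefaultApplication": {"UserAPI"},
    "AccountsApp": set(),   # created by an Accounts user, never subscribed
    "HRApp": {"UserAPI"},
}

# Username -> roles (constructed users carrying the thread's roles).
USER_ROLES = {
    "user1S": {"Accounts"},
    "hr_admin": {"HRDept"},
}


@dataclass
class TokenResponse:
    scope: str                      # space-separated granted scopes, or "default"
    token_type: str = "Bearer"
    expires_in: int = 3600
    dropped: dict = field(default_factory=dict)   # requested scope -> reason it was dropped


def scopes_reachable_by(application):
    """Union of the scopes exposed by every API the application is subscribed to."""
    reachable = set()
    for api in SUBSCRIPTIONS.get(application, set()):
        reachable |= API_SCOPES.get(api, set())
    return reachable


def grant_scopes(username, application, requested):
    """Apply both criteria to each requested scope and build the token response."""
    roles = USER_ROLES.get(username, set())
    reachable = scopes_reachable_by(application)
    granted, dropped = [], {}
    for scope in requested:
        if not roles & SCOPE_ROLES.get(scope, set()):
            # criterion 1: the user must hold a role bound to the scope
            dropped[scope] = "user holds no role bound to this scope"
        elif scope not in reachable:
            # criterion 2: the requesting application must be subscribed to
            # an API that exposes the scope on one of its resources
            dropped[scope] = "application has no subscription to an API exposing this scope"
        else:
            granted.append(scope)
    return TokenResponse(scope=" ".join(granted) if granted else "default",
                         dropped=dropped)


if __name__ == "__main__":
    # Reproduces the thread: Accounts user, new app without a subscription -> default scope.
    resp = grant_scopes("user1S", "AccountsApp", ["search_user"])
    print(resp.scope, resp.dropped)
    # Same user through the default application -> the requested scope is issued.
    print(grant_scopes("user1S", "DefaultApplication", ["search_user"]).scope)
```

The `dropped` map is the part worth keeping when diagnosing a "scope":"default" response: it tells you which of the two criteria failed, so you can tell a missing role binding apart from a missing subscription on the new application.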
_______________________________________________ Dev mailing list Dev@wso2.org http://wso2.org/cgi-bin/mailman/listinfo/dev