Hi Nuwan/Chamin,

Thank you for the replies.
Thanks and Best Regards,
Isuru Uyanage
Software Engineer - QA | WSO2
Mobile: +94 77 55 30752
LinkedIn: https://www.linkedin.com/in/isuru-uyanage/

On Fri, Jan 19, 2018 at 11:54 AM, Chamin Dias <cham...@wso2.com> wrote:

> On Thu, Jan 18, 2018 at 1:41 PM, Nuwan Dias <nuw...@wso2.com> wrote:
>
>> The permissions of the user role have no relevance to the issuance of the
>> token. For a user to obtain a token with a certain set of scopes, the two
>> criteria below need to be fulfilled.
>>
>> 1) The user should be in a role that is bound to the scope being requested.
>> 2) The particular application that makes the /token request needs to bear
>> a valid subscription to the API that has the scope attached to a Resource.
>>
>> Thanks,
>> NuwanD.
>>
>> On Thu, Jan 18, 2018 at 1:33 PM, Isuru Uyanage <isur...@wso2.com> wrote:
>>
>>> Hi All,
>>>
>>> I need to clarify if the below scenario is valid.
>>>
>>> Role      Permission                                     Scope        Resource
>>> HRDept    Admin Permission                               add_user     POST
>>> Accounts  Login, api create, api publish, api subscribe  search_user  GET
>>>
>>> 1. The role HRDept (with admin permission) can create an application and
>>> generate an access token according to the scope from the Management Console
>>> as well as from a cURL command. Further, the particular resource can be
>>> invoked successfully.
>>>
>>> 2. The users belonging to role Accounts *create a new application*, but
>>> they are not allowed to select their own scope (search_user) from the
>>> Management Console and generate the access token.
>
> In this case, we use the management console to create roles and assign those
> to users. Scopes are defined in the API Publisher UI (resource section). You
> can find an in-detail example in [1] as well. Please follow the instructions
> there and it will provide you the overall idea.
>
> [1] https://wso2.com/library/articles/2017/01/article-an-overview-of-scope-management-with-wso2-api-manager/#example
>
>>> An access token is generated for the default scope and using that they
>>> cannot proceed with the GET operation.
>>> The same thing was tried with the curl command and got the same result as
>>> above.
>>>
>>> curl -k -d "grant_type=password&username=user1S&password=Test123&scope=search_user" \
>>>   -H "Authorization: Basic TnNRUXpoZjhZR2EyYmNSU1kwblZScGlqcllFYTo4X21Rb0VfSzZyWVB6T2VjZnM5RVlEWjNJXzBh" \
>>>   -H "Content-Type: application/x-www-form-urlencoded" \
>>>   https://localhost:8243/token
>>>
>>> {"access_token":"b5484ade-42e4-3709-a6a6-cfc18008b6ec","refresh_token":"56142251-f1e8-3951-91d2-091a98d07d70","scope":"default","token_type":"Bearer","expires_in":3600}
>>>
>>> This happens only if access tokens are generated for newly created
>>> applications other than the default application. With the default
>>> application the above scenario works successfully.
>>>
>>> In summary,
>>>
>>> - *Users who do not have admin permissions (Role - Accounts) create a new
>>> application; using that they cannot get the access token for the particular
>>> scope (search_user), instead they get the default scope, and the resource
>>> cannot be invoked through that. But with the default application they get
>>> the access token for the particular scope and the resource can be invoked
>>> successfully.*
>>>
>>> - *Users who have admin permission (Role HRDept) can create a new
>>> application; using that they can get an access token for the particular
>>> scope (add_user) and invoke the resource successfully.*
>>>
>>> Could you please confirm if the above concerns are valid. Any feedback
>>> would be appreciated if I've missed anything.
>>>
>>> References: https://docs.wso2.com/display/AM2xx/Scope+Management+with+OAuth+Scopes
>>> Product: apim 2.1.0 update 6
>>>
>>> Thanks and Best Regards,
>>> Isuru Uyanage
>>> Software Engineer - QA | WSO2
>>> Mobile: +94 77 55 30752
>>> LinkedIn: https://www.linkedin.com/in/isuru-uyanage/
>>
>> --
>> Nuwan Dias
>> Software Architect - WSO2, Inc. http://wso2.com
>> email : nuw...@wso2.com
>> Phone : +94 777 775 729
>
> --
> Chamin Dias
> Mobile : 0716097455
> Email : cham...@wso2.com
> LinkedIn : https://www.linkedin.com/in/chamindias
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
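The two issuance criteria Nuwan states (user holds a role bound to the scope; the requesting application subscribes to an API that attaches that scope to a resource), followed by the gateway's resource check, can be run through as a small model. This is an added example and not WSO2 code: the role names, users, API, resources and applications are constructed to mirror the table in the thread, and the assumption that the newly created Accounts application simply lacks a subscription is one scenario consistent with the rules, not something the thread establishes. The fallback to a "default"-only token when no requested scope can be granted is modelled on the token response Isuru posted.

```python
"""Model of scope issuance and resource invocation (added example, not WSO2 code).

Hypothetical data: role->scope bindings, one API with two scoped resources,
and three applications with different subscriptions.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set

DEFAULT_SCOPE = "default"


@dataclass(frozen=True)
class Resource:
    path: str
    verb: str
    scope: Optional[str] = None  # None: resource requires no scope


@dataclass(frozen=True)
class Api:
    name: str
    resources: FrozenSet[Resource]


@dataclass(frozen=True)
class Application:
    name: str
    subscriptions: FrozenSet[str]  # names of APIs the application subscribes to


# --- constructed sample data (names are hypothetical) ----------------------
ROLE_SCOPE_BINDINGS: Dict[str, Set[str]] = {
    "add_user": {"HRDept"},
    "search_user": {"Accounts"},
}
USER_ROLES: Dict[str, Set[str]] = {
    "hradmin": {"HRDept"},
    "user1S": {"Accounts"},
}
USER_API = Api("UserAPI", frozenset({
    Resource("/users", "POST", "add_user"),
    Resource("/users", "GET", "search_user"),
}))
APIS: Dict[str, Api] = {USER_API.name: USER_API}
# Assumed scenario: the default application and the HR user's new application
# are subscribed to UserAPI; the Accounts user's new application is not.
APPS: Dict[str, Application] = {
    "DefaultApplication": Application("DefaultApplication", frozenset({"UserAPI"})),
    "HRNewApp": Application("HRNewApp", frozenset({"UserAPI"})),
    "AccountsNewApp": Application("AccountsNewApp", frozenset()),
}


def scopes_reachable_by_app(app: Application) -> Set[str]:
    """Scopes attached to resources of the APIs this application subscribes to."""
    return {
        res.scope
        for api_name in app.subscriptions
        for res in APIS[api_name].resources
        if res.scope is not None
    }


def issue_token_scopes(username: str, app_name: str, requested: Set[str]) -> Set[str]:
    """Scopes placed in the token for a /token request by `username` via `app_name`.

    A requested scope is granted only if (1) the user holds a role bound to it
    and (2) the application subscribes to an API that attaches it to a resource.
    If nothing survives, the token carries only the default scope.
    """
    user_roles = USER_ROLES.get(username, set())
    app_scopes = scopes_reachable_by_app(APPS[app_name])
    granted = {
        scope for scope in requested
        if user_roles & ROLE_SCOPE_BINDINGS.get(scope, set())  # check 1: role bound to scope
        and scope in app_scopes                                 # check 2: app subscription
    }
    return granted or {DEFAULT_SCOPE}


def can_invoke(token_scopes: Set[str], api_name: str, path: str, verb: str) -> bool:
    """Gateway-side check: the resource's scope must be present in the token."""
    for res in APIS[api_name].resources:
        if res.path == path and res.verb == verb:
            return res.scope is None or res.scope in token_scopes
    return False  # unknown resource


if __name__ == "__main__":
    cases = [
        ("hradmin", "HRNewApp", {"add_user"}, "POST"),
        ("user1S", "AccountsNewApp", {"search_user"}, "GET"),
        ("user1S", "DefaultApplication", {"search_user"}, "GET"),
        ("user1S", "DefaultApplication", {"add_user"}, "POST"),
    ]
    for user, app, wanted, verb in cases:
        scopes = issue_token_scopes(user, app, wanted)
        ok = can_invoke(scopes, "UserAPI", "/users", verb)
        print(f"{user:8} via {app:19} requested {sorted(wanted)} -> "
              f"token scope {sorted(scopes)}, {verb} /users allowed: {ok}")
```

Running the block prints one line per case: the Accounts user through the unsubscribed application gets a "default"-only token and the GET is refused, while the same user through the subscribed default application gets search_user and the GET is allowed; requesting a scope whose role the user does not hold (user1S asking for add_user) also falls back to "default" even through a subscribed application, which is the first criterion failing rather than the second.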