This documentation is for WSO2 Open Banking version 1.3.0. View documentation for the latest release.

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: changed to gender-neutral names


  • There is an API with the following resources:
    • GET: This is attached to the payment_read scope.
    • POST: This is attached to the payment_write scope.
  • There are two user roles: Manager and Front Desk.
  • The Manager role is linked to both the payment_read and payment_write scopes, while the Front Desk role is only linked to the payment_read scope.
  • The Manager role is assigned only to JohnCharlie, while the Front Desk role is assigned to both Tom Alex and JohnCharlie.

  • Tom Alex requests a token through the Token API as grantAPI as grant_type=password&username=tomalex&password=xxxx&scope=payment_read payment_write. However, as Tom Alex is not in the Manager role, he will the user will only be granted a token bearing the payment_read scope.

    Code Block
    "scope":"payment_read","token_type":"bearer","expires_in":3299, "refresh_token":"8579facb65d1d3eba74a395a2e78dd6", "access_token":"eb51eff0b4d85cda1eb1d312c5b6a3b8"

    • Next,

    • Charlie requests a

    token as grant
    • token as grant_type=password&username=

    • charlie&password=

    • charlie123&scope=payment_read payment_write. As

    John has
    • Charlie has both the roles assigned, the token will bear both requested scopes.

      Code Block
      "scope":"payment_read payment_write", "token_type":"bearer", "expires_in":3299, "refresh_token":"4ca244fb321bd555bd3d555df39315", "access_token":"42a377a0101877d1d9e29c5f30857e"
    • This means that

    • Alex can only access the GET operation of the API, while

    • Charlie can access both as

    he is
    • the scope is assigned to both the Manager and Front Desk user roles. If

    • Alex tries to access the POST operation, there will be an HTTP 403 Forbidden error as follows:

      Code Block
      <ams:faultxmlns:ams=""> <ams:code>900910</ams:code> <ams:message>The access token does not allow you to access the requested resource</ams:message> <ams:description>Access failure for API: /orgnews, version: 1.0.0 with key: eb51eff0b4d85cda1eb1d312c5b6a3b8 </ams:description> </ams:fault>
Access Tokens