This documentation is for WSO2 API Manager 1.10.0 View documentation for the latest release.
Extending Scope Validation - API Manager 1.10.0 - WSO2 Documentation
Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 4 Next »

OAuth Scopes which were introduced from the release version 1.7.0 allow to have fine grained access control to API resources based on the user roles. It allows you to define scopes per API and associate defined scopes with API Resources. OAuth 2.0 bearer tokens will be obtained for a set of requested scopes and the token obtained will not be allowed to access any API Resources beyond the associated scopes. Refer OAuth Scopes for more information.

API manager uses scopes as a way of defining permissions for a resource. If a resource is assigned a scope, then the token accessing the resource should be generated with that scope. By associating a scope with a role, we can control which users are permitted to have tokens under certain scopes. So in that sense associating a role to a scope seems legitimate.

Validating role of a requester would not make much sense in some scenarios like where the scope is used as a way of making an access token. Scope is not used as a means of securing  resource sometimes. e.g openId scope.

In such situations to work correctly, scope validation can be extended to skip role validation for certain scopes.

Skipping Role Validation for Scopes

 

  • No labels