This documentation is for WSO2 API Manager 1.10.0 View documentation for the latest release.
Extending Scope Validation - API Manager 1.10.0 - WSO2 Documentation
Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 11 Next »

OAuth Scopes which were introduced from the release version 1.7.0, allow to have fine grained access control to API resources based on the user roles. It allows you to define scopes per API and associate defined scopes with API Resources. OAuth 2.0 bearer tokens will be obtained for a set of requested scopes and the token obtained will not be allowed to access any API Resources beyond the associated scopes. Refer OAuth Scopes for more information.

API manager uses scopes as a way of defining permissions for a resource. If a resource is assigned a scope, then the token accessing the resource should be generated with that scope. By associating a scope with a role, we can control which users are permitted to have tokens under certain scopes. So in that sense associating a role to a scope seems legitimate.

Validating role of a requester would not make much sense in some scenarios like where the scope is used as a way of making an access token. Scope is not used as a means of securing  resource sometimes. e.g openId scope. In such situations to work correctly, scope validation can be extended to skip role validation for certain scopes.

Skipping Role Validation for Scopes

When scopes which cannot be associated to roles are requested, the the token should be issues without validating the scope. By providing a white-listed scopes through configuration, WSO2 API Manager has provided this facility. Patterns of the white-listed scopes can be provided via a config under APIKeyValidator section in <APIM_HOME>/repository/conf/api-manager.xml file.


When we specify the pattern of the scope in the white-list, scopes that match the pattern won’t be tested for roles. Simply, anyone requesting a white-listed scope will be given that.

Following example shows a demonstration.

Skipping role validation for certain scopes in API Manager 

  1. Start the server and log into API Store.
  2. Create an application and click on the generate button to generate keys.


  • No labels