This documentation is for WSO2 API Manager 1.10.0 View documentation for the latest release.
Extending Scope Validation - API Manager 1.10.0 - WSO2 Documentation
Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 27 Next »

OAuth Scopes which were introduced from the API Manager release version 1.7.0 onwards, allow you to have fine grained access control to API resources based on the user roles. It allows you to define scopes per API and associate defined scopes with API Resources. OAuth 2.0 bearer tokens will be obtained for a set of requested scopes and the token obtained will not be allowed to access any API Resources beyond the associated scopes. Refer OAuth Scopes for more information.

API manager uses scopes as a way of defining permissions for a resource. If a resource is assigned a scope, then the token accessing the resource should be generated with that scope. By associating a scope with a role, we can control which users are permitted to have tokens under certain scopes. So in that sense associating a role to a scope seems legitimate.

Validating role of a requester would not make much sense in some scenarios like where the scope is used as a way of making an access token. Scope is not used as a means of securing  resource sometimes. e.g openId scope. In such situations to work correctly, scope validation can be extended to skip role validation for certain scopes.

Skipping Role Validation for Scopes

When scopes which cannot be associated to roles are requested, the the token should be issues without validating the scope. By providing a white-listed scopes through configuration, WSO2 API Manager has provided this facility. Patterns of the white-listed scopes can be provided via a config under APIKeyValidator section in <APIM_HOME>/repository/conf/api-manager.xml file.

When we specify the pattern of the scope in the white-list, scopes that match the pattern won’t be tested for roles. Simply, anyone requesting a white-listed scope will be given that.

Following example shows a demonstration.

Skipping role validation for certain scopes in API Manager 

  1. Start the server and log into API Store.
  2. Create an application and click on the generate button to generate keys.
  3. Get the consumer key and consumer secret and create a command to call the token API.

    You can simply get this by clicking on cURL button on  My Subscription page.



  4. Get the token by calling the token API.

    Make sure you include some random scope in the request.

    curl -k -d "grant_type=password&username=admin&password=admin&scope=some_random_scope" -H "Authorization: Basic WmRFUFBvZmZwYVFnR25ScG5iZldtcUtSS3IwYTpSaG5ocEVJYUVCMEN3T1FReWpiZTJwaDBzc1Vh, Content-Type: application/x-www-form-urlencoded"

    You will get following like response from the server with the token.


    You may not see the scope you requested for in this response.

  5. Shut down the server.

  6. Add the following section inside <APIKeyValidator> element of  api-manager.xml located in <APIM_HOME>/repository/conf directory and restart the server.

  7. Call the token API using the same request used in step 4. You will get the following like response.


    You can see the scope you requested for in this response which is white-listed so that validated.

  • No labels