OAuth Scopes which were introduced from the API Manager release version 1.7.0 onwards, allow you to have fine grained access control to API resources based on the user roles. It allows you to define scopes per API and associate defined scopes with API Resources. OAuth 2.0 bearer tokens will be obtained for a set of requested scopes and the token obtained will not be allowed to access any API Resources beyond the associated scopes. Refer OAuth Scopes for more information.
API manager uses scopes as a way of defining permissions for a resource. If a resource is assigned a scope, then the token accessing the resource should be generated with that scope. By associating a scope with a role, we can control which users are permitted to have tokens under certain scopes. So in that sense associating a role to a scope seems legitimate.
Validating role of a requester would not make much sense in some scenarios like where the scope is used as a way of making an access token. Scope is not used as a means of securing resource sometimes. e.g openId scope. In such situations to work correctly, scope validation can be extended to skip role validation for certain scopes.
Skipping Role Validation for Scopes
When scopes which cannot be associated to roles are requested, the token should be issues without validating the scope. By providing a white-listed scopes through configuration, WSO2 API Manager has provided this facility. Patterns of the white-listed scopes can be provided via a config under APIKeyValidator section in <APIM_HOME>/repository/conf/api-manager.xml file.
When we specify the pattern of the scope in the white-list, scopes that match the pattern won’t be tested for roles. Simply, anyone requesting a white-listed scope will be given that.
Following example shows a demonstration.
Skipping role validation for certain scopes in API Manager
- Start the server and log into API Store.
- Create an application and click on the generate button to generate keys.
Get the consumer key and consumer secret and create a command to call the token API.
You can simply get this by clicking on cURL button on My Subscription page.
Get the token by calling the token API.
Make sure you include some random scope in the request.
You will get following like response from the server with the token.
You may not see the scope you requested for in this response.
Shut down the server.
Add the following section inside <APIKeyValidator> element of api-manager.xml located in <APIM_HOME>/repository/conf directory and restart the server.
Call the token API using the same request used in step 4. You will get the following like response.
You can see the scope you requested for in this response which is white-listed so that validated.