
APIs cannot be invoked using a token which is generated with a scope based on userstore role #12584

Open
Menuka-Senevirathne opened this issue Mar 8, 2022 · 1 comment

Comments

@Menuka-Senevirathne

Description:

The scopes can be created without an issue (i.e. there is no front-end validation to check case sensitivity), but once we try to invoke an API with the generated token it fails with a 403 Forbidden response.

[2022-03-04 13:53:28,677] WARN - APIAuthenticationHandler API authentication failure due to The access token does not allow you to access the requested resource /sample/v1/

Steps to reproduce:

  1. Get the APIM 2.6 pack and update to the latest or level 72.
  2. Get WSO2 IS to be used as the userstore.
  3. Start both the IS and APIM servers, go to the APIM Management console and configure a userstore.
  4. Then create a role for that userstore (Example: TestRole).
  5. Create a user with that user role.
  6. Go to the publisher and create a new API.
  7. Create two scopes as TestRole and testRole (to identify the case-sensitivity issue).
  8. Then assign those scopes to two different resources.
  9. Generate a token and try to invoke the API. The one with TestRole would work and the other one with testRole would fail.

Affected Product Version:

APIM 2.6.0


Optional Fields

Related Issues:

#3273

Suggested Labels:

APIM 2.6.0

@msm1992
Contributor

msm1992 commented Apr 11, 2022

The above reported issue was fixed by adding [1]. But it leads to the below issue due to confusing use of the system property preserveCaseSensitive. This needs to be fixed.

Scenario: We have a role named WSO2.COM/Test in the userstore, and while creating scopes from the store we have mentioned the scope role as,

  • WSO2.COM/Test in ScopeOne and
  • WSO2.COM/test in ScopeTwo

| | preserveCaseSensitive=true | preserveCaseSensitive=false |
|---|---|---|
| Token Generation | With ScopeOne: Works fine. With ScopeTwo: Blocked (Matches with Expected Behavior) | With ScopeOne: Works fine. With ScopeTwo: Works fine (Matches with Expected Behavior) |
| API Invocation | With token generated for ScopeOne: Works fine. With token generated for ScopeTwo: Works fine (Deviates from Expected Behavior) | With token generated for ScopeOne: Works fine. With token generated for ScopeTwo: Blocked (403) (Deviates from Expected Behavior) |

[1]. wso2-extensions/identity-inbound-auth-oauth@49a816f
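The table above shows the two enforcement points (token generation and API invocation) disagreeing about preserveCaseSensitive. The following is an added example, not WSO2 code, that models the fix a defender would want: one Policy object decides how a scope's bound role is compared, the token issuer applies it once, and the gateway then only checks the issued scopes by exact name. The ScopeOne/ScopeTwo bindings, the user's role and the case-insensitive handling of the userstore domain are assumptions of this model.

```python
# Added example, not WSO2 code: one Policy decides case sensitivity for the
# role-to-scope check, so token generation and API invocation cannot diverge.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable


@dataclass(frozen=True)
class Policy:
    # Mirrors the preserveCaseSensitive system property named in the comment.
    preserve_case_sensitive: bool

    def role_key(self, role: str) -> str:
        # Domain-qualified roles like "WSO2.COM/Test": the userstore domain is
        # compared case-insensitively here (an assumption of this model); the
        # role name itself follows the flag.
        domain, _, name = role.rpartition("/")
        name = name if self.preserve_case_sensitive else name.casefold()
        return f"{domain.upper()}/{name}" if domain else name

    def user_holds(self, user_roles: Iterable[str], required_role: str) -> bool:
        wanted = self.role_key(required_role)
        return any(self.role_key(r) == wanted for r in user_roles)


# Scope -> bound role, as entered in the publisher (constructed sample that
# reproduces the comment's ScopeOne / ScopeTwo setup).
SCOPE_ROLES: Dict[str, str] = {"ScopeOne": "WSO2.COM/Test", "ScopeTwo": "WSO2.COM/test"}


def issue_token(policy: Policy, user_roles: Iterable[str],
                requested: Iterable[str]) -> FrozenSet[str]:
    """Token generation: keep only the scopes whose bound role the user holds."""
    roles = list(user_roles)
    return frozenset(s for s in requested
                     if s in SCOPE_ROLES and policy.user_holds(roles, SCOPE_ROLES[s]))


def authorize(token_scopes: FrozenSet[str], resource_scope: str) -> bool:
    """API invocation: trust the issued token's scopes and compare scope names
    exactly; the role decision was already made once under the policy."""
    return resource_scope in token_scopes


def outcome_matrix(preserve_case_sensitive: bool) -> Dict[str, str]:
    """Result per scope for a user holding WSO2.COM/Test (constructed user)."""
    policy = Policy(preserve_case_sensitive)
    token = issue_token(policy, ["WSO2.COM/Test"], SCOPE_ROLES)
    return {s: ("works" if authorize(token, s) else "blocked") for s in SCOPE_ROLES}
```

With preserveCaseSensitive=true, ScopeTwo is blocked at both stages; with it set to false, both scopes work at both stages, so neither row of the table deviates.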
