Issue Observed When Using Shared Scopes with WSO2 IS as Third-Party Key Manager
Description
By following the steps outlined in the official documentation [1], along with guidance from the related blog post [2], we were able to successfully implement the RBAC setup. We obtained tokens through the Identity Server's token endpoint and were able to access secured resources with the relevant local scopes without any issues. However, when we tried to engage shared scopes, we encountered an issue. While local scopes worked as expected, the issue specifically arises when engaging shared scopes with the API after configuring WSO2 IS as the third-party Key Manager. This issue does not occur when IS is not engaged as a third-party KM, which suggests the problem may be related to the integration with the external KM or to how shared scopes are handled in that context. It appears to be a potential bug when adding shared scopes to the API definition (Swagger/OpenAPI spec).
This issue can be reproduced with WSO2 API Manager 4.4.0 (Update Level 15) when configured with the following versions of Identity Server as a third-party Key Manager:
- WSO2 Identity Server 7.1.0 (Update Level 2)
- WSO2 Identity Server 7.0.0 (Update Level 98)
However, once the Identity Server is disabled as a third-party Key Manager, we don't see any issue when adding shared scopes to the API resource.
Given that this functionality falls under fundamental RBAC features, we believe this issue should be investigated and resolved with priority.
We would appreciate your assistance in reviewing this issue and advising on any potential workarounds or fixes.
[1] https://apim.docs.wso2.com/en/4.4.0/administer/key-managers/configure-wso2is7-connector/
[2] https://medium.com/@aselapathirage/role-based-access-control-rbac-enhancing-api-management-with-wso2-apim-4-3-wso2-is-7-db329f030ec5
[3] https://apim.docs.wso2.com/en/4.1.0/design/api-security/oauth2/oauth2-scopes/fine-grained-access-control-with-oauth-scopes/#shared-scopes
Thanks, Dumindu
Steps to Reproduce
- Follow the steps in the documentation [1] to configure WSO2 IS as a third-party Key Manager in APIM.
- Create a shared scope in IS and assign it to a secured API resource[3].
- Deploy the API and attempt to access it using a valid token with the assigned shared scope.
- Observe the error on the APIM side during the API deployment.
Version
wso2am-4.4.0
Environment Details (with versions)
No response
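When triaging a report like the one above, the first thing to rule out is that the token obtained from the Identity Server actually carries the shared scope, so that a 403 from the gateway can be attributed to scope handling on the APIM/KM side rather than to the token request. The helper below is an added example written for this issue, not code from the report or from the WSO2 projects. It assumes the Key Manager issues self-contained JWT access tokens whose `scope` claim is a space-separated string (or a list); the sample token, issuer, client id and scope names are constructed placeholders, and the signature segment is a dummy because the helper deliberately does not verify signatures (the gateway does that).

```python
import base64
import json
import time


def _b64url(data: bytes) -> str:
    """Base64url-encode without padding, as used in compact JWS."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_sample_jwt(scopes, exp_offset=3600):
    """Build a CONSTRUCTED, unsigned sample token for local testing.

    It mimics the shape of a JWT access token (header.payload.signature) so
    that the checks below can be exercised offline; it is not an IS token.
    """
    header = {"alg": "RS256", "typ": "at+jwt", "kid": "sample-kid"}  # assumed values
    payload = {
        "iss": "https://localhost:9443/oauth2/token",  # assumed issuer
        "aud": "sample-client-id",                      # assumed audience
        "client_id": "sample-client-id",
        "scope": " ".join(scopes),
        "exp": int(time.time()) + exp_offset,
    }
    return ".".join([
        _b64url(json.dumps(header).encode()),
        _b64url(json.dumps(payload).encode()),
        "signature-placeholder",  # not a real signature; nothing here verifies it
    ])


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload segment of a compact JWS WITHOUT verifying it.

    Only use this for inspection; never make an authorization decision on it.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated segments)")
    payload_b64 = parts[1]
    padded = payload_b64 + "=" * (-len(payload_b64) % 4)  # restore padding
    return json.loads(base64.urlsafe_b64decode(padded))


def token_scopes(token: str) -> set:
    """Return the set of scopes in the token's 'scope' claim (string or list)."""
    scope = decode_jwt_payload(token).get("scope", "")
    if isinstance(scope, list):
        return set(scope)
    return set(scope.split())


def check_token_for_resource(token: str, required_scopes) -> tuple:
    """Report whether the token satisfies a resource's scope requirement.

    Returns (ok, reason). If ok is True, a 403 from the gateway cannot be
    explained by the token itself and points at scope handling downstream.
    """
    claims = decode_jwt_payload(token)
    if claims.get("exp", 0) <= time.time():
        return False, "token expired"
    missing = set(required_scopes) - token_scopes(token)
    if missing:
        return False, "token lacks scope(s): " + ", ".join(sorted(missing))
    return True, "token carries all required scopes; investigate gateway/KM scope handling"


if __name__ == "__main__":
    # Constructed scenario: token requested with one shared and one local scope.
    tok = make_sample_jwt(["apim:shared_scope_read", "local_read"])
    print(check_token_for_resource(tok, ["apim:shared_scope_read"]))
    print(check_token_for_resource(tok, ["apim:shared_scope_write"]))
```

Point `check_token_for_resource` at a token returned by the IS token endpoint (with the shared scope in the `scope` parameter of the request) and at the scope names declared on the API resource; if the check passes and the gateway still rejects the call, the token request is not the cause and the shared-scope handling in the KM integration is the place to look.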