product-apim
API invocation under cross tenant scenario gives a 401 response when using Password Grant
Description:
Consider a cross tenant subscription scenario where we try to consume an API from another tenant (let's say the API is created by tenant A, and the admin of tenant B is trying to consume said API). Assume we are using the password grant option (i.e. the resource owner's username and password as an authorization grant) to obtain an access token. When trying to invoke the API using the obtained access token, a 401 Unauthorized response is observed.
Steps to reproduce:
- Add the following configuration in the deployment.toml file and restart the server
[apim.devportal]
enable_cross_tenant_subscriptions = true
- Create two tenants such as a.com and b.com
- Login to publisher portal as the admin of tenant a.com
- Create an API
- Select "Available to all the tenants" under Subscriptions and publish the API
- Go to the developer portal and select a.com as the tenant domain, and login as the admin of tenant b.com
- Create an application and subscribe to the API from step 4
- Generate keys and get an access token from the developer portal UI itself. Try invoking the API with this token. It should succeed.
- Now generate the access token by invoking the Token API through the steps given in [1]
- When invoking the API using this token, we observe the 401 response provided below

[1] https://apim.docs.wso2.com/en/latest/design/api-security/oauth2/grant-types/password-grant/#invoking-the-token-api-to-generate-tokens
Affected Product Version:
4.0.0
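The token request and API call from steps 17 and 18, scripted so that the gateway's status code can be checked and, if you still have the developer portal token from step 16, the claims of the two tokens can be compared side by side. This is an added example and not code from the report or from WSO2. Everything not in the report is an assumption: the token endpoint and API URLs, the `admin@b.com` tenant-qualified username form, the `APIM_*` environment variable names, and that access tokens are JWTs whose payload can be decoded for inspection.

```python
"""Reproduce the cross-tenant password-grant 401 described above (added example)."""
import base64
import json
import os
import ssl
import sys
import urllib.error
import urllib.parse
import urllib.request

# Assumed defaults for a local API Manager; none of these come from the report.
TOKEN_URL_DEFAULT = "https://localhost:9443/oauth2/token"
API_URL_DEFAULT = "https://localhost:8243/pizzashack/1.0.0/menu"
TENANT_B_ADMIN = "admin@b.com"  # assumed tenant-qualified username form: user@tenantdomain


def basic_auth_header(consumer_key: str, consumer_secret: str) -> str:
    """Authorization header the Token API expects: base64(consumerKey:consumerSecret)."""
    raw = f"{consumer_key}:{consumer_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def password_grant_body(username: str, password: str, scope: str = "default") -> str:
    """Form body for the resource owner password grant."""
    return urllib.parse.urlencode(
        {"grant_type": "password", "username": username, "password": password, "scope": scope}
    )


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload of a JWT access token WITHOUT verifying its signature.

    Only for comparing the claims of two tokens; the gateway, not this function,
    decides whether a token is valid."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def differing_claims(a: dict, b: dict) -> dict:
    """Claims whose values differ between two decoded payloads, as {claim: (a, b)}."""
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}


def make_unsigned_sample_jwt(payload: dict) -> str:
    """Constructed test token (alg=none, empty signature) for offline use only."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(payload)}."


def request_token(token_url, consumer_key, consumer_secret, username, password, ctx=None) -> str:
    """Step 17 of the report: obtain an access token from the Token API with the password grant."""
    req = urllib.request.Request(
        token_url,
        data=password_grant_body(username, password).encode(),
        headers={
            "Authorization": basic_auth_header(consumer_key, consumer_secret),
            "Content-Type": "application/x-www-form-urlencoded",
        },
        method="POST",
    )
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)["access_token"]


def invoke_api(api_url, access_token, ctx=None) -> int:
    """Step 18: call the API through the gateway and return the HTTP status (401 is the bug)."""
    req = urllib.request.Request(api_url, headers={"Authorization": f"Bearer {access_token}"})
    try:
        with urllib.request.urlopen(req, context=ctx) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def main() -> int:
    key = os.environ.get("APIM_CONSUMER_KEY")
    secret = os.environ.get("APIM_CONSUMER_SECRET")
    password = os.environ.get("APIM_PASSWORD")
    if not (key and secret and password):
        print("set APIM_CONSUMER_KEY, APIM_CONSUMER_SECRET and APIM_PASSWORD to run against a gateway")
        return 2
    ctx = ssl._create_unverified_context()  # only for a local setup with a self-signed certificate
    token = request_token(os.environ.get("APIM_TOKEN_URL", TOKEN_URL_DEFAULT), key, secret,
                          os.environ.get("APIM_USERNAME", TENANT_B_ADMIN), password, ctx)
    status = invoke_api(os.environ.get("APIM_API_URL", API_URL_DEFAULT), token, ctx)
    print(f"Token API token -> gateway returned HTTP {status}")
    devportal_token = os.environ.get("APIM_DEVPORTAL_TOKEN")  # token from step 16, if available
    if devportal_token:
        diff = differing_claims(decode_jwt_payload(devportal_token), decode_jwt_payload(token))
        print("claims differing (devportal token, Token API token):", json.dumps(diff, indent=2))
    return 0 if status == 200 else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it once before and once after applying the `generate_with_sp_tenant_domain` setting; the exit code tells you whether the gateway accepted the Token API token, and the claim diff shows what actually changed in the issued token between the two runs.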
@ashera96 Adding the following config will resolve the issue.
[oauth.access_token]
generate_with_sp_tenant_domain = "true"