
APIs cannot be invoked using a token which is generated with a scope based on userstore role

Open Menuka-Senevirathne opened this issue 2 years ago • 1 comment

Description:

The scopes can be created without an issue (i.e. there is no front-end validation to check case sensitivity), but once we try to invoke an API with the generated token it fails with a 403 Forbidden response.

[2022-03-04 13:53:28,677] WARN - APIAuthenticationHandler API authentication failure due to The access token does not allow you to access the requested resource /sample/v1/

Steps to reproduce:

  1. Get the APIM 2.6 pack and update to the latest or level 72.
  2. Get WSO2 IS to be used as the userstore.
  3. Start both the IS and APIM servers, go to the APIM Management Console and configure a userstore.
  4. Then create a role for that userstore (Example: TestRole).
  5. Create a user with that user role.
  6. Go to the Publisher and create a new API.
  7. Create two scopes as TestRole and testRole (to identify the case-sensitivity issue).
  8. Then assign those scopes to two different resources.
  9. Generate a token and try to invoke the API. The one with TestRole would work and the other one with testRole would fail.

Affected Product Version:

APIM 2.6.0


Optional Fields

Related Issues:

https://github.com/wso2/product-apim/issues/3273

Suggested Labels:

APIM 2.6.0

Menuka-Senevirathne avatar Mar 08 '22 07:03 Menuka-Senevirathne

The issue reported above was fixed by adding [1]. But it leads to the issue below due to confusing use of the system property preserveCaseSensitive. This needs to be fixed.

Scenario: we have a role named WSO2.COM/Test in the userstore, and while creating scopes from the Store we have set the scope role as:

  • WSO2.COM/Test in ScopeOne and
  • WSO2.COM/test in ScopeTwo

Token Generation
  • preserveCaseSensitive=true: With ScopeOne: works fine. With ScopeTwo: blocked (matches the expected behavior).
  • preserveCaseSensitive=false: With ScopeOne: works fine. With ScopeTwo: works fine (matches the expected behavior).

API Invocation
  • preserveCaseSensitive=true: With the token generated for ScopeOne: works fine. With the token generated for ScopeTwo: works fine (deviates from the expected behavior).
  • preserveCaseSensitive=false: With the token generated for ScopeOne: works fine. With the token generated for ScopeTwo: blocked (403) (deviates from the expected behavior).

[1]. https://github.com/wso2-extensions/identity-inbound-auth-oauth/commit/49a816f7d0e93f63ec7f25db21857bbdc4bfe046

msm1992 avatar Apr 11 '22 11:04 msm1992
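The matrix in the comment above, as an added example that is not WSO2 code: it models token generation and API invocation as two enforcement points that should share one role-matching rule, and reproduces the observed deviations under the hypothetical assumption that the gateway applies the inverse of preserveCaseSensitive. The role and scope names are the ones from the comment; the flow functions are constructed for illustration.

```python
# Added example (not WSO2 code). Models the role-to-scope check that both
# token issuance and the API gateway must perform, and shows why the two
# points must use the same comparison rule.

def role_matches(user_role: str, scope_role: str, preserve_case: bool) -> bool:
    """Single comparison rule: exact match when preserve_case, else case-insensitive."""
    if preserve_case:
        return user_role == scope_role
    return user_role.casefold() == scope_role.casefold()


def scope_permitted(user_roles, scope_roles, preserve_case: bool) -> bool:
    """True if any of the user's roles is bound to the scope."""
    return any(role_matches(u, s, preserve_case)
               for u in user_roles for s in scope_roles)


# Constructed data mirroring the scenario in the comment.
USER_ROLES = ["WSO2.COM/Test"]
SCOPES = {"ScopeOne": ["WSO2.COM/Test"], "ScopeTwo": ["WSO2.COM/test"]}


def observed_flow(scope: str, preserve_case: bool) -> dict:
    """Hypothetical model of the reported behaviour: issuance honours the
    flag, but the gateway evaluates the opposite setting."""
    return {
        "token_generation": scope_permitted(USER_ROLES, SCOPES[scope], preserve_case),
        "api_invocation": scope_permitted(USER_ROLES, SCOPES[scope], not preserve_case),
    }


def consistent_flow(scope: str, preserve_case: bool) -> dict:
    """Intended behaviour: both enforcement points use the same flag, so a
    token that is issued is always accepted and vice versa."""
    decision = scope_permitted(USER_ROLES, SCOPES[scope], preserve_case)
    return {"token_generation": decision, "api_invocation": decision}


def deviates(scope: str, preserve_case: bool) -> bool:
    """Flags the cases the comment marks as deviating from expected behaviour."""
    return observed_flow(scope, preserve_case) != consistent_flow(scope, preserve_case)


if __name__ == "__main__":
    for flag in (True, False):
        for scope in SCOPES:
            print(f"preserveCaseSensitive={flag} {scope}: "
                  f"{observed_flow(scope, flag)} deviates={deviates(scope, flag)}")
```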