wso2 / product-apim


API invocation under cross tenant scenario gives a 401 response when using Password Grant #11818

Open ashera96 opened 3 years ago

ashera96 commented 3 years ago

Description:

Consider a cross tenant subscription scenario where we try to consume an API from another tenant (let's say the API is created by tenant A, and the admin of tenant B is trying to consume this said API). Assume we are using the password grant option (i.e. resource owner's username and password as an authorization grant) to obtain an access token. When trying to invoke the API using the obtained access token, a 401 unauthorized response is observed.

Steps to reproduce:

  1. Add the following configuration in the deployment.toml file and restart the server
    [apim.devportal]
    enable_cross_tenant_subscriptions = true
  2. Create two tenants such as a.com and b.com
  3. Log in to the publisher portal as the admin of tenant a.com
  4. Create an API
  5. Select "Available to all the tenants" under Subscriptions and publish the API
  6. Go to the developer portal, select a.com as the tenant domain, and log in as the admin of tenant b.com
  7. Create an application and subscribe to the API from step 4
  8. Generate keys and get an access token from the developer portal UI itself. Try invoking the API with this token. It should succeed.
  9. Now generate the access token by invoking the Token API through the steps given in [1]
  10. When invoking the API using this token, we observe the 401 response shown below
[Screenshot: the 401 Unauthorized response, captured 2021-10-05]

[1] https://apim.docs.wso2.com/en/latest/design/api-security/oauth2/grant-types/password-grant/#invoking-the-token-api-to-generate-tokens

Affected Product Version:

4.0.0

chashikajw commented 1 year ago

@ashera96 Adding the following config will resolve the issue.

[oauth.access_token]
generate_with_sp_tenant_domain = "true"
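A small configuration check written for this thread (an added example, not WSO2 code) that flags a deployment.toml where cross-tenant subscriptions are enabled (step 1 above) but the `generate_with_sp_tenant_domain` setting from the comment above is absent. It assumes the two settings appear as plain `[section]` / `key = value` lines, as they do in this issue; the parser is a deliberately minimal TOML subset, not a full TOML implementation.

```python
"""Flag the cross-tenant / password-grant config mismatch from issue #11818.

Assumption (not from the page): settings are written as plain
[section] headers followed by key = value lines, as shown in the issue.
"""
import re
from typing import Dict, List

SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
KEYVAL_RE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(.+?)\s*$")

CROSS_TENANT = "apim.devportal.enable_cross_tenant_subscriptions"
SP_TENANT_TOKEN = "oauth.access_token.generate_with_sp_tenant_domain"


def parse_simple_toml(text: str) -> Dict[str, str]:
    """Flatten `[section]` + `key = value` lines into {'section.key': value}.
    Quotes are stripped so `"true"` and `true` compare equal; `#` comments are dropped
    (naively: a `#` inside a quoted string would also be cut)."""
    settings: Dict[str, str] = {}
    section = ""
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).strip()
            continue
        m = KEYVAL_RE.match(line)
        if m:
            key, value = m.groups()
            settings[f"{section}.{key}"] = value.strip().strip('"').lower()
    return settings


def check_cross_tenant_token_config(text: str) -> List[str]:
    """Return a list of findings; an empty list means nothing to report."""
    s = parse_simple_toml(text)
    findings: List[str] = []
    if s.get(CROSS_TENANT) == "true" and s.get(SP_TENANT_TOKEN) != "true":
        findings.append(
            f"{CROSS_TENANT} is enabled but {SP_TENANT_TOKEN} is not set: "
            "password-grant tokens obtained via the Token API may be rejected "
            "with 401 on cross-tenant API invocations (see #11818)"
        )
    return findings


# Constructed sample configurations: the reproduction config from the issue,
# and the same config with the fix from the comment applied.
BROKEN_CONFIG = "[apim.devportal]\nenable_cross_tenant_subscriptions = true\n"
FIXED_CONFIG = BROKEN_CONFIG + '[oauth.access_token]\ngenerate_with_sp_tenant_domain = "true"\n'

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, check_cross_tenant_token_config(cfg) or "OK")
```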