wso2 / product-apim

Welcome to the WSO2 API Manager source code! For info on working with the WSO2 API Manager repository and contributing code, click the link below.
http://wso2.github.io/
Apache License 2.0

APIs cannot be invoked using a token which is generated with a scope based on userstore role #12584

Open Menuka-Senevirathne opened 2 years ago

Menuka-Senevirathne commented 2 years ago

Description:

The scopes can be created without an issue (i.e. no front-end validation to check case sensitivity), but once we try to invoke an API with the generated token it fails with a 403 Forbidden response.

[2022-03-04 13:53:28,677] WARN - APIAuthenticationHandler API authentication failure due to The access token does not allow you to access the requested resource /sample/v1/

Steps to reproduce:

  1. Get APIM 2.6 pack and update to the latest or level 72.
  2. Get WSO2 IS to be used as the userstore.
  3. Start both IS and APIM server, go to the APIM Management console and configure a userstore.
  4. Then create a role for that userstore (Example: TestRole)
  5. Create a user with that user role.
  6. Go to the publisher and create a new API
  7. Create two scopes as TestRole and testRole. (To identify case sensitive issue)
  8. Then assign those scopes to two different resources.
  9. Generate a token and try to invoke API. One with TestRole would work and the other one with testRole would fail.

Affected Product Version:

APIM 2.6.0


Optional Fields

Related Issues:

https://github.com/wso2/product-apim/issues/3273

Suggested Labels:

APIM 2.6.0

msm1992 commented 2 years ago

The above reported issue was fixed by adding [1]. But it leads to the below issue due to confusing use of the system property preserveCaseSensitive. This needs to be fixed.

Scenario: We have a role named WSO2.COM/Test in the userstore. And while creating scopes from the store we have mentioned scope role as,

  preserveCaseSensitive=true
    Token Generation:
      With ScopeOne: Works fine
      With ScopeTwo: Blocked (Matches with Expected Behavior)
    API Invocation:
      With token generated for ScopeOne: Works fine
      With token generated for ScopeTwo: Works fine (Deviates from Expected Behavior)

  preserveCaseSensitive=false
    Token Generation:
      With ScopeOne: Works fine
      With ScopeTwo: Works fine (Matches with Expected Behavior)
    API Invocation:
      With token generated for ScopeOne: Works fine
      With token generated for ScopeTwo: Blocked (403) (Deviates from Expected Behavior)

[1]. https://github.com/wso2-extensions/identity-inbound-auth-oauth/commit/49a816f7d0e93f63ec7f25db21857bbdc4bfe046
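The inconsistency in the table above comes from the token-issuance step and the invocation-time (key validation) step not applying the same role comparison. The following added example, which is not WSO2 code, shows one shared comparison rule used by both steps, with constructed scope and role names (ScopeOne, ScopeTwo, WSO2.COM/Test); passing different preserveCaseSensitive values to the two steps reproduces the "token issued but invocation 403" row, and passing the same value removes it.

```python
# Added illustration, not WSO2 code. One role comparison rule shared by token
# issuance and invocation-time validation, parameterised on preserveCaseSensitive.

# Constructed sample data: scope -> role that must be held to obtain it.
SCOPE_ROLES = {
    "ScopeOne": "WSO2.COM/Test",   # same case as the stored role
    "ScopeTwo": "wso2.com/test",   # differs from the stored role only in case
}
USER_ROLES = ["WSO2.COM/Test"]     # role as it is stored in the userstore


def role_matches(user_role: str, required_role: str, preserve_case: bool) -> bool:
    """The single comparison rule; every scope-to-role check must call this."""
    if preserve_case:
        return user_role == required_role
    return user_role.casefold() == required_role.casefold()


def scopes_allowed(user_roles, requested_scopes, preserve_case):
    """Subset of the requested scopes that the user's roles entitle them to."""
    return [s for s in requested_scopes
            if any(role_matches(r, SCOPE_ROLES[s], preserve_case) for r in user_roles)]


def issue_token(user_roles, requested_scopes, preserve_case):
    """Token issuance: the token carries only the scopes the user may hold."""
    return {"scopes": scopes_allowed(user_roles, requested_scopes, preserve_case)}


def authorize_invocation(token, user_roles, resource_scope, preserve_case):
    """Invocation-time validation. 200 = allowed, 403 = token does not allow resource."""
    if resource_scope not in token["scopes"]:
        return 403
    # Re-validate the scope against the roles with the same rule as issuance.
    if not scopes_allowed(user_roles, [resource_scope], preserve_case):
        return 403
    return 200


def run_scenario(issue_preserve_case, invoke_preserve_case):
    """Outcome of issuing a token and invoking both resources.

    Passing two different settings models the two steps disagreeing on the
    property; passing the same value gives the consistent behaviour."""
    token = issue_token(USER_ROLES, ["ScopeOne", "ScopeTwo"], issue_preserve_case)
    return {
        "token_scopes": token["scopes"],
        "invoke_ScopeOne": authorize_invocation(token, USER_ROLES, "ScopeOne", invoke_preserve_case),
        "invoke_ScopeTwo": authorize_invocation(token, USER_ROLES, "ScopeTwo", invoke_preserve_case),
    }
```

With issuance case-insensitive and validation case-sensitive, `run_scenario(False, True)` yields a token carrying ScopeTwo whose invocation is rejected with 403, which is the deviating cell of the preserveCaseSensitive=false row.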