...
Alex requests a token through the Token API with the following password-grant request:

```
grant_type=password&username=tomalex&password=xxxx&scope=payment_read payment_write
```

However, as Alex is not in the Manager role, the user is only granted a token bearing the payment_read scope:

```json
{"scope":"payment_read","token_type":"bearer","expires_in":3299,"refresh_token":"8579facb65d1d3eba74a395a2e78dd6","access_token":"eb51eff0b4d85cda1eb1d312c5b6a3b8"}
```
Next, Charlie requests a token with the same scopes:

```
grant_type=password&username=charlie&password=charlie123&scope=payment_read payment_write
```

As Charlie has both roles assigned, the token bears both requested scopes:

```json
{"scope":"payment_read payment_write","token_type":"bearer","expires_in":3299,"refresh_token":"4ca244fb321bd555bd3d555df39315","access_token":"42a377a0101877d1d9e29c5f30857e"}
```
This means that Alex can only access the GET operation of the API, while Charlie can access both operations, since the required scopes are assigned to the Manager and Front Desk user roles and Charlie holds both. If Alex tries to access the POST operation, the gateway returns an HTTP 403 Forbidden error as follows:

```xml
<ams:fault xmlns:ams="http://wso2.org/apimanager/security">
  <ams:code>900910</ams:code>
  <ams:message>The access token does not allow you to access the requested resource</ams:message>
  <ams:description>Access failure for API: /orgnews, version: 1.0.0 with key: eb51eff0b4d85cda1eb1d312c5b6a3b8</ams:description>
</ams:fault>
```
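The two steps above, scope narrowing at token issuance and scope enforcement at the gateway, as an added example written here and not WSO2's own code. The role-to-scope bindings (payment_read for Manager and Front Desk, payment_write for Manager only), Alex's Front Desk membership, and the mapping of GET and POST on /orgnews to those scopes are assumptions made for the example.

```python
# Added example, not WSO2 API Manager code: a minimal model of scope handling.
# ASSUMED bindings, inferred from the text (not stated verbatim on the page).
SCOPE_ROLES = {
    "payment_read": {"Manager", "Front Desk"},
    "payment_write": {"Manager"},
}
# Constructed user store: password and roles. Alex as Front Desk is an assumption.
USERS = {
    "tomalex": ("xxxx", {"Front Desk"}),
    "charlie": ("charlie123", {"Manager", "Front Desk"}),
}
# Assumed mapping of API operations to the scope each one requires.
RESOURCE_SCOPES = {("GET", "/orgnews"): "payment_read", ("POST", "/orgnews"): "payment_write"}
FAULT_MSG = "The access token does not allow you to access the requested resource"

TOKENS = {}  # access_token -> granted scopes (in-memory stand-in for the key store)


def grant_scopes(roles, requested):
    """Keep only the requested scopes bound to at least one of the user's roles."""
    return [s for s in requested if SCOPE_ROLES.get(s, set()) & roles]


def issue_token(username, password, scope):
    """Token endpoint: authenticate, then narrow the requested scopes by role."""
    record = USERS.get(username)
    if record is None or record[0] != password:
        return None, {"error": "invalid_grant"}
    granted = grant_scopes(record[1], scope.split())
    access_token = f"tok-{username}"  # constructed placeholder, not a real token value
    TOKENS[access_token] = granted
    return access_token, {"scope": " ".join(granted), "token_type": "bearer", "expires_in": 3299}


def check_access(access_token, method, path):
    """Gateway check: 401 for an unknown token, 403 (code 900910) for a missing scope."""
    scopes = TOKENS.get(access_token)
    if scopes is None:
        return 401, {"code": 900901, "message": "Invalid credentials"}  # constructed code
    if RESOURCE_SCOPES.get((method, path)) not in scopes:
        return 403, {"code": 900910, "message": FAULT_MSG}
    return 200, None


if __name__ == "__main__":
    alex, _ = issue_token("tomalex", "xxxx", "payment_read payment_write")
    print(check_access(alex, "POST", "/orgnews"))  # (403, {... 900910 ...})
```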
...