Question

I am using OAuth 2.0 for authentication and authorization with WSO2 IS. I have multiple APIs on the ESB. There, the user may grant access to API1 and API2, but not to API3.

Is it possible to define custom scopes to limit the client from accessing all APIs?

If it is not possible, how do I protect the APIs from unauthorized access?

Side note: currently, I can only limit access by defining different applications. However, this isn't suitable, because I must then manage multiple clientIDs and clientSecrets on the client side.


Solution

Yes, you can define that. By default, Identity Server does not validate any scope parameter before granting an access token. For that, you need to implement a new OAuth callback handler class according to your resource server. I guess this blog post explains it. However, as far as I know, WSO2 Identity Server does not provide access tokens based on the scope. Access tokens are issued per client and resource owner, not per client, resource owner and scope. This has already been discussed on the wso2 public mailing list and it will be fixed in the next release.
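As an added illustration (not code from the answer, the linked blog post, or WSO2 itself), here is a callback handler of the kind the answer describes: it permits access delegation as the default handler does, but only marks a scope request valid when every requested scope is on a per-client allow-list, so a client registered for API1 and API2 can never obtain a token carrying the API3 scope. It assumes the AbstractOAuthCallbackHandler / OAuthCallback API of the WSO2 IS 4.x OAuth callback mechanism (class names, getRequestedScope, setApprovedScope, setValidScope, getClient), that the handler is registered in identity.xml in place of the default one, and the client ID and scope names are constructed placeholders.

```java
package com.example.oauth; // hypothetical package

import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.wso2.carbon.identity.oauth.callback.AbstractOAuthCallbackHandler;
import org.wso2.carbon.identity.oauth.callback.OAuthCallback;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;

public class ScopeAllowListCallbackHandler extends AbstractOAuthCallbackHandler {

    // Constructed sample policy: the scopes each client ID may ever be granted.
    // A real deployment would load this from configuration or a registry lookup.
    private static final Map<String, Set<String>> ALLOWED = new HashMap<String, Set<String>>();
    static {
        ALLOWED.put("client-app-1", Collections.unmodifiableSet(
            new HashSet<String>(Arrays.asList("api1_read", "api2_read"))));
    }

    @Override
    public boolean canHandle(Callback[] callbacks) throws IdentityOAuth2Exception {
        return callbacks != null && callbacks.length > 0 && callbacks[0] instanceof OAuthCallback;
    }

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        OAuthCallback cb = (OAuthCallback) callbacks[0];
        if (cb.getCallbackType() == null) {
            return; // nothing set: the server treats the request as not authorized / not valid
        }
        switch (cb.getCallbackType()) {
            case ACCESS_DELEGATION_AUTHZ:
            case ACCESS_DELEGATION_TOKEN:
                cb.setAuthorized(true); // same decision as the default handler
                break;
            case SCOPE_VALIDATION_AUTHZ:
            case SCOPE_VALIDATION_TOKEN:
                Set<String> allowed = ALLOWED.get(cb.getClient());
                String[] requested = cb.getRequestedScope();
                // Fail closed: unknown client, empty request or any scope off the list is rejected.
                boolean ok = allowed != null && requested != null && requested.length > 0
                    && allowed.containsAll(Arrays.asList(requested));
                cb.setApprovedScope(ok ? requested : new String[0]);
                cb.setValidScope(ok);
                break;
        }
    }
}
```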

Licensed under: CC-BY-SA with attribution