Question

I have set up WSO2 API Manager 1.6, and I have a REST API at the backend which it calls.

I know that WSO2 provides OAuth 2.0 support, but I am not able to find out how scopes are handled.

This is my specific scenario: I have a client application to which I want to assign the scope "view photos", and another client application with the scope "delete photos".

Now, in the API Manager, I want to restrict access to the delete API to only the client application which has the "delete photos" scope.

How can this be handled in WSO2?


The solution

One approach is to explicitly get information about scopes in your application and perform manual validation (or through some framework, like Spring Security in the Java world).

Scope information for an OAuth token can be found by sending a request to the validation web service at the Identity Server (or the API Manager server, if you do not have a separate IS).

The validation service endpoint is: services/OAuth2TokenValidationService/

The WSDL file for this SOAP service can be found in their repository.

EDIT: Since API Manager 1.7 you can define these security settings in the manager itself. Check out this blog post for details: http://nuwanzone.blogspot.ru/2014/06/oauth-20-scopes-with-wso2-api-manager.html
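The "manual validation" route the answer describes, as an added example that is not part of the original answer or of WSO2's own code: the backend builds a SOAP request for the `validate` operation of `OAuth2TokenValidationService`, parses the response to collect the token's scopes, and then decides per route whether the required scope is present. The element names and namespaces in the envelope follow the WSDL as published for WSO2 Identity Server 5.x and are an assumption to be checked against the WSDL of your own server; the route-to-scope table, the scope names `view_photos` and `delete_photos`, the admin Basic-auth credentials and the sample response are all constructed for the example.

```python
import urllib.request
import base64
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional, FrozenSet
from xml.sax.saxutils import escape


def build_validate_request(access_token: str) -> str:
    """SOAP envelope for the 'validate' operation.

    Element names follow the OAuth2TokenValidationService WSDL of WSO2 IS 5.x
    (assumption): validationReqDTO -> accessToken -> identifier / tokenType.
    """
    return (
        '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" '
        'xmlns:xsd="http://org.apache.axis2/xsd" '
        'xmlns:dto="http://dto.oauth2.identity.carbon.wso2.org/xsd">'
        "<soapenv:Header/><soapenv:Body><xsd:validate><xsd:validationReqDTO>"
        "<dto:accessToken>"
        f"<dto:identifier>{escape(access_token)}</dto:identifier>"
        "<dto:tokenType>bearer</dto:tokenType>"
        "</dto:accessToken>"
        "</xsd:validationReqDTO></xsd:validate></soapenv:Body></soapenv:Envelope>"
    )


def call_validation_service(base_url: str, access_token: str,
                            admin_user: str, admin_password: str,
                            timeout: float = 10.0) -> str:
    """POST the envelope to .../services/OAuth2TokenValidationService.

    Admin services are protected by HTTP Basic auth (assumption: use a
    dedicated low-privilege account, never the tenant admin, in production).
    Not invoked here because there is no server to talk to.
    """
    url = base_url.rstrip("/") + "/services/OAuth2TokenValidationService"
    creds = base64.b64encode(f"{admin_user}:{admin_password}".encode()).decode()
    req = urllib.request.Request(
        url, data=build_validate_request(access_token).encode("utf-8"),
        headers={"Content-Type": "text/xml;charset=UTF-8",
                 "SOAPAction": "urn:validate",
                 "Authorization": "Basic " + creds})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


@dataclass(frozen=True)
class TokenInfo:
    valid: bool
    authorized_user: Optional[str]
    scopes: FrozenSet[str]
    expiry_seconds: Optional[int]   # seconds until expiry, as reported by IS
    error: Optional[str]


def _local(tag: str) -> str:
    """Strip the namespace part of an ElementTree tag ('{ns}name' -> 'name')."""
    return tag.rsplit("}", 1)[-1]


def parse_validate_response(xml_text: str) -> TokenInfo:
    """Collect the fields of OAuth2TokenValidationResponseDTO from the <return> element.

    Matching on local names keeps the parser independent of the ax####
    namespace prefixes Axis2 generates.
    """
    root = ET.fromstring(xml_text)
    ret = next((e for e in root.iter() if _local(e.tag) == "return"), None)
    if ret is None:
        raise ValueError("no <return> element in validation response")
    fields, scopes = {}, set()
    for child in ret:
        name, text = _local(child.tag), (child.text or "").strip()
        if name == "scope":            # repeated element, one per granted scope
            if text:
                scopes.add(text)
        else:
            fields[name] = text        # xsi:nil elements have no text -> ""
    expiry = fields.get("expiryTime", "")
    return TokenInfo(
        valid=fields.get("valid", "").lower() == "true",
        authorized_user=fields.get("authorizedUser") or None,
        scopes=frozenset(scopes),
        expiry_seconds=int(expiry) if expiry.lstrip("-").isdigit() else None,
        error=fields.get("errorMsg") or None,
    )


# Constructed route -> required-scope table for the photo API in the question.
REQUIRED_SCOPE = {
    ("GET", "/photos"): "view_photos",
    ("DELETE", "/photos"): "delete_photos",
}


def authorize(info: TokenInfo, method: str, path: str) -> bool:
    """Deny unless the token is valid, unexpired and carries the route's scope.

    Routes missing from the table are denied: a new endpoint must be mapped
    explicitly rather than silently becoming reachable with any token.
    """
    if not info.valid or info.error:
        return False
    if info.expiry_seconds is not None and info.expiry_seconds <= 0:
        return False
    required = REQUIRED_SCOPE.get((method.upper(), path))
    return required is not None and required in info.scopes


# Constructed sample response for a token granted only the view scope.
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
    <ns:validateResponse xmlns:ns="http://org.apache.axis2/xsd">
      <ns:return xmlns:ax2323="http://dto.oauth2.identity.carbon.wso2.org/xsd"
                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <ax2323:authorizedUser>photoviewer@carbon.super</ax2323:authorizedUser>
        <ax2323:errorMsg xsi:nil="true"/>
        <ax2323:expiryTime>3542</ax2323:expiryTime>
        <ax2323:scope>view_photos</ax2323:scope>
        <ax2323:valid>true</ax2323:valid>
      </ns:return>
    </ns:validateResponse>
  </soapenv:Body>
</soapenv:Envelope>"""


if __name__ == "__main__":
    info = parse_validate_response(SAMPLE_RESPONSE)
    print(info)
    print("GET /photos    ->", authorize(info, "GET", "/photos"))
    print("DELETE /photos ->", authorize(info, "DELETE", "/photos"))
```

In a real deployment the backend would call `call_validation_service` once per request (or cache the result for a period shorter than `expiry_seconds`) and pass the parsed `TokenInfo` to `authorize`; the deny-by-default table is the part that actually enforces the "delete only with the delete scope" requirement from the question.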

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow