Limit API Access with OAuth Scopes

Products
Technology for your digital platform that you can run yourself, in a private cloud, or as SaaS.
API Management
Integration
Identity & Access Management
Your Digital Platform, as a Service
Platform
- Your internal developer platform as a service to quickly deliver applications.
Solutions
By Technology
- API Management
  Solutions to deliver your APIs in any environment.
- Integration
  Break down data silos, streamline workflows, and unlock insights.
- Identity & Access Management
  Create secure, unique, and compelling digital experiences with ease.
  
  Customer IAM
  
  For Consumers (B2C)
  
  For B2B Applications (B2B CIAM)
  
  For Citizens (G2C)
  
  Workforce IAM
  
  API Access Management
By Industry
- Healthcare
  Provide awesome digital experiences for payers, providers, and patients.
- Finance
  Deliver secure financial experiences at speed.
- Government
  Deliver secure and simplified digital services for governments and citizens.
Featured Blog
- Implementing an Event-Driven GraphQL BFF with Real-Time Notifications
  Read Blog
Resources
- Training and Certification
- Events
Featured Whitepaper
- Transactions in a Microservice World
  Read Whitepaper
Support
- Subscription
  Learn About the Benefits of a WSO2 Subscription for Commercial Use.
- Updates
  Maintain the health and security of your solution.
- Consulting Services
  A full range of services to help you get the most out of your WSO2 project.
Featured Blog
- Self Manage Your WSO2 Support Portal Users
  Read Blog
Company
- About WSO2
  Learn about who we are and our journey.
- Team
  The people behind our innovative technologies.
- Customers
  See how we’ve helped leading enterprises from around the world.
- Careers
  Discover how you can make an impact.
- Partners
  Learn about the benefits of partnering with us.
- News
  The latest updates and insights.
Customer Spotlight
- YOMA x WSO2: Building Better Banking Relationships
  Read Case Study
Community
Contact Us
EN
- French
- German
- Portuguese
- Spanish
Profile

Submitted by dmitry.wso2.com on Thu, 06/15/2017 - 09:28

OAuth scopes are a great way to segregate access to APIs and data. Combined with roles they can also be a powerful way to limit who gets access to what. Let's have a look at how you can implement scopes in WSO2 API Cloud.

Sample API

Let's start with a sample WorldBank API that has two resources: /countries and /indicators - both taking a code parameter:

We have it published in Developer Portal and can invoke either of them with no problem (as long as we are subscribed to the API):

Adding Scopes

Now let's add two different scopes: one that would only give access to /countries and the other one that only gives access to /indicators. To do this:

Open the API for editing,
Go to the third step (Manage),
Scroll down and click the Add Scopes button:
In the Define Scope dialog box, add the wb_geo scope for geographic data:
Repeat the process to add wb_eco scope to the API.
Now you can see both scopes available for the API. Click the + Scope button next to the /countries resource to assign its scope:
Pick Geographic data for /countries and Economic data for /indicators:
That's it: we defined two new scopes and applied them to two different REST resources. Now click Save and Publish to update the API:

Generate scope-limited OAuth token

Now if you open the API in Developer Portal's API Console, you will see two things: resources have notes about the scopes they need and attempts to invoke them with a regular OAuth key fail:

To generate an OAuth token with the OAuth scope included:

In Developer Portal (a.k.a. API Store), click Applications,
In the application list, click the application which you used to subscribe to the API (for example, DefaultApplication),
Click the Production Keys tab,
Scroll down to the Scopes section, select the scopes you want (for example, Geographic data), and click the Re-generate button (I picked "-1" as the validity period to have a non-expiring token):
Now if you go back to the API, you can use the new token and successfully invoke the API:

Adding Roles

If you want to limit scope access to particular groups of users, you follow the same procedure but this time also list the roles when adding your scopes. For example, in the screenshot below, I am limiting the wb_geo scope access to users in the researches role:

Implementing an Event-Driven GraphQL BFF with Real-Time Notifications

Transactions in a Microservice World

Self Manage Your WSO2 Support Portal Users

YOMA x WSO2: Building Better Banking Relationships

Limit API Access with OAuth Scopes

Sample API

Adding Scopes

Generate scope-limited OAuth token

Adding Roles

API Management

Integration

IAM

Internal Developer Platform

Solutions

Resources

Support

Company

Follow us