Non-Admin users can get unauthorised scopes from KM #2363
Closing the issue as only PR wso2-extensions/apim-km-wso2is#114 needs to be added to the public branch.
Description
Non-admin users can generate opaque tokens carrying APIM REST API admin scopes from the IS-as-KM token endpoint, and non-admin users can then access APIM REST APIs with the token generated this way.
Steps to Reproduce
(Assume an IS-as-KM setup with APIM 4.1.0 and IS-KM 5.11.0)
Generate Opaque token using Non-Admin user:
```shell
curl --location 'https://localhost:9444/oauth2/token' \
  --header 'Authorization: Basic <base64Encoded(key:secret)>' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'grant_type=password' \
  --data-urlencode 'username=test' \
  --data-urlencode 'password=admin' \
  --data-urlencode 'scope=apim:admin apim:admin_alert_manage apim:admin_application_view apim:admin_operations apim:admin_settings'
```
Your response contains all the requested APIM Rest API admin scopes.
Use the above-generated token to invoke an APIM Rest API. You will succeed.
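The expected behaviour at the token endpoint is that requested scopes are filtered against the roles of the authenticating user, so a non-admin requesting `apim:admin*` scopes gets a token without them. The following is an added example illustrating that check and a matching post-issuance detection, not WSO2's own code; the scope-to-role bindings are constructed sample data whose shape loosely mirrors the `RESTAPIScopes` mapping in APIM's tenant configuration (assumed), and the function names are hypothetical.

```python
"""Role-based scope filtering for an OAuth2 token endpoint (added example,
not WSO2 code). Demonstrates the validation that was missing in the report
above and a check that flags tokens carrying scopes the user could not justify."""
from typing import Iterable, List

# Constructed scope -> allowed-roles bindings (sample data, not a real config).
# The apim:admin* scopes are bound to the admin role only.
SCOPE_ROLE_BINDINGS = {
    "apim:admin": {"admin"},
    "apim:admin_alert_manage": {"admin"},
    "apim:admin_application_view": {"admin"},
    "apim:admin_operations": {"admin"},
    "apim:admin_settings": {"admin"},
    "apim:api_view": {"admin", "Internal/creator", "Internal/publisher"},
    "apim:subscribe": {"admin", "Internal/subscriber"},
}


def parse_scope_param(scope_param: str) -> List[str]:
    """Split the space-delimited OAuth2 'scope' parameter, keeping order and
    dropping duplicates so repeated scopes cannot inflate the grant."""
    seen: List[str] = []
    for scope in scope_param.split():
        if scope not in seen:
            seen.append(scope)
    return seen


def filter_scopes(requested: Iterable[str], user_roles: Iterable[str]) -> List[str]:
    """Return only the requested scopes that at least one of the user's roles
    is bound to. Unknown scopes are denied rather than passed through, so a
    typo or a scope with no binding never becomes a silent grant."""
    roles = set(user_roles)
    granted: List[str] = []
    for scope in requested:
        allowed_roles = SCOPE_ROLE_BINDINGS.get(scope)
        if allowed_roles is None:
            continue  # deny-by-default for scopes with no role binding
        if roles & allowed_roles:
            granted.append(scope)
    return granted


def unauthorised_scopes(token_scopes: Iterable[str], user_roles: Iterable[str]) -> List[str]:
    """Given the scopes actually present on an issued token (e.g. from an
    introspection response) and the user's roles, return the scopes the roles
    do not justify. A non-empty result is the signal that the key manager
    skipped role-based scope validation, as in the report above."""
    token_scopes = list(token_scopes)
    allowed = set(filter_scopes(token_scopes, user_roles))
    return [scope for scope in token_scopes if scope not in allowed]


if __name__ == "__main__":
    # Constructed request from the report: a non-admin user (role
    # Internal/subscriber) asks for every admin scope.
    requested = parse_scope_param(
        "apim:admin apim:admin_alert_manage apim:admin_application_view "
        "apim:admin_operations apim:admin_settings"
    )
    print("granted to subscriber:", filter_scopes(requested, ["Internal/subscriber"]))
    # Constructed introspection result showing the faulty behaviour.
    print("unauthorised on token:", unauthorised_scopes(requested, ["Internal/subscriber"]))
```

`filter_scopes` is the server-side check that should run before the token is minted; `unauthorised_scopes` is the same rule applied after the fact, which a defender can run over introspection results or token-issuance logs to confirm whether an IS-as-KM deployment is affected before and after applying the fix.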
Affected Component
APIM
Version
4.1.0
Environment Details (with versions)
No response
Relevant Log Output
No response
Related Issues
No response
Suggested Labels
No response