Tuesday, August 9, 2016

How to enable consent for scopes when you get an OAuth2 access token for API Manager applications (authorization code flow) - Identity Server 5.3 and above, API Manager 2.0.0

During the process of obtaining an auth code, after the end user logs in he/she is prompted with something like: "user_DefaultApplication_PRODUCTION requests access to your profile information". However, it does not mention the scope(s) that the end user is about to grant access to, so users do not know which scopes they granted when they generated the access token.

We identified showing the scopes and getting user consent for them as a valid requirement, and created a JIRA to fix this issue in the upcoming Identity Server release (5.3.0). Once the identity components are released with this feature, API Manager can use it, and the next API Manager release will include it. Once you have that feature, you can make the following change in the authentication endpoint app to get user consent for scopes.

Go to the /repository/deployment/server/webapps/ directory. You'll see the exploded directory authenticationendpoint. Edit the web.xml file in authenticationendpoint/WEB-INF, set the displayScopes parameter to true and save the file.

Once the change is done, you'll see an entry in the carbon log similar to "Reloaded Context with name: /authenticationendpoint" after a couple of seconds. The scopes will be displayed on the consent page afterwards.
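The web.xml fragment before and after the change, as an added illustration that is not taken from the original post; it assumes displayScopes is declared as a servlet context-param in authenticationendpoint/WEB-INF/web.xml and that the shipped default is false:

```xml
<!-- authenticationendpoint/WEB-INF/web.xml (excerpt; other servlet and filter
     declarations in the file are omitted here) -->

<!-- Before: shipped default (assumed). The consent page names the application
     but does not list the scopes the user is about to grant. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
    <context-param>
        <param-name>displayScopes</param-name>
        <param-value>false</param-value>
    </context-param>
</web-app>

<!-- After: scopes are rendered on the consent page, so the user sees exactly
     what the OAuth2 client asked for before approving the authorization request. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
    <context-param>
        <param-name>displayScopes</param-name>
        <param-value>true</param-value>
    </context-param>
</web-app>
```

Saving web.xml triggers a redeploy of the exploded webapp, which is what produces the "Reloaded Context" entry in the carbon log.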
