WSO2 IS and WSO2 APIM - Role change


I followed the steps in the WSO2 documentation below to use WSO2 IS as the Identity Server (Key Manager) with WSO2 APIM.

I use WSO2 IS 5.3.0 and WSO2 APIM 2.1.0.

https://docs.wso2.com/display/AM210/Configuring+WSO2+Identity+Server+as+a+Key+Manager

I am able to access the Carbon admin console in both WSO2 IS and WSO2 APIM (on two ports):

https://localhost:9443/carbon/admin/login.jsp
https://localhost:9444/carbon/admin/login.jsp

  1. When I use the WSO2 IS console (9443) to change the user roles, most of the time the change is reflected immediately, using the same access token. How is that possible? An access token is issued by WSO2 with some pre-configured scopes. Within the same login session, even before the access token expires, if we change the roles of the logged-in user, the role changes are applied immediately and my access rights change? Is that valid?

Assume a user "USER1" got an access token with privileged rights and is able to access privileged APIs. If the roles are suddenly changed and "USER1" is assigned normal user rights, the user is no longer able to access the privileged APIs within the same login session. Is this how OAuth works?

Please help me understand.

  2. If I change the roles in WSO2 APIM (9444), the roles are not reflected immediately. Sometimes it waits for the access token to expire and then gets a new access token. Sometimes the role changes are applied even before the access token expires.

What is the synchronization interval between WSO2 IS and WSO2 APIM for syncing the roles?

I couldn't find these roles in the MySQL DB or in LDAP. Where are they stored in the backend?

1 answer
Ruwan Abeykoon On

There are differences between IS as a key manager and the built-in key manager of API Manager. The key manager that comes with API Manager is not a full-fledged identity solution. Hence its role-to-scope mapping, access control, etc. are somewhat limited from the point of view of identity management. Identity Server acting as a key manager provides the full access control mechanism, hence a change in a role should take effect as fast as possible, even for already issued keys. This is one of the reasons for using IS as a key manager.

  1. Question 1

Ans: Let's say a user has admin rights when he gets the access token. The enterprise may decide the user no longer needs this right and changes that in their LDAP. It should be reflected in key validation as fast as possible. Otherwise the user has continued access to the service as a privileged user until the key expires, which is undesirable. So the behaviour is valid.

  2. Question 2

Ans: Yes, API Manager is strong at managing APIs. However, it is not a user/role management system. Hence there will be a considerable delay in reflecting the role change. So make sure you use IS to manage users, roles, etc. when your API Manager is configured with IS.

  • Where are your configured roles?

They should be in the configured WSO2UM_DB (UM_ROLE table), if a JDBC user store is your primary user store.
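The difference the answer describes, between a role change taking effect at key validation time and a change that only lands once the token expires, is easy to see in a small model. The following is an added example, not WSO2 code and not a description of how either product actually caches or validates: it compares three validators for one token after the user is demoted. The token, user store, clock, `CachedLookup` class and the role names are constructed for the illustration; the cache TTL is an assumed value, not a WSO2 setting.

```python
"""Model of how fast a role change reaches an already-issued access token.

Added illustration (not WSO2 code). Three validators are compared:
  snapshot - trusts roles captured at issuance; revocation only by expiry
  live     - asks the user store on every validation
  cached   - live lookup behind a per-user cache with a TTL
All names and the constructed user store are assumptions for this model.
"""
from dataclasses import dataclass


class FakeClock:
    """Simulated clock so the scenario runs deterministically offline."""

    def __init__(self, t: float = 0.0) -> None:
        self.t = t

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class UserStore:
    """Constructed stand-in for the primary user store (LDAP or a JDBC store
    such as the UM_ROLE/UM_USER_ROLE tables). Only user -> roles matters."""

    def __init__(self) -> None:
        self._roles: dict[str, set[str]] = {}

    def set_roles(self, user: str, roles: set[str]) -> None:
        self._roles[user] = set(roles)

    def roles_of(self, user: str) -> set[str]:
        return set(self._roles.get(user, set()))


@dataclass(frozen=True)
class Token:
    user: str
    issued_roles: frozenset[str]  # roles as they were at issuance
    expires_at: float


def issue_token(store: UserStore, user: str, clock: FakeClock, lifetime: float) -> Token:
    """Snapshot the user's current roles into the token."""
    return Token(user, frozenset(store.roles_of(user)), clock.now() + lifetime)


def snapshot_allows(token: Token, role: str, clock: FakeClock) -> bool:
    """Trust the roles baked into the token; a demotion is invisible until expiry."""
    return clock.now() < token.expires_at and role in token.issued_roles


def live_allows(token: Token, role: str, store: UserStore, clock: FakeClock) -> bool:
    """Re-read the user store on every validation; a demotion applies at once."""
    return clock.now() < token.expires_at and role in store.roles_of(token.user)


class CachedLookup:
    """Live lookup with a per-user cache; a demotion is delayed by up to `ttl`."""

    def __init__(self, store: UserStore, clock: FakeClock, ttl: float) -> None:
        self.store, self.clock, self.ttl = store, clock, ttl
        self._cache: dict[str, tuple[float, set[str]]] = {}

    def roles_of(self, user: str) -> set[str]:
        hit = self._cache.get(user)
        if hit is not None and self.clock.now() < hit[0]:
            return hit[1]
        roles = self.store.roles_of(user)
        self._cache[user] = (self.clock.now() + self.ttl, roles)
        return roles

    def allows(self, token: Token, role: str) -> bool:
        return self.clock.now() < token.expires_at and role in self.roles_of(token.user)


def run_scenario(token_lifetime: float = 3600.0, cache_ttl: float = 900.0) -> dict[str, dict[str, bool]]:
    """USER1 gets a token while holding 'admin', is then demoted mid-session."""
    clock, store = FakeClock(), UserStore()
    store.set_roles("USER1", {"Internal/everyone", "admin"})  # constructed roles
    cached = CachedLookup(store, clock, cache_ttl)
    tok = issue_token(store, "USER1", clock, token_lifetime)

    def decisions() -> dict[str, bool]:
        return {
            "snapshot": snapshot_allows(tok, "admin", clock),
            "live": live_allows(tok, "admin", store, clock),
            "cached": cached.allows(tok, "admin"),
        }

    out = {"before_change": decisions()}
    store.set_roles("USER1", {"Internal/everyone"})  # admin removed in the store
    out["right_after_change"] = decisions()
    clock.advance(cache_ttl)  # cached entry for USER1 expires
    out["after_cache_ttl"] = decisions()
    clock.advance(token_lifetime)  # token itself expires
    out["after_token_expiry"] = decisions()
    return out


if __name__ == "__main__":
    for stage, result in run_scenario().items():
        print(f"{stage:20s} {result}")
```

Read the output row by row: the snapshot validator keeps granting `admin` until the token expires (the undesirable case the answer describes), the live validator denies on the very next call after the demotion (the behaviour the asker saw with IS as Key Manager), and the cached validator denies only once its entry ages out, which is the kind of "sometimes immediately, sometimes later" lag reported for the built-in key manager. The model says nothing about which of these any given WSO2 version or configuration actually implements.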