简体繁体 English

联合用户的WSO2 API管理器范围

[英]WSO2 API Manager Scopes for Federated Users

原文 2018-10-08 09:08:18 1 1 wso2/ wso2is/ wso2-am

I have WSO2 API Manager federated setup with Azure AD . 我有带有Azure AD WSO2 API Manager联合设置。 I can use the implicit and code grant type to generate the access tokens. 我可以使用implicit和code授予类型来生成访问令牌。

Now I want to use the WSO2 API Manager scope functionality to limit the access on certain API resources . 现在，我想使用WSO2 API Manager scope功能来limit the access对某些API resources limit the access 。 I have created the role in API manager and added the scope on API publisher for the API resource. 我已经在API管理器中创建了role ，并在API publisher为API资源添加了scope 。 But when I generate the access token using scope value, it doesn't return the token with correct scope . 但是，当我使用scope值生成访问令牌时，它不会返回具有正确scope的令牌。 But if I assign the local user to that role and generate the access token it works fine. 但是，如果我将local user分配给该角色并生成访问令牌，则可以正常工作。

I wonder if WSO2 API manager support scope management for Federated users. 我想知道WSO2 API管理器是否支持Federated用户的scope管理。

Any help would be appreciated. 任何帮助，将不胜感激。

1 个解决方案

By defaut roles are checked against the userstore managers, therefore if federated users are not findable in a local userstore manager, it is difficult to assign roles to them. 通过针对用户商店管理器检查默认角色，因此，如果在本地用户商店管理器中找不到联盟用户，则很难为其分配角色。

You have several options: 您有几种选择：

if you are using SAML, you can specify -DcheckRolesFromSamlAssertion=true it was quite tricky to find this one 如果您使用的是SAML，则可以指定-DcheckRolesFromSamlAssertion=true这很难找到。
create a secondary local (eg jdbc) userstore and setup the outbound provisioning for federated users. 创建辅助本地（例如jdbc）用户存储，并为联合用户设置出站供应。 This way all federated users and their roles will be mirrored in a local userstore and their roles will be findable by the scope provider 这样，所有联盟用户及其角色将被镜像到本地用户存储中，并且作用域提供者可以找到其角色