Question
My web client application has different menus like read, delete, add, view etc. depending upon the user's roles. I have different scopes such as read, delete, add etc. and roles associated with them, which is configured in WSO2 API Manager. When the user logs in, I authenticate the user via WSO2 API Manager and get the token. How can I obtain all the valid scopes for that token so that I can show the user different menus depending on the scopes I received? Since I have many scopes, I hope to have some solution other than passing all the scopes while authenticating. What is the best approach to handling menu/button visibility depending on roles when using WSO2 API Manager? Should I use roles or scopes for this? If so, how can I get all the scopes/roles in my client application?
Answer 1:
You have to pass all scopes. Then the token response will return the list of scopes associated with that token.
Here is a nice example from this blog post.
A news API has two defined scopes as 'news_read' and 'news_write'. The 'news_read' scope is associated to the user roles 'employee' and 'manager'. The 'news_write' scope is associated to the 'manager' role only.
The API has two operations. One as /read (GET) and the other as /write (POST). The GET operation is associated to the 'news_read' scope and the POST operation is associated to the 'news_write' scope.
There are two users named 'nuwan' and 'john'. User 'nuwan' has the 'employee' role and 'john' has both 'employee' and 'manager' roles. Both users are requesting a token for both the scopes.
a) User 'nuwan' will be requesting a token through the /token API. His request would be of the following format.
grant_type=password&username=nuwan&password=xxxx&scope=news_read news_write
Although 'nuwan' requests a token for both scopes, he will only be granted a token bearing the 'news_read' scope since 'nuwan' is not in the 'manager' role. See the response from the /token API for the above request.
{"scope":"news_read","token_type":"bearer","expires_in":3299, "refresh_token":"8579facb65d1d3eba74a395a2e78dd6", "access_token":"eb51eff0b4d85cda1eb1d312c5b6a3b8"}
b) User 'john' will now be requesting a token as below.
grant_type=password&username=john&password=john123&scope=news_read news_write
Since 'john' has both the 'employee' and the 'manager' role, the token he gets will bear both the requested scopes. See the response from the /token API for the above request.
{"scope":"news_read news_write", "token_type":"bearer", "expires_in":3299, "refresh_token":"4ca244fb321bd555bd3d555df39315", "access_token":"42a377a0101877d1d9e29c5f30857e"}
This basically means that 'nuwan' can only access the GET operation of the API while 'john' can access both.
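An added example (not code from the question or the answer) of how a browser client could act on this answer: it builds the password-grant request body shown above, reads the scope field from the /token response, and renders only the menus whose scope the server actually granted. The menu names and the menu-to-scope mapping are assumptions.

```javascript
// Assumed mapping from client menus to the API scopes quoted in the answer.
const MENU_SCOPES = {
  read: "news_read",   // /read (GET)
  write: "news_write", // /write (POST)
};

// Form-encoded body of a password-grant /token request; OAuth2 scopes are
// space-separated in the single "scope" parameter (URLSearchParams emits '+').
function buildTokenRequestBody(username, password, scopes) {
  return new URLSearchParams({
    grant_type: "password",
    username,
    password,
    scope: scopes.join(" "),
  }).toString();
}

// Granted scopes from the token response. A missing or empty "scope" field
// is treated as "nothing granted", never as "everything granted".
function grantedScopes(tokenResponseJson) {
  const body = JSON.parse(tokenResponseJson);
  const raw = typeof body.scope === "string" ? body.scope.trim() : "";
  return new Set(raw === "" ? [] : raw.split(/\s+/));
}

// Menus to render: only those whose required scope is in the granted set.
// The gateway still enforces scopes per operation; this only shapes the UI.
function visibleMenus(granted) {
  return Object.keys(MENU_SCOPES)
    .filter((menu) => granted.has(MENU_SCOPES[menu]))
    .sort();
}

// Requested scopes the server dropped, e.g. 'news_write' for 'nuwan'.
function deniedScopes(requested, granted) {
  return requested.filter((s) => !granted.has(s));
}

// Constructed samples: the two /token responses quoted in the answer.
const NUWAN_RESPONSE =
  '{"scope":"news_read","token_type":"bearer","expires_in":3299,' +
  '"refresh_token":"8579facb65d1d3eba74a395a2e78dd6","access_token":"eb51eff0b4d85cda1eb1d312c5b6a3b8"}';
const JOHN_RESPONSE =
  '{"scope":"news_read news_write","token_type":"bearer","expires_in":3299,' +
  '"refresh_token":"4ca244fb321bd555bd3d555df39315","access_token":"42a377a0101877d1d9e29c5f30857e"}';
```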
Source: https://stackoverflow.com/questions/41416297/how-to-get-all-the-scopes-user-has-access-to-in-wso2-api-manager