
The WSO2 Identity Server documentation says that to use the /t/{tenant-domain}/api/users/v1/me/sessions API I need to get a ticket with the internal_login scope.

But I cannot.

Using a URL like this to get an implicit grant token:

https://localhost/oauth2/authorize?response_type=id_token+token&nonce=abc&scope=openid%20profile%20internal_login&redirect_uri=https://xxxx.com/&client_id=xxxxx

I'm getting a token with "scope": "openid profile" in the response. Therefore, API calls with this token end with a 403 error.

EDIT: I turned on debug logging for the identity classes and see these in the logs:

TID: [-1234] [oauth2] [2024-07-10 21:28:55,895] [8a103ad6-8239-4ea3-b57b-c73856da4b49] DEBUG {org.wso2.carbon.identity.oauth.callback.OAuthCallbackHandlerRegistry} - OAuthCallbackHandler was found for the callback. Class Name : org.wso2.carbon.identity.oauth.callback.DefaultCallbackHandler Resource Owner : [email protected]@carbon.super Client Id : xxxx Scope : internal_login openid profile
...then
TID: [-1234] [oauth2] [2024-07-10 21:28:55,896] [8a103ad6-8239-4ea3-b57b-c73856da4b49] DEBUG {org.wso2.carbon.identity.oauth2.authz.AuthorizationHandlerManager} - Skipping the internal scope validation as the application is not configured as Management App
... and later
TID: [-1234] [oauth2] [2024-07-10 21:28:55,896] [8a103ad6-8239-4ea3-b57b-c73856da4b49] DEBUG {org.wso2.carbon.identity.oauth.callback.OAuthCallbackHandlerRegistry} - OAuthCallbackHandler was found for the callback. Class Name : org.wso2.carbon.identity.oauth.callback.DefaultCallbackHandler Resource Owner : [email protected]@carbon.super Client Id : xxxx Scope : openid profile

What configuration settings or permissions are responsible for issuing the internal_login scope?

The version is WSO2 Identity Server 6.0.0.

On another VM I have another instance of the same version (but migrated from 5.10.0). That server gives me a token with the relevant scope, but I cannot see any difference in the settings.

2 Answers


In IS-6.0.0, a concept called "Management Application" was introduced, which restricts returning IS-managed API scopes (internal_*) to applications. So, as mentioned in the guide https://is.docs.wso2.com/en/6.0.0/apis/overview/#oauth-based-authentication, you need to create an application with Management Application enabled to request the IS management API scopes starting with internal_*.

Even though internal_login matches that pattern, that particular scope should ideally be returned in any authenticated user token obtained from any application (management app or non-management app) if the scope is requested. However, that logic is not present in IS-6.0.0. This bug is fixed in IS-7.0.0.

It seems you have created a non-management application, and therefore the internal_login scope is not returned even when requested.

You can try creating a new app with the Management Application checkbox enabled and try the request as you have done in IS-6.0.0. (If you are using the React console for app creation, this option is available only for the standards-based application template in the UI.)

"...same version (but migrated from 5.10.0). That server gives me a token with the relevant scope"

This happens because, to keep backward compatibility of the token-issuing behavior of applications, all earlier-created apps are treated as management applications.

  • Thank you for the answer. I've already figured that out. Commented Jul 10 at 20:07

After reading the logs that I posted in the question, it turned out that the Management Application checkbox in the Service Provider options enables internal scopes, and the internal_login scope in particular.

N.B. I created the SP by importing an XML config saved earlier. Because of a bug in the management console (/carbon), the "Management Application" checkbox hadn't been set. Also, this option cannot be reset after creating the SP, so I had to manually recreate the SP from scratch.
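The debug lines quoted in the question carry enough to spot this scope downgrade without waiting for a 403: the requested scope list appears in the first callback-handler line, the issued list in the last one, and the "not configured as Management App" message in between, all under the same correlation id. The following is an added example (not the asker's or WSO2's code) that reads such lines, groups them by correlation id and reports dropped scopes; its log lines, correlation ids, client ids and user are constructed placeholders, and the line layout is assumed from the excerpt in the question.

```python
import re
from collections import defaultdict

# Layout assumed from the question's excerpt: "[<correlation-uuid>] DEBUG {<class>} - <message>".
LINE_RE = re.compile(r"\[(?P<rid>[0-9a-f-]{36})\]\s+DEBUG\s+\{[\w.]+\}\s+-\s+(?P<msg>.*)$")
SCOPE_RE = re.compile(r"Scope\s*:\s*(?P<scopes>.+)$")
CLIENT_RE = re.compile(r"Client Id\s*:\s*(?P<client>\S+)")
SKIP_MSG = "Skipping the internal scope validation as the application is not configured as Management App"

# Constructed sample log (placeholder correlation ids, client ids and user), not real output.
# 1111...: non-management app, internal_login requested then dropped. 2222...: issued unchanged.
SAMPLE_LOG = """\
TID: [-1234] [oauth2] [2024-07-10 21:28:55,895] [11111111-2222-3333-4444-555555555555] DEBUG {org.wso2.carbon.identity.oauth.callback.OAuthCallbackHandlerRegistry} - OAuthCallbackHandler was found for the callback. Class Name : org.wso2.carbon.identity.oauth.callback.DefaultCallbackHandler Resource Owner : user@carbon.super Client Id : CLIENT_A Scope : internal_login openid profile
TID: [-1234] [oauth2] [2024-07-10 21:28:55,896] [11111111-2222-3333-4444-555555555555] DEBUG {org.wso2.carbon.identity.oauth2.authz.AuthorizationHandlerManager} - Skipping the internal scope validation as the application is not configured as Management App
TID: [-1234] [oauth2] [2024-07-10 21:28:55,896] [11111111-2222-3333-4444-555555555555] DEBUG {org.wso2.carbon.identity.oauth.callback.OAuthCallbackHandlerRegistry} - OAuthCallbackHandler was found for the callback. Class Name : org.wso2.carbon.identity.oauth.callback.DefaultCallbackHandler Resource Owner : user@carbon.super Client Id : CLIENT_A Scope : openid profile
TID: [-1234] [oauth2] [2024-07-10 21:30:01,100] [22222222-2222-3333-4444-555555555555] DEBUG {org.wso2.carbon.identity.oauth.callback.OAuthCallbackHandlerRegistry} - OAuthCallbackHandler was found for the callback. Class Name : org.wso2.carbon.identity.oauth.callback.DefaultCallbackHandler Resource Owner : user@carbon.super Client Id : CLIENT_B Scope : internal_login openid profile
TID: [-1234] [oauth2] [2024-07-10 21:30:01,101] [22222222-2222-3333-4444-555555555555] DEBUG {org.wso2.carbon.identity.oauth.callback.OAuthCallbackHandlerRegistry} - OAuthCallbackHandler was found for the callback. Class Name : org.wso2.carbon.identity.oauth.callback.DefaultCallbackHandler Resource Owner : user@carbon.super Client Id : CLIENT_B Scope : internal_login openid profile
"""


def analyse(log_text: str) -> dict:
    """Per correlation id: client id, scopes present in the first callback line (requested) but
    absent from the last one (issued), and whether IS said it skipped internal scope validation."""
    seen = defaultdict(lambda: {"client": None, "scopes": [], "not_management_app": False})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        entry, msg = seen[m.group("rid")], m.group("msg")
        if SKIP_MSG in msg:
            entry["not_management_app"] = True
        s = SCOPE_RE.search(msg)
        if s:
            c = CLIENT_RE.search(msg)
            if c:
                entry["client"] = c.group("client")
            entry["scopes"].append(set(s.group("scopes").split()))
    # Only requests that logged at least one scope list are reported.
    return {rid: {"client": e["client"],
                  "dropped": e["scopes"][0] - e["scopes"][-1],
                  "not_management_app": e["not_management_app"]}
            for rid, e in seen.items() if e["scopes"]}


if __name__ == "__main__":
    for rid, info in analyse(SAMPLE_LOG).items():
        flag = " (app not flagged as Management Application)" if info["not_management_app"] else ""
        print(f"{rid} client={info['client']} dropped={sorted(info['dropped'])}{flag}")
```

Run against a real wso2carbon.log with DEBUG enabled for the OAuth classes, a non-empty `dropped` set paired with `not_management_app` is the signature of the situation described in this thread.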
