WSO2 Identity Server documentation says that to use the /t/{tenant-domain}/api/users/v1/me/sessions API I need to get a ticket with the internal_login scope.
But I cannot.
Using a URL like this to get an Implicit grant token:
https://localhost/oauth2/authorize?response_type=id_token+token&nonce=abc&scope=openid%20profile%20internal_login&redirect_uri=https://xxxx.com/&client_id=xxxxx
I'm getting a token with "scope": "openid profile" in the response. Therefore, API calls with this token end with a 403 error.
EDIT. I turned on debug logging for the identity classes and see these in the logs:
TID: [-1234] [oauth2] [2024-07-10 21:28:55,895] [8a103ad6-8239-4ea3-b57b-c73856da4b49] DEBUG {org.wso2.carbon.identity.oauth.callback.OAuthCallbackHandlerRegistry} - OAuthCallbackHandler was found for the callback. Class Name : org.wso2.carbon.identity.oauth.callback.DefaultCallbackHandler Resource Owner : [email protected]@carbon.super Client Id : xxxx Scope : internal_login openid profile
...then
TID: [-1234] [oauth2] [2024-07-10 21:28:55,896] [8a103ad6-8239-4ea3-b57b-c73856da4b49] DEBUG {org.wso2.carbon.identity.oauth2.authz.AuthorizationHandlerManager} - Skipping the internal scope validation as the application is not configured as Management App
... and later
TID: [-1234] [oauth2] [2024-07-10 21:28:55,896] [8a103ad6-8239-4ea3-b57b-c73856da4b49] DEBUG {org.wso2.carbon.identity.oauth.callback.OAuthCallbackHandlerRegistry} - OAuthCallbackHandler was found for the callback. Class Name : org.wso2.carbon.identity.oauth.callback.DefaultCallbackHandler Resource Owner : [email protected]@carbon.super Client Id : xxxx Scope : openid profile
What configuration settings or permissions are responsible for issuing the internal_login scope?
The version is WSO2 Identity Server 6.0.0.
On the other VM I have another instance with the same version (but migrated from 5.10.0). That server gives me a token with the relevant scope. But I cannot see any difference in settings.
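The scope drop visible in the debug log above can be located automatically when there are many requests to sift through. The following is an added example, not part of the original post and not WSO2 code: it groups DEBUG lines by correlation ID and reports scopes present in the first "Scope :" line of a request but missing from the last, together with the messages logged after the first one. The log lines are constructed from the ones quoted above (messages shortened); the correlation IDs and the name find_dropped_scopes are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the DEBUG lines quoted in the post.
# Correlation ids and client id are placeholders, not real values.
REG = "org.wso2.carbon.identity.oauth.callback.OAuthCallbackHandlerRegistry"
MGR = "org.wso2.carbon.identity.oauth2.authz.AuthorizationHandlerManager"
def _line(corr, cls, msg):
    return f"TID: [-1234] [oauth2] [2024-07-10 21:28:55,895] [{corr}] DEBUG {{{cls}}} - {msg}"
SAMPLE_LOG = "\n".join([
    _line("corr-0001", REG, "OAuthCallbackHandler was found for the callback. Client Id : xxxx Scope : internal_login openid profile"),
    _line("corr-0001", MGR, "Skipping the internal scope validation as the application is not configured as Management App"),
    _line("corr-0001", REG, "OAuthCallbackHandler was found for the callback. Client Id : xxxx Scope : openid profile"),
    _line("corr-0002", REG, "OAuthCallbackHandler was found for the callback. Client Id : yyyy Scope : openid"),
    _line("corr-0002", REG, "OAuthCallbackHandler was found for the callback. Client Id : yyyy Scope : openid"),
])

# "[correlation id] DEBUG {logger class} - message"
LINE_RE = re.compile(r"\[(?P<corr>[^\]]+)\]\s+DEBUG\s+\{(?P<cls>[^}]+)\}\s+-\s+(?P<msg>.*)$")
SCOPE_RE = re.compile(r"Scope : (?P<scopes>.*)$")

def find_dropped_scopes(log_text):
    """Per correlation id: scopes in the first 'Scope :' line that are absent
    from the last one, plus other DEBUG messages logged after the first."""
    scopes_seen = defaultdict(list)   # corr id -> scope sets, in log order
    messages = defaultdict(list)      # corr id -> non-scope messages
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                  # not a DEBUG line in the expected layout
        s = SCOPE_RE.search(m["msg"])
        if s:
            scopes_seen[m["corr"]].append(set(s["scopes"].split()))
        elif m["corr"] in scopes_seen:
            messages[m["corr"]].append(f'{m["cls"].rsplit(".", 1)[-1]}: {m["msg"]}')
    report = {}
    for corr, seen in scopes_seen.items():
        dropped = seen[0] - seen[-1]
        if dropped:
            report[corr] = {"dropped": sorted(dropped), "messages": messages[corr]}
    return report

if __name__ == "__main__":
    for corr, info in find_dropped_scopes(SAMPLE_LOG).items():
        print(corr, info["dropped"], *info["messages"], sep="\n  ")
```

Running it against the real debug log from each of the two servers gives a side-by-side view of which requests lose internal_login and which log message sits between the two scope lists.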