Reputation: 4452
I am using the combination of WSO2 API Manager and WSO2 identity server and configured using the following documentation https://docs.wso2.com/display/CLUSTER44x/Configuring+the+Pre-Packaged+Identity+Server+5.2.0+with+API+Manager+2.0.0
In this case, WSO2 Identity Server acts as the key manager and API Manager manages scopes.
I have configured it and it's working. I tried to use the password grant and it's giving me a bearer token even if I hit it with the wrong username and password. It feels as if it's only checking the client id which I pass in the URL.
```shell
# Request as posted: the grant parameters are sent as HTTP headers, not in the form body
curl -X POST \
  https://mycustomwsourl.in:9443/oauth2/token \
  -H 'authorization: Basic TnVMb0tGRmJlZ3hqUThNeW5uYzlHWmE1bkpBYTpKSzRINmp5M3V4Zl8wNFZNX25lbDhncnJwMm9h' \
  -H 'content-type: application/x-www-form-urlencoded' \
  -H 'grant_type: password' \
  -H 'password: testuser' \
  -H 'scope: SCOPE_EDIT SCOPE_READ SCOPE_REMOVE' \
  -H 'username: testuser'
```
If I pass a different client code it throws me an error. Otherwise it always gives back a bearer token.
Can it be because Identity Server is not acting as the key manager? Any configuration?
Upvotes: 0
Views: 1120
Reputation: 12513
That is very strange. It should actually send an error message because you're sending grant_type as a header, which is wrong. All this data should be sent in the POST body like this.
```shell
curl -k -d "grant_type=password&username=<username>&password=<password>" -H "Authorization: Basic d1U2MkRqbHlEQm5xODdHbEJ3cGxmcXZtQWJBYTprc2RTZG9lZkREUDd3cGFFbGZxdm1qRHVl" -H "Content-Type: application/x-www-form-urlencoded" https://localhost:8243/token
```
Reference: https://docs.wso2.com/display/AM200/Password+Grant
Upvotes: 1
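To make the answer's point concrete, here is an added example (not code from either poster or from WSO2) that builds a password-grant token request the way RFC 6749 expects, with the client credentials in an HTTP Basic `Authorization` header and `grant_type`, `username`, `password` and `scope` form-encoded in the POST body. It also models what a token endpoint actually reads from a request, so you can see that a request shaped like the question's (parameters only in custom headers, empty body) carries no grant parameters at all. The client id, client secret, username and token URL are placeholders.

```python
import base64
import urllib.request
from urllib.parse import urlencode, parse_qs

# Placeholder endpoint; the answer uses the API Manager gateway's /token on port 8243.
TOKEN_URL = "https://localhost:8243/token"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """RFC 6749 section 2.3.1: client credentials go in an HTTP Basic Authorization header."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_password_grant(client_id, client_secret, username, password, scope=None):
    """Return (headers, body) for a resource-owner password grant (RFC 6749 section 4.3.2).

    The grant parameters are form-encoded in the body; nothing grant-related goes in a header.
    """
    params = {"grant_type": "password", "username": username, "password": password}
    if scope:
        params["scope"] = scope  # space-separated scope list, form-encoded as '+'
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return headers, urlencode(params)


def server_view(headers, body):
    """Model what a token endpoint reads: the form body. Custom headers are not consulted."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    return {
        "grant_type": form.get("grant_type"),
        "username": form.get("username"),
        "password_present": "password" in form,
        "scope": form.get("scope"),
    }


def is_well_formed_password_grant(headers, body):
    """True only if the body carries grant_type=password plus username and password."""
    view = server_view(headers, body)
    return (view["grant_type"] == "password"
            and view["username"] is not None
            and view["password_present"])


# Constructed sample mirroring the question's request shape: parameters as headers, empty body.
WRONG_HEADERS = {
    "Authorization": basic_auth_header("client-id-placeholder", "client-secret-placeholder"),
    "Content-Type": "application/x-www-form-urlencoded",
    "grant_type": "password",
    "username": "testuser",
    "password": "testuser",
}
WRONG_BODY = ""


def send_token_request(headers, body, url=TOKEN_URL, timeout=10):
    """Send the request with the standard library (not called offline; needs a live endpoint)."""
    req = urllib.request.Request(url, data=body.encode("utf-8"), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read().decode("utf-8")


if __name__ == "__main__":
    hdrs, body = build_password_grant("client-id-placeholder", "client-secret-placeholder",
                                      "testuser", "testuser", "SCOPE_EDIT SCOPE_READ")
    print("correct body  :", body)
    print("correct view  :", server_view(hdrs, body))
    print("question view :", server_view(WRONG_HEADERS, WRONG_BODY))
```

With the question's shape, `server_view` returns no `grant_type` and no `username`, so a compliant token endpoint has nothing to validate and should reject the request; the only thing that request proves is that the client id and secret in the `Authorization` header are valid, which matches the symptom that a wrong client credential is the only thing that produces an error.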