Reputation: 892
I'm trying to provision users to WSO2 Identity Server v5.10.0 from another application.
According to the documentation I can do it through the SCIM2 REST APIs; there are good cURL samples that pass user credentials with appropriate permissions, as you can see here.
In my case though, the only thing I have is the client_id and secret generated by WSO2 API Manager integrated to this WSO2IS.
When I call the API passing the generated token in the header, it returns 403.
How do I call WSO2IS SCIM2 API from another application?
Thanks in advance!
Upvotes: 0
Views: 457
Reputation: 3057
If you navigate to the <PRODUCT_HOME>/repository/conf/identity/identity.xml file, you can find content as follows.
<Resource context="(.*)/scim2/Users(.*)" secured="true" http-method="POST">
  <Permissions>/permission/admin/manage/identity/usermgt/create</Permissions>
  <Scopes>internal_user_mgt_create</Scopes>
</Resource>
<Resource context="(.*)/scim2/Users" secured="true" http-method="GET">
  <Permissions>/permission/admin/manage/identity/usermgt/list</Permissions>
  <Scopes>internal_user_mgt_list</Scopes>
</Resource>
.....
These configs are related to how each SCIM endpoint is secured. Find more details at https://is.docs.wso2.com/en/latest/develop/authenticating-and-authorizing-rest-apis/#secure-resources
If you use Basic Auth (username and password), the mentioned permission for the relevant endpoint is required for the user who owns credentials. Similarly, if you use access tokens it should be generated with the mentioned scopes. If the access token doesn't have the required scope you will receive 403 Forbidden.
For example:
In order to create SCIM users you should use an access token with the internal_user_mgt_create scope.
Upvotes: 1
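The scope check described in the answer above, as an added example that is not part of the original answer and not WSO2's own code: it parses the two quoted `<Resource>` entries and reports which scope a token lacks for a given SCIM2 request. The `<Resources>` wrapper, the function names, the matching rules noted in the docstring and the sample scope strings are assumptions made for this sketch.

```python
import re
import xml.etree.ElementTree as ET

# The two <Resource> entries quoted in the answer above. The <Resources>
# wrapper is added here only so the fragment parses by itself.
SAMPLE_CONFIG = """<Resources>
<Resource context="(.*)/scim2/Users(.*)" secured="true" http-method="POST">
<Permissions>/permission/admin/manage/identity/usermgt/create</Permissions>
<Scopes>internal_user_mgt_create</Scopes>
</Resource>
<Resource context="(.*)/scim2/Users" secured="true" http-method="GET">
<Permissions>/permission/admin/manage/identity/usermgt/list</Permissions>
<Scopes>internal_user_mgt_list</Scopes>
</Resource>
</Resources>"""


def load_rules(xml_text):
    """Turn each <Resource> element into (methods, compiled context, secured, scopes)."""
    rules = []
    for res in ET.fromstring(xml_text).iter("Resource"):
        methods = {m.strip().upper() for m in res.get("http-method", "all").split(",")}
        scopes = {s.text.strip() for s in res.findall("Scopes") if s.text}
        secured = res.get("secured", "true").lower() == "true"
        rules.append((methods, re.compile(res.get("context")), secured, scopes))
    return rules


def missing_scopes(rules, method, path, token_scope):
    """Scopes the token lacks for this request, or None if no rule covers it.

    Assumptions of this sketch: the first rule whose method and context regex
    match the whole path applies, and every scope it lists is required.
    token_scope is the space-delimited "scope" value of the token response.
    """
    granted = set(token_scope.split())
    for methods, context, secured, scopes in rules:
        if (method.upper() in methods or "ALL" in methods) and context.fullmatch(path):
            return scopes - granted if secured else set()
    return None


if __name__ == "__main__":
    rules = load_rules(SAMPLE_CONFIG)
    # Constructed scope strings, as they would appear in a token response.
    for scope in ("default", "default internal_user_mgt_create"):
        gap = missing_scopes(rules, "POST", "/scim2/Users", scope)
        print(f"scope={scope!r}: {'403, missing ' + str(sorted(gap)) if gap else 'authorized'}")
```

Comparing the `scope` field of the token response against the rule for the endpoint shows whether a 403 comes from a missing scope before any SCIM2 call is made.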