Reputation: 3693
I am trying to add a user to a tenant. For that I did the following:
After executing the endpoint, I am getting error 401 Unauthorized. Any ideas what I am doing wrong?
I am not sure if it's relevant, but I noticed that when I generate an access token from the main WSO2 instance (not tenant), I get these scopes:
"scope": "internal_list_tenants internal_user_mgt_create"
However, when I generate a similar token with the tenant client key and secret, with the same scopes, I see only
"scope": "internal_user_mgt_create"
I suppose this is fine because createUser only needs this scope, but maybe the 401 comes from the inability to get the tenant that is needed with the internal_list_tenants scope?
Upvotes: 0
Views: 394
Reputation: 3057
An incorrect URL is a cause for a 401 response.
Here, the URL you used (https://localhost:9443/t/carbon.super/{tenantId}/api/server/v1/scims2/Users) is incorrect.
In order to create a user in a tenant named abc.com, you need to invoke the endpoint
https://localhost:9443/t/abc.com/scim2/Users
In general, if you want to create a user in a tenant, the endpoint is:
https://<host>:<port>/t/<tenant-domain>/scim2/Users
If no tenant is specified in the URL, it is considered as the super tenant (carbon.super) (https://<host>:<port>/scim2/Users is equal to https://<host>:<port>/t/carbon.super/scim2/Users).
Having "scope": "internal_user_mgt_create" is sufficient to execute the user creation REST API successfully. If the required scope/permissions are absent, you will get a 403 response.
Upvotes: 1
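The endpoint rule and the 401/403 distinction from the answer above, as an added Python example (not part of the original posts and not WSO2's own code). The function names and returned labels are hypothetical, the "check-token" branch is an assumption about 401s on a well-formed URL, and the request is built but never sent.

```python
import json
import re
import urllib.request
from urllib.parse import quote, urlsplit

# Path shapes given in the answer:
#   /scim2/Users (super tenant) or /t/<tenant-domain>/scim2/Users
_SCIM_USERS_PATH = re.compile(r"^(?:/t/(?P<tenant>[^/]+))?/scim2/Users$")

def scim_users_endpoint(host, port, tenant_domain=None):
    """Build the SCIM2 Users endpoint; no tenant means the super tenant."""
    prefix = f"/t/{quote(tenant_domain, safe='')}" if tenant_domain else ""
    return f"https://{host}:{port}{prefix}/scim2/Users"

def tenant_of(url):
    """Return the tenant a URL targets, or None if it is not a SCIM2 Users URL."""
    m = _SCIM_USERS_PATH.match(urlsplit(url).path)
    if m is None:
        return None
    return m.group("tenant") or "carbon.super"

def build_create_user_request(url, access_token, user_name, password):
    """Prepare (but do not send) a SCIM2 create-user POST with a bearer token."""
    body = {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "userName": user_name,
        "password": password,
    }
    return urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"})

def diagnose(url, status, token_scopes):
    """Map a response to the causes named in the answer (labels are hypothetical)."""
    if tenant_of(url) is None:
        return "bad-url"        # wrong path: the answer names this as a cause of 401
    if status == 401:
        return "check-token"    # assumption: URL is fine, so look at the token itself
    if status == 403:
        missing = "internal_user_mgt_create" not in token_scopes.split()
        return "missing-scope" if missing else "missing-permission"
    return "ok" if 200 <= status < 300 else "other"
```

Running `tenant_of` on the URL from the question returns `None`, which is the quickest way to see that the path, not the scope list, is what needs fixing.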