Open
Description
Current Limitation
As per the current implementation, the default apim:subscribe, apim:api_create, etc. are not reflected when generating an access token using the token-exchange grant type. As a workaround, we had to provision the users into the APIM side by logging in to the portals.
In summary, an IDP was created on the APIM side and the external role was mapped to a local role. Then we did a scope assignment to the local role. Once the user is provisioned, it's possible to log in to the portals as well as generate a token with the required scopes. But there can be users who still need to use the token-exchange grant type who aren't required/allowed to use the portals.
Suggested Improvement
N/A
Version
4.2.0