
Issue with Scope Validation and Caching for Users from Different User Stores in APIM #3836

Open
wso2/carbon-apimgt
#13065
@DilanChanuka

Description


In a scenario where the same username exists in two different user stores configured in APIM, an issue arises with scope validation when using Basic OAuth. Here’s how the behaviour unfolds:

  • If the same username appears in both the primary and secondary user stores but with different passwords, and an API is secured with a scope mapped to a role in the primary user store: when the API is invoked using the user from the primary user store, the scope validation works correctly and the request proceeds as expected. If the API is then invoked using the user from the secondary user store (without specifying the domain), who lacks the necessary role for the secured scope, unexpected behaviour is observed on subsequent invocations.

Steps to Reproduce

  • Create an API and assign a local scope, mapping it to a role in the primary user store.
  • Configure a secondary user store.
  • Create a user in the secondary user store with the same username as in the primary user store, but without assigning the role and with a different password.
  • Invoke the API using the user from the primary user store.
  • Invoke the API using basic authentication with the user from the secondary user store, without specifying the domain.
  • The issue is reproduced when the API is invoked again with the user from the secondary user store.

Version

wso2am-4.2.0

Environment Details (with versions)

No response
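The scenario in the report is the general case of a validation cache keyed on a bare username conflating two principals that differ only by user-store domain. The following model, written for this page and not taken from wso2/carbon-apimgt (the report does not show APIM's actual cache layout, and the exact sequence the reporter saw may differ), sets up the fixture from the steps above with assumed store, user, password, role and scope names, resolves Basic credentials the way a no-domain lookup does (each store tried in order, so the password decides which user is selected), and compares a cache keyed on `(username, scope)` with one keyed on `(domain, username, scope)`:

```python
import base64

# Constructed fixture mirroring the report: the same username exists in the
# PRIMARY and SECONDARY stores with different passwords, and only the PRIMARY
# user holds the role that the API scope is mapped to. Store names, user,
# passwords, role and scope names are assumptions for this example.
USER_STORES = {
    "PRIMARY":   {"alice": {"password": "primary-pass",   "roles": {"order_viewer"}}},
    "SECONDARY": {"alice": {"password": "secondary-pass", "roles": set()}},
}
SCOPE_TO_ROLES = {"order:read": {"order_viewer"}}   # local scope -> required roles
STORE_ORDER = ["PRIMARY", "SECONDARY"]               # lookup order when no domain is given


def basic_header(username, password):
    """Build an HTTP Basic Authorization header value."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def parse_basic(header):
    """Return (username, password) from a Basic header, or None if malformed."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    return (username, password) if sep else None


def authenticate(username, password):
    """Resolve credentials to (domain, bare_username), or None on failure.

    A 'DOMAIN/user' username is checked only against that store; a bare
    username is tried against each store in STORE_ORDER, so the password
    decides which store's user is selected, as in the report's scenario.
    """
    if "/" in username:
        domain, name = username.split("/", 1)
        candidates = [domain] if domain in USER_STORES else []
    else:
        name, candidates = username, STORE_ORDER
    for domain in candidates:
        user = USER_STORES[domain].get(name)
        if user is not None and user["password"] == password:
            return domain, name
    return None


class ScopeValidator:
    """Scope check with a result cache (hypothetical model, not APIM's code).

    key_includes_domain=False models the failure class in the report: two
    distinct users that share a bare username collide on one cache entry.
    """

    def __init__(self, key_includes_domain):
        self.key_includes_domain = key_includes_domain
        self.cache = {}
        self.store_lookups = 0   # how often roles were actually fetched

    def _key(self, domain, name, scope):
        if self.key_includes_domain:
            return (domain, name, scope)
        return (name, scope)     # collides across user stores

    def has_scope(self, domain, name, scope):
        key = self._key(domain, name, scope)
        if key not in self.cache:
            self.store_lookups += 1
            roles = USER_STORES[domain][name]["roles"]
            self.cache[key] = bool(roles & SCOPE_TO_ROLES.get(scope, set()))
        return self.cache[key]


def invoke(validator, auth_header, scope="order:read"):
    """Gateway decision for one request: 401, 403 or 200."""
    creds = parse_basic(auth_header)
    principal = authenticate(*creds) if creds else None
    if principal is None:
        return 401
    domain, name = principal
    return 200 if validator.has_scope(domain, name, scope) else 403


def reproduce(key_includes_domain):
    """Run the report's sequence: the primary user once, then the secondary
    user twice with no domain prefix. Returns the three status codes."""
    v = ScopeValidator(key_includes_domain)
    return [
        invoke(v, basic_header("alice", "primary-pass")),
        invoke(v, basic_header("alice", "secondary-pass")),
        invoke(v, basic_header("alice", "secondary-pass")),
    ]


if __name__ == "__main__":
    print("username-only cache key :", reproduce(False))  # [200, 200, 200]
    print("domain-qualified key    :", reproduce(True))   # [200, 403, 403]
```

With the username-only key the secondary-store user, who holds no role for the scope, inherits the primary user's cached "allowed" result and every call after the first returns 200; with the domain in the key the second and third calls are correctly rejected with 403. The practical check when triaging a report like this is therefore whether the cached decision is stored under the fully qualified `DOMAIN/user` identity or under the bare username the client sent.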
