How to get all the scopes a user has access to in WSO2 API Manager
My web client application has different menus such as read, delete, add, view, etc., depending on the user's role.
I have different scopes such as read, delete, add, etc., and roles associated with them, which are configured in WSO2 API Manager.
When a user logs in, I authenticate the user through WSO2 API Manager and get a token. How can I get all the valid scopes for that token, so that I can show the user different menus based on the scopes received?
Because I have many scopes, I was hoping for some solution other than passing all the scopes at authentication time?
What is the best way to handle menu/button visibility based on roles when using WSO2 API Manager? Should I use roles or scopes for this? If so, how can I get all the scopes/roles in my client application?
You must pass all the scopes. The token response will then return the list of scopes associated with that token.
Here is a good example from this blog post.
A news API has two defined scopes, 'news_read' and 'news_write'. The 'news_read' scope is associated with the user roles 'employee' and 'manager'. The 'news_write' scope is associated with the 'manager' role only.
The API has two operations, one as /read (GET) and the other as /write (POST). The GET operation is associated with the 'news_read' scope and the POST operation is associated with the 'news_write' scope.
There are two users named 'nuwan' and 'john'. User 'nuwan' has the 'employee' role and 'john' has both 'employee' and 'manager' roles. Both users are requesting a token for both the scopes.
a) User 'nuwan' will be requesting a token through the /token API. His request would be of the following format.
grant_type=password&username=nuwan&password=xxxx&scope=news_read news_write
Although 'nuwan' requests a token for both scopes, he will only be granted a token bearing the 'news_read' scope since 'nuwan' is not in the 'manager' role. See the response from the /token API for the above request.
{"scope":"news_read","token_type":"bearer","expires_in":3299,"refresh_token":"8579facb65d1d3eba74a395a2e78dd6","access_token":"eb51eff0b4d85cda1eb1d312c5b6a3b8"}
b) User 'john' will now be requesting a token as below.
grant_type=password&username=john&password=john123&scope=news_read news_write
Since 'john' has both the 'employee' and the 'manager' role, the token he gets will bear both the requested scopes. See the response from the /token API for the above request.
{"scope":"news_read news_write","token_type":"bearer","expires_in":3299,"refresh_token":"4ca244fb321bd555bd3d555df39315","access_token":"42a377a0101877d1d9e29c5f30857e"}
This basically means that 'nuwan' can only access the GET operation of the API while 'john' can access both.
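The client-side half of the answer above, as an added example that is not part of the original post or of WSO2's own code: request a token for every scope the client knows, read the granted list back from the "scope" field of the /token response, and derive menu visibility from it. TOKEN_URL and CLIENT_BASIC are placeholders, and the sample response is constructed from the 'nuwan' case shown in the answer.

```javascript
// Placeholders: the WSO2 APIM token endpoint and base64(consumerKey:consumerSecret).
const TOKEN_URL = "https://gateway.example.com/token";
const CLIENT_BASIC = "<base64 consumerKey:consumerSecret>";

// Every scope the client knows about. As the answer says, all of them are
// requested; the server grants only those the user's roles allow.
const ALL_SCOPES = ["news_read", "news_write"];

// Menu entry -> scope it needs. Hiding a menu is a UX decision only; the
// gateway still enforces the scope on each API operation (GET /read, POST /write).
const MENU = { Read: "news_read", Write: "news_write" };

// Password-grant body as in the answer: scopes are space-separated inside one
// "scope" parameter (URLSearchParams form-encodes that space as "+").
function buildTokenRequestBody(username, password, scopes = ALL_SCOPES) {
  return new URLSearchParams({
    grant_type: "password",
    username,
    password,
    scope: scopes.join(" "),
  }).toString();
}

// Split the granted scopes out of a /token JSON response. A missing or empty
// "scope" field means nothing was granted, not an error.
function grantedScopes(tokenResponse) {
  const raw = typeof tokenResponse.scope === "string" ? tokenResponse.scope : "";
  return raw.split(/\s+/).filter((s) => s.length > 0);
}

// Which menu entries to show for the granted scopes, in MENU order.
function visibleMenus(scopes, menu = MENU) {
  const granted = new Set(scopes);
  return Object.keys(menu).filter((item) => granted.has(menu[item]));
}

// Full login flow: POST to /token, return the access token and its scopes.
async function login(username, password) {
  const res = await fetch(TOKEN_URL, {
    method: "POST",
    headers: {
      Authorization: "Basic " + CLIENT_BASIC,
      "Content-Type": "application/x-www-form-urlencoded",
    },
    body: buildTokenRequestBody(username, password),
  });
  if (!res.ok) throw new Error("token request failed: HTTP " + res.status);
  const json = await res.json();
  return { token: json.access_token, scopes: grantedScopes(json) };
}

// Constructed sample: the /token response the answer shows for user 'nuwan'.
const SAMPLE_NUWAN_RESPONSE = { scope: "news_read", token_type: "bearer", expires_in: 3299 };
```

With the sample response, visibleMenus(grantedScopes(SAMPLE_NUWAN_RESPONSE)) yields only ["Read"], matching the answer's point that 'nuwan' can reach the GET operation but not the POST.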