0

I am trying to add user to a tenant. For that I did the following:

  1. Created tenant in WSO2 instance
  2. Generated access token based on client key and secret for the tenant service provider
  3. Use generated token to execute endpoint https://localhost:9443/t/carbon.super/{tenantId}/api/server/v1/scims2/Users, where tenantId is id of the tenant.

After executing the endpoint, I am getting error 401 Unauthorized. Any ideas what am I doing wrong?

I am not sure if it's relevant, but I noticed that when I generate access token from main WSO2 instance (not tenant), I get these scopes

"scope": "internal_list_tenants internal_user_mgt_create"

However, when I generate similar token with tenant client key and secret, with the same scopes, I see only

 "scope": "internal_user_mgt_create"

I suppose this is fine because createUser only needs this scope, but may be 401 comes from inability to get tenant that is needed with internal_list_tenants scope?

Community
  • 1
  • 1
positron
  • 3,643
  • 3
  • 22
  • 26

1 Answers1

1

An incorrect URL is a cause for 401 response. Here, the URL you used (https://localhost:9443/t/carbon.super/{tenantId}/api/server/v1/scims2/Users) is incorrect.

In order to create a user in a tenant named abc.com, you need to invoke the endpoint

https://localhost:9443/t/abc.com/scim2/Users

In general, if you want to create a user in a tenant, the endpoint is:

https://<host>:<port>/t/<tenant-domain>/scim2/Users

If no tenant is specified in the URL, it is considered as the super tenant (carbon.super) (https://<host>:<port>/scim2/Users equals to https://<host>:<port>/t/carbon.super/scim2/Users).

Having "scope": "internal_user_mgt_create" is sufficient to execute user creation rest API succesully. If the required scope/permissions are absent you will get 403 response.

Anuradha Karunarathna
  • 2,717
  • 2
  • 9
  • 17