Restricting grant types for an application in WSO2 API Manager

WSO2 API Manager can restrict which OAuth grant types are enabled for a given application. This is configured through the API Manager's management console. The required steps are given below.

1. An app developer needs the required permission before they can restrict the grant types available to an application. The permission shown below must be assigned to a user role associated with the app developer.

2. Once this is done, log out and log back into the API Manager's admin console.

3. You will now see an OAuth link in the left navigation; click it.

4. This page lists all the applications created by the app developer. Select the application whose grant types should be restricted.

5. Inside the selected application you can define which grant types are allowed for it. By default all grant types are unchecked, and in that state every grant type is allowed. To override this default, check only the grant types that should be allowed for the application.

6. When you are done, click the Update button and the configuration will be saved.
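As an added example (not part of the original post and not WSO2's own tooling), the following Python script verifies the result of step 6: it requests a token with each grant type using the application's own consumer key and secret and reports which grant types the token endpoint still accepts. It assumes the gateway token endpoint https://localhost:8243/token, a self-signed development certificate, and placeholder resource-owner credentials for the password grant.

```python
import base64, json, ssl, urllib.error, urllib.parse, urllib.request

# Grant types to probe (constructed list; extend it to match the application).
# The password-grant values are placeholders for a real resource owner's login.
PROBES = [
    ("client_credentials", {}),
    ("password", {"username": "<resource-owner>", "password": "<secret>"}),
]

def classify(status, body):
    """Map a token response to 'allowed', 'rejected', 'error:<code>' or 'unknown'.
    RFC 6749: success is 200 + JSON access_token; 'unauthorized_client' is the error
    for a client that may not use the requested grant type (what the restriction yields)."""
    try:
        payload = json.loads(body or "{}")
    except ValueError:
        payload = None
    if not isinstance(payload, dict):
        return "unknown"
    if status == 200 and "access_token" in payload:
        return "allowed"
    error = payload.get("error")
    if error == "unauthorized_client":
        return "rejected"
    return f"error:{error}" if error else "unknown"

def probe(token_url, key, secret, grant_type, extra, insecure=False):
    """POST one token request with HTTP Basic client auth; return (status, body)."""
    creds = base64.b64encode(f"{key}:{secret}".encode()).decode()
    data = urllib.parse.urlencode({"grant_type": grant_type, **extra}).encode()
    req = urllib.request.Request(token_url, data=data, method="POST")
    req.add_header("Authorization", f"Basic {creds}")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    ctx = ssl.create_default_context()
    if insecure:  # only for the self-signed certificate of a local dev instance
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()

def audit(token_url, key, secret, insecure=False):
    """Return {grant_type: verdict}; every grant you left unchecked should be 'rejected'."""
    return {g: classify(*probe(token_url, key, secret, g, x, insecure)) for g, x in PROBES}

if __name__ == "__main__":
    import sys  # usage: python check_grants.py <consumer_key> <consumer_secret>
    for grant, verdict in audit("https://localhost:8243/token", *sys.argv[1:3], insecure=True).items():
        print(f"{grant:20} {verdict}")
```

An error:invalid_grant verdict for the password grant means the endpoint processed that grant type and only refused the placeholder credentials, so the grant is still enabled for the application.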


3 thoughts on “Restricting grant types for an application in WSO2 API Manager”

  1. Hi, this is good information. However, the implications of giving the manage permission to the subscriber role sound scary. I tried it on the latest 1.10 release. Granting a manage permission gives a lot of privileges to a subscriber, like access to all the running applications such as store and the ability to stop/start the application, the ability to deploy other applications, and lots of other system configs. Is there any other way to achieve this?

    If the management console admin needs to do the same, is there a way to do it? As an admin I don’t see all my subscribers’ applications under the service providers section.


    • Hi Nikesh, thank you for taking the time to comment on my post. Would you tell me what your requirement is, so that I can tell you what solutions are possible with WSO2 API Manager?


      • There were a few things I was trying to understand:
        1. As an API provider, is there a way I can restrict my API(s) to specific OAuth grant type(s)? I know that while provisioning an API I can specify application, application user or both, but is there a way to control it at a more granular level, i.e. by specific grant type?

        2. As an API subscriber / app developer / service provider, how can I do what you described above without requiring an admin to provide the complete Manage permissions? Frankly, in the real world, an admin won’t provide such a permission to a subscriber role.

        3. As an Admin, how can I do what you described above on behalf of a specific subscriber?

