
Conversation

@wso2-engineering-bot wso2-engineering-bot commented Nov 12, 2025

This PR was automatically generated by Claude AI.

Changes made

  • Updated the shared include file at en/includes/guides/authentication/oidc/token-validation-resource-server.md
  • Added new configuration section documenting scope-based access control
  • Explained the usage of the internal_oauth2_introspect scope
  • Provided guidance on configuring multiple scopes for endpoint access
  • Documented that users need at least one of the specified scopes when multiple scopes are configured

Affected versions

This change affects the following Identity Server versions through the shared include file:

  • 7.0.0 - Uses the shared include file
  • 7.1.0 - Uses the shared include file
  • 7.2.0 - Uses the shared include file
  • next - Uses the shared include file

Verification

  • Documentation builds successfully with mkdocs build
  • Build completed in 34.48 seconds with no errors related to the changes
  • Only pre-existing warnings about plugin configurations (unrelated to this change)

Style Scope Verification

Microsoft Style Guidelines have been applied ONLY to newly added content without modifying existing content style unless specifically requested.

🤖 Generated with Claude Code

Co-Authored-By: Claude [email protected]

Summary by CodeRabbit

  • Documentation
    • Updated token validation documentation with guidance on configuring scope-based access control for the token introspection endpoint, including deployment configuration examples and default behavior.

…ndpoint (product-is#19615)

Updated introspection endpoint documentation to include scope-based access
control configuration using the internal_oauth2_introspect scope. This replaces
the deprecated permissions-based approach.

- Added [resource_access_control.introspect] configuration section
- Documented internal_oauth2_introspect scope usage
- Explained how to configure multiple scopes for endpoint access
- Affects versions: 7.0.0, 7.1.0, 7.2.0 (via shared include file)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>
@CLAassistant
CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.


wso2-engineering-bot seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you already have a GitHub account, please add the email address used for this commit to your account.
You have signed the CLA already but the status is still pending? Let us recheck it.

@coderabbitai
coderabbitai bot commented Nov 12, 2025

Walkthrough

Added documentation notes about access control configuration for token introspection endpoints via scopes in deployment.toml, including default scope behavior and examples for both a general section and the WSO2 Identity Server section.

Changes

Cohort / File(s): Documentation: OIDC Token Validation
  en/includes/guides/authentication/oidc/token-validation-resource-server.md
Summary: Added two note blocks documenting scope-based access control for the token introspection endpoint, including deployment.toml configuration examples and default scope behavior (internal_oauth2_introspect). Changes applied to both the general and the WSO2 Identity Server sections.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

📖 A guide now gleams with scopes so clear,
Token introspection wisdom here,
Configuration notes, aligned just right,
Documentation shining bright! ✨

Pre-merge checks and finishing touches

❌ Failed checks (1 inconclusive)
  Description check: ❓ Inconclusive
    Explanation: The description covers the purpose and related issue, but is missing required sections from the template: test environment, and security checks.
    Resolution: Complete the template by adding test environment details and checking the three security verification checkboxes, or confirming they are not applicable.
✅ Passed checks (2 passed)
  Title check: ✅ Passed
    Explanation: The title clearly and specifically describes the main change: adding scope-based access control configuration for the introspection endpoint, and references the related issue.
  Docstring Coverage: ✅ Passed
    Explanation: No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
en/includes/guides/authentication/oidc/token-validation-resource-server.md (1)

98-104: Consider adding an example of multi-scope configuration.

The documentation explains that multiple scopes can be configured and users need at least one of them, but no concrete example is provided. Adding an example of how to configure multiple scopes would improve clarity.

Consider adding an example such as:

    [resource_access_control.introspect]
    scopes = []
+
+    # Example: To restrict introspection to users with either of these scopes:
+    # scopes = ["internal_oauth2_introspect", "admin"]
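Review bot: the suggested multi-scope example rests on the same unverified `scopes` key as the note it extends; this review's own critical finding reports that the repository's existing `[resource_access_control.introspect]` examples use `permissions = [...]` and that neither `scopes = []` nor `internal_oauth2_introspect` occurs anywhere in the repo. Hold this suggestion until engineering confirms the key (and the OR semantics for multiple values), or rewrite it against `permissions`, so the nitpick does not cement an example that the critical comment asks to remove.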
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between bb37e6d and d29b2ad.

📒 Files selected for processing (1)
  • en/includes/guides/authentication/oidc/token-validation-resource-server.md (1 hunks)
🔇 Additional comments (1)
en/includes/guides/authentication/oidc/token-validation-resource-server.md (1)

95-104: Note: No version information provided for this feature.

The documentation does not indicate which product version(s) this scope-based access control feature was introduced in. Given that this shared include affects versions 7.0.0, 7.1.0, 7.2.0, and next (per PR objectives), consider clarifying if this feature is available in all these versions or if there are version-specific requirements.

Comment on lines +95 to +104

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Verify scope name and configuration section accuracy.

The new note introduces scope-based access control configuration for the introspection endpoint with internal_oauth2_introspect as the default scope and configuration section [resource_access_control.introspect]. However, I cannot definitively confirm that these identifiers match the actual product implementation.

Please verify that:

  1. The scope name internal_oauth2_introspect is correct in the product codebase
  2. The configuration section name [resource_access_control.introspect] is the correct format
  3. The behavior description (OR logic when multiple scopes are configured) matches the actual implementation

Run this script to search for these identifiers in the codebase:


🏁 Script executed:

#!/bin/bash
# Verify scope name, configuration section, and implementation details

# Search for internal_oauth2_introspect scope definition
echo "=== Searching for internal_oauth2_introspect scope ==="
rg -i 'internal_oauth2_introspect' --type-list | head -20

# Search for resource_access_control configuration patterns
echo "=== Searching for resource_access_control configuration ==="
rg -i 'resource_access_control' --type-list | head -20

# Search for introspect endpoint access control
echo "=== Searching for introspect access control implementation ==="
rg -i 'introspect.*scope|scope.*introspect' --type-list | head -20

Length of output: 1347



🏁 Script executed:

#!/bin/bash
# Corrected verification script - remove --type-list flag

# Search for internal_oauth2_introspect scope definition
echo "=== Searching for internal_oauth2_introspect scope ==="
rg -i 'internal_oauth2_introspect' -n -C2 | head -40

# Search for resource_access_control configuration patterns
echo -e "\n=== Searching for resource_access_control configuration ==="
rg -i 'resource_access_control' -n -C2 | head -40

# Search for introspection endpoint access control/scope configuration
echo -e "\n=== Searching for introspect configuration ==="
rg -i '\bintrospect.*scope|\[resource_access_control\.introspect\]' -n -C2 | head -40

# Search in TOML files specifically for deployment.toml patterns
echo -e "\n=== Searching in TOML files for introspect scope config ==="
fd -e toml | xargs rg -i 'introspect|resource_access_control' -n -C1 2>/dev/null | head -40

Length of output: 13224



🏁 Script executed:

#!/bin/bash
# Check if scopes configuration exists anywhere in documentation
echo "=== Searching for scopes in resource_access_control context ==="
rg -i 'resource_access_control.*scopes|scopes.*resource_access_control' -n -C3

# Check specifically for scopes = in deployment.toml context
echo -e "\n=== Searching for 'scopes =' configuration anywhere ==="
rg -i 'scopes\s*=' -n -C2 | head -50

# Check the specific file to see full context
echo -e "\n=== Full context of lines 95-110 in reviewed file ==="
cat en/includes/guides/authentication/oidc/token-validation-resource-server.md | sed -n '95,110p'

Length of output: 286333


Replace 'scopes = []' with 'permissions = []' and remove/verify the 'internal_oauth2_introspect' claim.

The repository's existing docs use [resource_access_control.introspect] with a permissions array (e.g. permissions = ["/permission/admin/manage/identity/applicationmgt/view","/permission/admin/login"]); I found no occurrences of scopes = [] or of the scope internal_oauth2_introspect. Update the TOML example to use permissions = [] and either remove the default-scope sentence or confirm (with engineering) that scope-based access is a new product feature — if it is, add the implementation/version reference and example. File: en/includes/guides/authentication/oidc/token-validation-resource-server.md (lines 95-104).

🤖 Prompt for AI Agents
en/includes/guides/authentication/oidc/token-validation-resource-server.md
around lines 95 to 104: the TOML example and explanatory text incorrectly
reference a scopes-based configuration and the scope internal_oauth2_introspect,
but the repo uses permissions-based control; update the example to use
permissions = [] instead of scopes = [], remove or revise the sentence that says
"By default, users with the internal_oauth2_introspect scope..." (either remove
it or replace it with the correct default behavior using permissions), and if
scope-based access is a new feature confirm with engineering and, only if
supported, add a note with the implementation/version reference and a scopes
example.
