Access Delegation — OAuth 2.0 sample WSO2

Recently I was working through one of is-samples — Access Deligation- Oauth 2.0

I was using wso2is-5.11.0. In order for the sample to be compatible with the IS version I am using, there were few steps I had to perform in addition to the tutorial. Thought of updating those here.

The scenario of the sample is as below (extracted from the WSO2 tutorial)

Steps instruct you to;

  1. Set up Tomcat and install a web App (pickup-dispatch).

6. Run the application and test out the scenario


  1. You get this error from the Catelina console when invoking the service. Basically, it fails after reading admin credentials (as user consent).

26-Jun-2022 22:40:31.723 INFO [localhost-startStop-1] org.wso2.sample.identity.jks.JKSLoader.contextInitialized Setting trust store path to : <Home>/apache-tomcat-8.5.81/webapps/pickup-dispatch/WEB-INF/classes/wso2carbon.jks

This is because the sample was bundled with older security files, but I was using the latest IS.

As a quick hack we replaced above wso2carbon.jks with the same in IS.

cp <IS_HOME>/repository/resources/security/wso2carbon.jks <Tomcat_ Home>/webapps/pickup-dispatch/WEB-INF/classes

2. First time my app accessed the back-end service I got this NoClassDefFoundError

I was on jdk11 and had to switch to jdk8



export JAVA_HOME=/Library/Java/JavaVirtualMachines/jdk1.8.0_331.jdk/Contents/Home

3. After above, you get below error as you click the ‘add’ booking with backend-service enabled.

Reason is again the backend-service.jar is using an older jks. We checked-out the sample from samples-is/etc/backend-service, copied the latest jks to samples-is/etc/resources/ and built the jar again. Problem was resolved.

4. After fixing above, you get another error while you add a booking; In the back-end it is generated while calling token introspection endpoint.

2022–06–27 18:08:20 ERROR IntrospectionHandler:107 — Error while calling token introspection endpoint Server returned HTTP response code: 403 for URL: https://localhost:9443/oauth2/introspect

Reason being — In the wso2is-5.11.0 we have a scope requirement as well when using a bearer token to invoke APIs. The token generated from pickup-dispatch does not have a scope.

To overcome this we added below to the deployment.toml file. With this config, that requirement is removed. So anyone with any active access token can call the endpoint now and no need to obtain the token with that scope


permissions = []



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store