
Scope insertion during startup doesn't validate API-specific scope mapping #24001


Open
asha15 opened this issue May 9, 2025 · 0 comments
Contributor

asha15 commented May 9, 2025

Description

During server startup, the application reads system-api-resource.xml.j2 to check and insert any missing API definitions into the API_Resource and Scope tables.

The current logic checks whether a scope exists only by name, without verifying if it is actually associated with the API being processed. This leads to a problem when introducing a new API version that shares existing scopes with a previous version but also introduces additional scopes. Since scopes are tied to a specific API via a foreign key (API_ID), simply checking for the scope name is not sufficient.

Problem Scenario:

  • API v1 has a scope called read-data.
  • API v2 (a new version) also uses read-data and adds a new scope write-data.
  • During startup, the system sees read-data already exists (from v1) and skips insertion.
  • But read-data is not linked to v2, resulting in the scope not being added against the v2 version and in startup errors.

This results in errors like:

[2025-05-09 15:31:15,393] [] ERROR {org.wso2.carbon.identity.api.resource.mgt.util.APIResourceManagementUtil} - Error while registering system API resources in the tenant: carbon.super
[2025-05-09 15:31:15,464] [] ERROR {org.wso2.carbon.identity.api.resource.mgt.util.APIResourceManagementUtil} - Error while registering system API resources in the tenant: carbon.super

Steps to Reproduce

  1. Add a new API definition to system-api-resource.xml.j2 that:
       • Reuses one or more scopes already defined for a previous API version.
       • Introduces one or more new scopes.
  2. Restart the server.

Version

wso2is-7.2.0-m2-SNAPSHOT

Environment Details (with versions)

No response
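
The scenario reported above, as an added example that is not part of the original issue or the project's code: a simplified SQLite model in which a name-only existence check leaves v2 without read-data, while a check on name plus API_ID links it. The schema, the `UNIQUE (NAME, API_ID)` constraint, the API names and all function names are assumptions made for illustration.

```python
import sqlite3

# Simplified, assumed schema: only the columns the issue mentions.
SCHEMA = """
CREATE TABLE API_RESOURCE (ID INTEGER PRIMARY KEY, NAME TEXT UNIQUE);
CREATE TABLE SCOPE (
    ID INTEGER PRIMARY KEY,
    NAME TEXT NOT NULL,
    API_ID INTEGER NOT NULL REFERENCES API_RESOURCE(ID),
    UNIQUE (NAME, API_ID)
);
"""

def exists_by_name(db, scope, api_id):
    # Check described in the issue: matches a scope owned by any API.
    return db.execute("SELECT 1 FROM SCOPE WHERE NAME = ?", (scope,)).fetchone() is not None

def exists_for_api(db, scope, api_id):
    # API-aware check: the scope must be linked to this API_ID.
    return db.execute("SELECT 1 FROM SCOPE WHERE NAME = ? AND API_ID = ?",
                      (scope, api_id)).fetchone() is not None

def register(db, api_name, scopes, exists):
    """Insert the API if missing, then each scope the `exists` check reports absent."""
    db.execute("INSERT OR IGNORE INTO API_RESOURCE (NAME) VALUES (?)", (api_name,))
    api_id = db.execute("SELECT ID FROM API_RESOURCE WHERE NAME = ?", (api_name,)).fetchone()[0]
    for scope in scopes:
        if not exists(db, scope, api_id):
            db.execute("INSERT INTO SCOPE (NAME, API_ID) VALUES (?, ?)", (scope, api_id))
    rows = db.execute("SELECT NAME FROM SCOPE WHERE API_ID = ? ORDER BY NAME", (api_id,))
    return [r[0] for r in rows]

def startup(exists):
    # Constructed definitions mirroring the issue's v1/v2 scenario.
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    register(db, "api-v1", ["read-data"], exists)
    return register(db, "api-v2", ["read-data", "write-data"], exists)

if __name__ == "__main__":
    print("name-only check:", startup(exists_by_name))   # v2 lacks read-data
    print("API-aware check:", startup(exists_for_api))
```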
