
Error 403 is returned when making a request to Get the list of contracts using Exchange API via Connected App

Publication date: Mar 11, 2026
Solution

SYMPTOM

  • Error 403 is returned when making a request to Get the list of contracts using Exchange API via Connected App

Steps to Illustrate the issue:

  1. First, create a Connected App and obtain a bearer token as explained here; this token is used later to make the Exchange API request.
    Make sure to select all scopes and add them to all environments and organizations.
  2. Run the following curl command to get the list of contracts:
    curl --location --request GET 'https://anypoint.mulesoft.com/exchange/api/v2/organizations/<orgID>/applications/<API ID>/contracts' \
    --header 'Content-Type: application/json' \
    --header 'Authorization: Bearer <token>'
  3. Notice that the response is 403 Forbidden:
    {
        "status": 403,
        "message": "Unauthorized",
        "details": {}
    }

CAUSE

SOLUTION

IMPORTANT NOTE: This solution would only work if MFA is disabled for the User. Since August 1st, 2023, MuleSoft customers need to enforce MFA on all users. Refer to SOLUTION 2 below to use Connected App acting as its own (client credentials).

  • A workaround would be to create a Connected App that acts on behalf of a user with "password" as the grant type.
  • To obtain a token for that Connected App, this is the curl command (the placeholders are JSON strings, so keep the surrounding double quotes):
curl --location --request POST 'https://anypoint.mulesoft.com/accounts/api/v2/oauth2/token' \
--header 'Content-Type: application/json' \
--data-raw '{
  "grant_type": "password",
  "response_type": "token",
  "username": "<username>",
  "password": "<password>",
  "scope": "<configured_scope_for_the_client_app>",
  "client_id": "<connected_app_client_id>",
  "client_secret": "<connected_app_client_secret>"
}'
  • This token is then used to get the list of contracts:
curl --location --request GET 'https://anypoint.mulesoft.com/exchange/api/v2/organizations/<orgID>/applications/<API ID>/contracts' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer <token>'


SOLUTION 2

Refer to the KB article ConnectedApps - How to Manage Existing Client Applications and ensure the Connected App has the Managing permission on the Client Application.
Once this permission has been granted, the call in the SYMPTOM section should succeed.

Note, the minimum Connected App scopes are:

  • API Manager - Manage Contracts
  • API Manager - View Contracts
  • Exchange - Exchange Viewer
  • General - View Environment
  • General - View Organization
  • Open ID - Profile
  • + The manual manage:client_application scope added to the Connected App for each Client Application (as per the above KB article).
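The following script is an added example and not MuleSoft's own code. It performs the two calls from this article in the SOLUTION 2 form (the Connected App acting as its own via client_credentials, so no user password or MFA is involved), then interprets the Exchange response: a 403 like the one in the SYMPTOM section is reported as a permission/scope problem, and a helper compares a Connected App's granted scopes against the minimum list above. The token endpoint and contracts URL are the ones shown on this page; the client_credentials request body, the org/API id values in the usage block and the constructed responses in the test are assumptions.

```python
"""Added example: token + contracts request for a Connected App acting as its own.
Not MuleSoft code. Endpoints are the ones from the article; everything else is assumed."""
import json
import os
import urllib.request
from urllib.error import HTTPError

TOKEN_URL = "https://anypoint.mulesoft.com/accounts/api/v2/oauth2/token"
EXCHANGE_BASE = "https://anypoint.mulesoft.com/exchange/api/v2"

# Minimum Connected App scopes listed in the article (display names as shown in
# Access Management). The per-application manage:client_application permission is
# granted separately, so it is checked via the 403 diagnosis, not this list.
MIN_SCOPES = (
    "API Manager - Manage Contracts",
    "API Manager - View Contracts",
    "Exchange - Exchange Viewer",
    "General - View Environment",
    "General - View Organization",
    "Open ID - Profile",
)


def missing_scopes(granted):
    """Return the article's minimum scopes that are absent from the granted list."""
    granted = set(granted)
    return [scope for scope in MIN_SCOPES if scope not in granted]


def http_send(method, url, headers, body=None):
    """Real transport: (status, parsed JSON). Injectable so the calls can be tested offline."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.getcode(), json.loads(resp.read() or b"{}")
    except HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def get_client_credentials_token(client_id, client_secret, send=http_send):
    """Connected App acting as its own (assumed body shape: grant_type client_credentials)."""
    status, body = send(
        "POST", TOKEN_URL, {"Content-Type": "application/json"},
        {"grant_type": "client_credentials",
         "client_id": client_id, "client_secret": client_secret},
    )
    if status != 200 or "access_token" not in body:
        raise RuntimeError(f"token request failed: HTTP {status} {body}")
    return body["access_token"]


def diagnose(status, body):
    """Turn the Exchange response into an actionable hint for the operator."""
    if status == 200:
        return "ok"
    if status == 403:
        # The article's 403 carries the message "Unauthorized" even though the token was valid.
        return (f"403 (message={body.get('message')!r}): the Connected App lacks the Managing "
                "permission (manage:client_application) on this client application or one of "
                "the minimum scopes; fix it in Access Management and retry")
    if status == 401:
        return "401: the bearer token is missing, expired or invalid; request a new one"
    return f"HTTP {status}: {body}"


def list_contracts(org_id, api_id, token, send=http_send):
    """GET the contracts for a client application. Returns (status, body, hint)."""
    url = f"{EXCHANGE_BASE}/organizations/{org_id}/applications/{api_id}/contracts"
    status, body = send(
        "GET", url,
        {"Content-Type": "application/json", "Authorization": f"Bearer {token}"},
    )
    return status, body, diagnose(status, body)


if __name__ == "__main__":
    # Assumed environment variable names; org/API ids are whatever your tenant uses.
    token = get_client_credentials_token(os.environ["ANYPOINT_CLIENT_ID"],
                                         os.environ["ANYPOINT_CLIENT_SECRET"])
    status, body, hint = list_contracts(os.environ["ANYPOINT_ORG_ID"],
                                        os.environ["ANYPOINT_API_ID"], token)
    print(status, hint)
    print(json.dumps(body, indent=2))
```

Because the transport is injectable, the same functions can be exercised against a recorded 403 body without touching Anypoint, which is convenient when documenting the permission fix in a runbook.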
Knowledge article number

001120307
