diff --git a/.github/workflows/pr-builder.yml b/.github/workflows/pr-builder.yml index d65b2ecdd18..b2d1820bc2c 100644 --- a/.github/workflows/pr-builder.yml +++ b/.github/workflows/pr-builder.yml @@ -34,7 +34,7 @@ jobs: distribution: "adopt" - name: Cache local Maven repository id: cache-maven-m2 - uses: actions/cache@v2 + uses: actions/cache@v3 env: cache-name: cache-m2 with: diff --git a/components/org.wso2.carbon.identity.api.server.dcr/pom.xml b/components/org.wso2.carbon.identity.api.server.dcr/pom.xml index 9acdae41cb0..555a114eda6 100644 --- a/components/org.wso2.carbon.identity.api.server.dcr/pom.xml +++ b/components/org.wso2.carbon.identity.api.server.dcr/pom.xml @@ -23,12 +23,12 @@ org.wso2.carbon.identity.inbound.auth.oauth2 identity-inbound-auth-oauth - 7.0.245-SNAPSHOT + 7.0.255-SNAPSHOT ../../pom.xml org.wso2.carbon.identity.api.server.dcr - 7.0.245-SNAPSHOT + 7.0.255-SNAPSHOT WSO2 Carbon - User DCR Rest API WSO2 Carbon - User DCR Rest API diff --git a/components/org.wso2.carbon.identity.api.server.oauth.scope/pom.xml b/components/org.wso2.carbon.identity.api.server.oauth.scope/pom.xml index 652b447a9b7..bd09fcdf0d8 100644 --- a/components/org.wso2.carbon.identity.api.server.oauth.scope/pom.xml +++ b/components/org.wso2.carbon.identity.api.server.oauth.scope/pom.xml @@ -23,12 +23,12 @@ org.wso2.carbon.identity.inbound.auth.oauth2 identity-inbound-auth-oauth - 7.0.245-SNAPSHOT + 7.0.255-SNAPSHOT ../.. org.wso2.carbon.identity.api.server.oauth.scope - 7.0.245-SNAPSHOT + 7.0.255-SNAPSHOT WSO2 Carbon - Identity OAuth 2.0 Scope Rest APIs Rest APIs for OAuth 2.0 Scope Handling diff --git a/components/org.wso2.carbon.identity.client.attestation.filter/pom.xml b/components/org.wso2.carbon.identity.client.attestation.filter/pom.xml index cabf5a5f17c..3eec0fcac7c 100644 --- a/components/org.wso2.carbon.identity.client.attestation.filter/pom.xml +++ b/components/org.wso2.carbon.identity.client.attestation.filter/pom.xml 
@@ -22,7 +22,7 @@ org.wso2.carbon.identity.inbound.auth.oauth2 identity-inbound-auth-oauth - 7.0.245-SNAPSHOT + 7.0.255-SNAPSHOT ../../pom.xml diff --git a/components/org.wso2.carbon.identity.discovery/pom.xml b/components/org.wso2.carbon.identity.discovery/pom.xml index 3945add1c8a..35df9eaeffe 100644 --- a/components/org.wso2.carbon.identity.discovery/pom.xml +++ b/components/org.wso2.carbon.identity.discovery/pom.xml @@ -21,7 +21,7 @@ org.wso2.carbon.identity.inbound.auth.oauth2 identity-inbound-auth-oauth ../../pom.xml - 7.0.245-SNAPSHOT + 7.0.255-SNAPSHOT 4.0.0 diff --git a/components/org.wso2.carbon.identity.oauth.ciba/pom.xml b/components/org.wso2.carbon.identity.oauth.ciba/pom.xml index 779c2b42474..338e03742f8 100644 --- a/components/org.wso2.carbon.identity.oauth.ciba/pom.xml +++ b/components/org.wso2.carbon.identity.oauth.ciba/pom.xml @@ -20,7 +20,7 @@ identity-inbound-auth-oauth org.wso2.carbon.identity.inbound.auth.oauth2 - 7.0.245-SNAPSHOT + 7.0.255-SNAPSHOT ../../pom.xml diff --git a/components/org.wso2.carbon.identity.oauth.client.authn.filter/pom.xml b/components/org.wso2.carbon.identity.oauth.client.authn.filter/pom.xml index 22f237106b7..52e3ab365d5 100644 --- a/components/org.wso2.carbon.identity.oauth.client.authn.filter/pom.xml +++ b/components/org.wso2.carbon.identity.oauth.client.authn.filter/pom.xml @@ -22,7 +22,7 @@ org.wso2.carbon.identity.inbound.auth.oauth2 identity-inbound-auth-oauth ../../pom.xml - 7.0.245-SNAPSHOT + 7.0.255-SNAPSHOT 4.0.0 diff --git a/components/org.wso2.carbon.identity.oauth.common/pom.xml b/components/org.wso2.carbon.identity.oauth.common/pom.xml index 49389493611..76d94a7b060 100644 --- a/components/org.wso2.carbon.identity.oauth.common/pom.xml +++ b/components/org.wso2.carbon.identity.oauth.common/pom.xml @@ -23,7 +23,7 @@ org.wso2.carbon.identity.inbound.auth.oauth2 identity-inbound-auth-oauth ../../pom.xml - 7.0.245-SNAPSHOT + 7.0.255-SNAPSHOT 4.0.0 
diff --git a/components/org.wso2.carbon.identity.oauth.dcr.endpoint/pom.xml b/components/org.wso2.carbon.identity.oauth.dcr.endpoint/pom.xml index d130e616b86..f819caf1f67 100644 --- a/components/org.wso2.carbon.identity.oauth.dcr.endpoint/pom.xml +++ b/components/org.wso2.carbon.identity.oauth.dcr.endpoint/pom.xml @@ -6,7 +6,7 @@ org.wso2.carbon.identity.inbound.auth.oauth2 identity-inbound-auth-oauth ../../pom.xml - 7.0.245-SNAPSHOT + 7.0.255-SNAPSHOT 4.0.0 diff --git a/components/org.wso2.carbon.identity.oauth.dcr/pom.xml b/components/org.wso2.carbon.identity.oauth.dcr/pom.xml index d1ba71ddb3b..9a6697c8c34 100644 --- a/components/org.wso2.carbon.identity.oauth.dcr/pom.xml +++ b/components/org.wso2.carbon.identity.oauth.dcr/pom.xml @@ -22,7 +22,7 @@ org.wso2.carbon.identity.inbound.auth.oauth2 identity-inbound-auth-oauth ../../pom.xml - 7.0.245-SNAPSHOT + 7.0.255-SNAPSHOT 4.0.0 diff --git a/components/org.wso2.carbon.identity.oauth.endpoint/pom.xml b/components/org.wso2.carbon.identity.oauth.endpoint/pom.xml index ee7db096253..6ebd3f670a7 100644 --- a/components/org.wso2.carbon.identity.oauth.endpoint/pom.xml +++ b/components/org.wso2.carbon.identity.oauth.endpoint/pom.xml @@ -22,7 +22,7 @@ org.wso2.carbon.identity.inbound.auth.oauth2 identity-inbound-auth-oauth ../../pom.xml - 7.0.245-SNAPSHOT + 7.0.255-SNAPSHOT 4.0.0 diff --git a/components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/authz/OAuth2AuthzEndpoint.java b/components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/authz/OAuth2AuthzEndpoint.java index 87582e9a246..c64baee318a 100644 --- a/components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/authz/OAuth2AuthzEndpoint.java +++ b/components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/authz/OAuth2AuthzEndpoint.java 
@@ -4206,6 +4206,21 @@ private void associateAuthenticationHistory(SessionDataCacheEntry resultFromLogi
 */
 private List getAMRValues(List authMethods, Map authenticatedIdPs) {
+ boolean authenticatorAMREnabled = true;
+ if (authenticatorAMREnabled) {
+ List resultantAuthMethods = new ArrayList<>();
+ for (Map.Entry entry : authenticatedIdPs.entrySet()) {
+ if (entry.getValue() != null && entry.getValue().getAuthenticators() != null) {
+ for (AuthenticatorConfig authenticatorConfig : entry.getValue().getAuthenticators()) {
+ if (authenticatorConfig != null && authenticatorConfig.getAmrValue() != null) {
+ resultantAuthMethods.addAll(Arrays.asList(authenticatorConfig.getAmrValue()));
+ }
+ }
+ }
+ }
+ return resultantAuthMethods;
+ }
+
 boolean readAMRValueFromIdp = Boolean.parseBoolean(IdentityUtil.getProperty(
 OAuthConstants.READ_AMR_VALUE_FROM_IDP));
 if (readAMRValueFromIdp) {
diff --git a/components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/util/ClaimUtil.java b/components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/util/ClaimUtil.java
index fbb1759a450..71b2d2c1950 100644
--- a/components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/util/ClaimUtil.java
+++ b/components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/util/ClaimUtil.java
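Review bot: `boolean authenticatorAMREnabled = true;` is a hard-coded local, so the new branch is always taken and everything after it in getAMRValues — including the READ_AMR_VALUE_FROM_IDP path the method still reads on the next statement — is now unreachable, and the `authMethods` parameter is never consulted on the new path. If this is meant to be a switch, source it from configuration the way the following statement does (`Boolean.parseBoolean(IdentityUtil.getProperty(...))` with a dedicated OAuthConstants key) and document the fallback; if the old path is truly retired, delete it rather than leaving dead code behind a constant. `resultantAuthMethods` is a List, so an AMR value reported by authenticators of two different IdPs is emitted twice in the amr claim; collecting into a `LinkedHashSet` and returning `new ArrayList<>(set)` keeps order and drops the duplicates. The method's Javadoc, which sits just above the hunk, should also state that AMR values are now taken from each authenticated IdP's AuthenticatorConfig; getAMRValues continues past the end of the hunk.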
@@ -18,13 +18,16 @@ package org.wso2.carbon.identity.oauth.endpoint.util; +import org.apache.commons.collections.CollectionUtils; import org.apache.commons.lang.ArrayUtils; import org.apache.commons.lang.StringUtils; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.apache.oltu.oauth2.common.error.OAuthError; import org.wso2.carbon.identity.application.authentication.framework.exception.FrameworkException; +import org.wso2.carbon.identity.application.authentication.framework.handler.approles.exception.ApplicationRolesException; import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser; +import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants; import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils; import org.wso2.carbon.identity.application.common.model.ClaimMapping; import org.wso2.carbon.identity.application.common.model.ServiceProvider; @@ -50,6 +53,8 @@ import org.wso2.carbon.identity.oauth2.util.AuthzUtil; import org.wso2.carbon.identity.oauth2.util.OAuth2Util; import org.wso2.carbon.identity.openidconnect.OIDCClaimUtil; +import org.wso2.carbon.identity.organization.management.service.exception.OrganizationManagementException; +import org.wso2.carbon.identity.organization.management.service.util.OrganizationManagementUtil; import org.wso2.carbon.user.api.RealmConfiguration; import org.wso2.carbon.user.api.UserStoreException; import org.wso2.carbon.user.core.UserRealm; 
@@ -190,13 +195,15 @@ public static Map getClaimsFromUserStore(OAuth2TokenValidationRe realm = getUserRealm(null, userAccessingTenantDomain); try { FrameworkUtils.startTenantFlow(userAccessingTenantDomain); - userClaims = getUserClaimsFromUserStore(sharedUserId, realm, claimURIList); + userClaims = getUserClaimsFromUserStoreWithResolvedRoles(authenticatedUser, serviceProvider, + sharedUserId, realm, claimURIList); } finally { FrameworkUtils.endTenantFlow(); } } else { realm = getUserRealm(null, userTenantDomain); - userClaims = getUserClaimsFromUserStore(userId, realm, claimURIList); + userClaims = getUserClaimsFromUserStoreWithResolvedRoles(authenticatedUser, serviceProvider, + userId, realm, claimURIList); } if (isNotEmpty(userClaims)) { 
@@ -335,6 +342,42 @@ private static Map getUserClaimsFromUserStore(String userId,
 return userClaims;
 }
+ private static Map getUserClaimsFromUserStoreWithResolvedRoles(AuthenticatedUser authenticatedUser,
+ ServiceProvider serviceProvider,
+ String resolvedUserId,
+ UserRealm realm,
+ List claimURIList)
+ throws UserStoreException {
+
+ Map userClaims = getUserClaimsFromUserStore(resolvedUserId, realm, claimURIList);
+ try {
+ // Check whether the roles claim is requested.
+ boolean isRoleClaimRequested = CollectionUtils.isNotEmpty(claimURIList) &&
+ claimURIList.contains(FrameworkConstants.ROLES_CLAIM);
+ String appTenantDomain = serviceProvider.getTenantDomain();
+ // Check whether the application is a shared app or an application created in sub org.
+ boolean isSubOrgApp = OrganizationManagementUtil.isOrganization(appTenantDomain);
+ // Resolving roles claim for sub org apps and shared apps since backward compatibility is not needed.
+ if (isRoleClaimRequested && isSubOrgApp) {
+ String[] appAssociatedRoles = OIDCClaimUtil.getAppAssociatedRolesOfUser(authenticatedUser,
+ serviceProvider.getApplicationResourceId());
+ if (appAssociatedRoles != null && appAssociatedRoles.length > 0) {
+ // If application associated roles are returned, set the roles claim using resolved roles.
+ userClaims.put(FrameworkConstants.ROLES_CLAIM,
+ String.join(FrameworkUtils.getMultiAttributeSeparator(), appAssociatedRoles));
+ } else {
+ // If no roles are returned, remove the roles claim from user claims.
+ userClaims.remove(FrameworkConstants.ROLES_CLAIM);
+ }
+ }
+ } catch (ApplicationRolesException e) {
+ throw new UserStoreException("Error while retrieving application associated roles for user.", e);
+ } catch (OrganizationManagementException e) {
+ throw new UserStoreException("Error while checking whether application tenant domain is an organization.");
+ }
+ return userClaims;
+ }
+
 private static UserRealm getUserRealm(String username, String userTenantDomain)
 throws IdentityException, UserInfoEndpointException {
diff --git a/components/org.wso2.carbon.identity.oauth.endpoint/src/test/java/org/wso2/carbon/identity/oauth/endpoint/util/ClaimUtilTest.java b/components/org.wso2.carbon.identity.oauth.endpoint/src/test/java/org/wso2/carbon/identity/oauth/endpoint/util/ClaimUtilTest.java
index 653b754b76f..bc973c12142 100644
--- a/components/org.wso2.carbon.identity.oauth.endpoint/src/test/java/org/wso2/carbon/identity/oauth/endpoint/util/ClaimUtilTest.java
+++ b/components/org.wso2.carbon.identity.oauth.endpoint/src/test/java/org/wso2/carbon/identity/oauth/endpoint/util/ClaimUtilTest.java
@@ -18,6 +18,7 @@ package org.wso2.carbon.identity.oauth.endpoint.util;
 import org.apache.commons.collections.map.HashedMap;
+import org.apache.commons.lang.StringUtils;
 import org.mockito.Mock;
 import org.mockito.MockedStatic;
 import org.mockito.testng.MockitoTestNGListener;
@@ -51,6 +52,8 @@ import org.wso2.carbon.identity.oauth2.internal.OAuth2ServiceComponentHolder;
 import org.wso2.carbon.identity.oauth2.model.AccessTokenDO;
 import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
+import org.wso2.carbon.identity.openidconnect.OIDCClaimUtil;
+import org.wso2.carbon.identity.organization.management.service.util.OrganizationManagementUtil;
 import org.wso2.carbon.user.api.RealmConfiguration;
 import org.wso2.carbon.user.core.UserRealm;
 import org.wso2.carbon.user.core.UserStoreException;
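Review bot: The `OrganizationManagementException` catch in getUserClaimsFromUserStoreWithResolvedRoles discards the cause — `throw new UserStoreException("Error while checking whether application tenant domain is an organization.", e);` matches the sibling `ApplicationRolesException` branch and keeps the root failure in the logs. `serviceProvider.getTenantDomain()` and the `isOrganization` lookup run even when the roles claim was not requested; testing `isRoleClaimRequested` first and resolving the tenant domain only inside that branch avoids the extra call, and whether `serviceProvider` can be null at this call site I cannot tell from the hunk. The new method has no Javadoc; a short summary saying that, for applications in a sub-organization, the user-store roles claim is replaced by the roles associated with the application and removed entirely when there are none (so user-store roles not associated with the application are not returned) would make the intent clear to the next reader.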
@@ -119,8 +122,10 @@ public class ClaimUtilTest { private RoleMapping[] roleMappings; private ClaimMapping[] requestedClaimMappings; + private ClaimMapping[] requestedClaimMappingsWithRoles; private Map userClaimsMap; + private Map userClaimsMapWithRoles; private Map spToLocalClaimMappings; 
@@ -132,35 +137,48 @@ public class ClaimUtilTest { private static final String USERNAME_CLAIM_URI = "http://wso2.org/claims/username"; private static final String EMAIL_CLAIM_URI = "http://wso2.org/claims/emailaddress"; private static final String ROLE_CLAIM_URI = "http://wso2.org/claims/role"; + private static final String ROLES_CLAIM_URI = "http://wso2.org/claims/roles"; @BeforeClass public void setup() { //Setting requested claims in SP requestedClaimMappings = new ClaimMapping[3]; + requestedClaimMappingsWithRoles = new ClaimMapping[4]; ClaimMapping claimMapping1 = new ClaimMapping(); ClaimMapping claimMapping2 = new ClaimMapping(); ClaimMapping claimMapping3 = new ClaimMapping(); + ClaimMapping claimMapping4 = new ClaimMapping(); Claim claim1 = new Claim(); Claim claim2 = new Claim(); Claim claim3 = new Claim(); + Claim claim4 = new Claim(); claim1.setClaimUri(USERNAME_CLAIM_URI); claimMapping1.setLocalClaim(claim1); claimMapping1.setRemoteClaim(claim1); requestedClaimMappings[0] = claimMapping1; + requestedClaimMappingsWithRoles[0] = claimMapping1; claim2.setClaimUri(ROLE_CLAIM_URI); claimMapping2.setLocalClaim(claim2); claimMapping2.setRemoteClaim(claim2); requestedClaimMappings[1] = claimMapping2; + requestedClaimMappingsWithRoles[1] = claimMapping2; claim3.setClaimUri(EMAIL_CLAIM_URI); claimMapping3.setLocalClaim(claim3); claimMapping3.setRemoteClaim(claim3); claimMapping3.setRequested(true); requestedClaimMappings[2] = claimMapping3; + requestedClaimMappingsWithRoles[2] = claimMapping3; + + claim4.setClaimUri(ROLES_CLAIM_URI); + claimMapping4.setLocalClaim(claim4); + claimMapping4.setRemoteClaim(claim4); + claimMapping4.setRequested(true); + requestedClaimMappingsWithRoles[3] = claimMapping4; //Setting returning claims from user store userClaimsMap = new HashMap<>(); 
@@ -171,6 +189,10 @@ public void setup() { userClaimsMapWithSubject = new HashedMap(); userClaimsMap.put(USERNAME_CLAIM_URI, AUTHORIZED_USER); + userClaimsMapWithRoles = new HashMap<>(); + userClaimsMapWithRoles.putAll(userClaimsMap); + userClaimsMapWithRoles.put(ROLES_CLAIM_URI, "Internal/Role1,Internal/Role2,Internal/Role3"); + //Setting SP to local claim mapping spToLocalClaimMappings = new HashMap<>(); spToLocalClaimMappings.put(USERNAME_CLAIM_URI, USERNAME_CLAIM_URI); @@ -250,7 +272,9 @@ public void testGetClaimsFromUserStore(boolean mockRealm, boolean mockAccessToke mockStatic(OAuth2ServiceComponentHolder.class); MockedStatic claimMetadataHandler = mockStatic(ClaimMetadataHandler.class); - MockedStatic identityUtil = mockStatic(IdentityUtil.class)) { + MockedStatic identityUtil = mockStatic(IdentityUtil.class); + MockedStatic organizationManagementUtil = + mockStatic(OrganizationManagementUtil.class)) { oAuthServerConfiguration.when(OAuthServerConfiguration::getInstance) .thenReturn(mockedOAuthServerConfiguration); @@ -289,6 +313,8 @@ public void testGetClaimsFromUserStore(boolean mockRealm, boolean mockAccessToke mockedApplicationManagementService); lenient().when(mockedApplicationManagementService.getServiceProviderNameByClientId( anyString(), anyString(), anyString())).thenReturn("SP1"); + organizationManagementUtil.when(() -> OrganizationManagementUtil.isOrganization(anyString())) + .thenReturn(false); if (mockServiceProvider) { lenient().when( @@ -302,6 +328,7 @@ public void testGetClaimsFromUserStore(boolean mockRealm, boolean mockAccessToke mockedUserStoreManager = mock(AbstractUserStoreManager.class); when(mockedUserRealm.getUserStoreManager()).thenReturn(mockedUserStoreManager); + lenient().when(mockedServiceProvider.getTenantDomain()).thenReturn("carbon.super"); lenient().when(mockedServiceProvider.getClaimConfig()).thenReturn(mockedClaimConfig); lenient().when(mockedClaimConfig.getClaimMappings()).thenReturn(claimMappings); 
@@ -351,6 +378,121 @@ public void testGetClaimsFromUserStore(boolean mockRealm, boolean mockAccessToke } } + @DataProvider(name = "provideDataForGetClaimsFromUserForSubOrgUsers") + public Object[][] provideDataForGetClaimsFromUserForSubOrgUsers() { + + return new Object[][]{ + {new String[]{"Internal/Role1", "Internal/Role2"}, "Internal/Role1,Internal/Role2", 3}, + {new String[0], null, 2} + }; + } + + @Test(dataProvider = "provideDataForGetClaimsFromUserForSubOrgUsers") + public void testGetClaimsFromUserStoreForSubOrgUsers(String[] appAssociatedRoles, String expectedRolesClaim, + int expectedMapSize) throws Exception { + + try (MockedStatic identityTenantUtil = mockStatic(IdentityTenantUtil.class); + MockedStatic oAuthServerConfiguration = mockStatic( + OAuthServerConfiguration.class); + MockedStatic frameworkUtils = mockStatic(FrameworkUtils.class); + MockedStatic oAuth2ServiceComponentHolder = + mockStatic(OAuth2ServiceComponentHolder.class); + MockedStatic claimMetadataHandler = + mockStatic(ClaimMetadataHandler.class); + MockedStatic identityUtil = mockStatic(IdentityUtil.class); + MockedStatic organizationManagementUtil = + mockStatic(OrganizationManagementUtil.class); + MockedStatic oidcClaimUtil = mockStatic(OIDCClaimUtil.class); + MockedStatic oAuth2Util = mockStatic(OAuth2Util.class)) { + + oAuthServerConfiguration.when(OAuthServerConfiguration::getInstance) + .thenReturn(mockedOAuthServerConfiguration); + identityTenantUtil.when(() -> IdentityTenantUtil.getRealm(anyString(), isNull())) + .thenReturn(mockedUserRealm); + lenient().when(mockedOAuthServerConfiguration.isMapFederatedUsersToLocal()) + .thenReturn(false); + + mockOAuth2Util(oAuth2Util); + + AuthenticatedUser authenticatedUser = getAuthenticatedUser("subOrgTenant", "PRIMARY", + "test-user", false, "4b4414e1-916b-4475-aaee-6b0751c29f11"); + + frameworkUtils.when(() -> FrameworkUtils.resolveUserIdFromUsername(anyInt(), anyString(), anyString())) + 
.thenReturn("4b4414e1-916b-4475-aaee-6b0751c29f11"); + frameworkUtils.when(FrameworkUtils::getMultiAttributeSeparator).thenReturn(CLAIM_SEPARATOR); + + AccessTokenDO accessTokenDO = getAccessTokenDO(CLIENT_ID, authenticatedUser); + oAuth2Util.when(() -> OAuth2Util.getAccessTokenIdentifier(any())).thenReturn("DummyIdentifier"); + oAuth2Util.when(() -> OAuth2Util.getAccessTokenDOfromTokenIdentifier(anyString())) + .thenReturn(accessTokenDO); + oAuth2Util.when(() -> OAuth2Util.findAccessToken(any(), anyBoolean())).thenReturn(accessTokenDO); + + oAuth2ServiceComponentHolder.when(OAuth2ServiceComponentHolder::getApplicationMgtService).thenReturn( + mockedApplicationManagementService); + lenient().when(mockedApplicationManagementService.getServiceProviderNameByClientId( + anyString(), anyString(), anyString())).thenReturn("SP1"); + organizationManagementUtil.when(() -> OrganizationManagementUtil.isOrganization(anyString())) + .thenReturn(true); + lenient().when( + mockedApplicationManagementService.getServiceProviderByClientId(anyString(), anyString(), + anyString())).thenReturn(mockedServiceProvider); + + lenient().when(mockedValidationTokenResponseDTO.getAuthorizedUser()).thenReturn(AUTHORIZED_USER); + when(mockedValidationTokenResponseDTO.getAuthorizationContextToken()).thenReturn( + mockedAuthzContextToken); + mockedUserStoreManager = mock(AbstractUserStoreManager.class); + when(mockedUserRealm.getUserStoreManager()).thenReturn(mockedUserStoreManager); + + lenient().when(mockedServiceProvider.getTenantDomain()).thenReturn("subOrgTenant"); + lenient().when(mockedServiceProvider.getApplicationResourceId()).thenReturn("appUuid"); + lenient().when(mockedServiceProvider.getClaimConfig()).thenReturn(mockedClaimConfig); + lenient().when(mockedClaimConfig.getClaimMappings()).thenReturn(requestedClaimMappingsWithRoles); + + lenient().when(mockedServiceProvider.getLocalAndOutBoundAuthenticationConfig()).thenReturn( + mockedLocalAndOutboundConfig); + 
lenient().when(mockedLocalAndOutboundConfig.getSubjectClaimUri()).thenReturn(USERNAME_CLAIM_URI); + + claimMetadataHandler.when(ClaimMetadataHandler::getInstance).thenReturn(mockedClaimMetadataHandler); + Map spToLocalClaimMappingsWithRoles = new HashMap<>(); + spToLocalClaimMappingsWithRoles.put(USERNAME_CLAIM_URI, USERNAME_CLAIM_URI); + spToLocalClaimMappingsWithRoles.put(ROLES_CLAIM_URI, ROLES_CLAIM_URI); + spToLocalClaimMappingsWithRoles.put(EMAIL_CLAIM_URI, EMAIL_CLAIM_URI); + lenient().when(mockedClaimMetadataHandler.getMappingsMapFromOtherDialectToCarbon( + anyString(), isNull(), anyString(), anyBoolean())).thenReturn(spToLocalClaimMappingsWithRoles); + + lenient().when(mockedUserStoreManager.getUserClaimValuesWithID(anyString(), any(String[].class), + isNull())). + thenReturn(userClaimsMapWithRoles); + + identityUtil.when(() -> IdentityUtil.extractDomainFromName(anyString())).thenReturn("PRIMARY"); + + lenient().when(mockedUserRealm.getUserStoreManager()).thenReturn(mockedUserStoreManager); + lenient().when(mockedUserStoreManager.getSecondaryUserStoreManager(anyString())).thenReturn( + mockedUserStoreManager); + lenient().when(mockedUserStoreManager.getRealmConfiguration()).thenReturn(mockedRealmConfiguration); + lenient().when(mockedRealmConfiguration.getUserStoreProperty( + IdentityCoreConstants.MULTI_ATTRIBUTE_SEPARATOR)).thenReturn(CLAIM_SEPARATOR); + + lenient().when(mockedServiceProvider.getPermissionAndRoleConfig()) + .thenReturn(mockedPermissionAndRoleConfig); + lenient().when(mockedPermissionAndRoleConfig.getRoleMappings()).thenReturn(roleMappings); + + oidcClaimUtil.when(() -> OIDCClaimUtil.getAppAssociatedRolesOfUser(any(), anyString())) + .thenReturn(appAssociatedRoles); + + OAuth2ServiceComponentHolder oAuth2ServiceComponentHolderInstance = + mock(OAuth2ServiceComponentHolder.class); + when(OAuth2ServiceComponentHolder.getInstance()).thenReturn(oAuth2ServiceComponentHolderInstance); + 
when(oAuth2ServiceComponentHolderInstance.getTokenProvider()) + .thenReturn(new DefaultTokenProvider()); + Map claimsMap = ClaimUtil.getClaimsFromUserStore(mockedValidationTokenResponseDTO); + Assert.assertEquals(claimsMap.size(), expectedMapSize); + if (StringUtils.isNotBlank(expectedRolesClaim)) { + Assert.assertEquals(claimsMap.get(ROLES_CLAIM_URI), expectedRolesClaim); + } + } + } + protected void mockOAuth2Util(MockedStatic oAuth2Util) throws IdentityOAuth2Exception, InvalidOAuthClientException { diff --git a/components/org.wso2.carbon.identity.oauth.extension/pom.xml b/components/org.wso2.carbon.identity.oauth.extension/pom.xml index 0ff064dea66..24f5ae20686 100644 --- a/components/org.wso2.carbon.identity.oauth.extension/pom.xml +++ b/components/org.wso2.carbon.identity.oauth.extension/pom.xml @@ -19,7 +19,7 @@ identity-inbound-auth-oauth org.wso2.carbon.identity.inbound.auth.oauth2 - 7.0.245-SNAPSHOT + 7.0.255-SNAPSHOT ../../pom.xml 4.0.0 diff --git a/components/org.wso2.carbon.identity.oauth.par/pom.xml b/components/org.wso2.carbon.identity.oauth.par/pom.xml index e4c960da5ff..e10dd23b3b3 100644 --- a/components/org.wso2.carbon.identity.oauth.par/pom.xml +++ b/components/org.wso2.carbon.identity.oauth.par/pom.xml @@ -23,7 +23,7 @@ org.wso2.carbon.identity.inbound.auth.oauth2 identity-inbound-auth-oauth ../../pom.xml - 7.0.245-SNAPSHOT + 7.0.255-SNAPSHOT 4.0.0 diff --git a/components/org.wso2.carbon.identity.oauth.rar/pom.xml b/components/org.wso2.carbon.identity.oauth.rar/pom.xml index 28a4d06db6c..91ae32975a3 100644 --- a/components/org.wso2.carbon.identity.oauth.rar/pom.xml +++ b/components/org.wso2.carbon.identity.oauth.rar/pom.xml @@ -22,7 +22,7 @@ org.wso2.carbon.identity.inbound.auth.oauth2 identity-inbound-auth-oauth ../../pom.xml - 7.0.245-SNAPSHOT + 7.0.255-SNAPSHOT 4.0.0 
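Review bot: In testGetClaimsFromUserStoreForSubOrgUsers the `new String[0]` row checks only `claimsMap.size()`, so the assertion that the user-store roles value was actually removed is implicit; add `else { Assert.assertFalse(claimsMap.containsKey(ROLES_CLAIM_URI)); }` after the existing `if` so a regression that keeps "Internal/Role1,Internal/Role2,Internal/Role3" but drops some other claim still fails. The production code also handles `getAppAssociatedRolesOfUser` returning `null`, which no data row exercises; a third row `{null, null, 2}` in provideDataForGetClaimsFromUserForSubOrgUsers would cover it.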
diff --git a/components/org.wso2.carbon.identity.oauth.scope.endpoint/pom.xml b/components/org.wso2.carbon.identity.oauth.scope.endpoint/pom.xml index 2a12c6cf885..514a85531b6 100644 --- a/components/org.wso2.carbon.identity.oauth.scope.endpoint/pom.xml +++ b/components/org.wso2.carbon.identity.oauth.scope.endpoint/pom.xml @@ -22,7 +22,7 @@ org.wso2.carbon.identity.inbound.auth.oauth2 identity-inbound-auth-oauth ../../pom.xml - 7.0.245-SNAPSHOT + 7.0.255-SNAPSHOT 4.0.0 diff --git a/components/org.wso2.carbon.identity.oauth.stub/pom.xml b/components/org.wso2.carbon.identity.oauth.stub/pom.xml index fffc43857e5..34cbae075a9 100644 --- a/components/org.wso2.carbon.identity.oauth.stub/pom.xml +++ b/components/org.wso2.carbon.identity.oauth.stub/pom.xml @@ -22,7 +22,7 @@ org.wso2.carbon.identity.inbound.auth.oauth2 identity-inbound-auth-oauth ../../pom.xml - 7.0.245-SNAPSHOT + 7.0.255-SNAPSHOT 4.0.0 diff --git a/components/org.wso2.carbon.identity.oauth.ui/pom.xml b/components/org.wso2.carbon.identity.oauth.ui/pom.xml index 5d8b4b040e9..0fef2d23e79 100644 --- a/components/org.wso2.carbon.identity.oauth.ui/pom.xml +++ b/components/org.wso2.carbon.identity.oauth.ui/pom.xml @@ -22,7 +22,7 @@ org.wso2.carbon.identity.inbound.auth.oauth2 identity-inbound-auth-oauth ../../pom.xml - 7.0.245-SNAPSHOT + 7.0.255-SNAPSHOT 4.0.0 diff --git a/components/org.wso2.carbon.identity.oauth/pom.xml b/components/org.wso2.carbon.identity.oauth/pom.xml index 80116c13137..d49c95c9b6f 100644 --- a/components/org.wso2.carbon.identity.oauth/pom.xml +++ b/components/org.wso2.carbon.identity.oauth/pom.xml @@ -23,7 +23,7 @@ org.wso2.carbon.identity.inbound.auth.oauth2 identity-inbound-auth-oauth ../../pom.xml - 7.0.245-SNAPSHOT + 7.0.255-SNAPSHOT 4.0.0 
@@ -435,9 +435,9 @@ org.wso2.carbon.identity.application.common.*;version="${carbon.identity.framework.imp.pkg.version.range}", org.wso2.carbon.identity.application.authentication.framework.*;version="${carbon.identity.framework.imp.pkg.version.range}", org.wso2.carbon.identity.user.store.configuration.*;version="${carbon.identity.framework.imp.pkg.version.range}", - org.wso2.carbon.identity.rule.evaluation.model; version="${carbon.identity.framework.imp.pkg.version.range}", - org.wso2.carbon.identity.rule.evaluation.exception; version="${carbon.identity.framework.imp.pkg.version.range}", - org.wso2.carbon.identity.rule.evaluation.provider; version="${carbon.identity.framework.imp.pkg.version.range}", + org.wso2.carbon.identity.rule.evaluation.api.model; version="${carbon.identity.framework.imp.pkg.version.range}", + org.wso2.carbon.identity.rule.evaluation.api.exception; version="${carbon.identity.framework.imp.pkg.version.range}", + org.wso2.carbon.identity.rule.evaluation.api.provider; version="${carbon.identity.framework.imp.pkg.version.range}", org.wso2.carbon.identity.oauth.common.token.bindings.*;version="${identity.inbound.auth.oauth.imp.pkg.version.range}", org.wso2.carbon.identity.oauth.common.*;version="${identity.inbound.auth.oauth.imp.pkg.version.range}", diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/OAuthUtil.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/OAuthUtil.java index ca9d04ae0f0..dcd86dc4616 100755 --- a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/OAuthUtil.java +++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/OAuthUtil.java 
@@ -1116,9 +1116,9 @@ public static boolean revokeTokens(String username, UserStoreManager userStoreMa
 .getTokenManagementDAO().getAllTimeAuthorizedClientIds(authenticatedOrgUser));
 }
- Set mainClientIds = new HashSet<>();
+ Set filteredClientIds = clientIds;
 if (role != null && RoleConstants.ORGANIZATION.equals(role.getAudience())) {
- mainClientIds = filterClientIdsWithOrganizationAudience(new ArrayList<>(clientIds),
+ filteredClientIds = filterClientIdsWithOrganizationAudience(new ArrayList<>(clientIds),
 authenticatedUser.getTenantDomain());
 }
@@ -1129,9 +1129,9 @@ public static boolean revokeTokens(String username, UserStoreManager userStoreMa
 organizationClientIds = filterClientIdsWithOrganizationAudience(new ArrayList<>(clientIds),
 userResidentTenantDomain);
 }
- clientIds.addAll(organizationClientIds);
+ filteredClientIds.addAll(organizationClientIds);
 }
- clientIds.addAll(mainClientIds);
+ clientIds = filteredClientIds;
 } catch (IdentityOAuth2Exception e) {
 LOG.error("Error occurred while retrieving apps authorized by User ID : " + authenticatedUser, e);
diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/action/execution/PreIssueAccessTokenRequestBuilder.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/action/execution/PreIssueAccessTokenRequestBuilder.java
index 0cc016f4244..74147676d9d 100755
--- a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/action/execution/PreIssueAccessTokenRequestBuilder.java
+++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/action/execution/PreIssueAccessTokenRequestBuilder.java
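Review bot: `clientIds = filteredClientIds;` changes what revokeTokens revokes when the role has ORGANIZATION audience: before, the filtered `mainClientIds` were merged back into the full set so every authorized client id survived, whereas now only the ids that pass filterClientIdsWithOrganizationAudience plus `organizationClientIds` remain, so tokens of applications without organization audience are no longer revoked for such a role change. If that narrowing is intended, it deserves a comment at the reassignment, e.g. `// An organization-audience role only affects apps with organization audience; keep the rest untouched.`, and a unit test that pins it, since silently skipping a revocation is the failure mode to worry about here. `Set filteredClientIds = clientIds;` also aliases the original set, so on the non-organization path `filteredClientIds.addAll(organizationClientIds)` mutates `clientIds` in place — the previous behaviour, but worth a one-line comment such as `// Aliases clientIds unless the role is organization-scoped.`. revokeTokens starts and ends outside these hunks, and the branch that populates organizationClientIds lies between them, so I cannot confirm the non-organization path from what is shown.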
@@ -21,18 +21,20 @@ import com.nimbusds.jwt.JWTClaimsSet; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; -import org.wso2.carbon.identity.action.execution.ActionExecutionRequestBuilder; -import org.wso2.carbon.identity.action.execution.exception.ActionExecutionRequestBuilderException; -import org.wso2.carbon.identity.action.execution.model.ActionExecutionRequest; -import org.wso2.carbon.identity.action.execution.model.ActionType; -import org.wso2.carbon.identity.action.execution.model.AllowedOperation; -import org.wso2.carbon.identity.action.execution.model.Event; -import org.wso2.carbon.identity.action.execution.model.Operation; -import org.wso2.carbon.identity.action.execution.model.Organization; -import org.wso2.carbon.identity.action.execution.model.Request; -import org.wso2.carbon.identity.action.execution.model.Tenant; -import org.wso2.carbon.identity.action.execution.model.User; -import org.wso2.carbon.identity.action.execution.model.UserStore; +import org.wso2.carbon.identity.action.execution.api.exception.ActionExecutionRequestBuilderException; +import org.wso2.carbon.identity.action.execution.api.model.ActionExecutionRequest; +import org.wso2.carbon.identity.action.execution.api.model.ActionExecutionRequestContext; +import org.wso2.carbon.identity.action.execution.api.model.ActionType; +import org.wso2.carbon.identity.action.execution.api.model.AllowedOperation; +import org.wso2.carbon.identity.action.execution.api.model.Event; +import org.wso2.carbon.identity.action.execution.api.model.FlowContext; +import org.wso2.carbon.identity.action.execution.api.model.Operation; +import org.wso2.carbon.identity.action.execution.api.model.Organization; +import org.wso2.carbon.identity.action.execution.api.model.Request; +import org.wso2.carbon.identity.action.execution.api.model.Tenant; +import org.wso2.carbon.identity.action.execution.api.model.User; +import org.wso2.carbon.identity.action.execution.api.model.UserStore; +import 
org.wso2.carbon.identity.action.execution.api.service.ActionExecutionRequestBuilder; import org.wso2.carbon.identity.application.authentication.framework.exception.UserIdNotFoundException; import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser; import org.wso2.carbon.identity.core.util.IdentityTenantUtil; @@ -80,11 +82,12 @@ public ActionType getSupportedActionType() { } @Override - public ActionExecutionRequest buildActionExecutionRequest(Map eventContext) + public ActionExecutionRequest buildActionExecutionRequest(FlowContext flowContext, + ActionExecutionRequestContext actionExecutionContext) throws ActionExecutionRequestBuilderException { OAuthTokenReqMessageContext tokenMessageContext = - (OAuthTokenReqMessageContext) eventContext.get("tokenMessageContext"); + flowContext.getValue("tokenMessageContext", OAuthTokenReqMessageContext.class); Map additionalClaimsToAddToToken = getAdditionalClaimsToAddToToken(tokenMessageContext); diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/action/execution/PreIssueAccessTokenResponseProcessor.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/action/execution/PreIssueAccessTokenResponseProcessor.java index 1657577e7cc..35f635bfeaf 100644 --- a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/action/execution/PreIssueAccessTokenResponseProcessor.java +++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/action/execution/PreIssueAccessTokenResponseProcessor.java 
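Review bot: `flowContext.getValue("tokenMessageContext", OAuthTokenReqMessageContext.class)` is handed straight to getAdditionalClaimsToAddToToken with no guard for a missing or mistyped entry; whether getValue returns null or throws in that case is not visible here, but a null would surface later as a NullPointerException rather than the ActionExecutionRequestBuilderException the method declares. A fail-fast check right after the lookup keeps the failure inside the declared contract: `if (tokenMessageContext == null) { throw new ActionExecutionRequestBuilderException("tokenMessageContext is missing from the flow context."); }`. The rest of buildActionExecutionRequest is outside the hunk.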
@@ -24,22 +24,23 @@ import org.apache.commons.httpclient.HttpStatus; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; -import org.wso2.carbon.identity.action.execution.ActionExecutionLogConstants; -import org.wso2.carbon.identity.action.execution.ActionExecutionResponseProcessor; -import org.wso2.carbon.identity.action.execution.exception.ActionExecutionResponseProcessorException; -import org.wso2.carbon.identity.action.execution.model.ActionExecutionStatus; -import org.wso2.carbon.identity.action.execution.model.ActionInvocationErrorResponse; -import org.wso2.carbon.identity.action.execution.model.ActionInvocationFailureResponse; -import org.wso2.carbon.identity.action.execution.model.ActionInvocationSuccessResponse; -import org.wso2.carbon.identity.action.execution.model.ActionType; -import org.wso2.carbon.identity.action.execution.model.Error; -import org.wso2.carbon.identity.action.execution.model.ErrorStatus; -import org.wso2.carbon.identity.action.execution.model.Event; -import org.wso2.carbon.identity.action.execution.model.FailedStatus; -import org.wso2.carbon.identity.action.execution.model.Failure; -import org.wso2.carbon.identity.action.execution.model.PerformableOperation; -import org.wso2.carbon.identity.action.execution.model.Success; -import org.wso2.carbon.identity.action.execution.model.SuccessStatus; +import org.wso2.carbon.identity.action.execution.api.constant.ActionExecutionLogConstants; +import org.wso2.carbon.identity.action.execution.api.exception.ActionExecutionResponseProcessorException; +import org.wso2.carbon.identity.action.execution.api.model.ActionExecutionResponseContext; +import org.wso2.carbon.identity.action.execution.api.model.ActionExecutionStatus; +import org.wso2.carbon.identity.action.execution.api.model.ActionInvocationErrorResponse; +import org.wso2.carbon.identity.action.execution.api.model.ActionInvocationFailureResponse; +import 
org.wso2.carbon.identity.action.execution.api.model.ActionInvocationSuccessResponse; +import org.wso2.carbon.identity.action.execution.api.model.ActionType; +import org.wso2.carbon.identity.action.execution.api.model.Error; +import org.wso2.carbon.identity.action.execution.api.model.ErrorStatus; +import org.wso2.carbon.identity.action.execution.api.model.FailedStatus; +import org.wso2.carbon.identity.action.execution.api.model.Failure; +import org.wso2.carbon.identity.action.execution.api.model.FlowContext; +import org.wso2.carbon.identity.action.execution.api.model.PerformableOperation; +import org.wso2.carbon.identity.action.execution.api.model.Success; +import org.wso2.carbon.identity.action.execution.api.model.SuccessStatus; +import org.wso2.carbon.identity.action.execution.api.service.ActionExecutionResponseProcessor; import org.wso2.carbon.identity.central.log.mgt.utils.LoggerUtils; import org.wso2.carbon.identity.oauth.action.model.AccessToken; import org.wso2.carbon.identity.oauth.action.model.ClaimPathInfo; 
@@ -80,15 +81,16 @@ public ActionType getSupportedActionType() { } @Override - public ActionExecutionStatus processSuccessResponse(Map eventContext, Event event, - ActionInvocationSuccessResponse - actionInvocationSuccessResponse) + public ActionExecutionStatus processSuccessResponse(FlowContext flowContext, + ActionExecutionResponseContext + + responseContext) throws ActionExecutionResponseProcessorException { OAuthTokenReqMessageContext tokenMessageContext = - (OAuthTokenReqMessageContext) eventContext.get("tokenMessageContext"); - PreIssueAccessTokenEvent preIssueAccessTokenEvent = (PreIssueAccessTokenEvent) event; - List operationsToPerform = actionInvocationSuccessResponse.getOperations(); + flowContext.getValue("tokenMessageContext", OAuthTokenReqMessageContext.class); + PreIssueAccessTokenEvent preIssueAccessTokenEvent = (PreIssueAccessTokenEvent) responseContext.getActionEvent(); + List operationsToPerform = responseContext.getActionInvocationResponse().getOperations(); AccessToken requestAccessToken = preIssueAccessTokenEvent.getAccessToken(); AccessToken.Builder responseAccessTokenBuilder = preIssueAccessTokenEvent.getAccessToken().copy(); @@ -120,7 +122,7 @@ public ActionExecutionStatus processSuccessResponse(Map AccessToken responseAccessToken = responseAccessTokenBuilder.build(); updateTokenMessageContext(tokenMessageContext, responseAccessToken); - return new SuccessStatus.Builder().setResponseContext(eventContext).build(); + return new SuccessStatus.Builder().setResponseContext(flowContext.getContextData()).build(); } private void logOperationExecutionResults(ActionType actionType, 
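Review bot: `(PreIssueAccessTokenEvent) responseContext.getActionEvent()` is an unchecked cast, as the old `(PreIssueAccessTokenEvent) event` was; if the executor ever routes a response for a different event type to this processor, the result is a ClassCastException rather than the ActionExecutionResponseProcessorException callers are written to handle. A guard before the cast keeps the failure inside the declared contract: `if (!(responseContext.getActionEvent() instanceof PreIssueAccessTokenEvent)) { throw new ActionExecutionResponseProcessorException("Unexpected action event type for PRE_ISSUE_ACCESS_TOKEN."); }`. The same applies to `flowContext.getValue("tokenMessageContext", ...)`, which is later passed to updateTokenMessageContext without a null check. processSuccessResponse's operation loop lies between the two hunks, outside this view.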
@@ -164,10 +166,13 @@ private void logOperationExecutionResults(ActionType actionType, } @Override - public ActionExecutionStatus processFailureResponse(Map eventContext, Event actionEvent, - ActionInvocationFailureResponse failureResponse) throws - ActionExecutionResponseProcessorException { + public ActionExecutionStatus processFailureResponse(FlowContext flowContext, + ActionExecutionResponseContext + + responseContext) + throws ActionExecutionResponseProcessorException { + ActionInvocationFailureResponse failureResponse = responseContext.getActionInvocationResponse(); handleInvalidErrorCodes(failureResponse.getFailureReason()); return new FailedStatus(new Failure(failureResponse.getFailureReason(), failureResponse.getFailureDescription())); @@ -207,9 +212,9 @@ private boolean isServerError(String errorCode) { } @Override - public ActionExecutionStatus processErrorResponse(Map map, Event event, - ActionInvocationErrorResponse - actionInvocationErrorResponse) + public ActionExecutionStatus processErrorResponse(FlowContext flowContext, + ActionExecutionResponseContext + responseContext) throws ActionExecutionResponseProcessorException { /* @@ -220,7 +225,7 @@ public ActionExecutionStatus processErrorResponse(Map map * However, currently this value is not propagated by the endpoint to comply with OAuth specification. */ return new ErrorStatus(new Error(OAuth2ErrorCodes.SERVER_ERROR, - actionInvocationErrorResponse.getErrorDescription())); + responseContext.getActionInvocationResponse().getErrorDescription())); } private void updateTokenMessageContext(OAuthTokenReqMessageContext tokenMessageContext, diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/action/model/OperationExecutionResult.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/action/model/OperationExecutionResult.java index 3d820c4f426..bb9534c7c1a 100644 
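Review bot: In processErrorResponse, `responseContext.getActionInvocationResponse().getErrorDescription()` forwards the external action endpoint's error description verbatim into the OAuth error returned to the client; the pre-refactor line did the same, but since the error code is deliberately pinned to SERVER_ERROR for spec compliance, the description arguably deserves the same treatment — a fixed message such as `"Error while executing the pre issue access token action."` with the endpoint's text logged server-side — so a misconfigured or compromised action endpoint cannot inject arbitrary text into token responses. If the description is already sanitised upstream in the action execution framework, a one-line comment saying so at the return would settle it. processErrorResponse's signature is in the preceding hunk and its body between the two hunks is outside this view.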
--- a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/action/model/OperationExecutionResult.java +++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/action/model/OperationExecutionResult.java @@ -18,7 +18,7 @@ package org.wso2.carbon.identity.oauth.action.model; -import org.wso2.carbon.identity.action.execution.model.PerformableOperation; +import org.wso2.carbon.identity.action.execution.api.model.PerformableOperation; /** * This class represents the result of the execution of an operation. diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/action/model/PreIssueAccessTokenEvent.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/action/model/PreIssueAccessTokenEvent.java index 631451c56cd..189997546a5 100644 --- a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/action/model/PreIssueAccessTokenEvent.java +++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/action/model/PreIssueAccessTokenEvent.java 
@@ -18,17 +18,17 @@ package org.wso2.carbon.identity.oauth.action.model; -import org.wso2.carbon.identity.action.execution.model.Event; -import org.wso2.carbon.identity.action.execution.model.Organization; -import org.wso2.carbon.identity.action.execution.model.Request; -import org.wso2.carbon.identity.action.execution.model.Tenant; -import org.wso2.carbon.identity.action.execution.model.User; -import org.wso2.carbon.identity.action.execution.model.UserStore; +import org.wso2.carbon.identity.action.execution.api.model.Event; +import org.wso2.carbon.identity.action.execution.api.model.Organization; +import org.wso2.carbon.identity.action.execution.api.model.Request; +import org.wso2.carbon.identity.action.execution.api.model.Tenant; +import org.wso2.carbon.identity.action.execution.api.model.User; +import org.wso2.carbon.identity.action.execution.api.model.UserStore; /** * This class models the event at a pre issue access token trigger. * PreIssueAccessTokenEvent is the entity that represents the event that is sent to the Action - * over {@link org.wso2.carbon.identity.action.execution.model.ActionExecutionRequest}. + * over {@link org.wso2.carbon.identity.action.execution.api.model.ActionExecutionRequest}. */ public class PreIssueAccessTokenEvent extends Event { diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/action/model/TokenRequest.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/action/model/TokenRequest.java index 7382e0e1db5..e9f955614fd 100644 --- a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/action/model/TokenRequest.java +++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/action/model/TokenRequest.java 
@@ -18,9 +18,9 @@ package org.wso2.carbon.identity.oauth.action.model; -import org.wso2.carbon.identity.action.execution.model.Header; -import org.wso2.carbon.identity.action.execution.model.Param; -import org.wso2.carbon.identity.action.execution.model.Request; +import org.wso2.carbon.identity.action.execution.api.model.Header; +import org.wso2.carbon.identity.action.execution.api.model.Param; +import org.wso2.carbon.identity.action.execution.api.model.Request; import java.util.ArrayList; import java.util.List; @@ -28,7 +28,7 @@ /** * This class models the request at a pre issue access token trigger. * TokenRequest is the entity that represents the request that is sent to Action - * over {@link org.wso2.carbon.identity.action.execution.model.ActionExecutionRequest}. + * over {@link org.wso2.carbon.identity.action.execution.api.model.ActionExecutionRequest}. */ public class TokenRequest extends Request { diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/action/rule/PreIssueAccessTokenRuleEvaluationDataProvider.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/action/rule/PreIssueAccessTokenRuleEvaluationDataProvider.java index e7d23374a55..edb41d9a37c 100644 --- a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/action/rule/PreIssueAccessTokenRuleEvaluationDataProvider.java +++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/action/rule/PreIssueAccessTokenRuleEvaluationDataProvider.java 
@@ -23,14 +23,14 @@ import org.wso2.carbon.identity.oauth2.dto.OAuth2AccessTokenReqDTO; import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext; import org.wso2.carbon.identity.oauth2.util.OAuth2Util; -import org.wso2.carbon.identity.rule.evaluation.exception.RuleEvaluationDataProviderException; -import org.wso2.carbon.identity.rule.evaluation.model.Field; -import org.wso2.carbon.identity.rule.evaluation.model.FieldValue; -import org.wso2.carbon.identity.rule.evaluation.model.FlowContext; -import org.wso2.carbon.identity.rule.evaluation.model.FlowType; -import org.wso2.carbon.identity.rule.evaluation.model.RuleEvaluationContext; -import org.wso2.carbon.identity.rule.evaluation.model.ValueType; -import org.wso2.carbon.identity.rule.evaluation.provider.RuleEvaluationDataProvider; +import org.wso2.carbon.identity.rule.evaluation.api.exception.RuleEvaluationDataProviderException; +import org.wso2.carbon.identity.rule.evaluation.api.model.Field; +import org.wso2.carbon.identity.rule.evaluation.api.model.FieldValue; +import org.wso2.carbon.identity.rule.evaluation.api.model.FlowContext; +import org.wso2.carbon.identity.rule.evaluation.api.model.FlowType; +import org.wso2.carbon.identity.rule.evaluation.api.model.RuleEvaluationContext; +import org.wso2.carbon.identity.rule.evaluation.api.model.ValueType; +import org.wso2.carbon.identity.rule.evaluation.api.provider.RuleEvaluationDataProvider; import java.util.ArrayList; import java.util.List; diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/internal/OAuthComponentServiceHolder.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/internal/OAuthComponentServiceHolder.java index bab0212fbd5..37afe5ab4f3 100644 --- a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/internal/OAuthComponentServiceHolder.java 
+++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/internal/OAuthComponentServiceHolder.java @@ -20,7 +20,7 @@ import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; -import org.wso2.carbon.identity.action.execution.ActionExecutorService; +import org.wso2.carbon.identity.action.execution.api.service.ActionExecutorService; import org.wso2.carbon.identity.application.mgt.ApplicationManagementService; import org.wso2.carbon.identity.application.mgt.AuthorizedAPIManagementService; import org.wso2.carbon.identity.configuration.mgt.core.ConfigurationManager; diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/internal/OAuthServiceComponent.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/internal/OAuthServiceComponent.java index c56215ab765..32bc8ca0116 100644 --- a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/internal/OAuthServiceComponent.java +++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/internal/OAuthServiceComponent.java 
@@ -26,9 +26,9 @@ import org.osgi.service.component.annotations.Reference; import org.osgi.service.component.annotations.ReferenceCardinality; import org.osgi.service.component.annotations.ReferencePolicy; -import org.wso2.carbon.identity.action.execution.ActionExecutionRequestBuilder; -import org.wso2.carbon.identity.action.execution.ActionExecutionResponseProcessor; -import org.wso2.carbon.identity.action.execution.ActionExecutorService; +import org.wso2.carbon.identity.action.execution.api.service.ActionExecutionRequestBuilder; +import org.wso2.carbon.identity.action.execution.api.service.ActionExecutionResponseProcessor; +import org.wso2.carbon.identity.action.execution.api.service.ActionExecutorService; import org.wso2.carbon.identity.application.authentication.framework.UserSessionManagementService; import org.wso2.carbon.identity.application.mgt.ApplicationManagementService; import org.wso2.carbon.identity.application.mgt.AuthorizedAPIManagementService; @@ -59,7 +59,7 @@ import org.wso2.carbon.identity.organization.management.service.OrganizationManager; import org.wso2.carbon.identity.organization.management.service.OrganizationUserResidentResolverService; import org.wso2.carbon.identity.role.mgt.core.RoleManagementService; -import org.wso2.carbon.identity.rule.evaluation.provider.RuleEvaluationDataProvider; +import org.wso2.carbon.identity.rule.evaluation.api.provider.RuleEvaluationDataProvider; import org.wso2.carbon.idp.mgt.IdpManager; import org.wso2.carbon.user.core.listener.UserOperationEventListener; import org.wso2.carbon.user.core.service.RealmService; diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/listener/IdentityOathEventListener.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/listener/IdentityOathEventListener.java index 0c518a043cd..fba8eec7380 100644 
--- a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/listener/IdentityOathEventListener.java +++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/listener/IdentityOathEventListener.java @@ -32,6 +32,7 @@ import org.wso2.carbon.identity.oauth.cache.AuthorizationGrantCache; import org.wso2.carbon.identity.oauth.cache.AuthorizationGrantCacheKey; import org.wso2.carbon.identity.oauth.common.OAuthConstants; +import org.wso2.carbon.identity.oauth.internal.OAuthComponentServiceHolder; import org.wso2.carbon.identity.oauth.util.ClaimCache; import org.wso2.carbon.identity.oauth.util.ClaimMetaDataCache; import org.wso2.carbon.identity.oauth.util.ClaimMetaDataCacheEntry; @@ -41,11 +42,14 @@ import org.wso2.carbon.identity.oauth2.internal.OAuth2ServiceComponentHolder; import org.wso2.carbon.identity.oauth2.model.AccessTokenDO; import org.wso2.carbon.identity.oauth2.model.AuthzCodeDO; +import org.wso2.carbon.identity.organization.management.organization.user.sharing.models.UserAssociation; +import org.wso2.carbon.identity.organization.management.service.exception.OrganizationManagementException; import org.wso2.carbon.user.core.UserCoreConstants; import org.wso2.carbon.user.core.UserStoreException; import org.wso2.carbon.user.core.UserStoreManager; import org.wso2.carbon.user.core.common.AbstractUserStoreManager; import org.wso2.carbon.user.core.common.User; +import org.wso2.carbon.user.core.service.RealmService; import org.wso2.carbon.user.core.util.UserCoreUtil; import java.util.ArrayList; 
@@ -156,9 +160,13 @@ public boolean doPostUpdateCredential(String userName, Object credential, UserSt if (!isEnable()) { return true; } - return OAuth2ServiceComponentHolder.getInstance() + boolean isErrorOnRevokeTokens = OAuth2ServiceComponentHolder.getInstance() .getRevocationProcessor() .revokeTokens(userName, userStoreManager); + + boolean isErrorOnRevokeAssociateUsersTokens = revokeTokensOfAssociatedUsers(userName, userStoreManager); + + return isErrorOnRevokeTokens || isErrorOnRevokeAssociateUsersTokens; } @Override @@ -168,9 +176,14 @@ public boolean doPostUpdateCredentialByAdmin(String userName, Object credential, if (!isEnable()) { return true; } - return OAuth2ServiceComponentHolder.getInstance() + + boolean isErrorOnRevokeTokens = OAuth2ServiceComponentHolder.getInstance() .getRevocationProcessor() .revokeTokens(userName, userStoreManager); + + boolean isErrorOnRevokeAssociateUsersTokens = revokeTokensOfAssociatedUsers(userName, userStoreManager); + + return isErrorOnRevokeTokens || isErrorOnRevokeAssociateUsersTokens; } @Override 
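Review bot: The combined return `isErrorOnRevokeTokens || isErrorOnRevokeAssociateUsersTokens` mixes two conventions: revokeTokensOfAssociatedUsers is documented as returning true when an error occurred, whereas a UserOperationEventListener's boolean result conventionally means "continue processing", and the previous code returned the revocation processor's result directly as that flag. Unless revokeTokens(...) on the revocation processor also returns true on error (its contract is not visible here), the OR makes the listener return true whenever the primary revocation succeeds, so a failure while revoking the associated users' tokens is silently absorbed; if it does return true on error, the listener now aborts the chain on success. One explicit line would remove the ambiguity, e.g. `return isRevoked && !isErrorOnRevokeAssociateUsersTokens;` with the first variable renamed to what the processor actually reports, or keep the original return and treat the associated-user result as log-only. The same applies to the identical block in doPostUpdateCredentialByAdmin.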
@@ -407,4 +420,51 @@ private void removeClaimCacheEntry(String username, UserStoreManager userStoreMa ClaimCache.getInstance().clearCacheEntry(cacheEntry.getClaimCacheKey(), IdentityTenantUtil.getTenantDomain(userStoreManager.getTenantId())); } + + /** + * Revoke access tokens of associated users. + * + * @param username Username of the user. + * @param userStoreManager User store manager of the user. + * @return boolean true if any error occurred while revoking the tokens. + */ + private boolean revokeTokensOfAssociatedUsers(String username, UserStoreManager userStoreManager) { + + if (log.isDebugEnabled()) { + log.debug("Revoking access tokens of associated users of user: " + username); + } + + boolean isErrorOnRevoking = false; + try { + String userId = ((AbstractUserStoreManager) userStoreManager).getUser(null, username).getUserID(); + String tenantDomain = IdentityTenantUtil.getTenantDomain(userStoreManager.getTenantId()); + String orgId = OAuthComponentServiceHolder.getInstance().getOrganizationManager() + .resolveOrganizationId(tenantDomain); + List userAssociationList = OAuthComponentServiceHolder.getInstance() + .getOrganizationUserSharingService().getUserAssociationsOfGivenUser(userId, orgId); + + for (UserAssociation userAssociation : userAssociationList) { + String orgIdOfUserAssociation = userAssociation.getOrganizationId(); + String tenantDomainOfUserAssociation = OAuthComponentServiceHolder.getInstance() + .getOrganizationManager().resolveTenantDomain(orgIdOfUserAssociation); + RealmService realmService = OAuthComponentServiceHolder.getInstance().getRealmService(); + UserStoreManager userStoreManagerOfUserAssociation = (UserStoreManager) + realmService.getTenantUserRealm( + IdentityTenantUtil.getTenantId(tenantDomainOfUserAssociation)).getUserStoreManager(); + String usernameOfUserAssociation = ((AbstractUserStoreManager) userStoreManagerOfUserAssociation) + .getUserNameFromUserID(userAssociation.getUserId()); + boolean isErrorOnSingleRevoke = 
OAuth2ServiceComponentHolder.getInstance() + .getRevocationProcessor() + .revokeTokens(usernameOfUserAssociation, userStoreManagerOfUserAssociation); + if (isErrorOnSingleRevoke) { + isErrorOnRevoking = true; + } + } + } catch (OrganizationManagementException | org.wso2.carbon.user.api.UserStoreException e) { + log.error("Error occurred while revoking access tokens of associated users.", e); + return true; + } + + return isErrorOnRevoking; + } } diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/JWTTokenIssuer.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/JWTTokenIssuer.java index 0bc3cf85f43..f5e279bb68f 100644 --- a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/JWTTokenIssuer.java +++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/JWTTokenIssuer.java @@ -934,13 +934,12 @@ private JWTClaimsSet handleCustomClaims(JWTClaimsSet.Builder jwtClaimsSetBuilder return handleCustomClaimsInPreIssueAccessTokenResponse(jwtClaimsSetBuilder, tokenReqMessageContext); } - if (tokenReqMessageContext != null && - tokenReqMessageContext.getOauth2AccessTokenReqDTO() != null && - StringUtils.equals(tokenReqMessageContext.getOauth2AccessTokenReqDTO().getGrantType(), - OAuthConstants.GrantTypes.CLIENT_CREDENTIALS) && - OAuthServerConfiguration.getInstance().isSkipOIDCClaimsForClientCredentialGrant()) { - - // CC grant doesn't involve a user and hence skipping OIDC claims to CC grant type Access token. + if (tokenReqMessageContext != null && tokenReqMessageContext.getOauth2AccessTokenReqDTO() != null && + shouldSkipOIDCClaimHandling(tokenReqMessageContext)) { + /* + CC grant and organization switch done from CC grant based token doesn't involve a user and hence skipping + OIDC claims those cases. + */ return jwtClaimsSetBuilder.build(); } 
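Review bot: In revokeTokensOfAssociatedUsers a single OrganizationManagementException or UserStoreException inside the for loop — an association whose organization no longer resolves, or whose user ID has no username in that tenant — leaves the try block and skips every remaining association, so after a password change the shared users' tokens in the other organizations stay valid while the method merely reports an error. Since this runs on a credential-change revocation path, each association should be attempted independently, with the failure logged and the error flag set, and the resolution of the caller's user ID and association list kept in its own try. Hoisting `getRealmService()` out of the loop is a free tidy-up while restructuring. Whether the revocation processor's boolean means "error" is not visible here; the rewrite keeps the hunk's reading of it.
```java
        boolean isErrorOnRevoking = false;
        List<UserAssociation> userAssociationList;
        try {
            // … unchanged: userId / tenantDomain / orgId resolution …
            userAssociationList = OAuthComponentServiceHolder.getInstance()
                    .getOrganizationUserSharingService().getUserAssociationsOfGivenUser(userId, orgId);
        } catch (OrganizationManagementException | org.wso2.carbon.user.api.UserStoreException e) {
            log.error("Error occurred while resolving associated users of user: " + username, e);
            return true;
        }

        RealmService realmService = OAuthComponentServiceHolder.getInstance().getRealmService();
        for (UserAssociation userAssociation : userAssociationList) {
            try {
                String tenantDomainOfUserAssociation = OAuthComponentServiceHolder.getInstance()
                        .getOrganizationManager().resolveTenantDomain(userAssociation.getOrganizationId());
                UserStoreManager userStoreManagerOfUserAssociation = (UserStoreManager) realmService
                        .getTenantUserRealm(IdentityTenantUtil.getTenantId(tenantDomainOfUserAssociation))
                        .getUserStoreManager();
                String usernameOfUserAssociation = ((AbstractUserStoreManager) userStoreManagerOfUserAssociation)
                        .getUserNameFromUserID(userAssociation.getUserId());
                if (OAuth2ServiceComponentHolder.getInstance().getRevocationProcessor()
                        .revokeTokens(usernameOfUserAssociation, userStoreManagerOfUserAssociation)) {
                    isErrorOnRevoking = true;
                }
            } catch (OrganizationManagementException | org.wso2.carbon.user.api.UserStoreException e) {
                // Keep going: one unresolvable association must not leave the other associated users' tokens alive.
                log.error("Error occurred while revoking access tokens of the associated user in organization: "
                        + userAssociation.getOrganizationId(), e);
                isErrorOnRevoking = true;
            }
        }
        return isErrorOnRevoking;
```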
@@ -948,6 +947,20 @@ private JWTClaimsSet handleCustomClaims(JWTClaimsSet.Builder jwtClaimsSetBuilder return claimsCallBackHandler.handleCustomClaims(jwtClaimsSetBuilder, tokenReqMessageContext); } + private boolean shouldSkipOIDCClaimHandling(OAuthTokenReqMessageContext tokenReqMessageContext) { + + String grantType = tokenReqMessageContext.getOauth2AccessTokenReqDTO().getGrantType(); + // Check if the grant type is CLIENT_CREDENTIALS and the config to skip OIDC claims is enabled. + boolean isSkipOIDCClaimsForClientCredentialGrant = + OAuthConstants.GrantTypes.CLIENT_CREDENTIALS.equals(grantType) && + OAuthServerConfiguration.getInstance().isSkipOIDCClaimsForClientCredentialGrant(); + // Check if the grant type is ORGANIZATION_SWITCH and the user type is APPLICATION + boolean isOrgSwitchWithAppUser = OAuthConstants.GrantTypes.ORGANIZATION_SWITCH.equals(grantType) && + OAuthConstants.UserType.APPLICATION.equals(getAuthorizedUserType(null, tokenReqMessageContext)); + + return isSkipOIDCClaimsForClientCredentialGrant || isOrgSwitchWithAppUser; + } + private JWTClaimsSet handleCustomClaimsInPreIssueAccessTokenResponse(JWTClaimsSet.Builder jwtClaimsSetBuilder, OAuthTokenReqMessageContext tokenReqMessageContext) { diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/handlers/grant/AbstractAuthorizationGrantHandler.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/handlers/grant/AbstractAuthorizationGrantHandler.java index 0b8db898c2e..e1837c2e334 100644 --- a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/handlers/grant/AbstractAuthorizationGrantHandler.java +++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/handlers/grant/AbstractAuthorizationGrantHandler.java 
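Review bot: shouldSkipOIDCClaimHandling gates the CLIENT_CREDENTIALS case on isSkipOIDCClaimsForClientCredentialGrant() but skips unconditionally for ORGANIZATION_SWITCH with an APPLICATION user type, so a deployment that leaves the flag off gets OIDC claims on the parent client-credentials token and none on the token obtained by switching organizations with it. If the flag is meant to govern app-only tokens in general, the second branch should carry the same condition, i.e. append `&& OAuthServerConfiguration.getInstance().isSkipOIDCClaimsForClientCredentialGrant()` to the `isOrgSwitchWithAppUser` expression; if the asymmetry is deliberate, a comment such as `// Org-switch tokens for application users never carry OIDC claims, independent of the CC grant flag.` would stop the next reader from "fixing" it. The `null` passed as the first argument of getAuthorizedUserType is also unexplained and deserves a short comment, since getAuthorizedUserType is outside the hunk.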
@@ -26,11 +26,12 @@ import org.apache.oltu.oauth2.common.exception.OAuthSystemException; import org.apache.oltu.oauth2.common.message.types.GrantType; import org.wso2.carbon.context.PrivilegedCarbonContext; -import org.wso2.carbon.identity.action.execution.exception.ActionExecutionException; -import org.wso2.carbon.identity.action.execution.model.ActionExecutionStatus; -import org.wso2.carbon.identity.action.execution.model.ActionType; -import org.wso2.carbon.identity.action.execution.model.Error; -import org.wso2.carbon.identity.action.execution.model.Failure; +import org.wso2.carbon.identity.action.execution.api.exception.ActionExecutionException; +import org.wso2.carbon.identity.action.execution.api.model.ActionExecutionStatus; +import org.wso2.carbon.identity.action.execution.api.model.ActionType; +import org.wso2.carbon.identity.action.execution.api.model.Error; +import org.wso2.carbon.identity.action.execution.api.model.Failure; +import org.wso2.carbon.identity.action.execution.api.model.FlowContext; import org.wso2.carbon.identity.application.authentication.framework.exception.UserIdNotFoundException; import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser; import org.wso2.carbon.identity.base.IdentityConstants; @@ -76,13 +77,10 @@ import java.util.Arrays; import java.util.Collections; import java.util.Date; -import java.util.HashMap; import java.util.List; -import java.util.Map; import java.util.Optional; import java.util.Set; import java.util.UUID; -import java.util.function.Consumer; import static org.wso2.carbon.identity.oauth.common.OAuthConstants.OAUTH_APP; import static org.wso2.carbon.identity.oauth.common.OAuthConstants.RENEW_TOKEN_WITHOUT_REVOKING_EXISTING_ENABLE_CONFIG; 
@@ -614,15 +612,13 @@ private ActionExecutionStatus executePreIssueAccessTokenActions( ActionExecutionStatus executionStatus = null; if (checkExecutePreIssueAccessTokensActions(tokenReqMessageContext)) { - Map additionalProperties = new HashMap<>(); - Consumer> mapInitializer = - map -> map.put("tokenMessageContext", tokenReqMessageContext); - mapInitializer.accept(additionalProperties); + FlowContext flowContext = FlowContext.create().add("tokenMessageContext", tokenReqMessageContext); try { executionStatus = OAuthComponentServiceHolder.getInstance().getActionExecutorService() - .execute(ActionType.PRE_ISSUE_ACCESS_TOKEN, additionalProperties, - IdentityTenantUtil.getTenantDomain(IdentityTenantUtil.getLoginTenantId())); + .execute(ActionType.PRE_ISSUE_ACCESS_TOKEN, flowContext, + IdentityTenantUtil.getTenantDomain(IdentityTenantUtil.getLoginTenantId())); + if (log.isDebugEnabled()) { log.debug(String.format( "Invoked pre issue access token action for clientID: %s grant types: %s. Status: %s", diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/handlers/grant/RefreshGrantHandler.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/handlers/grant/RefreshGrantHandler.java index e5f3fb6d82c..0464b9814cb 100644 --- a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/handlers/grant/RefreshGrantHandler.java +++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/handlers/grant/RefreshGrantHandler.java 
@@ -24,11 +24,12 @@ import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.apache.oltu.oauth2.common.exception.OAuthSystemException; -import org.wso2.carbon.identity.action.execution.exception.ActionExecutionException; -import org.wso2.carbon.identity.action.execution.model.ActionExecutionStatus; -import org.wso2.carbon.identity.action.execution.model.ActionType; -import org.wso2.carbon.identity.action.execution.model.Error; -import org.wso2.carbon.identity.action.execution.model.Failure; +import org.wso2.carbon.identity.action.execution.api.exception.ActionExecutionException; +import org.wso2.carbon.identity.action.execution.api.model.ActionExecutionStatus; +import org.wso2.carbon.identity.action.execution.api.model.ActionType; +import org.wso2.carbon.identity.action.execution.api.model.Error; +import org.wso2.carbon.identity.action.execution.api.model.Failure; +import org.wso2.carbon.identity.action.execution.api.model.FlowContext; import org.wso2.carbon.identity.application.authentication.framework.exception.FrameworkException; import org.wso2.carbon.identity.application.authentication.framework.exception.UserIdNotFoundException; import org.wso2.carbon.identity.application.authentication.framework.inbound.FrameworkClientException; @@ -77,12 +78,9 @@ import java.sql.Timestamp; import java.util.Arrays; -import java.util.HashMap; import java.util.List; -import java.util.Map; import java.util.Optional; import java.util.concurrent.TimeUnit; -import java.util.function.Consumer; import java.util.stream.Collectors; import java.util.stream.Stream; 
@@ -843,14 +841,11 @@ private ActionExecutionStatus executePreIssueAccessTokenActions( setCustomizedAccessTokenAttributesToMessageContext(refreshTokenValidationDataDO, tokenReqMessageContext); - Map additionalProperties = new HashMap<>(); - Consumer> mapInitializer = - map -> map.put("tokenMessageContext", tokenReqMessageContext); - mapInitializer.accept(additionalProperties); + FlowContext flowContext = FlowContext.create().add("tokenMessageContext", tokenReqMessageContext); try { executionStatus = OAuthComponentServiceHolder.getInstance().getActionExecutorService() - .execute(ActionType.PRE_ISSUE_ACCESS_TOKEN, additionalProperties, + .execute(ActionType.PRE_ISSUE_ACCESS_TOKEN, flowContext, IdentityTenantUtil.getTenantDomain(IdentityTenantUtil.getLoginTenantId())); if (log.isDebugEnabled()) { log.debug(String.format( diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/handlers/grant/saml/SAML2BearerGrantHandler.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/handlers/grant/saml/SAML2BearerGrantHandler.java index 2d19f02c8a4..f8f5b9c8068 100644 --- a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/handlers/grant/saml/SAML2BearerGrantHandler.java +++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/handlers/grant/saml/SAML2BearerGrantHandler.java 
@@ -175,6 +175,10 @@ public boolean validateGrant(OAuthTokenReqMessageContext tokReqMsgCtx) throws Id
 String tenantDomain = getTenantDomain(tokReqMsgCtx);
 IdentityProvider identityProvider = getIdentityProvider(assertion, tenantDomain);
+ if (!identityProvider.isEnable()) {
+ throw new IdentityOAuth2Exception("No Active IDP found for the given idp : " + identityProvider .getIdentityProviderName());
+ }
 // If SAMLSignKeyStore property defined in the carbon.xml then validate the signature against provided
 // SAML Sign KeyStore certificate else validate against the IDP certificate.
 if (isSAMLSignKeyStoreConfigured()) {
diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/openidconnect/OIDCClaimUtil.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/openidconnect/OIDCClaimUtil.java
index e1e5af08013..181b3a11c75 100644
--- a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/openidconnect/OIDCClaimUtil.java
+++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/openidconnect/OIDCClaimUtil.java
@@ -580,7 +580,7 @@ private static Map getUserClaimsInLocalDialect(String username,
 * @return App associated roles of the user.
 * @throws ApplicationRolesException If an error occurred while getting app associated roles.
 */
- private static String[] getAppAssociatedRolesOfUser(AuthenticatedUser authenticatedUser, String applicationId)
+ public static String[] getAppAssociatedRolesOfUser(AuthenticatedUser authenticatedUser, String applicationId)
 throws ApplicationRolesException {
 ApplicationRolesResolver appRolesResolver =
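Review bot: The new `identityProvider.isEnable()` guard dereferences the result of `getIdentityProvider(assertion, tenantDomain)` before any null check, and the test data in this same PR still expects an "Identity provider is null" failure, so if that null case is handled later in `validateGrant` rather than inside `getIdentityProvider`, the new check turns it into a NullPointerException; either keep the null handling ahead of it or write `if (identityProvider == null || !identityProvider.isEnable())`. Rejecting a disabled IdP before signature validation is the right place for this check, since a disabled IdP's certificate must not be able to authorize a bearer grant. A debug-level log of the rejected IdP name next to the throw would let operators see why a federated assertion was refused. `validateGrant` continues outside this hunk.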
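Review bot: `getAppAssociatedRolesOfUser` goes from `private` to `public` with no new production caller anywhere in this diff, so the widening appears to exist only for the new OIDCClaimUtilTest; if that test is in the same package, dropping the modifier to package-private with a `// Package-private for testing.` comment keeps the util's public surface unchanged. If it is meant to become public API, the Javadoc above it should say so and document the `authenticatedUser` and `applicationId` parameters, which it currently does not. The body of the method is outside the hunk.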
diff --git a/components/org.wso2.carbon.identity.oauth/src/test/java/org/wso2/carbon/identity/oauth/action/execution/PreIssueAccessTokenRequestBuilderTest.java b/components/org.wso2.carbon.identity.oauth/src/test/java/org/wso2/carbon/identity/oauth/action/execution/PreIssueAccessTokenRequestBuilderTest.java index fe8cf0a16cd..a3428973aa2 100644 --- a/components/org.wso2.carbon.identity.oauth/src/test/java/org/wso2/carbon/identity/oauth/action/execution/PreIssueAccessTokenRequestBuilderTest.java +++ b/components/org.wso2.carbon.identity.oauth/src/test/java/org/wso2/carbon/identity/oauth/action/execution/PreIssueAccessTokenRequestBuilderTest.java 
@@ -23,16 +23,16 @@ import org.testng.Assert; import org.testng.annotations.AfterClass; import org.testng.annotations.BeforeClass; -import org.testng.annotations.DataProvider; import org.testng.annotations.Test; -import org.wso2.carbon.identity.action.execution.exception.ActionExecutionRequestBuilderException; -import org.wso2.carbon.identity.action.execution.model.ActionExecutionRequest; -import org.wso2.carbon.identity.action.execution.model.ActionType; -import org.wso2.carbon.identity.action.execution.model.AllowedOperation; -import org.wso2.carbon.identity.action.execution.model.Header; -import org.wso2.carbon.identity.action.execution.model.Operation; -import org.wso2.carbon.identity.action.execution.model.Param; -import org.wso2.carbon.identity.action.execution.model.Tenant; +import org.wso2.carbon.identity.action.execution.api.exception.ActionExecutionRequestBuilderException; +import org.wso2.carbon.identity.action.execution.api.model.ActionExecutionRequest; +import org.wso2.carbon.identity.action.execution.api.model.ActionType; +import org.wso2.carbon.identity.action.execution.api.model.AllowedOperation; +import org.wso2.carbon.identity.action.execution.api.model.FlowContext; +import org.wso2.carbon.identity.action.execution.api.model.Header; +import org.wso2.carbon.identity.action.execution.api.model.Operation; +import org.wso2.carbon.identity.action.execution.api.model.Param; +import org.wso2.carbon.identity.action.execution.api.model.Tenant; import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser; import org.wso2.carbon.identity.central.log.mgt.utils.LoggerUtils; import org.wso2.carbon.identity.core.util.IdentityTenantUtil; 
@@ -146,20 +146,13 @@ public void testGetSupportedActionType() { Assert.assertEquals(actionType, ActionType.PRE_ISSUE_ACCESS_TOKEN); } - @DataProvider(name = "BuildTokenRequestMessageContext") - public Object[][] buildTokenRequestMessageContext() { - - return new Object[][]{ - {mockTokenMessageContext()}, - }; - } - - @Test(dataProvider = "BuildTokenRequestMessageContext") - public void testBuildActionExecutionRequest(Map eventContext) + @Test + public void testBuildActionExecutionRequest() throws ActionExecutionRequestBuilderException { ActionExecutionRequest actionExecutionRequest = preIssueAccessTokenRequestBuilder. - buildActionExecutionRequest(eventContext); + buildActionExecutionRequest( + FlowContext.create().add("tokenMessageContext", getMockTokenMessageContext()), null); Assert.assertNotNull(actionExecutionRequest); Assert.assertEquals(actionExecutionRequest.getActionType(), ActionType.PRE_ISSUE_ACCESS_TOKEN); assertEvent((PreIssueAccessTokenEvent) actionExecutionRequest.getEvent(), getExpectedEvent()); @@ -254,21 +247,11 @@ private void assertAllowedOperations(List actual, List mockTokenMessageContext() { - - Map eventContext = new HashMap<>(); + private OAuthTokenReqMessageContext getMockTokenMessageContext() { OAuth2AccessTokenReqDTO tokenReqDTO = mockTokenRequestDTO(); AuthenticatedUser authenticatedUser = mockAuthenticatedUser(); - OAuthTokenReqMessageContext tokenMessageContext = mockMessageContext(tokenReqDTO, authenticatedUser); - eventContext.put("tokenMessageContext", tokenMessageContext); - - return eventContext; + return mockMessageContext(tokenReqDTO, authenticatedUser); } /** diff --git a/components/org.wso2.carbon.identity.oauth/src/test/java/org/wso2/carbon/identity/oauth/action/rule/PreIssueAccessTokenRuleEvaluationDataProviderTest.java b/components/org.wso2.carbon.identity.oauth/src/test/java/org/wso2/carbon/identity/oauth/action/rule/PreIssueAccessTokenRuleEvaluationDataProviderTest.java index 8f3fb2b767b..5817bda3a8e 100644 
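Review bot: `buildActionExecutionRequest(FlowContext.create().add(...), null)` passes a bare `null` as the second argument, and nothing in the hunk says which parameter that is or why it is intentionally absent; a named local initialised to null, or a short inline comment naming the parameter, would make the test readable without opening the builder. The rest of `testBuildActionExecutionRequest`'s assertions are inside the hunk and unchanged.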
--- a/components/org.wso2.carbon.identity.oauth/src/test/java/org/wso2/carbon/identity/oauth/action/rule/PreIssueAccessTokenRuleEvaluationDataProviderTest.java +++ b/components/org.wso2.carbon.identity.oauth/src/test/java/org/wso2/carbon/identity/oauth/action/rule/PreIssueAccessTokenRuleEvaluationDataProviderTest.java @@ -30,13 +30,13 @@ import org.wso2.carbon.identity.oauth2.dto.OAuth2AccessTokenReqDTO; import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext; import org.wso2.carbon.identity.oauth2.util.OAuth2Util; -import org.wso2.carbon.identity.rule.evaluation.exception.RuleEvaluationDataProviderException; -import org.wso2.carbon.identity.rule.evaluation.model.Field; -import org.wso2.carbon.identity.rule.evaluation.model.FieldValue; -import org.wso2.carbon.identity.rule.evaluation.model.FlowContext; -import org.wso2.carbon.identity.rule.evaluation.model.FlowType; -import org.wso2.carbon.identity.rule.evaluation.model.RuleEvaluationContext; -import org.wso2.carbon.identity.rule.evaluation.model.ValueType; +import org.wso2.carbon.identity.rule.evaluation.api.exception.RuleEvaluationDataProviderException; +import org.wso2.carbon.identity.rule.evaluation.api.model.Field; +import org.wso2.carbon.identity.rule.evaluation.api.model.FieldValue; +import org.wso2.carbon.identity.rule.evaluation.api.model.FlowContext; +import org.wso2.carbon.identity.rule.evaluation.api.model.FlowType; +import org.wso2.carbon.identity.rule.evaluation.api.model.RuleEvaluationContext; +import org.wso2.carbon.identity.rule.evaluation.api.model.ValueType; import java.util.Arrays; import java.util.Collections; diff --git a/components/org.wso2.carbon.identity.oauth/src/test/java/org/wso2/carbon/identity/oauth/listener/IdentityOathEventListenerTest.java b/components/org.wso2.carbon.identity.oauth/src/test/java/org/wso2/carbon/identity/oauth/listener/IdentityOathEventListenerTest.java index c30e7211c1b..b338f4fee3b 100644 
--- a/components/org.wso2.carbon.identity.oauth/src/test/java/org/wso2/carbon/identity/oauth/listener/IdentityOathEventListenerTest.java +++ b/components/org.wso2.carbon.identity.oauth/src/test/java/org/wso2/carbon/identity/oauth/listener/IdentityOathEventListenerTest.java 
@@ -17,80 +17,139 @@ */ package org.wso2.carbon.identity.oauth.listener; -import org.apache.commons.lang.StringUtils; import org.mockito.Mock; +import org.mockito.MockedStatic; +import org.testng.annotations.AfterMethod; import org.testng.annotations.BeforeMethod; -import org.testng.annotations.DataProvider; import org.testng.annotations.Test; -import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser; -import org.wso2.carbon.identity.core.model.IdentityCacheConfig; -import org.wso2.carbon.identity.core.model.IdentityEventListenerConfig; -import org.wso2.carbon.identity.core.util.IdentityCoreConstants; import org.wso2.carbon.identity.core.util.IdentityTenantUtil; -import org.wso2.carbon.identity.core.util.IdentityUtil; -import org.wso2.carbon.identity.oauth.cache.AuthorizationGrantCache; -import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration; -import org.wso2.carbon.identity.oauth.util.ClaimCache; -import org.wso2.carbon.identity.oauth.util.ClaimMetaDataCache; -import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception; -import org.wso2.carbon.identity.oauth2.model.AccessTokenDO; -import org.wso2.carbon.identity.oauth2.util.OAuth2Util; +import org.wso2.carbon.identity.oauth.internal.OAuthComponentServiceHolder; +import org.wso2.carbon.identity.oauth.tokenprocessor.OAuth2RevocationProcessor; +import org.wso2.carbon.identity.oauth2.internal.OAuth2ServiceComponentHolder; +import org.wso2.carbon.identity.organization.management.organization.user.sharing.OrganizationUserSharingService; +import org.wso2.carbon.identity.organization.management.organization.user.sharing.models.UserAssociation; +import org.wso2.carbon.identity.organization.management.service.OrganizationManager; +import org.wso2.carbon.identity.organization.management.service.exception.OrganizationManagementException; import org.wso2.carbon.identity.testutil.IdentityBaseTest; -import org.wso2.carbon.user.core.UserStoreManager; -import 
org.wso2.carbon.user.core.util.UserCoreUtil; +import org.wso2.carbon.user.api.UserRealm; +import org.wso2.carbon.user.api.UserStoreException; +import org.wso2.carbon.user.core.common.AbstractUserStoreManager; +import org.wso2.carbon.user.core.common.User; +import org.wso2.carbon.user.core.service.RealmService; -import java.util.HashSet; -import java.util.Map; -import java.util.Set; +import java.util.ArrayList; +import java.util.List; -import static org.mockito.ArgumentMatchers.any; -import static org.mockito.ArgumentMatchers.anyInt; -import static org.mockito.ArgumentMatchers.anyString; -import static org.mockito.Mockito.mock; -import static org.mockito.MockitoAnnotations.initMocks; -import static org.testng.Assert.assertEquals; -import static org.testng.AssertJUnit.assertTrue; +import static org.mockito.Mockito.mockStatic; +import static org.mockito.Mockito.when; +import static org.mockito.MockitoAnnotations.openMocks; -public class IdentityOathEventListenerTest extends IdentityBaseTest { - private IdentityOathEventListener identityOathEventListener = new IdentityOathEventListener(); - private String username = "USER_NAME"; - private String claimUri = "CLAIM_URI"; - private String claimValue = "CLAIM_VALUE"; - private String profileName = "PROFILE_NAME"; +public class IdentityOathEventListenerTest extends IdentityBaseTest { + private final String credentialUpdateUsername = "testUsername"; + private final String newCredential = "newPassword1$"; + @Mock + OAuth2ServiceComponentHolder oAuth2ServiceComponentHolder; + private IdentityOathEventListener identityOathEventListener; @Mock - private UserStoreManager userStoreManager; + private AbstractUserStoreManager abstractUserStoreManager; + @Mock + private OAuth2RevocationProcessor oAuth2RevocationProcessor; + @Mock + private OrganizationManager organizationManager; + private MockedStatic oAuth2ServiceComponentHolderMockedStatic; + private MockedStatic oAuthComponentServiceHolderMockedStatic; @Mock - private 
AuthenticatedUser authenticatedUser; + private OAuthComponentServiceHolder oAuthComponentServiceHolder; + + private MockedStatic identityTenantUtilMockedStatic; @Mock - private Map mockedMapClaims; + private OrganizationUserSharingService organizationUserSharingService; @Mock - private ClaimMetaDataCache claimMetaDataCache; + private RealmService realmService; @Mock - private OAuthServerConfiguration oauthServerConfigurationMock; + private UserRealm userRealm; + + @BeforeMethod + public void setUp() { + + openMocks(this); + identityOathEventListener = new IdentityOathEventListener(); + + identityTenantUtilMockedStatic = mockStatic(IdentityTenantUtil.class); + + oAuth2ServiceComponentHolderMockedStatic = mockStatic(OAuth2ServiceComponentHolder.class); + when(OAuth2ServiceComponentHolder.getInstance()).thenReturn(oAuth2ServiceComponentHolder); + + oAuthComponentServiceHolderMockedStatic = mockStatic(OAuthComponentServiceHolder.class); + when(OAuthComponentServiceHolder.getInstance()).thenReturn(oAuthComponentServiceHolder); + + } + + @AfterMethod + public void clear() { + + identityTenantUtilMockedStatic.close(); + oAuth2ServiceComponentHolderMockedStatic.close(); + oAuthComponentServiceHolderMockedStatic.close(); + } + + private void prepareForCredentialUpdate() throws UserStoreException, OrganizationManagementException { + + String userID = "testId"; + int tenantId = 1234; + String tenant = "testTenant"; + String orgId = "testOrg"; + String orgIdUserAssociation = "TestAssociateOrg"; + String tenantUserAssociation = "TestAssociateTenant"; + int userAssociationTenantId = 3245; + User user = new User(userID); + List userAssociationList = new ArrayList<>(); + UserAssociation userAssociation = new UserAssociation(); + userAssociation.setOrganizationId(orgIdUserAssociation); + userAssociationList.add(userAssociation); + + when(oAuth2ServiceComponentHolder.getRevocationProcessor()).thenReturn(oAuth2RevocationProcessor); + 
when(oAuth2RevocationProcessor.revokeTokens(credentialUpdateUsername, abstractUserStoreManager)).thenReturn( + false); + when(abstractUserStoreManager.getUser(null, credentialUpdateUsername)).thenReturn(user); + when(abstractUserStoreManager.getTenantId()).thenReturn(tenantId); + when(IdentityTenantUtil.getTenantDomain(tenantId)).thenReturn(tenant); + when(organizationManager.resolveOrganizationId(tenant)).thenReturn(orgId); + when(oAuthComponentServiceHolder.getOrganizationUserSharingService()).thenReturn( + organizationUserSharingService); + when(organizationUserSharingService.getUserAssociationsOfGivenUser(userID, orgId)).thenReturn( + userAssociationList); + when(oAuthComponentServiceHolder.getOrganizationManager()).thenReturn(organizationManager); + when(organizationManager.resolveTenantDomain(orgIdUserAssociation)).thenReturn(tenantUserAssociation); + when(oAuthComponentServiceHolder.getRealmService()).thenReturn(realmService); + when(IdentityTenantUtil.getTenantId(tenantUserAssociation)).thenReturn(userAssociationTenantId); + when(realmService.getTenantUserRealm(userAssociationTenantId)).thenReturn(userRealm); + when(userRealm.getUserStoreManager()).thenReturn(abstractUserStoreManager); + } + + @Test + public void testDoPostUpdateCredential() throws UserStoreException, OrganizationManagementException { + + prepareForCredentialUpdate(); + identityOathEventListener.doPostUpdateCredential(credentialUpdateUsername, newCredential, + abstractUserStoreManager); + } + + @Test + public void testDoPostUpdateCredentialByAdmin() throws UserStoreException, OrganizationManagementException { + + prepareForCredentialUpdate(); + identityOathEventListener.doPostUpdateCredentialByAdmin(credentialUpdateUsername, newCredential, + abstractUserStoreManager); + + } -// @BeforeMethod -// public void setUp() throws Exception { -// initMocks(this); -// -// mockStatic(OAuthServerConfiguration.class); -// 
when(OAuthServerConfiguration.getInstance()).thenReturn(oauthServerConfigurationMock); -// when(oauthServerConfigurationMock.getTimeStampSkewInSeconds()).thenReturn(3600L); -// -// mockStatic(UserCoreUtil.class); -// mockStatic(IdentityTenantUtil.class); -// mockStatic(AuthorizationGrantCache.class); -// mockStatic(IdentityUtil.class); -// mockStatic(StringUtils.class); -// mockStatic(ClaimMetaDataCache.class); -// mockStatic(OAuth2Util.class); -// -// } // // @DataProvider(name = "testGetExecutionOrderIdData") // public Object[][] testGetExecutionOrderIdData() { diff --git a/components/org.wso2.carbon.identity.oauth/src/test/java/org/wso2/carbon/identity/oauth2/token/handlers/grant/AbstractAuthorizationGrantHandlerTest.java b/components/org.wso2.carbon.identity.oauth/src/test/java/org/wso2/carbon/identity/oauth2/token/handlers/grant/AbstractAuthorizationGrantHandlerTest.java index b3628248953..92686709121 100644 --- a/components/org.wso2.carbon.identity.oauth/src/test/java/org/wso2/carbon/identity/oauth2/token/handlers/grant/AbstractAuthorizationGrantHandlerTest.java +++ b/components/org.wso2.carbon.identity.oauth/src/test/java/org/wso2/carbon/identity/oauth2/token/handlers/grant/AbstractAuthorizationGrantHandlerTest.java 
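Review bot: `testDoPostUpdateCredential` and `testDoPostUpdateCredentialByAdmin` contain no assertion and no `verify(...)`, so they only prove the listener does not throw, while the behaviour that matters on a credential change — revoking the user's tokens — is stubbed in `prepareForCredentialUpdate` to return `false` and never checked. Add `verify(oAuth2RevocationProcessor).revokeTokens(credentialUpdateUsername, abstractUserStoreManager);` to each test, and because the stubs also resolve a user association in another organization, verify that revocation is attempted against the user store manager returned by `userRealm.getUserStoreManager()` for that tenant as well; the listener's return value (a boolean if it follows the UserOperationEventListener contract) should be asserted too. The old `setUp` and data-provider code left commented out at the end of the class should be deleted rather than carried along in the rewritten test.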
@@ -29,10 +29,10 @@ import org.testng.annotations.Test; import org.wso2.carbon.base.MultitenantConstants; import org.wso2.carbon.context.PrivilegedCarbonContext; -import org.wso2.carbon.identity.action.execution.ActionExecutorService; -import org.wso2.carbon.identity.action.execution.exception.ActionExecutionException; -import org.wso2.carbon.identity.action.execution.model.ActionType; -import org.wso2.carbon.identity.action.execution.model.SuccessStatus; +import org.wso2.carbon.identity.action.execution.api.exception.ActionExecutionException; +import org.wso2.carbon.identity.action.execution.api.model.ActionType; +import org.wso2.carbon.identity.action.execution.api.model.SuccessStatus; +import org.wso2.carbon.identity.action.execution.api.service.ActionExecutorService; import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser; import org.wso2.carbon.identity.base.IdentityException; import org.wso2.carbon.identity.central.log.mgt.internal.CentralLogMgtServiceComponentHolder; @@ -80,7 +80,6 @@ import java.util.UUID; import static org.mockito.ArgumentMatchers.any; -import static org.mockito.ArgumentMatchers.anyMap; import static org.mockito.ArgumentMatchers.anyString; import static org.mockito.ArgumentMatchers.eq; import static org.mockito.Mockito.doNothing; @@ -128,7 +127,7 @@ public void setUp() throws IdentityOAuth2Exception, IdentityOAuthAdminException, OAuthComponentServiceHolder.getInstance().setActionExecutorService(mockActionExecutionService); MockitoAnnotations.initMocks(this); - when(mockActionExecutionService.execute(any(ActionType.class), anyMap(), any())).thenReturn( + when(mockActionExecutionService.execute(any(ActionType.class), any(), any())).thenReturn( new SuccessStatus.Builder().build()); authenticatedUser.setUserName("randomUser"); 
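Review bot: Replacing `anyMap()` with an untyped `any()` in the `mockActionExecutionService.execute(...)` stub drops the type constraint entirely; `any(FlowContext.class)`, with the `org.wso2.carbon.identity.action.execution.api.model.FlowContext` import that this file's import hunk does not add, keeps the stub from silently matching if another overload of `execute` is introduced later. `setUp` continues outside the hunk.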
diff --git a/components/org.wso2.carbon.identity.oauth/src/test/java/org/wso2/carbon/identity/oauth2/token/handlers/grant/saml/SAML2BearerGrantHandlerTest.java b/components/org.wso2.carbon.identity.oauth/src/test/java/org/wso2/carbon/identity/oauth2/token/handlers/grant/saml/SAML2BearerGrantHandlerTest.java index e2879687c62..0b38637a791 100644 --- a/components/org.wso2.carbon.identity.oauth/src/test/java/org/wso2/carbon/identity/oauth2/token/handlers/grant/saml/SAML2BearerGrantHandlerTest.java +++ b/components/org.wso2.carbon.identity.oauth/src/test/java/org/wso2/carbon/identity/oauth2/token/handlers/grant/saml/SAML2BearerGrantHandlerTest.java @@ -198,16 +198,16 @@ public void tearDown() { @DataProvider (name = "provideValidData") public Object[][] provideValidData() { return new Object[][] { - {OAuthConstants.UserType.FEDERATED_USER_DOMAIN_PREFIX, "LOCAL"}, - {OAuthConstants.UserType.LOCAL_USER_TYPE, "LOCAL"}, - {OAuthConstants.UserType.LEGACY_USER_TYPE, "LOCAL"}, - {"unknown", "LOCAL"}, - {"unknown", "FED"} + {OAuthConstants.UserType.FEDERATED_USER_DOMAIN_PREFIX, "LOCAL", true}, + {OAuthConstants.UserType.LOCAL_USER_TYPE, "LOCAL", true}, + {OAuthConstants.UserType.LEGACY_USER_TYPE, "LOCAL", true}, + {"unknown", "LOCAL", true}, + {"unknown", "FED", true} }; } @Test (dataProvider = "provideValidData") - public void testValidateGrant(String userType, String idpName) throws Exception { + public void testValidateGrant(String userType, String idpName, boolean isIDPEnabled) throws Exception { try (MockedStatic signatureValidator = mockStatic(SignatureValidator.class); MockedStatic identityApplicationManagementUtil = 
@@ -220,7 +220,7 @@ public void testValidateGrant(String userType, String idpName) throws Exception MockedStatic ssoServiceProviderConfigManager = mockStatic(SSOServiceProviderConfigManager.class); MockedStatic identityTenantUtil = mockStatic(IdentityTenantUtil.class)) { - initSAMLGrant(userType, idpName, signatureValidator, identityApplicationManagementUtil, + initSAMLGrant(userType, idpName, isIDPEnabled, signatureValidator, identityApplicationManagementUtil, identityProviderManager, ssoServiceProviderConfigManager, identityTenantUtil); mockOAuthComponents(oAuthComponentServiceHolder, oAuth2ServiceComponentHolder); lenient().when(realmService.getTenantUserRealm(anyInt())).thenReturn(userRealm); 
@@ -258,40 +258,45 @@ public Object[][] validateGrantExceptionDataProvider() throws Exception { DateTime expiredOnOrAfter = new DateTime(System.currentTimeMillis() - 10000000L); return new Object[][]{ {validOnOrAfter, "LOCAL", true, true, TestConstants.OAUTH2_TOKEN_EP, TestConstants.LOACALHOST_DOMAIN, - new IdentityUnmarshallingException("Error"), "Error while unmashalling"}, + true, new IdentityUnmarshallingException("Error"), "Error while unmashalling"}, {validOnOrAfter, "FED", true, true, TestConstants.OAUTH2_TOKEN_EP, TestConstants.LOACALHOST_DOMAIN, - new IdentityProviderManagementException("Error"), "Error while retrieving identity provider"}, + true, new IdentityProviderManagementException("Error"), + "Error while retrieving identity provider"}, {validOnOrAfter, "FED", true, true, TestConstants.OAUTH2_TOKEN_EP, TestConstants.LOACALHOST_DOMAIN, - new SignatureException(), "Error while validating the signature"}, + true, new SignatureException(), "Error while validating the signature"}, {validOnOrAfter, "LOCAL", true, true, TestConstants.OAUTH2_TOKEN_EP, TestConstants.LOACALHOST_DOMAIN, - new IdentityApplicationManagementException("Error"), "Error while retrieving service provider"}, + true, new IdentityApplicationManagementException("Error"), + "Error while retrieving service provider"}, {validOnOrAfter, "LOCAL", true, true, TestConstants.OAUTH2_TOKEN_EP, TestConstants.LOACALHOST_DOMAIN, - new UserStoreException(), "Error while building local user"}, + true, new UserStoreException(), "Error while building local user"}, {validOnOrAfter, "FED", true, true, TestConstants.OAUTH2_TOKEN_EP, TestConstants.LOACALHOST_DOMAIN, - new CertificateException(), "Error occurred while decoding public certificate"}, + true, new CertificateException(), "Error occurred while decoding public certificate"}, {validOnOrAfter, "LOCAL", true, false, TestConstants.OAUTH2_TOKEN_EP, TestConstants.LOACALHOST_DOMAIN, - null, "User not found"}, + true, null, "User not found"}, 
{validOnOrAfter, "LOCAL", false, true, TestConstants.OAUTH2_TOKEN_EP, TestConstants.LOACALHOST_DOMAIN, - null, "Non SaaS app"}, - {validOnOrAfter, "LOCAL", true, true, "invalidAudience", TestConstants.LOACALHOST_DOMAIN, null, + true, null, "Non SaaS app"}, + {validOnOrAfter, "LOCAL", true, true, "invalidAudience", TestConstants.LOACALHOST_DOMAIN, true, null, "Audience Restriction validation failed"}, - {validOnOrAfter, "LOCAL", true, true, "", TestConstants.LOACALHOST_DOMAIN, null, + {validOnOrAfter, "LOCAL", true, true, "", TestConstants.LOACALHOST_DOMAIN, true, null, "Token Endpoint alias has not been configured"}, - {validOnOrAfter, "FED", true, true, "invalidAudience", TestConstants.LOACALHOST_DOMAIN, null, + {validOnOrAfter, "FED", true, true, "invalidAudience", TestConstants.LOACALHOST_DOMAIN, true, null, "Audience Restriction validation failed"}, - {validOnOrAfter, null, true, true, TestConstants.OAUTH2_TOKEN_EP, TestConstants.LOACALHOST_DOMAIN, null, - "Identity provider is null"}, + {validOnOrAfter, null, true, true, TestConstants.OAUTH2_TOKEN_EP, TestConstants.LOACALHOST_DOMAIN, true, + null, "Identity provider is null"}, {expiredOnOrAfter, "LOCAL", true, true, TestConstants.OAUTH2_TOKEN_EP, TestConstants.LOACALHOST_DOMAIN, - null, "Assertion is not valid"}, - {null, "LOCAL", true, true, TestConstants.OAUTH2_TOKEN_EP, TestConstants.LOACALHOST_DOMAIN, null, + true, null, "Assertion is not valid"}, + {null, "LOCAL", true, true, TestConstants.OAUTH2_TOKEN_EP, TestConstants.LOACALHOST_DOMAIN, true, null, "Cannot find valid NotOnOrAfter"}, + {validOnOrAfter, "FED", true, true, TestConstants.OAUTH2_TOKEN_EP, TestConstants.LOACALHOST_DOMAIN, + false, new IdentityOAuth2Exception("No Active IDP found for the given idp : FED"), + "No Active IDP found for the given idp"}, }; } @Test (dataProvider = "validateGrantExceptionDataProvider") public void testValidateGrantException(Object dateTimeObj, String idpName, boolean isSaas, boolean isUserExist, - String audience, 
String idpEntityId, Exception e, String expected) - throws Exception { + String audience, String idpEntityId, boolean isIDPEnabled, Exception e, + String expected) throws Exception { try (MockedStatic oAuthComponentServiceHolder = mockStatic(OAuthComponentServiceHolder.class); @@ -308,7 +313,8 @@ public void testValidateGrantException(Object dateTimeObj, String idpName, boole DateTime notOnOrAfter = (DateTime) dateTimeObj; initAssertion(OAuthConstants.UserType.LEGACY_USER_TYPE, idpName, notOnOrAfter, identityProviderManager, ssoServiceProviderConfigManager, identityTenantUtil); - IdentityProvider idp = initIdentityProviderManager(idpName, audience, identityProviderManager); + IdentityProvider idp = initIdentityProviderManager(idpName, audience, isIDPEnabled, + identityProviderManager); initFederatedAuthConfig(idp, identityApplicationManagementUtil); initSignatureValidator(signatureValidator, identityApplicationManagementUtil); mockOAuthComponents(oAuthComponentServiceHolder, oAuth2ServiceComponentHolder); @@ -443,7 +449,7 @@ private void prepareForGetIssuer(MockedStatic identityP TestConstants.LOACALHOST_DOMAIN)}); federatedAuthenticatorConfig.setName(IdentityApplicationConstants.Authenticator.SAML2SSO.NAME); FederatedAuthenticatorConfig[] fedAuthConfs = {federatedAuthenticatorConfig}; - IdentityProvider identityProvider = getIdentityProvider("LOCAL", TestConstants.OAUTH2_TOKEN_EP); + IdentityProvider identityProvider = getIdentityProvider("LOCAL", TestConstants.OAUTH2_TOKEN_EP, true); identityProvider.setFederatedAuthenticatorConfigs(fedAuthConfs); identityProviderManager.when(IdentityProviderManager::getInstance).thenReturn(mockIdentityProviderManager); @@ -541,7 +547,7 @@ private void mockOAuthComponents(MockedStatic oAuth .thenReturn(serviceProvider); } - private IdentityProvider getIdentityProvider(String name, String alias) { + private IdentityProvider getIdentityProvider(String name, String alias, boolean isIDPEnabled) { if (name == null) { return null; 
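Review bot: The new disabled-IdP row supplies `new IdentityOAuth2Exception("No Active IDP found for the given idp : FED")` as the `e` argument, whereas the other rows whose failure comes from the handler itself ("User not found", "Non SaaS app", "Assertion is not valid") pass `null`; if `e` is what the test makes a mocked collaborator throw, the expected message in this row can be produced by the mock rather than by the new `isEnable()` guard in `SAML2BearerGrantHandler.validateGrant`, so the test would keep passing with the guard removed. Passing `null` there, as in `{validOnOrAfter, "FED", true, true, TestConstants.OAUTH2_TOKEN_EP, TestConstants.LOACALHOST_DOMAIN, false, null, "No Active IDP found for the given idp"},`, ties the assertion to the production check. The part of `testValidateGrantException` that consumes `e` is outside this hunk, so this is inferred from the other rows.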
@@ -549,15 +555,16 @@ private IdentityProvider getIdentityProvider(String name, String alias) { IdentityProvider identityProvider = new IdentityProvider(); identityProvider.setIdentityProviderName(name); identityProvider.setAlias(alias); + identityProvider.setEnable(isIDPEnabled); identityProvider.setCertificate("[{\"thumbPrint\":\"\",\"certValue\":\"\"}]"); return identityProvider; } - private IdentityProvider initIdentityProviderManager(String idpName, String alias, + private IdentityProvider initIdentityProviderManager(String idpName, String alias, boolean isIDPEnabled, MockedStatic identityProviderManager) throws Exception { - IdentityProvider identityProviderIns = getIdentityProvider(idpName, alias); + IdentityProvider identityProviderIns = getIdentityProvider(idpName, alias, isIDPEnabled); identityProviderManager.when(IdentityProviderManager::getInstance) .thenReturn(mockIdentityProviderManager); when(mockIdentityProviderManager @@ -628,7 +635,8 @@ private void initSignatureValidator(MockedStatic signatureVa .thenAnswer((Answer) invocation -> null); } - private void initSAMLGrant(String userType, String idpName, MockedStatic signatureValidator, + private void initSAMLGrant(String userType, String idpName, boolean isIDPEnabled, + MockedStatic signatureValidator, MockedStatic identityApplicationManagementUtil, MockedStatic identityProviderManager, MockedStatic ssoServiceProviderConfigManager, 
@@ -637,8 +645,8 @@ private void initSAMLGrant(String userType, String idpName, MockedStatic openIDConnectServiceComponentHolder = + mockStatic(OpenIDConnectServiceComponentHolder.class);) { + AuthenticatedUser authenticatedUser = mock(AuthenticatedUser.class); + String applicationId = "testAppId"; + + ApplicationRolesResolver appRolesResolver = mock(ApplicationRolesResolver.class); + Mockito.when(appRolesResolver.getRoles(authenticatedUser, applicationId)) + .thenReturn(new String[]{"role1", "role2"}); + + OpenIDConnectServiceComponentHolder mockOpenIDConnectServiceComponentHolder = + mock(OpenIDConnectServiceComponentHolder.class); + openIDConnectServiceComponentHolder.when(OpenIDConnectServiceComponentHolder::getInstance) + .thenReturn(mockOpenIDConnectServiceComponentHolder); + when(mockOpenIDConnectServiceComponentHolder.getHighestPriorityApplicationRolesResolver()) + .thenReturn(appRolesResolver); + + String[] roles = OIDCClaimUtil.getAppAssociatedRolesOfUser(authenticatedUser, applicationId); + + assertNotNull(roles); + assertEquals(roles.length, 2); + assertTrue(roles[0].equals("role1") && roles[1].equals("role2")); + } + } +} diff --git a/components/org.wso2.carbon.identity.oauth/src/test/resources/testng.xml b/components/org.wso2.carbon.identity.oauth/src/test/resources/testng.xml index 4ea7b033b99..eeebaa3fa3e 100755 --- a/components/org.wso2.carbon.identity.oauth/src/test/resources/testng.xml +++ b/components/org.wso2.carbon.identity.oauth/src/test/resources/testng.xml @@ -207,6 +207,7 @@ + diff --git a/components/org.wso2.carbon.identity.oidc.dcr/pom.xml b/components/org.wso2.carbon.identity.oidc.dcr/pom.xml index 1c5edbb5d8d..b4c2fdc1dbd 100644 --- a/components/org.wso2.carbon.identity.oidc.dcr/pom.xml +++ b/components/org.wso2.carbon.identity.oidc.dcr/pom.xml @@ -22,7 +22,7 @@ org.wso2.carbon.identity.inbound.auth.oauth2 identity-inbound-auth-oauth ../../pom.xml - 7.0.245-SNAPSHOT + 7.0.255-SNAPSHOT 4.0.0 
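Review bot: The new test's closing assertion `assertTrue(roles[0].equals("role1") && roles[1].equals("role2"))` folds two comparisons into one boolean, so a failure reports only `false` rather than which element differed; TestNG's `assertEquals` compares arrays element-wise, so the three asserts can be replaced by `assertEquals(roles, new String[]{"role1", "role2"});`. The stray `;` before `) {` in the try-with-resources header is legal but unusual. The hunk header `@@ -637,8 +645,8 @@` does not correspond to the added lines that follow it, so this rendering appears to have dropped part of the diff, including the file header of the test class the new method belongs to; the method's opening lines are not visible here.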
diff --git a/components/org.wso2.carbon.identity.oidc.session/pom.xml b/components/org.wso2.carbon.identity.oidc.session/pom.xml
index d92489cdedd..06b6087ef07 100644
--- a/components/org.wso2.carbon.identity.oidc.session/pom.xml
+++ b/components/org.wso2.carbon.identity.oidc.session/pom.xml
@@ -22,7 +22,7 @@ org.wso2.carbon.identity.inbound.auth.oauth2 identity-inbound-auth-oauth ../../pom.xml
- 7.0.245-SNAPSHOT
+ 7.0.255-SNAPSHOT
 4.0.0
diff --git a/components/org.wso2.carbon.identity.webfinger/pom.xml b/components/org.wso2.carbon.identity.webfinger/pom.xml
index 17eea17e483..46401dc9585 100644
--- a/components/org.wso2.carbon.identity.webfinger/pom.xml
+++ b/components/org.wso2.carbon.identity.webfinger/pom.xml
@@ -21,7 +21,7 @@ org.wso2.carbon.identity.inbound.auth.oauth2 identity-inbound-auth-oauth ../../pom.xml
- 7.0.245-SNAPSHOT
+ 7.0.255-SNAPSHOT
 4.0.0
diff --git a/features/org.wso2.carbon.identity.oauth.common.feature/pom.xml b/features/org.wso2.carbon.identity.oauth.common.feature/pom.xml
index 040aaf8c599..7c07d08f3c8 100644
--- a/features/org.wso2.carbon.identity.oauth.common.feature/pom.xml
+++ b/features/org.wso2.carbon.identity.oauth.common.feature/pom.xml
@@ -22,7 +22,7 @@ org.wso2.carbon.identity.inbound.auth.oauth2 identity-inbound-auth-oauth ../../pom.xml
- 7.0.245-SNAPSHOT
+ 7.0.255-SNAPSHOT
 4.0.0
diff --git a/features/org.wso2.carbon.identity.oauth.dcr.server.feature/pom.xml b/features/org.wso2.carbon.identity.oauth.dcr.server.feature/pom.xml
index 7891d5fb872..cf38b2a7345 100644
--- a/features/org.wso2.carbon.identity.oauth.dcr.server.feature/pom.xml
+++ b/features/org.wso2.carbon.identity.oauth.dcr.server.feature/pom.xml
@@ -22,7 +22,7 @@ org.wso2.carbon.identity.inbound.auth.oauth2 identity-inbound-auth-oauth ../../pom.xml
- 7.0.245-SNAPSHOT
+ 7.0.255-SNAPSHOT
 4.0.0
diff --git a/features/org.wso2.carbon.identity.oauth.feature/pom.xml b/features/org.wso2.carbon.identity.oauth.feature/pom.xml
index fe2df98af8e..fc84f18f312 100644
--- a/features/org.wso2.carbon.identity.oauth.feature/pom.xml
+++ b/features/org.wso2.carbon.identity.oauth.feature/pom.xml
@@ -22,7 +22,7 @@ org.wso2.carbon.identity.inbound.auth.oauth2 identity-inbound-auth-oauth ../../pom.xml
- 7.0.245-SNAPSHOT
+ 7.0.255-SNAPSHOT
 4.0.0
diff --git a/features/org.wso2.carbon.identity.oauth.server.feature/pom.xml b/features/org.wso2.carbon.identity.oauth.server.feature/pom.xml
index 929a523ca77..dc7e630d693 100644
--- a/features/org.wso2.carbon.identity.oauth.server.feature/pom.xml
+++ b/features/org.wso2.carbon.identity.oauth.server.feature/pom.xml
@@ -22,7 +22,7 @@ org.wso2.carbon.identity.inbound.auth.oauth2 identity-inbound-auth-oauth ../../pom.xml
- 7.0.245-SNAPSHOT
+ 7.0.255-SNAPSHOT
 4.0.0
diff --git a/features/org.wso2.carbon.identity.oauth.ui.feature/pom.xml b/features/org.wso2.carbon.identity.oauth.ui.feature/pom.xml
index 468cf9ef632..355cf4cc63c 100644
--- a/features/org.wso2.carbon.identity.oauth.ui.feature/pom.xml
+++ b/features/org.wso2.carbon.identity.oauth.ui.feature/pom.xml
@@ -22,7 +22,7 @@ org.wso2.carbon.identity.inbound.auth.oauth2 identity-inbound-auth-oauth ../../pom.xml
- 7.0.245-SNAPSHOT
+ 7.0.255-SNAPSHOT
 4.0.0
diff --git a/pom.xml b/pom.xml
index 8f69ee5ca0e..361481fa69c 100644
--- a/pom.xml
+++ b/pom.xml
@@ -28,7 +28,7 @@ 4.0.0 org.wso2.carbon.identity.inbound.auth.oauth2 identity-inbound-auth-oauth
- 7.0.245-SNAPSHOT
+ 7.0.255-SNAPSHOT
 pom WSO2 Carbon OAuth module http://wso2.org
@@ -967,7 +967,7 @@ [1.0.1, 2.0.0)
- 7.7.221
+ 7.8.3
 [5.25.234, 8.0.0) [2.0.0, 3.0.0)
@@ -1067,7 +1067,7 @@ 9.2 4.5.11.wso2v1 [4.5.11, 5.0.0)
- 4.1.115.wso2v1
+ 4.1.115.wso2v2
 5.1.2
diff --git a/service-stubs/org.wso2.carbon.claim.metadata.mgt.stub/pom.xml b/service-stubs/org.wso2.carbon.claim.metadata.mgt.stub/pom.xml
index e4c5b9fa24d..5d62ccc9b6f 100644
--- a/service-stubs/org.wso2.carbon.claim.metadata.mgt.stub/pom.xml
+++ b/service-stubs/org.wso2.carbon.claim.metadata.mgt.stub/pom.xml
@@ -21,7 +21,7 @@ org.wso2.carbon.identity.inbound.auth.oauth2 identity-inbound-auth-oauth
- 7.0.245-SNAPSHOT
+ 7.0.255-SNAPSHOT
 ../../pom.xml
diff --git a/test-utils/org.wso2.carbon.identity.oauth.common.testng/pom.xml b/test-utils/org.wso2.carbon.identity.oauth.common.testng/pom.xml
index cb51fe010f5..3635fb7d8ce 100644
--- a/test-utils/org.wso2.carbon.identity.oauth.common.testng/pom.xml
+++ b/test-utils/org.wso2.carbon.identity.oauth.common.testng/pom.xml
@@ -23,7 +23,7 @@ org.wso2.carbon.identity.inbound.auth.oauth2 identity-inbound-auth-oauth ../../pom.xml
- 7.0.245-SNAPSHOT
+ 7.0.255-SNAPSHOT
 4.0.0