Changes to getAMRValues method

.github/workflows/pr-builder.yml

@@ -34,7 +34,7 @@ jobs:
           distribution: "adopt"
       - name: Cache local Maven repository
         id: cache-maven-m2
-        uses: actions/cache@v2
+        uses: actions/cache@v3
         env:
           cache-name: cache-m2
         with:

components/org.wso2.carbon.identity.api.server.dcr/pom.xml

@@ -23,12 +23,12 @@
     <parent>
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
-        <version>7.0.245-SNAPSHOT</version>
+        <version>7.0.255-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
     <artifactId>org.wso2.carbon.identity.api.server.dcr</artifactId>
-    <version>7.0.245-SNAPSHOT</version>
+    <version>7.0.255-SNAPSHOT</version>
     <name>WSO2 Carbon -  User DCR Rest API</name>
     <description>WSO2 Carbon - User DCR Rest API</description>
 

components/org.wso2.carbon.identity.api.server.oauth.scope/pom.xml

@@ -23,12 +23,12 @@
     <parent>
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
-        <version>7.0.245-SNAPSHOT</version>
+        <version>7.0.255-SNAPSHOT</version>
         <relativePath>../..</relativePath>
     </parent>
 
     <artifactId>org.wso2.carbon.identity.api.server.oauth.scope</artifactId>
-    <version>7.0.245-SNAPSHOT</version>
+    <version>7.0.255-SNAPSHOT</version>
 
     <name>WSO2 Carbon - Identity OAuth 2.0 Scope Rest APIs</name>
     <description>Rest APIs for OAuth 2.0 Scope Handling</description>

components/org.wso2.carbon.identity.client.attestation.filter/pom.xml

@@ -22,7 +22,7 @@
     <parent>
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
-        <version>7.0.245-SNAPSHOT</version>
+        <version>7.0.255-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 

components/org.wso2.carbon.identity.discovery/pom.xml

@@ -21,7 +21,7 @@
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
         <relativePath>../../pom.xml</relativePath>
-        <version>7.0.245-SNAPSHOT</version>
+        <version>7.0.255-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>

components/org.wso2.carbon.identity.oauth.ciba/pom.xml

@@ -20,7 +20,7 @@
     <parent>
         <artifactId>identity-inbound-auth-oauth</artifactId>
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
-        <version>7.0.245-SNAPSHOT</version>
+        <version>7.0.255-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 

components/org.wso2.carbon.identity.oauth.client.authn.filter/pom.xml

@@ -22,7 +22,7 @@
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
         <relativePath>../../pom.xml</relativePath>
-        <version>7.0.245-SNAPSHOT</version>
+        <version>7.0.255-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>

components/org.wso2.carbon.identity.oauth.common/pom.xml

@@ -23,7 +23,7 @@
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
         <relativePath>../../pom.xml</relativePath>
-        <version>7.0.245-SNAPSHOT</version>
+        <version>7.0.255-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>

components/org.wso2.carbon.identity.oauth.dcr.endpoint/pom.xml

@@ -6,7 +6,7 @@
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
         <relativePath>../../pom.xml</relativePath>
-        <version>7.0.245-SNAPSHOT</version>
+        <version>7.0.255-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>

components/org.wso2.carbon.identity.oauth.dcr/pom.xml

@@ -22,7 +22,7 @@
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
         <relativePath>../../pom.xml</relativePath>
-        <version>7.0.245-SNAPSHOT</version>
+        <version>7.0.255-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>

components/org.wso2.carbon.identity.oauth.endpoint/pom.xml

@@ -22,7 +22,7 @@
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
         <relativePath>../../pom.xml</relativePath>
-        <version>7.0.245-SNAPSHOT</version>
+        <version>7.0.255-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>

components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/authz/OAuth2AuthzEndpoint.java

@@ -4206,6 +4206,21 @@ private void associateAuthenticationHistory(SessionDataCacheEntry resultFromLogi
      */
     private List<String> getAMRValues(List<String> authMethods, Map<String, AuthenticatedIdPData> authenticatedIdPs) {
 
+        boolean authenticatorAMREnabled = true;
+        if (authenticatorAMREnabled) {
+            List<String> resultantAuthMethods = new ArrayList<>();
+            for (Map.Entry<String, AuthenticatedIdPData> entry : authenticatedIdPs.entrySet()) {
+                if (entry.getValue() != null && entry.getValue().getAuthenticators() != null) {
+                    for (AuthenticatorConfig authenticatorConfig : entry.getValue().getAuthenticators()) {
+                        if (authenticatorConfig != null && authenticatorConfig.getAmrValue() != null) {
+                            resultantAuthMethods.addAll(Arrays.asList(authenticatorConfig.getAmrValue()));
+                        }
+                    }
+                }
+            }
+            return resultantAuthMethods;
+        }
+
         boolean readAMRValueFromIdp = Boolean.parseBoolean(IdentityUtil.getProperty(
                 OAuthConstants.READ_AMR_VALUE_FROM_IDP));
         if (readAMRValueFromIdp) {

components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/util/ClaimUtil.java

@@ -18,13 +18,16 @@
 
 package org.wso2.carbon.identity.oauth.endpoint.util;
 
+import org.apache.commons.collections.CollectionUtils;
 import org.apache.commons.lang.ArrayUtils;
 import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.oltu.oauth2.common.error.OAuthError;
 import org.wso2.carbon.identity.application.authentication.framework.exception.FrameworkException;
+import org.wso2.carbon.identity.application.authentication.framework.handler.approles.exception.ApplicationRolesException;
 import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
+import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants;
 import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils;
 import org.wso2.carbon.identity.application.common.model.ClaimMapping;
 import org.wso2.carbon.identity.application.common.model.ServiceProvider;
@@ -50,6 +53,8 @@
 import org.wso2.carbon.identity.oauth2.util.AuthzUtil;
 import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
 import org.wso2.carbon.identity.openidconnect.OIDCClaimUtil;
+import org.wso2.carbon.identity.organization.management.service.exception.OrganizationManagementException;
+import org.wso2.carbon.identity.organization.management.service.util.OrganizationManagementUtil;
 import org.wso2.carbon.user.api.RealmConfiguration;
 import org.wso2.carbon.user.api.UserStoreException;
 import org.wso2.carbon.user.core.UserRealm;
@@ -190,13 +195,15 @@ public static Map<String, Object> getClaimsFromUserStore(OAuth2TokenValidationRe
                         realm = getUserRealm(null, userAccessingTenantDomain);
                         try {
                             FrameworkUtils.startTenantFlow(userAccessingTenantDomain);
-                            userClaims = getUserClaimsFromUserStore(sharedUserId, realm, claimURIList);
+                            userClaims = getUserClaimsFromUserStoreWithResolvedRoles(authenticatedUser, serviceProvider,
+                                    sharedUserId, realm, claimURIList);
                         } finally {
                             FrameworkUtils.endTenantFlow();
                         }
                     } else {
                         realm = getUserRealm(null, userTenantDomain);
-                        userClaims = getUserClaimsFromUserStore(userId, realm, claimURIList);
+                        userClaims = getUserClaimsFromUserStoreWithResolvedRoles(authenticatedUser, serviceProvider,
+                                userId, realm, claimURIList);
                     }
 
                     if (isNotEmpty(userClaims)) {
@@ -335,6 +342,42 @@ private static Map<String, String> getUserClaimsFromUserStore(String userId,
         return userClaims;
     }
 
+    private static Map<String, String> getUserClaimsFromUserStoreWithResolvedRoles(AuthenticatedUser authenticatedUser,
+                                                                                   ServiceProvider serviceProvider,
+                                                                                   String resolvedUserId,
+                                                                                   UserRealm realm,
+                                                                                   List<String> claimURIList)
+            throws UserStoreException {
+
+        Map<String, String> userClaims = getUserClaimsFromUserStore(resolvedUserId, realm, claimURIList);
+        try {
+            // Check whether the roles claim is requested.
+            boolean isRoleClaimRequested = CollectionUtils.isNotEmpty(claimURIList) &&
+                    claimURIList.contains(FrameworkConstants.ROLES_CLAIM);
+            String appTenantDomain = serviceProvider.getTenantDomain();
+            // Check whether the application is a shared app or an application created in sub org.
+            boolean isSubOrgApp = OrganizationManagementUtil.isOrganization(appTenantDomain);
+            // Resolving roles claim for sub org apps and shared apps since backward compatibility is not needed.
+            if (isRoleClaimRequested && isSubOrgApp) {
+                String[] appAssociatedRoles = OIDCClaimUtil.getAppAssociatedRolesOfUser(authenticatedUser,
+                        serviceProvider.getApplicationResourceId());
+                if (appAssociatedRoles != null && appAssociatedRoles.length > 0) {
+                    // If application associated roles are returned, set the roles claim using resolved roles.
+                    userClaims.put(FrameworkConstants.ROLES_CLAIM,
+                            String.join(FrameworkUtils.getMultiAttributeSeparator(), appAssociatedRoles));
+                } else {
+                    // If no roles are returned, remove the roles claim from user claims.
+                    userClaims.remove(FrameworkConstants.ROLES_CLAIM);
+                }
+            }
+        } catch (ApplicationRolesException e) {
+            throw new UserStoreException("Error while retrieving application associated roles for user.", e);
+        } catch (OrganizationManagementException e) {
+            throw new UserStoreException("Error while checking whether application tenant domain is an organization.");
+        }
+        return userClaims;
+    }
+
     private static UserRealm getUserRealm(String username,
                                           String userTenantDomain) throws IdentityException, UserInfoEndpointException {