

Fix sending user information through userinfo endpoint when using a t…
…oken issued from a sub organization application
ShanChathusanda93 committed Feb 3, 2025
1 parent 4e516a5 commit 054a2e3
Showing 4 changed files with 51 additions and 6 deletions.
Expand Up @@ -18,8 +18,10 @@
package org.wso2.carbon.identity.oauth.endpoint.user.impl;

import org.apache.commons.lang.ArrayUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.oltu.oauth2.common.error.OAuthError;
import org.wso2.carbon.identity.oauth.common.exception.InvalidOAuthClientException;
import org.wso2.carbon.identity.oauth.dao.OAuthAppDO;
import org.wso2.carbon.identity.oauth.endpoint.util.factory.OAuth2TokenValidatorServiceFactory;
import org.wso2.carbon.identity.oauth.user.UserInfoAccessTokenValidator;
import org.wso2.carbon.identity.oauth.user.UserInfoEndpointException;
Expand Down Expand Up @@ -96,9 +98,16 @@ public OAuth2TokenValidationResponseDTO validateToken(String accessTokenIdentifi
}

try {
if (accessTokenDO != null && request != null &&
OAuth2Util.getAppInformationByClientId(accessTokenDO.getConsumerKey()).
isTokenBindingValidationEnabled() && !isValidTokenBinding(response.getTokenBinding(), request)) {
OAuthAppDO appDO;
String appResidentTenantDomain = OAuth2Util.getAppResidentTenantDomain();
if (StringUtils.isNotEmpty(appResidentTenantDomain)) {
appDO = OAuth2Util.getAppInformationByClientId(accessTokenDO.getConsumerKey(),
appResidentTenantDomain);
} else {
appDO = OAuth2Util.getAppInformationByClientId(accessTokenDO.getConsumerKey());
}
if (accessTokenDO != null && request != null && appDO.isTokenBindingValidationEnabled() &&
!isValidTokenBinding(response.getTokenBinding(), request)) {
throw new UserInfoEndpointException(OAuthError.ResourceResponse.INVALID_REQUEST,
"Valid token binding value not present in the request.");
}
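Review bot: The null guard on `accessTokenDO` now comes too late: the new lookup on lines 37 and 40 dereferences `accessTokenDO.getConsumerKey()` before the `accessTokenDO != null` test on line 42, whereas the replaced condition short-circuited before touching it, so a caller that used to skip the binding check with a null token DO now gets a NullPointerException. The surrounding try begins on line 30 but its catch clause lies outside the hunk, so whether that NPE is translated into a proper error response cannot be confirmed here. Restoring the old ordering takes three lines: put `if (accessTokenDO != null && request != null) {` before the `OAuthAppDO appDO;` declaration, reduce the inner test to `if (appDO.isTokenBindingValidationEnabled() && !isValidTokenBinding(response.getTokenBinding(), request)) {`, and close the new brace after the throw. A secondary concern, hedged because the lookup semantics are not visible: the binding-validation policy is now read from whichever application the request-path organization resolves to rather than the application recorded against the token, so it is worth confirming that a consumer key cannot resolve to a laxer application under a caller-chosen organization path. The enclosing `validateToken` method starts before this hunk.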
Expand Up @@ -136,8 +136,14 @@ public static Map<String, Object> getClaimsFromUserStore(OAuth2TokenValidationRe

Map<String, String> spToLocalClaimMappings;
String clientId = getClientID(accessTokenDO);
OAuthAppDO oAuthAppDO = OAuth2Util.getAppInformationByClientId(clientId);
String spTenantDomain = OAuth2Util.getTenantDomainOfOauthApp(oAuthAppDO);
String spTenantDomain;
String appResidentTenantDomain = OAuth2Util.getAppResidentTenantDomain();
if (StringUtils.isNotEmpty(appResidentTenantDomain)) {
spTenantDomain = appResidentTenantDomain;
} else {
OAuthAppDO oAuthAppDO = OAuth2Util.getAppInformationByClientId(clientId);
spTenantDomain = OAuth2Util.getTenantDomainOfOauthApp(oAuthAppDO);
}

ServiceProvider serviceProvider = OAuth2Util.getServiceProvider(clientId, spTenantDomain);
ClaimMapping[] requestedLocalClaimMappings = serviceProvider.getClaimConfig().getClaimMappings();
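Review bot: The organization branch on lines 57–58 adopts the request-path tenant as `spTenantDomain` without resolving the client there, while the fallback branch still goes through `OAuth2Util.getAppInformationByClientId(clientId)`, which is what rejects an unknown or foreign client before the service provider is looked up. The other two files in this commit do call `getAppInformationByClientId(clientId, appResidentTenantDomain)` in their organization branch, so this copy is the odd one out, and whether `getServiceProvider(clientId, spTenantDomain)` fails for a client that is not registered in that tenant is not visible here. Keeping the validating lookup in the branch closes the gap: `OAuth2Util.getAppInformationByClientId(clientId, appResidentTenantDomain); // fail early if the client is not registered in the resident organization` followed by the existing `spTenantDomain = appResidentTenantDomain;`. If `getTenantDomainOfOauthApp` already yields the sub-organization tenant for such an application, the two branches could collapse into one lookup plus one tenant derivation. The enclosing `getClaimsFromUserStore` method starts before this hunk and continues after it.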
Expand Up @@ -5718,4 +5718,28 @@ private static String getTenantDomain() throws InvalidOAuthClientException {
}
return tenantDomain;
}

/**
* Resolve the tenant domain from the application resident organization id which will be set when the resource
* is accessing from the tenanted endpoint.
*
* @return Application resident tenant domain.
* @throws IdentityOAuth2Exception When an error occurred while resolving the tenant domain.
*/
public static String getAppResidentTenantDomain() throws IdentityOAuth2Exception {

String appResidentTenantDomain = null;
String appResidentOrgId = PrivilegedCarbonContext.getThreadLocalCarbonContext().
getApplicationResidentOrganizationId();
if (StringUtils.isNotEmpty(appResidentOrgId)) {
try {
appResidentTenantDomain = OAuth2ServiceComponentHolder.getInstance().getOrganizationManager().
resolveTenantDomain(appResidentOrgId);
} catch (OrganizationManagementException e) {
throw new IdentityOAuth2Exception("Error occurred while resolving the tenant domain for the " +
"organization id.", e);
}
}
return appResidentTenantDomain;
}
}
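Review bot: The Javadoc and the error path of `getAppResidentTenantDomain` omit the two facts a caller needs: the method returns `null` rather than an empty string when the thread-local carbon context carries no organization id (lines 82–85 and 94), and the exception on lines 90–91 does not say which organization id failed to resolve. The return tag should read `@return Tenant domain of the application resident organization, or {@code null} when the current thread context carries no organization id.` and the message should carry the identifier: `"Error occurred while resolving the tenant domain for the organization id: " + appResidentOrgId`. Because the organization id comes from request-scoped thread-local state and the resolved tenant then decides which OAuth application the callers in this commit load, a one-line note that the value originates from the tenanted endpoint path and is not cross-checked against the token itself would help the next reader. The summary sentence should also read "when the resource is accessed through the tenanted endpoint".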
Expand Up @@ -17,6 +17,7 @@
package org.wso2.carbon.identity.openidconnect;

import org.apache.commons.collections.MapUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.oltu.oauth2.common.exception.OAuthSystemException;
Expand Down Expand Up @@ -336,7 +337,12 @@ private String getServiceProviderTenantDomain(OAuth2TokenValidationResponseDTO t
if (optionalAccessTokenDO.isPresent()) {
AccessTokenDO accessTokenDO = optionalAccessTokenDO.get();
clientId = accessTokenDO.getConsumerKey();
oAuthAppDO = OAuth2Util.getAppInformationByClientId(clientId);
String appResidentTenantDomain = OAuth2Util.getAppResidentTenantDomain();
if (StringUtils.isNotEmpty(appResidentTenantDomain)) {
oAuthAppDO = OAuth2Util.getAppInformationByClientId(clientId, appResidentTenantDomain);
} else {
oAuthAppDO = OAuth2Util.getAppInformationByClientId(clientId);
}
} else {
throw new IllegalArgumentException(OAuth2Util.ACCESS_TOKEN_IS_NOT_ACTIVE_ERROR_MESSAGE);
}
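Review bot: The tenant-resolution branch on lines 111–116 is the third hand-written copy of the same pattern in this commit (the userinfo validator and ClaimUtil carry the other two), and the ClaimUtil copy already diverges by skipping the application lookup, so the repetition is a drift risk rather than a style nit. A single helper in OAuth2Util that consults `getAppResidentTenantDomain()` itself, say `getAppInformationForResidentOrg(String clientId)`, would reduce this branch and its siblings to `oAuthAppDO = OAuth2Util.getAppInformationForResidentOrg(clientId);` and keep the validate-then-load behaviour in one place. Note also that `getAppResidentTenantDomain()` is declared to throw IdentityOAuth2Exception; the `getServiceProviderTenantDomain` signature starts before this hunk, so whether that type is already declared or handled there cannot be confirmed here. The enclosing method continues after the hunk.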
