Improve cleaning issued tokens of an organization user when user is d…

…eleting

components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/OAuthUtil.java

@@ -757,8 +757,11 @@ private static AuthenticatedUser buildAuthenticatedUser(UserStoreManager userSto
                 return authenticatedUser;
             }
 
-            // Organization SSO user flow
-            authenticatedUser.setUserName(userId);
+            /*
+             Organization SSO user flow. This user id will be used to get the consumer keys which are associated
+             with the user from access tokens.
+            */
+            authenticatedUser.setUserId(userId);
             setOrganizationSSOUserDetails(authenticatedUser);
             authenticatedUser.setUserResidentOrganization(accessingOrg);
             authenticatedUser.setAccessingOrganization(accessingOrg);
@@ -875,7 +878,21 @@ private static boolean processTokenRevocation(Set<String> clientIds, Authenticat
                     // retrieve all ACTIVE or EXPIRED access tokens for particular client authorized by this user
                     accessTokenDOs = OAuthTokenPersistenceFactory.getInstance().getAccessTokenDAO()
                             .getAccessTokens(clientId, authenticatedUser, userStoreDomain, true);
-                } catch (IdentityOAuth2Exception e) {
+                    /*
+                     If the authenticated user's resident organization is an organization, then we need to check
+                     for the access tokens issued directly for the organization as well.
+                    */
+                    if (OrganizationManagementUtil.isOrganization(authenticatedUser.getUserResidentOrganization())) {
+                        AuthenticatedUser orgUser = authenticatedUser;
+                        orgUser.setFederatedUser(false);
+                        orgUser.setUserStoreDomain("PRIMARY");
+                        String userTenantDomain = OAuthComponentServiceHolder.getInstance().getOrganizationManager()
+                                .resolveTenantDomain(authenticatedUser.getUserResidentOrganization());
+                        orgUser.setTenantDomain(userTenantDomain);
+                        accessTokenDOs = OAuthTokenPersistenceFactory.getInstance().getAccessTokenDAO()
+                                .getAccessTokens(clientId, orgUser, "PRIMARY", true);
+                    }
+                } catch (IdentityOAuth2Exception | OrganizationManagementException e) {
                     String errorMsg = "Error occurred while retrieving access tokens issued for " +
                             "Client ID : " + clientId + ", User ID : " + authenticatedUser;
                     LOG.error(errorMsg, e);

components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/dao/TokenManagementDAOImpl.java

@@ -41,6 +41,7 @@
 import org.wso2.carbon.identity.oauth2.model.RefreshTokenValidationDataDO;
 import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
 import org.wso2.carbon.identity.organization.management.service.exception.OrganizationManagementException;
+import org.wso2.carbon.identity.organization.management.service.util.OrganizationManagementUtil;
 
 import java.sql.Connection;
 import java.sql.PreparedStatement;
@@ -879,20 +880,21 @@ public Set<String> getAllTimeAuthorizedClientIds(AuthenticatedUser authzUser) th
         }
 
         PreparedStatement ps = null;
+        PreparedStatement psForPrimary = null;
         Connection connection = IdentityDatabaseUtil.getDBConnection();
         ResultSet rs = null;
+        ResultSet rsForPrimary = null;
         Set<String> distinctConsumerKeys = new HashSet<>();
         boolean isUsernameCaseSensitive = IdentityUtil.isUserStoreInUsernameCaseSensitive(authzUser.toString());
         String tenantDomain = getUserResidentTenantDomain(authzUser);
         String tenantAwareUsernameWithNoUserDomain = authzUser.getUserName();
         String userDomain = OAuth2Util.getSanitizedUserStoreDomain(authzUser.getUserStoreDomain());
         if (log.isDebugEnabled()) {
-            log.debug("Obtain the User's(" + tenantAwareUsernameWithNoUserDomain + ") tenant domain: " + tenantDomain
-                    + "/" + OAuth2Util.getTenantId(tenantDomain) + "and user-domain: " + userDomain);
+            log.debug("Obtain the User's(" + tenantAwareUsernameWithNoUserDomain + ") tenant domain: " +
+                    tenantDomain + "/" + OAuth2Util.getTenantId(tenantDomain) + "and user-domain: " + userDomain);
         }
+        int tenantId = OAuth2Util.getTenantId(tenantDomain);
         try {
-            int tenantId = OAuth2Util.getTenantId(tenantDomain);
-
             String sqlQuery = OAuth2Util.getTokenPartitionedSqlByUserStore(SQLQueries.
                     GET_DISTINCT_APPS_AUTHORIZED_BY_USER_ALL_TIME, authzUser.getUserStoreDomain());
 
@@ -919,6 +921,58 @@ public Set<String> getAllTimeAuthorizedClientIds(AuthenticatedUser authzUser) th
         } finally {
             IdentityDatabaseUtil.closeAllConnections(connection, rs, ps);
         }
+        /*
+         If the tenant domain is an organization, then we need to extract the tokens in both PRIMARY and FEDERATED
+         user domains. For FEDERATED user domain, we can use the authenticated user's user id and for the PRIMARY
+         user domain, we can use the authenticated user's username.
+        */
+        boolean isOrganization = false;
+        try {
+            isOrganization = OrganizationManagementUtil.isOrganization(tenantDomain);
+        } catch (OrganizationManagementException e) {
+            throw new IdentityOAuth2Exception("Error occurred while checking whether the tenant domain is an " +
+                    "organization or not.", e);
+        }
+
+        Connection connectionForPrimary = IdentityDatabaseUtil.getDBConnection(false);
+        if (isOrganization) {
+            try {
+                // Getting the PRIMARY user domain related consumer keys.
+                tenantAwareUsernameWithNoUserDomain = authzUser.getUserName();
+                if (log.isDebugEnabled()) {
+                    log.debug("Obtain the User's(" + tenantAwareUsernameWithNoUserDomain + ") tenant domain: " +
+                            tenantDomain + "/" + OAuth2Util.getTenantId(tenantDomain) + "and user-domain: " +
+                            userDomain);
+                }
+
+                String sqlQueryForPrimary = OAuth2Util.getTokenPartitionedSqlByUserStore(SQLQueries.
+                        GET_DISTINCT_APPS_AUTHORIZED_BY_USER_ALL_TIME, "PRIMARY");
+
+                if (!isUsernameCaseSensitive) {
+                    sqlQueryForPrimary = sqlQueryForPrimary.replace(AUTHZ_USER, LOWER_AUTHZ_USER);
+                }
+
+                psForPrimary = connectionForPrimary.prepareStatement(sqlQueryForPrimary);
+                if (isUsernameCaseSensitive) {
+                    psForPrimary.setString(1, tenantAwareUsernameWithNoUserDomain);
+                } else {
+                    psForPrimary.setString(1, tenantAwareUsernameWithNoUserDomain.toLowerCase());
+                }
+                psForPrimary.setInt(2, tenantId);
+                psForPrimary.setString(3, "PRIMARY");
+                rsForPrimary = psForPrimary.executeQuery();
+                while (rsForPrimary.next()) {
+                    String consumerKey = getPersistenceProcessor().getPreprocessedClientId(rsForPrimary.getString(1));
+                    distinctConsumerKeys.add(consumerKey);
+                }
+            } catch (SQLException e) {
+                throw new IdentityOAuth2Exception(
+                        "Error occurred while retrieving all distinct Client IDs authorized by " +
+                                "User ID : " + authzUser + " until now", e);
+            } finally {
+                IdentityDatabaseUtil.closeAllConnections(connectionForPrimary, rsForPrimary, psForPrimary);
+            }
+        }
         if (log.isDebugEnabled()) {
             StringBuilder consumerKeys = new StringBuilder();
             for (String consumerKey : distinctConsumerKeys) {