components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/config/OAuthServerConfiguration.java

@@ -233,7 +233,7 @@ public class OAuthServerConfiguration {
     private List<String> supportedIdTokenEncryptionMethods = new ArrayList<>();
     private String userInfoJWTSignatureAlgorithm = "SHA256withRSA";
     private boolean userInfoMultiValueSupportEnabled = true;
-    private boolean userInfoInternalPrefixedRolesClaimEnabled = false;
+    private boolean userInfoInternalPrefixedRolesClaimEnabled = true;
 
     private String authContextTTL = "15L";
     // property added to fix IDENTITY-4551 in backward compatible manner

components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/openidconnect/AbstractUserInfoResponseBuilder.java

@@ -25,10 +25,12 @@
 import org.wso2.carbon.identity.application.common.model.ServiceProvider;
 import org.wso2.carbon.identity.application.common.util.IdentityApplicationConstants;
 import org.wso2.carbon.identity.application.mgt.ApplicationManagementService;
+import org.wso2.carbon.identity.core.util.IdentityUtil;
 import org.wso2.carbon.identity.oauth.cache.AuthorizationGrantCache;
 import org.wso2.carbon.identity.oauth.cache.AuthorizationGrantCacheEntry;
 import org.wso2.carbon.identity.oauth.cache.AuthorizationGrantCacheKey;
 import org.wso2.carbon.identity.oauth.common.exception.InvalidOAuthClientException;
+import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration;
 import org.wso2.carbon.identity.oauth.dao.OAuthAppDO;
 import org.wso2.carbon.identity.oauth.user.UserInfoEndpointException;
 import org.wso2.carbon.identity.oauth.user.UserInfoResponseBuilder;
@@ -40,6 +42,8 @@
 import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
 import org.wso2.carbon.identity.openidconnect.internal.OpenIDConnectServiceComponentHolder;
 import org.wso2.carbon.identity.openidconnect.model.RequestedClaim;
+import org.wso2.carbon.user.core.UserCoreConstants;
+import org.wso2.carbon.user.core.util.UserCoreUtil;
 
 import java.util.ArrayList;
 import java.util.HashMap;
@@ -50,6 +54,7 @@
 import static org.apache.commons.collections.CollectionUtils.isNotEmpty;
 import static org.apache.commons.lang.StringUtils.isNotEmpty;
 import static org.wso2.carbon.identity.oauth.common.OAuthConstants.OAuth20Params.USERINFO;
+import static org.wso2.carbon.identity.oauth.common.OAuthConstants.OIDCClaims.ROLES;
 
 /**
  * Abstract user info response builder.
@@ -76,6 +81,9 @@ public String getResponseString(OAuth2TokenValidationResponseDTO tokenResponse)
         Map<String, Object> userClaims = retrieveUserClaims(tokenResponse);
         Map<String, Object> filteredUserClaims = filterOIDCClaims(tokenResponse, clientId, spTenantDomain, userClaims);
 
+        // Handle roles claim.
+        handleRolesClaim(filteredUserClaims);
+
         // Handle subject claim.
         String subjectClaim = getSubjectClaim(userClaims, clientId, spTenantDomain, tokenResponse);
         subjectClaim = getOIDCSubjectClaim(clientId, spTenantDomain, subjectClaim);
@@ -84,6 +92,22 @@ public String getResponseString(OAuth2TokenValidationResponseDTO tokenResponse)
         return buildResponse(tokenResponse, spTenantDomain, filteredUserClaims);
     }
 
+    private void handleRolesClaim(Map<String, Object> filteredUserClaims) {
+
+        // This check is added for the backward compatibility of userinfo response.
+        if (OAuthServerConfiguration.getInstance().getUserInfoInternalPrefixedRolesClaimEnabled()) {
+            return;
+        }
+        String[] roles = (String[]) filteredUserClaims.get(ROLES);
+        for (int i = 0; i < roles.length; i++) {
+            String role = roles[i];
+            if (UserCoreConstants.INTERNAL_DOMAIN.equalsIgnoreCase(IdentityUtil.extractDomainFromName(role))) {
+                String domainRemovedRole = UserCoreUtil.removeDomainFromName(role);
+                roles[i] = domainRemovedRole;
+            }
+        }
+    }
+
     private String getOIDCSubjectClaim(String clientId, String spTenantDomain, String subjectClaim)
             throws UserInfoEndpointException {
 

components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/openidconnect/OpenIDConnectClaimFilterImpl.java

@@ -1,19 +1,17 @@
 /*
- * Copyright (c) 2017-2025, WSO2 LLC. (http://www.wso2.com).
+ * Copyright (c) 2017, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
  *
- * WSO2 LLC. licenses this file to you under the Apache License,
- * Version 2.0 (the "License"); you may not use this file except
- * in compliance with the License.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  * http://www.apache.org/licenses/LICENSE-2.0
  *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  */
 
 package org.wso2.carbon.identity.openidconnect;
@@ -37,7 +35,6 @@
 import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
 import org.wso2.carbon.identity.core.util.IdentityUtil;
 import org.wso2.carbon.identity.oauth.common.OAuthConstants;
-import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration;
 import org.wso2.carbon.identity.oauth.dto.ScopeDTO;
 import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
 import org.wso2.carbon.identity.oauth2.dao.OAuthTokenPersistenceFactory;
@@ -491,34 +488,18 @@ private void handleEmailVerifiedClaim(Map<String, Object> returnClaims) {
 
     private void handleRolesClaim(Map<String, Object> returnClaims) {
 
-        if (!returnClaims.containsKey(ROLES) || !IdentityUtil.isGroupsVsRolesSeparationImprovementsEnabled()) {
-            return;
-        }
-        if (returnClaims.get(ROLES) instanceof String) {
+        if (returnClaims.containsKey(ROLES) && IdentityUtil.isGroupsVsRolesSeparationImprovementsEnabled()
+                && returnClaims.get(ROLES) instanceof String) {
             String multiAttributeSeparator = FrameworkUtils.getMultiAttributeSeparator();
             List<String> roles = Arrays.asList(returnClaims.get(ROLES).toString().split(multiAttributeSeparator));
 
             for (String role : roles) {
                 if (UserCoreConstants.INTERNAL_DOMAIN.equalsIgnoreCase(IdentityUtil.extractDomainFromName(role))) {
-                    String domainRemovedRole = UserCoreUtil.removeDomainFromName(role);
-                    roles.set(roles.indexOf(role), domainRemovedRole);
+                   String domainRemovedRole = UserCoreUtil.removeDomainFromName(role);
+                   roles.set(roles.indexOf(role), domainRemovedRole);
                 }
             }
             returnClaims.put(ROLES, StringUtils.join(roles, multiAttributeSeparator));
-        } else if (returnClaims.get(ROLES) instanceof String[]) {
-            // This check is added for the backward compatibility of userinfo response.
-            if (OAuthServerConfiguration.getInstance().getUserInfoInternalPrefixedRolesClaimEnabled()) {
-                return;
-            }
-            String[] roles = (String[]) returnClaims.get(ROLES);
-            for (int i = 0; i < roles.length; i++) {
-                String role = roles[i];
-                if (UserCoreConstants.INTERNAL_DOMAIN.equalsIgnoreCase(IdentityUtil.extractDomainFromName(role))) {
-                    String domainRemovedRole = UserCoreUtil.removeDomainFromName(role);
-                    roles[i] = domainRemovedRole;
-                }
-            }
-            returnClaims.put(ROLES, roles);
         }
     }