Treat APPLICATION type token requests with organization_switch grant same as CC grant at the scope validator level

components/org.wso2.carbon.identity.oauth.common/src/main/java/org/wso2/carbon/identity/oauth/common/OAuthConstants.java

@@ -274,6 +274,7 @@ public static class GrantTypes {
         public static final String JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer";
         public static final String REFRESH_TOKEN = "refresh_token";
         public static final String DEVICE_CODE = "device_code";
+        public static final String ORGANIZATION_SWITCH = "organization_switch";
 
         private GrantTypes() {
 

components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/DefaultOAuth2ScopeValidator.java

@@ -128,6 +128,13 @@ public List<String> validateScope(OAuthTokenReqMessageContext tokenReqMessageCon
             appId = SharedAppResolveDAO.resolveSharedApplication(appResideOrgId, appId, orgId);
         }
         String grantType = tokenReqMessageContext.getOauth2AccessTokenReqDTO().getGrantType();
+        /* The APPLICATION type token requests with the organization_switch grant custom grant type will be handled same
+        as client_credentials grant type when scope validation. */
+        if (OAuthConstants.GrantTypes.ORGANIZATION_SWITCH.equals(grantType) &&
+                OAuthConstants.UserType.APPLICATION.equals(
+                        tokenReqMessageContext.getProperty(OAuthConstants.UserType.USER_TYPE))) {
+            grantType = OAuthConstants.GrantTypes.CLIENT_CREDENTIALS;
+        }
         List<String> authorizedScopes = getAuthorizedScopes(requestedScopes, tokenReqMessageContext
                         .getAuthorizedUser(), appId, grantType, tenantDomain);
         removeRegisteredScopes(tokenReqMessageContext);