wso2-extensions · VivekVinushanth · Feb 1, 2024 · Feb 1, 2024
diff --git a/...on.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/JWTTokenIssuer.java b/...on.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/JWTTokenIssuer.java
@@ -534,9 +534,8 @@ protected JWTClaimsSet createJWTClaimSet(OAuthAuthzReqMessageContext authAuthzRe
         // Include token binding.
         jwtClaimsSet = handleTokenBinding(jwtClaimsSetBuilder, tokenReqMessageContext);
 
-        if (tokenReqMessageContext != null && tokenReqMessageContext.getProperty(CNF) != null) {
-            jwtClaimsSet = handleCnf(jwtClaimsSetBuilder, tokenReqMessageContext);
-        }
+        // Include cnf.
+        jwtClaimsSet = handleCnf(jwtClaimsSetBuilder, tokenReqMessageContext);
 
         return jwtClaimsSet;
     }
@@ -582,16 +581,22 @@ private String getAuthorizedUserType(OAuthAuthzReqMessageContext authAuthzReqMes
      * @return authenticated subject identifier.
      */
     private String getAuthenticatedSubjectIdentifier(OAuthAuthzReqMessageContext authAuthzReqMessageContext,
-     OAuthTokenReqMessageContext tokenReqMessageContext) throws IdentityOAuth2Exception {
+                                                     OAuthTokenReqMessageContext tokenReqMessageContext) throws IdentityOAuth2Exception {
 
         AuthenticatedUser authenticatedUser = getAuthenticatedUser(authAuthzReqMessageContext, tokenReqMessageContext);
         return authenticatedUser.getAuthenticatedSubjectIdentifier();
     }
 
-    private JWTClaimsSet handleCnf(JWTClaimsSet.Builder jwtClaimsSetBuilder,
-                                   OAuthTokenReqMessageContext tokReqMsgCtx) {
+    private JWTClaimsSet handleCnf(JWTClaimsSet.Builder jwtClaimsSetBuilder, OAuthTokenReqMessageContext tokReqMsgCtx) {
 
-        jwtClaimsSetBuilder.claim(CNF, tokReqMsgCtx.getProperty(CNF));
+        if (tokReqMsgCtx != null && tokReqMsgCtx.getProperty(CNF) != null) {
+            jwtClaimsSetBuilder.claim(CNF, tokReqMsgCtx.getProperty(CNF));
+        } else if (tokReqMsgCtx != null && tokReqMsgCtx.getOauth2AccessTokenReqDTO() != null) {
+            if (tokReqMsgCtx.getOauth2AccessTokenReqDTO().getParameters() != null
+                    && tokReqMsgCtx.getOauth2AccessTokenReqDTO().getParameters().containsKey(CNF)) {
+                jwtClaimsSetBuilder.claim(CNF, tokReqMsgCtx.getOauth2AccessTokenReqDTO().getParameters().get(CNF));
+            }
+        }
         return jwtClaimsSetBuilder.build();
     }
 
@@ -606,7 +611,6 @@ private String getSubjectClaim(String clientId, String spTenantDomain, Authentic
      *
      * @param authAuthzReqMessageContext
      * @param tokenReqMessageContext
-     *
      * @return AuthenticatedUser
      */
     private AuthenticatedUser getAuthenticatedUser(OAuthAuthzReqMessageContext authAuthzReqMessageContext,
@@ -838,6 +842,7 @@ private JWTClaimsSet handleTokenBinding(JWTClaimsSet.Builder jwtClaimsSetBuilder
 
     /**
      * Set tenant domain of user to the JWT token's realm claim if signed with user tenant.
+     *
      * @param tenantDomain
      * @param jwtClaimsSet
      * @return

diff --git a/...in/java/org/wso2/carbon/identity/oauth2/token/bindings/impl/ClientRequestTokenBinder.java b/...in/java/org/wso2/carbon/identity/oauth2/token/bindings/impl/ClientRequestTokenBinder.java
@@ -23,14 +23,13 @@
 import org.wso2.carbon.identity.oauth2.dto.OAuth2AccessTokenReqDTO;
 import org.wso2.carbon.identity.oauth2.model.RequestParameter;
 
-import java.util.List;
-import java.util.Optional;
-import java.util.Set;
+import java.util.*;
 import java.util.stream.Collectors;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import static org.wso2.carbon.identity.oauth.common.OAuthConstants.CNF;
 import static org.wso2.carbon.identity.oauth2.OAuth2Constants.TokenBinderType.CLIENT_REQUEST;
 
 
@@ -48,7 +47,16 @@ public Optional<String> getTokenBindingValue(OAuth2AccessTokenReqDTO oAuth2Acces
         for (RequestParameter parameter : parameters) {
             if (TOKEN_BINDING_ID.equals(parameter.getKey())
                     && StringUtils.isNotBlank(parameter.getValue()[0])) {
-                        return Optional.ofNullable(parameter.getValue()[0]);
+                // Adding the cnf parameter to the request parameters to ensure tokenBindingId
+                // will be added to the token.
+                if (oAuth2AccessTokenReqDTO.getParameters() == null) {
+                    Map<String, String> parametersMap = new HashMap<>();
+                    parametersMap.put(CNF, parameter.getValue()[0]);
+                    oAuth2AccessTokenReqDTO.setParameters(parametersMap);
+                } else {
+                    oAuth2AccessTokenReqDTO.getParameters().put(CNF, parameter.getValue()[0]);
+                }
+                return Optional.ofNullable(parameter.getValue()[0]);
             }
         }
         return Optional.empty();