From afe06d5d725f8b43cb6911cc14b722fe221a55c5 Mon Sep 17 00:00:00 2001
From: dhaura
Date: Mon, 21 Oct 2024 14:46:24 +0530
Subject: [PATCH 1/3] Implement resolving shared user claims for ID/ JWT access tokens.
---
 .../identity/openidconnect/OIDCClaimUtil.java | 24 ++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)
diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/openidconnect/OIDCClaimUtil.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/openidconnect/OIDCClaimUtil.java
index 5cee4478ea..1de2886714 100644
--- a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/openidconnect/OIDCClaimUtil.java
+++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/openidconnect/OIDCClaimUtil.java
@@ -484,7 +484,29 @@ public static Map getUserClaimsInOIDCDialect(ServiceProvider ser
 claimURIList.remove(APP_ROLES_CLAIM);
 appRoleClaimRequested = true;
 }
- Map userClaims = getUserClaimsInLocalDialect(fullQualifiedUsername, realm, claimURIList);
+
+ Map userClaims;
+ if (isSharedUserAccessingSharedOrg(authenticatedUser) &&
+ StringUtils.isNotEmpty(authenticatedUser.getSharedUserId())) {
+ String userAccessingTenantDomain = OAuthComponentServiceHolder.getInstance().getOrganizationManager()
+ .resolveTenantDomain(authenticatedUser.getAccessingOrganization());
+ AbstractUserStoreManager userStoreManager =
+ (AbstractUserStoreManager) OAuthComponentServiceHolder.getInstance().getRealmService()
+ .getTenantUserRealm(IdentityTenantUtil.getTenantId(userAccessingTenantDomain))
+ .getUserStoreManager();
+ String fullQualifiedSharedUsername = userStoreManager.getUser(authenticatedUser.getSharedUserId(), null)
+ .getFullQualifiedUsername();
+ realm = IdentityTenantUtil.getRealm(userAccessingTenantDomain, fullQualifiedSharedUsername);
+
+ try {
+ FrameworkUtils.startTenantFlow(userAccessingTenantDomain);
+ userClaims = getUserClaimsInLocalDialect(fullQualifiedUsername, realm, claimURIList);
+ } finally {
+ FrameworkUtils.endTenantFlow();
+ }
+ } else {
+ userClaims = getUserClaimsInLocalDialect(fullQualifiedUsername, realm, claimURIList);
+ }
 if (roleClaimRequested || appRoleClaimRequested) {
 String[] appAssocatedRolesOfUser = getAppAssociatedRolesOfUser(authenticatedUser,
From 966f7d072f64feea8db88ee7c38241af43f32532 Mon Sep 17 00:00:00 2001
From: dhaura
Date: Mon, 21 Oct 2024 14:57:36 +0530
Subject: [PATCH 2/3] Implement resolving shared user claims for OAuth2 userinfo endpoint.
---
 .../oauth/endpoint/util/ClaimUtil.java | 34 +++++++++++++++++--
 .../identity/openidconnect/OIDCClaimUtil.java | 7 +++-
 pom.xml | 2 +-
 3 files changed, 39 insertions(+), 4 deletions(-)
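Review bot: Inside the new shared-user branch of getUserClaimsInOIDCDialect the lookup still passes `fullQualifiedUsername`, the resident-org user, to getUserClaimsInLocalDialect, even though `fullQualifiedSharedUsername` was just resolved from the accessing tenant's user store and `realm` now points at that tenant; the claims are therefore read for a name that belongs to a different realm, and a same-named account in the shared tenant would have its claims returned instead. The line in the try block should be `userClaims = getUserClaimsInLocalDialect(fullQualifiedSharedUsername, realm, claimURIList);`, which also mirrors the userinfo path in ClaimUtil that looks up `sharedUserId`. `userStoreManager.getUser(...)` presumably returns null when the shared id no longer resolves, so a null check with an explicit exception would be preferable to the NPE on `.getFullQualifiedUsername()`. Reassigning the method-scoped `realm` also changes what any later code in the method sees, if `realm` is used again below the hunk — worth confirming. The enclosing method starts and ends outside the hunk.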
diff --git a/components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/util/ClaimUtil.java b/components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/util/ClaimUtil.java
index 2d5f52d215..f7138d8181 100644
--- a/components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/util/ClaimUtil.java
+++ b/components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/util/ClaimUtil.java
@@ -23,6 +23,7 @@
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.oltu.oauth2.common.error.OAuthError;
+import org.wso2.carbon.CarbonConstants;
 import org.wso2.carbon.identity.application.authentication.framework.exception.FrameworkException;
 import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
 import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils;
@@ -47,6 +48,7 @@
 import org.wso2.carbon.identity.oauth2.dto.OAuth2TokenValidationResponseDTO;
 import org.wso2.carbon.identity.oauth2.internal.OAuth2ServiceComponentHolder;
 import org.wso2.carbon.identity.oauth2.model.AccessTokenDO;
+import org.wso2.carbon.identity.oauth2.util.AuthzUtil;
 import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
 import org.wso2.carbon.identity.openidconnect.OIDCClaimUtil;
 import org.wso2.carbon.user.api.RealmConfiguration;
@@ -165,8 +167,36 @@ public static Map getClaimsFromUserStore(OAuth2TokenValidationRe
 spToLocalClaimMappings = ClaimMetadataHandler.getInstance().getMappingsMapFromOtherDialectToCarbon
 (SP_DIALECT, null, userTenantDomain, true);
- realm = getUserRealm(null, userTenantDomain);
- Map userClaims = getUserClaimsFromUserStore(userId, realm, claimURIList);
+ Map userClaims;
+
+ AuthenticatedUser authenticatedUser = accessTokenDO.getAuthzUser();
+ if (!StringUtils.equals(authenticatedUser.getUserResidentOrganization(),
+ authenticatedUser.getAccessingOrganization()) &&
+ !CarbonConstants.ENABLE_LEGACY_AUTHZ_RUNTIME &&
+ StringUtils.isNotEmpty(AuthzUtil.getUserIdOfAssociatedUser(authenticatedUser))) {
+ authenticatedUser.setSharedUserId(AuthzUtil.getUserIdOfAssociatedUser(authenticatedUser));
+ authenticatedUser.setUserSharedOrganizationId(authenticatedUser
+ .getAccessingOrganization());
+ }
+ if (OIDCClaimUtil.isSharedUserAccessingSharedOrg(authenticatedUser) &&
+ StringUtils.isNotEmpty(authenticatedUser.getSharedUserId())) {
+ String userAccessingTenantDomain =
+ OIDCClaimUtil.resolveTenantDomain(authenticatedUser.getAccessingOrganization());
+ String sharedUserId = authenticatedUser.getSharedUserId();
+
+ realm = getUserRealm(null, userAccessingTenantDomain);
+
+ try {
+ FrameworkUtils.startTenantFlow(userAccessingTenantDomain);
+ userClaims = getUserClaimsFromUserStore(sharedUserId, realm, claimURIList);
+ } finally {
+ FrameworkUtils.endTenantFlow();
+ }
+ } else {
+ realm = getUserRealm(null, userTenantDomain);
+ userClaims = getUserClaimsFromUserStore(userId, realm, claimURIList);
+ }
+
 if (isNotEmpty(userClaims)) {
 for (Map.Entry entry : userClaims.entrySet()) {
diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/openidconnect/OIDCClaimUtil.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/openidconnect/OIDCClaimUtil.java
index 1de2886714..c76509c6e1 100644
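Review bot: `AuthzUtil.getUserIdOfAssociatedUser(authenticatedUser)` is evaluated twice in the new block of getClaimsFromUserStore — once in the `if` condition and again inside `setSharedUserId` — so whatever resolution that helper performs runs twice per userinfo request and could in principle return different values between the two calls; resolve it once into a local and reuse it. The block also mutates the `AuthenticatedUser` returned by `accessTokenDO.getAuthzUser()`; if the token DO is served from a cache, the shared-user id and organization written here outlive this request, which is worth confirming before relying on it (or copy the user before setting the fields). Checking the cheap `ENABLE_LEGACY_AUTHZ_RUNTIME` flag and the organization comparison before the lookup keeps the behaviour identical while avoiding the call in the common case. The enclosing method continues outside the hunk.
```java
AuthenticatedUser authenticatedUser = accessTokenDO.getAuthzUser();
if (!CarbonConstants.ENABLE_LEGACY_AUTHZ_RUNTIME &&
        !StringUtils.equals(authenticatedUser.getUserResidentOrganization(),
                authenticatedUser.getAccessingOrganization())) {
    // Resolve the associated (shared) user id once and reuse it for both the check and the setter.
    String associatedUserId = AuthzUtil.getUserIdOfAssociatedUser(authenticatedUser);
    if (StringUtils.isNotEmpty(associatedUserId)) {
        authenticatedUser.setSharedUserId(associatedUserId);
        authenticatedUser.setUserSharedOrganizationId(authenticatedUser.getAccessingOrganization());
    }
}
// … unchanged: shared-org claim lookup inside the tenant flow, and the resident-org fallback …
```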
--- a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/openidconnect/OIDCClaimUtil.java
+++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/openidconnect/OIDCClaimUtil.java
@@ -621,7 +621,7 @@ private static void setAppRoleClaimInLocalDialect(Map userClaims
 }
 }
- private static boolean isSharedUserAccessingSharedOrg(AuthenticatedUser authenticatedUser) {
+ public static boolean isSharedUserAccessingSharedOrg(AuthenticatedUser authenticatedUser) {
 return StringUtils.isNotEmpty(authenticatedUser.getUserSharedOrganizationId()) &&
 StringUtils.isNotEmpty(authenticatedUser.getAccessingOrganization()) &&
@@ -629,6 +629,11 @@ private static boolean isSharedUserAccessingSharedOrg(AuthenticatedUser authenti
 authenticatedUser.getAccessingOrganization());
 }
+ public static String resolveTenantDomain(String organizationId) throws OrganizationManagementException {
+
+ return OAuthComponentServiceHolder.getInstance().getOrganizationManager().resolveTenantDomain(organizationId);
+ }
+
 private static void addSharedUserGroupsFromSharedOrganization(AuthenticatedUser authenticatedUser,
 Map userClaims) throws OrganizationManagementException, UserStoreException, IdentityException {
diff --git a/pom.xml b/pom.xml
index 7145c6e3b8..315988ea4e 100644
--- a/pom.xml
+++ b/pom.xml
@@ -948,7 +948,7 @@ [1.1.14, 2.0.0) - 1.0.98 + 1.1.16 [1.0.0, 2.0.0)
From 0cb7e28a798d883738483347a03e2c095f065e52 Mon Sep 17 00:00:00 2001
From: dhaura
Date: Tue, 22 Oct 2024 18:56:05 +0530
Subject: [PATCH 3/3] Revert org mgt core version bump.
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pom.xml b/pom.xml
index 315988ea4e..7145c6e3b8 100644
--- a/pom.xml
+++ b/pom.xml
@@ -948,7 +948,7 @@ [1.1.14, 2.0.0) - 1.1.16 + 1.0.98 [1.0.0, 2.0.0)
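Review bot: `isSharedUserAccessingSharedOrg` is widened to public and `resolveTenantDomain` is added as a public static in OIDCClaimUtil, but neither carries Javadoc even though both are now called from the endpoint module and form part of the class's API. On `isSharedUserAccessingSharedOrg`, state that it returns true only when the user's shared-organization id and accessing organization are both set and equal, since that is what the body compares; on `resolveTenantDomain`, a short Javadoc with `@param organizationId the organization whose tenant domain is wanted`, `@return the tenant domain resolved by the registered OrganizationManager` and `@throws OrganizationManagementException if the organization cannot be resolved` is enough. The 621 hunk cuts through the method, whose return expression continues into the 629 hunk.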