wso2-extensions · dhaura · Oct 21, 2024 · Oct 21, 2024 · Oct 22, 2024
diff --git a/....oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/util/ClaimUtil.java b/....oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/util/ClaimUtil.java
@@ -23,6 +23,7 @@
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.oltu.oauth2.common.error.OAuthError;
+import org.wso2.carbon.CarbonConstants;
 import org.wso2.carbon.identity.application.authentication.framework.exception.FrameworkException;
 import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
 import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils;
@@ -47,6 +48,7 @@
 import org.wso2.carbon.identity.oauth2.dto.OAuth2TokenValidationResponseDTO;
 import org.wso2.carbon.identity.oauth2.internal.OAuth2ServiceComponentHolder;
 import org.wso2.carbon.identity.oauth2.model.AccessTokenDO;
+import org.wso2.carbon.identity.oauth2.util.AuthzUtil;
 import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
 import org.wso2.carbon.identity.openidconnect.OIDCClaimUtil;
 import org.wso2.carbon.user.api.RealmConfiguration;
@@ -165,8 +167,36 @@ public static Map<String, Object> getClaimsFromUserStore(OAuth2TokenValidationRe
                     spToLocalClaimMappings = ClaimMetadataHandler.getInstance().getMappingsMapFromOtherDialectToCarbon
                             (SP_DIALECT, null, userTenantDomain, true);
 
-                    realm = getUserRealm(null, userTenantDomain);
-                    Map<String, String> userClaims = getUserClaimsFromUserStore(userId, realm, claimURIList);
+                    Map<String, String> userClaims;
+
+                    AuthenticatedUser authenticatedUser = accessTokenDO.getAuthzUser();
+                    if (!StringUtils.equals(authenticatedUser.getUserResidentOrganization(),
+                            authenticatedUser.getAccessingOrganization()) &&
+                            !CarbonConstants.ENABLE_LEGACY_AUTHZ_RUNTIME &&
+                            StringUtils.isNotEmpty(AuthzUtil.getUserIdOfAssociatedUser(authenticatedUser))) {
+                        authenticatedUser.setSharedUserId(AuthzUtil.getUserIdOfAssociatedUser(authenticatedUser));
+                        authenticatedUser.setUserSharedOrganizationId(authenticatedUser
+                                .getAccessingOrganization());
+                    }
+                    if (OIDCClaimUtil.isSharedUserAccessingSharedOrg(authenticatedUser) &&
+                            StringUtils.isNotEmpty(authenticatedUser.getSharedUserId())) {
+                        String userAccessingTenantDomain =
+                                OIDCClaimUtil.resolveTenantDomain(authenticatedUser.getAccessingOrganization());
+                        String sharedUserId = authenticatedUser.getSharedUserId();
+
+                        realm = getUserRealm(null, userAccessingTenantDomain);
+
+                        try {
+                            FrameworkUtils.startTenantFlow(userAccessingTenantDomain);
+                            userClaims = getUserClaimsFromUserStore(sharedUserId, realm, claimURIList);
+                        } finally {
+                            FrameworkUtils.endTenantFlow();
+                        }
+                    } else {
+                        realm = getUserRealm(null, userTenantDomain);
+                        userClaims = getUserClaimsFromUserStore(userId, realm, claimURIList);
+                    }
+
 
                     if (isNotEmpty(userClaims)) {
                         for (Map.Entry<String, String> entry : userClaims.entrySet()) {

diff --git a/...on.identity.oauth/src/main/java/org/wso2/carbon/identity/openidconnect/OIDCClaimUtil.java b/...on.identity.oauth/src/main/java/org/wso2/carbon/identity/openidconnect/OIDCClaimUtil.java
@@ -484,7 +484,29 @@ public static Map<String, Object> getUserClaimsInOIDCDialect(ServiceProvider ser
             claimURIList.remove(APP_ROLES_CLAIM);
             appRoleClaimRequested = true;
         }
-        Map<String, String> userClaims = getUserClaimsInLocalDialect(fullQualifiedUsername, realm, claimURIList);
+
+        Map<String, String> userClaims;
+        if (isSharedUserAccessingSharedOrg(authenticatedUser) &&
+                StringUtils.isNotEmpty(authenticatedUser.getSharedUserId())) {
+            String userAccessingTenantDomain = OAuthComponentServiceHolder.getInstance().getOrganizationManager()
+                    .resolveTenantDomain(authenticatedUser.getAccessingOrganization());
+            AbstractUserStoreManager userStoreManager =
+                    (AbstractUserStoreManager) OAuthComponentServiceHolder.getInstance().getRealmService()
+                            .getTenantUserRealm(IdentityTenantUtil.getTenantId(userAccessingTenantDomain))
+                            .getUserStoreManager();
+            String fullQualifiedSharedUsername = userStoreManager.getUser(authenticatedUser.getSharedUserId(), null)
+                    .getFullQualifiedUsername();
+            realm = IdentityTenantUtil.getRealm(userAccessingTenantDomain, fullQualifiedSharedUsername);
+
+            try {
+                FrameworkUtils.startTenantFlow(userAccessingTenantDomain);
+                userClaims = getUserClaimsInLocalDialect(fullQualifiedUsername, realm, claimURIList);
+            } finally {
+                FrameworkUtils.endTenantFlow();
+            }
+        } else {
+            userClaims = getUserClaimsInLocalDialect(fullQualifiedUsername, realm, claimURIList);
+        }
 
         if (roleClaimRequested || appRoleClaimRequested) {
             String[] appAssocatedRolesOfUser = getAppAssociatedRolesOfUser(authenticatedUser,
@@ -599,14 +621,19 @@ private static void setAppRoleClaimInLocalDialect(Map<String, String> userClaims
         }
     }
 
-    private static boolean isSharedUserAccessingSharedOrg(AuthenticatedUser authenticatedUser) {
+    public static boolean isSharedUserAccessingSharedOrg(AuthenticatedUser authenticatedUser) {
 
         return StringUtils.isNotEmpty(authenticatedUser.getUserSharedOrganizationId()) &&
                 StringUtils.isNotEmpty(authenticatedUser.getAccessingOrganization()) &&
                 StringUtils.equals(authenticatedUser.getUserSharedOrganizationId(),
                         authenticatedUser.getAccessingOrganization());
     }
 
+    public static String resolveTenantDomain(String organizationId) throws OrganizationManagementException {
+
+        return OAuthComponentServiceHolder.getInstance().getOrganizationManager().resolveTenantDomain(organizationId);
+    }
+
     private static void addSharedUserGroupsFromSharedOrganization(AuthenticatedUser authenticatedUser,
                                                            Map<String, String> userClaims) throws
             OrganizationManagementException, UserStoreException, IdentityException {