From 4b205a490fc6cf0834c7656c1c4aad5dd0fd1db2 Mon Sep 17 00:00:00 2001
From: Shan Chathusanda Jayathilaka
Date: Tue, 17 Dec 2024 12:57:58 +0530
Subject: [PATCH] Improve user authorization check when accessing org is different from resident org

---
 .../org/wso2/carbon/identity/oauth2/util/AuthzUtil.java | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/util/AuthzUtil.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/util/AuthzUtil.java
index 5811e251c08..29620bd069d 100644
--- a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/util/AuthzUtil.java
+++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/util/AuthzUtil.java
@@ -255,7 +255,13 @@ public static boolean isUserAuthorized(AuthenticatedUser authenticatedUser, List
         // Application id is not required for basic authentication flow.
         List roleIds = getUserRoles(authenticatedUser, null);
-        List permissions = getAssociatedScopesForRoles(roleIds, authenticatedUser.getTenantDomain());
+        String tenantDomain = authenticatedUser.getTenantDomain();
+        if (StringUtils.isNotBlank(authenticatedUser.getAccessingOrganization()) &&
+                !authenticatedUser.getAccessingOrganization().
+                equals(authenticatedUser.getUserResidentOrganization())) {
+            tenantDomain = getAccessingTenantDomain(authenticatedUser);
+        }
+        List permissions = getAssociatedScopesForRoles(roleIds, tenantDomain);
         if (OAuthServerConfiguration.getInstance().isUseLegacyPermissionAccessForUserBasedAuth()) {
             // Handling backward compatibility for previous access level.
             List internalScopes = getInternalScopes(authenticatedUser.getTenantDomain());