Inherit parent user domain in shared token revoke flow #2664
Codecov Report (bot comment)
Attention: Patch coverage is
Additional details and impacted files:

```
@@             Coverage Diff              @@
##             master    #2664      +/-   ##
============================================
- Coverage     55.79%   55.70%   -0.09%
+ Complexity     8446     8320     -126
============================================
  Files           632      632
  Lines         48587    48631      +44
  Branches       9300     9313      +13
============================================
- Hits          27109    27092      -17
- Misses        17601    17660      +59
- Partials       3877     3879       +2
```

Flags with carried forward coverage won't be shown. View full report in Codecov by Sentry.
Review comments (outdated, resolved) on ...s/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/OAuthUtil.java
Commit and build timeline:
c534d4f
force-pushed from 87b1244 to c534d4f
PR builder started
PR builder completed
PR builder started
PR builder completed
PR builder started
PR builder completed
force-pushed from e534b83 to c81096d
PR builder started
force-pushed from c81096d to 23ff236
PR builder completed
Approving the pull request based on the successful pr build https://github.com/wso2/product-is/actions/runs/12826300018
Proposed changes in this pull request
Purpose
When revoking an access token in a shared user flow, the authorized user's User Store Domain is set to the shared user's domain. Therefore, when retrieving the clientIDs from here, it will only retrieve the clientIDs associated with the shared user's User Store Domain.
However, when creating access tokens for shared users, the User Store Domain of the parent user is used here and here. Hence, these tokens are not getting revoked.
Approach
Hence, the access token revoke logic for the shared user flow has to be improved to handle the user's domain correctly, which will eventually detect all the clientIDs issued.
This is an alternative approach to the fix wso2-extensions/identity-oauth2-grant-organization-switch#38, in which we amend the user store domain when the token is issued, which would lead to a user store mismatch between the token and the actual user. Here, we change the logic in the token revoke method.
Tested Flows (Unit test added for the relevant flows)
* The access token issued by the shared application to the parent application. This doesn't get deleted from the database when the user logs out.
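The following is an added example in Java that models the mismatch this PR describes; it is not code from identity-inbound-auth-oauth, from WSO2, or from this pull request. The in-memory token store, the `AuthenticatedUser` and `AccessToken` records, the method names, and the sample users (`alice` in `PRIMARY` as the parent user and in `DEFAULT` as the shared user) are all constructed assumptions. It shows the revoke-time lookup done under the shared user's own domain (missing the token) beside the lookup done under the parent user's domain that the token was actually issued with.

```java
import java.util.ArrayList;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

/**
 * Added example, not WSO2 code. A constructed in-memory token store keyed by
 * user name, tenant domain and user store domain; all names are assumptions.
 */
public class SharedUserRevokeExample {

    /** Simplified user: a shared user carries a reference to its parent user. */
    record AuthenticatedUser(String userName, String tenantDomain, String userStoreDomain,
                             AuthenticatedUser parentUser) {
        boolean isSharedUser() { return parentUser != null; }
    }

    record AccessToken(String tokenId, String clientId, String userName, String tenantDomain,
                       String userStoreDomain) {}

    private final List<AccessToken> tokenStore = new ArrayList<>();

    /** Issues a token the way the PR describes: a shared user's token is stored
     *  under the parent user's user store domain. */
    AccessToken issue(String tokenId, String clientId, AuthenticatedUser user) {
        String domain = user.isSharedUser() ? user.parentUser().userStoreDomain()
                                            : user.userStoreDomain();
        AccessToken token = new AccessToken(tokenId, clientId, user.userName(),
                                            user.tenantDomain(), domain);
        tokenStore.add(token);
        return token;
    }

    /** Mirrors the revoke-time query: clientIds for the user under one specific domain. */
    Set<String> clientIdsFor(String userName, String tenantDomain, String userStoreDomain) {
        Set<String> ids = new LinkedHashSet<>();
        for (AccessToken t : tokenStore) {
            if (t.userName().equals(userName) && t.tenantDomain().equals(tenantDomain)
                    && t.userStoreDomain().equalsIgnoreCase(userStoreDomain)) {
                ids.add(t.clientId());
            }
        }
        return ids;
    }

    /** Before the fix: the authorized user's domain is the shared user's own domain,
     *  so the lookup misses tokens stored under the parent user's domain. */
    Set<String> clientIdsBeforeFix(AuthenticatedUser user) {
        return clientIdsFor(user.userName(), user.tenantDomain(), user.userStoreDomain());
    }

    /** After the fix: for a shared user, resolve the domain the token was issued under. */
    Set<String> clientIdsAfterFix(AuthenticatedUser user) {
        String issuedDomain = user.isSharedUser() ? user.parentUser().userStoreDomain()
                                                  : user.userStoreDomain();
        return clientIdsFor(user.userName(), user.tenantDomain(), issuedDomain);
    }

    /** Revokes every token of the given clientIds for the user; returns how many were removed. */
    int revoke(AuthenticatedUser user, Set<String> clientIds) {
        int before = tokenStore.size();
        tokenStore.removeIf(t -> t.userName().equals(user.userName())
                && t.tenantDomain().equals(user.tenantDomain())
                && clientIds.contains(t.clientId()));
        return before - tokenStore.size();
    }

    public static void main(String[] args) {
        SharedUserRevokeExample store = new SharedUserRevokeExample();
        // Constructed sample: parent user in PRIMARY, shared user in the DEFAULT domain.
        AuthenticatedUser parent = new AuthenticatedUser("alice", "carbon.super", "PRIMARY", null);
        AuthenticatedUser shared = new AuthenticatedUser("alice", "carbon.super", "DEFAULT", parent);
        store.issue("t1", "sharedApp", shared);

        System.out.println("before fix: " + store.clientIdsBeforeFix(shared));
        System.out.println("after fix:  " + store.clientIdsAfterFix(shared));
        System.out.println("revoked:    " + store.revoke(shared, store.clientIdsAfterFix(shared)));
    }
}
```

Running `main` shows the lookup under the shared user's own domain returning no clientIDs while the lookup under the parent user's domain returns `sharedApp`, after which the revoke removes the token. The design choice mirrors the PR's approach: the token's stored domain is left untouched, and only the revoke-side lookup resolves the domain the token was actually issued with.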