wso2-extensions · ShanChathusanda93 · Jan 20, 2025
diff --git a/...rg.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/OAuthUtil.java b/...rg.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/OAuthUtil.java
@@ -763,8 +763,11 @@ private static AuthenticatedUser buildAuthenticatedUser(UserStoreManager userSto
                 return authenticatedUser;
             }
 
-            // Organization SSO user flow
-            authenticatedUser.setUserName(userId);
+            /*
+             Organization SSO user flow. This user id will be used to get the consumer keys which are associated
+             with the user from access tokens.
+            */
+            authenticatedUser.setUserId(userId);
             setOrganizationSSOUserDetails(authenticatedUser);
             authenticatedUser.setUserResidentOrganization(accessingOrg);
             authenticatedUser.setAccessingOrganization(accessingOrg);
@@ -881,7 +884,21 @@ private static boolean processTokenRevocation(Set<String> clientIds, Authenticat
                     // retrieve all ACTIVE or EXPIRED access tokens for particular client authorized by this user
                     accessTokenDOs = OAuthTokenPersistenceFactory.getInstance().getAccessTokenDAO()
                             .getAccessTokens(clientId, authenticatedUser, userStoreDomain, true);
-                } catch (IdentityOAuth2Exception e) {
+                    /*
+                     If the authenticated user's resident organization is an organization, then we need to check
+                     for the access tokens issued directly for the organization as well.
+                    */
+                    if (OrganizationManagementUtil.isOrganization(authenticatedUser.getUserResidentOrganization())) {
+                        AuthenticatedUser orgUser = authenticatedUser;
+                        orgUser.setFederatedUser(false);
+                        orgUser.setUserStoreDomain("PRIMARY");
+                        String userTenantDomain = OAuthComponentServiceHolder.getInstance().getOrganizationManager()
+                                .resolveTenantDomain(authenticatedUser.getUserResidentOrganization());
+                        orgUser.setTenantDomain(userTenantDomain);
+                        accessTokenDOs = OAuthTokenPersistenceFactory.getInstance().getAccessTokenDAO()
+                                .getAccessTokens(clientId, orgUser, "PRIMARY", true);
+                    }
+                } catch (IdentityOAuth2Exception | OrganizationManagementException e) {
                     String errorMsg = "Error occurred while retrieving access tokens issued for " +
                             "Client ID : " + clientId + ", User ID : " + authenticatedUser;
                     LOG.error(errorMsg, e);

diff --git a/...ntity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/dao/TokenManagementDAOImpl.java b/...ntity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/dao/TokenManagementDAOImpl.java
@@ -24,6 +24,7 @@
 import org.apache.commons.lang3.tuple.Pair;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.wso2.carbon.identity.application.authentication.framework.exception.UserIdNotFoundException;
 import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
 import org.wso2.carbon.identity.application.common.IdentityApplicationManagementException;
 import org.wso2.carbon.identity.application.common.model.ServiceProvider;
@@ -40,6 +41,7 @@
 import org.wso2.carbon.identity.oauth2.model.RefreshTokenValidationDataDO;
 import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
 import org.wso2.carbon.identity.organization.management.service.exception.OrganizationManagementException;
+import org.wso2.carbon.identity.organization.management.service.util.OrganizationManagementUtil;
 
 import java.sql.Connection;
 import java.sql.PreparedStatement;
@@ -860,45 +862,132 @@ public Set<String> getAllTimeAuthorizedClientIds(AuthenticatedUser authzUser) th
         }
 
         PreparedStatement ps = null;
+        PreparedStatement psForPrimary = null;
         Connection connection = IdentityDatabaseUtil.getDBConnection();
         ResultSet rs = null;
+        ResultSet rsForPrimary = null;
         Set<String> distinctConsumerKeys = new HashSet<>();
         boolean isUsernameCaseSensitive = IdentityUtil.isUserStoreInUsernameCaseSensitive(authzUser.toString());
         String tenantDomain = getUserResidentTenantDomain(authzUser);
-        String tenantAwareUsernameWithNoUserDomain = authzUser.getUserName();
-        String userDomain = OAuth2Util.getSanitizedUserStoreDomain(authzUser.getUserStoreDomain());
-        if (log.isDebugEnabled()) {
-            log.debug("Obtain the User's(" + tenantAwareUsernameWithNoUserDomain + ") tenant domain: " + tenantDomain
-                    + "/" + OAuth2Util.getTenantId(tenantDomain) + "and user-domain: " + userDomain);
-        }
+        /*
+         If the tenant domain is an organization, then we need to extract the tokens in both PRIMARY and FEDERATED
+         user stores. For FEDERATED user store we can use the authenticated user's user id and for the PRIMARY domain,
+         we can use the authenticated user's username.
+        */
+        boolean isOrganization = false;
         try {
-            int tenantId = OAuth2Util.getTenantId(tenantDomain);
+            isOrganization = OrganizationManagementUtil.isOrganization(tenantDomain);
+        } catch (OrganizationManagementException e) {
+            throw new IdentityOAuth2Exception("Error occurred while checking whether the tenant domain is an " +
+                    "organization or not.", e);
+        }
+
+        if (isOrganization) {
+            try {
+                // Getting the FEDERATED user domain related consumer keys.
+                String userId = authzUser.getUserId();
+                String userDomain = OAuth2Util.getSanitizedUserStoreDomain(authzUser.getUserStoreDomain());
+
+                if (log.isDebugEnabled()) {
+                    log.debug("Obtain the User's(" + userId + ") tenant domain: " + tenantDomain
+                            + "/" + OAuth2Util.getTenantId(tenantDomain) + "and user-domain: " + userDomain);
+                }
+
+                int tenantId = OAuth2Util.getTenantId(tenantDomain);
+
+                String sqlQuery = OAuth2Util.getTokenPartitionedSqlByUserStore(SQLQueries.
+                        GET_DISTINCT_APPS_AUTHORIZED_BY_USER_ALL_TIME, userId);
+
+                if (!isUsernameCaseSensitive) {
+                    sqlQuery = sqlQuery.replace(AUTHZ_USER, LOWER_AUTHZ_USER);
+                }
+                ps = connection.prepareStatement(sqlQuery);
+                if (isUsernameCaseSensitive) {
+                    ps.setString(1, userId);
+                } else {
+                    ps.setString(1, userId.toLowerCase());
+                }
+                ps.setInt(2, tenantId);
+                ps.setString(3, userDomain);
+                rs = ps.executeQuery();
+                while (rs.next()) {
+                    String consumerKey = getPersistenceProcessor().getPreprocessedClientId(rs.getString(1));
+                    distinctConsumerKeys.add(consumerKey);
+                }
+
+                // Getting the PRIMARY user domain related consumer keys.
+                String tenantAwareUsernameWithNoUserDomain = authzUser.getUserName();
+                if (log.isDebugEnabled()) {
+                    log.debug("Obtain the User's(" + tenantAwareUsernameWithNoUserDomain + ") tenant domain: " +
+                            tenantDomain + "/" + OAuth2Util.getTenantId(tenantDomain) + "and user-domain: " +
+                            userDomain);
+                }
+
+                String sqlQueryForPrimary = OAuth2Util.getTokenPartitionedSqlByUserStore(SQLQueries.
+                        GET_DISTINCT_APPS_AUTHORIZED_BY_USER_ALL_TIME, authzUser.getUserStoreDomain());
 
-            String sqlQuery = OAuth2Util.getTokenPartitionedSqlByUserStore(SQLQueries.
-                    GET_DISTINCT_APPS_AUTHORIZED_BY_USER_ALL_TIME, authzUser.getUserStoreDomain());
+                if (!isUsernameCaseSensitive) {
+                    sqlQueryForPrimary = sqlQuery.replace(AUTHZ_USER, LOWER_AUTHZ_USER);
+                }
 
-            if (!isUsernameCaseSensitive) {
-                sqlQuery = sqlQuery.replace(AUTHZ_USER, LOWER_AUTHZ_USER);
+                psForPrimary = connection.prepareStatement(sqlQueryForPrimary);
+                if (isUsernameCaseSensitive) {
+                    psForPrimary.setString(1, tenantAwareUsernameWithNoUserDomain);
+                } else {
+                    psForPrimary.setString(1, tenantAwareUsernameWithNoUserDomain.toLowerCase());
+                }
+                psForPrimary.setInt(2, tenantId);
+                psForPrimary.setString(3, "PRIMARY");
+                rsForPrimary = psForPrimary.executeQuery();
+                while (rsForPrimary.next()) {
+                    String consumerKey = getPersistenceProcessor().getPreprocessedClientId(rsForPrimary.getString(1));
+                    distinctConsumerKeys.add(consumerKey);
+                }
+            } catch (SQLException | UserIdNotFoundException e) {
+                throw new IdentityOAuth2Exception(
+                        "Error occurred while retrieving all distinct Client IDs authorized by " +
+                                "User ID : " + authzUser + " until now", e);
+            } finally {
+                IdentityDatabaseUtil.closeAllConnections(connection, rs, ps);
+                IdentityDatabaseUtil.closeStatement(psForPrimary);
+                IdentityDatabaseUtil.closeResultSet(rsForPrimary);
             }
-            ps = connection.prepareStatement(sqlQuery);
-            if (isUsernameCaseSensitive) {
-                ps.setString(1, tenantAwareUsernameWithNoUserDomain);
-            } else {
-                ps.setString(1, tenantAwareUsernameWithNoUserDomain.toLowerCase());
+        } else {
+            String tenantAwareUsernameWithNoUserDomain = authzUser.getUserName();
+            String userDomain = OAuth2Util.getSanitizedUserStoreDomain(authzUser.getUserStoreDomain());
+            if (log.isDebugEnabled()) {
+                log.debug("Obtain the User's(" + tenantAwareUsernameWithNoUserDomain + ") tenant domain: " +
+                        tenantDomain + "/" + OAuth2Util.getTenantId(tenantDomain) + "and user-domain: " + userDomain);
             }
-            ps.setInt(2, tenantId);
-            ps.setString(3, userDomain);
-            rs = ps.executeQuery();
-            while (rs.next()) {
-                String consumerKey = getPersistenceProcessor().getPreprocessedClientId(rs.getString(1));
-                distinctConsumerKeys.add(consumerKey);
+            try {
+                int tenantId = OAuth2Util.getTenantId(tenantDomain);
+
+                String sqlQuery = OAuth2Util.getTokenPartitionedSqlByUserStore(SQLQueries.
+                        GET_DISTINCT_APPS_AUTHORIZED_BY_USER_ALL_TIME, authzUser.getUserStoreDomain());
+
+                if (!isUsernameCaseSensitive) {
+                    sqlQuery = sqlQuery.replace(AUTHZ_USER, LOWER_AUTHZ_USER);
+                }
+                ps = connection.prepareStatement(sqlQuery);
+                if (isUsernameCaseSensitive) {
+                    ps.setString(1, tenantAwareUsernameWithNoUserDomain);
+                } else {
+                    ps.setString(1, tenantAwareUsernameWithNoUserDomain.toLowerCase());
+                }
+                ps.setInt(2, tenantId);
+                ps.setString(3, userDomain);
+                rs = ps.executeQuery();
+                while (rs.next()) {
+                    String consumerKey = getPersistenceProcessor().getPreprocessedClientId(rs.getString(1));
+                    distinctConsumerKeys.add(consumerKey);
+                }
+            } catch (SQLException e) {
+                throw new IdentityOAuth2Exception(
+                        "Error occurred while retrieving all distinct Client IDs authorized by " +
+                                "User ID : " + authzUser + " until now", e);
+            } finally {
+                IdentityDatabaseUtil.closeAllConnections(connection, rs, ps);
             }
-        } catch (SQLException e) {
-            throw new IdentityOAuth2Exception(
-                    "Error occurred while retrieving all distinct Client IDs authorized by " +
-                            "User ID : " + authzUser + " until now", e);
-        } finally {
-            IdentityDatabaseUtil.closeAllConnections(connection, rs, ps);
         }
         if (log.isDebugEnabled()) {
             StringBuilder consumerKeys = new StringBuilder();