diff --git a/components/org.wso2.carbon.identity.api.server.dcr/pom.xml b/components/org.wso2.carbon.identity.api.server.dcr/pom.xml
index d7efdbe33b9..48466243b5a 100644
--- a/components/org.wso2.carbon.identity.api.server.dcr/pom.xml
+++ b/components/org.wso2.carbon.identity.api.server.dcr/pom.xml
@@ -5,12 +5,12 @@
org.wso2.carbon.identity.inbound.auth.oauth2
identity-inbound-auth-oauth
- 6.11.224-SNAPSHOT
+ 6.11.233-SNAPSHOT
../..
org.wso2.carbon.identity.api.server.dcr
- 6.11.224-SNAPSHOT
+ 6.11.233-SNAPSHOT
WSO2 Carbon - User DCR Rest API
WSO2 Carbon - User DCR Rest API
diff --git a/components/org.wso2.carbon.identity.api.server.oauth.scope/pom.xml b/components/org.wso2.carbon.identity.api.server.oauth.scope/pom.xml
index 3d5b612088a..e0fc6757c2a 100644
--- a/components/org.wso2.carbon.identity.api.server.oauth.scope/pom.xml
+++ b/components/org.wso2.carbon.identity.api.server.oauth.scope/pom.xml
@@ -5,12 +5,12 @@
org.wso2.carbon.identity.inbound.auth.oauth2
identity-inbound-auth-oauth
- 6.11.224-SNAPSHOT
+ 6.11.233-SNAPSHOT
../..
org.wso2.carbon.identity.api.server.oauth.scope
- 6.11.224-SNAPSHOT
+ 6.11.233-SNAPSHOT
WSO2 Carbon - Identity OAuth 2.0 Scope Rest APIs
Rest APIs for OAuth 2.0 Scope Handling
diff --git a/components/org.wso2.carbon.identity.client.attestation.filter/pom.xml b/components/org.wso2.carbon.identity.client.attestation.filter/pom.xml
index e6c324e44bd..833252aab61 100644
--- a/components/org.wso2.carbon.identity.client.attestation.filter/pom.xml
+++ b/components/org.wso2.carbon.identity.client.attestation.filter/pom.xml
@@ -22,7 +22,7 @@
org.wso2.carbon.identity.inbound.auth.oauth2
identity-inbound-auth-oauth
- 6.11.224-SNAPSHOT
+ 6.11.233-SNAPSHOT
../../pom.xml
diff --git a/components/org.wso2.carbon.identity.discovery/pom.xml b/components/org.wso2.carbon.identity.discovery/pom.xml
index 48998f393a4..bb7c385060d 100644
--- a/components/org.wso2.carbon.identity.discovery/pom.xml
+++ b/components/org.wso2.carbon.identity.discovery/pom.xml
@@ -21,7 +21,7 @@
org.wso2.carbon.identity.inbound.auth.oauth2
identity-inbound-auth-oauth
../../pom.xml
- 6.11.224-SNAPSHOT
+ 6.11.233-SNAPSHOT
4.0.0
diff --git a/components/org.wso2.carbon.identity.oauth.ciba/pom.xml b/components/org.wso2.carbon.identity.oauth.ciba/pom.xml
index 44a9055f279..c00f6ecfef5 100644
--- a/components/org.wso2.carbon.identity.oauth.ciba/pom.xml
+++ b/components/org.wso2.carbon.identity.oauth.ciba/pom.xml
@@ -20,7 +20,7 @@
identity-inbound-auth-oauth
org.wso2.carbon.identity.inbound.auth.oauth2
- 6.11.224-SNAPSHOT
+ 6.11.233-SNAPSHOT
../../pom.xml
diff --git a/components/org.wso2.carbon.identity.oauth.client.authn.filter/pom.xml b/components/org.wso2.carbon.identity.oauth.client.authn.filter/pom.xml
index 8ead6e02bf7..90645b4b53d 100644
--- a/components/org.wso2.carbon.identity.oauth.client.authn.filter/pom.xml
+++ b/components/org.wso2.carbon.identity.oauth.client.authn.filter/pom.xml
@@ -22,7 +22,7 @@
org.wso2.carbon.identity.inbound.auth.oauth2
identity-inbound-auth-oauth
../../pom.xml
- 6.11.224-SNAPSHOT
+ 6.11.233-SNAPSHOT
4.0.0
diff --git a/components/org.wso2.carbon.identity.oauth.common/pom.xml b/components/org.wso2.carbon.identity.oauth.common/pom.xml
index 4cde3c2ae55..d738d58bdc3 100644
--- a/components/org.wso2.carbon.identity.oauth.common/pom.xml
+++ b/components/org.wso2.carbon.identity.oauth.common/pom.xml
@@ -23,7 +23,7 @@
org.wso2.carbon.identity.inbound.auth.oauth2
identity-inbound-auth-oauth
../../pom.xml
- 6.11.224-SNAPSHOT
+ 6.11.233-SNAPSHOT
4.0.0
diff --git a/components/org.wso2.carbon.identity.oauth.common/src/main/java/org/wso2/carbon/identity/oauth/common/OAuthConstants.java b/components/org.wso2.carbon.identity.oauth.common/src/main/java/org/wso2/carbon/identity/oauth/common/OAuthConstants.java
index 11953a567f3..a31cfc842f6 100644
--- a/components/org.wso2.carbon.identity.oauth.common/src/main/java/org/wso2/carbon/identity/oauth/common/OAuthConstants.java
+++ b/components/org.wso2.carbon.identity.oauth.common/src/main/java/org/wso2/carbon/identity/oauth/common/OAuthConstants.java
@@ -262,6 +262,7 @@ public static SubjectType fromValue(String text) {
public static final String REQUEST_OBJECT_ENCRYPTION_METHOD = "OAuth.OpenIDConnect." +
"SupportedRequestObjectEncryptionMethods.SupportedRequestObjectEncryptionMethod";
public static final String IS_PUSH_AUTHORIZATION_REQUEST = "isPushAuthorizationRequest";
+ public static final String ALLOWED_SCOPES_PROPERTY = "allowedScopes";
public static final String IS_THIRD_PARTY_APP = "isThirdPartyApp";
diff --git a/components/org.wso2.carbon.identity.oauth.dcr.endpoint/pom.xml b/components/org.wso2.carbon.identity.oauth.dcr.endpoint/pom.xml
index 931d333a408..76266550356 100644
--- a/components/org.wso2.carbon.identity.oauth.dcr.endpoint/pom.xml
+++ b/components/org.wso2.carbon.identity.oauth.dcr.endpoint/pom.xml
@@ -6,7 +6,7 @@
org.wso2.carbon.identity.inbound.auth.oauth2
identity-inbound-auth-oauth
../../pom.xml
- 6.11.224-SNAPSHOT
+ 6.11.233-SNAPSHOT
4.0.0
diff --git a/components/org.wso2.carbon.identity.oauth.dcr/pom.xml b/components/org.wso2.carbon.identity.oauth.dcr/pom.xml
index 6b5c07935db..15a68ed8604 100644
--- a/components/org.wso2.carbon.identity.oauth.dcr/pom.xml
+++ b/components/org.wso2.carbon.identity.oauth.dcr/pom.xml
@@ -22,7 +22,7 @@
org.wso2.carbon.identity.inbound.auth.oauth2
identity-inbound-auth-oauth
../../pom.xml
- 6.11.224-SNAPSHOT
+ 6.11.233-SNAPSHOT
4.0.0
diff --git a/components/org.wso2.carbon.identity.oauth.dcr/src/main/java/org/wso2/carbon/identity/oauth/dcr/service/DCRMService.java b/components/org.wso2.carbon.identity.oauth.dcr/src/main/java/org/wso2/carbon/identity/oauth/dcr/service/DCRMService.java
index 3a05f313da2..5e60296295f 100644
--- a/components/org.wso2.carbon.identity.oauth.dcr/src/main/java/org/wso2/carbon/identity/oauth/dcr/service/DCRMService.java
+++ b/components/org.wso2.carbon.identity.oauth.dcr/src/main/java/org/wso2/carbon/identity/oauth/dcr/service/DCRMService.java
@@ -643,6 +643,8 @@ private OAuthConsumerAppDTO createOAuthApp(ApplicationRegistrationRequest regist
oAuthConsumerApp.setTokenBindingType(OAuth2Constants.TokenBinderType.CERTIFICATE_BASED_TOKEN_BINDER);
oAuthConsumerApp.setTokenBindingValidationEnabled(true);
}
+ } else {
+ oAuthConsumerApp.setTokenBindingType(OAuthConstants.OIDCConfigProperties.TOKEN_BINDING_TYPE_NONE);
}
oAuthConsumerApp.setPkceMandatory(registrationRequest.isExtPkceMandatory());
oAuthConsumerApp.setPkceSupportPlain(registrationRequest.isExtPkceSupportPlain());
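Review bot: The new `else` branch sets the binding type to `TOKEN_BINDING_TYPE_NONE` without a comment saying why an explicit value is needed rather than leaving the field at its default, and the condition it pairs with is outside the hunk, so the intent cannot be read from the hunk alone. A one-line comment such as `// No token binding was requested for this registration; record it explicitly as NONE.` would make the branch self-explanatory. createOAuthApp starts and ends outside the hunk.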
diff --git a/components/org.wso2.carbon.identity.oauth.endpoint/pom.xml b/components/org.wso2.carbon.identity.oauth.endpoint/pom.xml
index bca02a1b281..d0361db5017 100644
--- a/components/org.wso2.carbon.identity.oauth.endpoint/pom.xml
+++ b/components/org.wso2.carbon.identity.oauth.endpoint/pom.xml
@@ -22,7 +22,7 @@
org.wso2.carbon.identity.inbound.auth.oauth2
identity-inbound-auth-oauth
../../pom.xml
- 6.11.224-SNAPSHOT
+ 6.11.233-SNAPSHOT
4.0.0
diff --git a/components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/authz/OAuth2AuthzEndpoint.java b/components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/authz/OAuth2AuthzEndpoint.java
index 1f030d1af67..ae1585531f6 100644
--- a/components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/authz/OAuth2AuthzEndpoint.java
+++ b/components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/authz/OAuth2AuthzEndpoint.java
@@ -212,6 +212,7 @@
import static org.wso2.carbon.identity.oauth.endpoint.util.EndpointUtil.getSSOConsentService;
import static org.wso2.carbon.identity.oauth.endpoint.util.EndpointUtil.retrieveStateForErrorURL;
import static org.wso2.carbon.identity.oauth.endpoint.util.EndpointUtil.validateParams;
+import static org.wso2.carbon.identity.oauth2.OAuth2Constants.TokenBinderType.CLIENT_REQUEST;
import static org.wso2.carbon.identity.oauth2.util.OAuth2Util.ACCESS_TOKEN_JS_OBJECT;
import static org.wso2.carbon.identity.oauth2.util.OAuth2Util.DYNAMIC_TOKEN_DATA_FUNCTION;
import static org.wso2.carbon.identity.openidconnect.model.Constants.AUTH_TIME;
@@ -1732,17 +1733,19 @@ private OAuthResponse handleSuccessAuthorization(OAuthMessage oAuthMessage, OIDC
String tokenBindingValue = null;
if (tokenBinderOptional.isPresent()) {
TokenBinder tokenBinder = tokenBinderOptional.get();
- tokenBindingValue = tokenBinder.getOrGenerateTokenBindingValue(oAuthMessage.getRequest());
- tokenBinder.setTokenBindingValueForResponse(oAuthMessage.getResponse(), tokenBindingValue);
- if (LoggerUtils.isDiagnosticLogsEnabled()) {
- LoggerUtils.triggerDiagnosticLogEvent(new DiagnosticLog.DiagnosticLogBuilder(
- OAuthConstants.LogConstants.OAUTH_INBOUND_SERVICE, "generate-token-binding-value")
- .inputParam(LogConstants.InputKeys.CLIENT_ID, oauth2Params.getClientId())
- .inputParam("token binding value", tokenBindingValue)
- .configParam("token binder type", tokenBinder.getBindingType())
- .resultMessage("Successfully generated token binding value.")
- .logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION)
- .resultStatus(DiagnosticLog.ResultStatus.SUCCESS));
+ if (!tokenBinder.getBindingType().equals(CLIENT_REQUEST)) {
+ tokenBindingValue = tokenBinder.getOrGenerateTokenBindingValue(oAuthMessage.getRequest());
+ tokenBinder.setTokenBindingValueForResponse(oAuthMessage.getResponse(), tokenBindingValue);
+ if (LoggerUtils.isDiagnosticLogsEnabled()) {
+ LoggerUtils.triggerDiagnosticLogEvent(new DiagnosticLog.DiagnosticLogBuilder(
+ OAuthConstants.LogConstants.OAUTH_INBOUND_SERVICE, "generate-token-binding-value")
+ .inputParam(LogConstants.InputKeys.CLIENT_ID, oauth2Params.getClientId())
+ .inputParam("token binding value", tokenBindingValue)
+ .configParam("token binder type", tokenBinder.getBindingType())
+ .resultMessage("Successfully generated token binding value.")
+ .logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION)
+ .resultStatus(DiagnosticLog.ResultStatus.SUCCESS));
+ }
}
}
setAuthorizationCode(oAuthMessage, authzRespDTO, builder, tokenBindingValue, oauth2Params,
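Review bot: The new guard calls `equals` on `tokenBinder.getBindingType()`, so a binder that reports a null type would throw here instead of being treated as a non-client-request binder; writing the constant first, `if (!CLIENT_REQUEST.equals(tokenBinder.getBindingType())) {`, is null-safe and matches how `CERTIFICATE_BASED_TOKEN_BINDER.equals(bindingType)` is written elsewhere in this commit. The branch also has no comment explaining why the client-request binder is skipped at the authorization endpoint, which leaves `tokenBindingValue` null for the `setAuthorizationCode` call below; presumably the value is supplied later in the flow, and a comment stating that would save the next reader a search. handleSuccessAuthorization starts and ends outside the hunk.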
@@ -4434,6 +4437,16 @@ private Response handleApiBasedAuthenticationResponse(OAuthMessage oAuthMessage,
AuthServiceResponse authServiceResponse = (AuthServiceResponse) oAuthMessage.getRequest()
.getAttribute(AUTH_SERVICE_RESPONSE);
+ if (authServiceResponse.getFlowStatus() == AuthServiceConstants.FlowStatus.FAIL_COMPLETED) {
+ if (authServiceResponse.getErrorInfo().isPresent()) {
+ throw new AuthServiceClientException(authServiceResponse.getErrorInfo().get().getErrorCode(),
+ authServiceResponse.getErrorInfo().get().getErrorDescription());
+ } else {
+ throw new AuthServiceClientException(
+ AuthServiceConstants.ErrorMessage.ERROR_INVALID_AUTH_REQUEST.message());
+ }
+ }
+
AuthResponse authResponse = API_AUTHN_HANDLER.handleResponse(authServiceResponse);
ObjectMapper objectMapper = new ObjectMapper();
objectMapper.setSerializationInclusion(JsonInclude.Include.NON_EMPTY);
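Review bot: `authServiceResponse.getErrorInfo().get()` is evaluated twice on consecutive lines in the new failure branch; bind it once, e.g. `ErrorInfo errorInfo = authServiceResponse.getErrorInfo().get();` (using whatever the Optional's element type is called), or fold the branch into `getErrorInfo().map(...)`. `authServiceResponse` is also cast straight from a request attribute and now dereferenced on `getFlowStatus()` before any null check; if the framework guarantees the attribute, an `Objects.requireNonNull(authServiceResponse, "AUTH_SERVICE_RESPONSE")` would make that contract explicit. handleApiBasedAuthenticationResponse starts and ends outside the hunk.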
diff --git a/components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/util/EndpointUtil.java b/components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/util/EndpointUtil.java
index 6a08191df78..e6a0f10a6e8 100644
--- a/components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/util/EndpointUtil.java
+++ b/components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/util/EndpointUtil.java
@@ -40,6 +40,7 @@
import org.slf4j.MDC;
import org.wso2.carbon.base.ServerConfiguration;
import org.wso2.carbon.context.PrivilegedCarbonContext;
+import org.wso2.carbon.identity.api.resource.mgt.APIResourceMgtException;
import org.wso2.carbon.identity.application.authentication.framework.cache.AuthenticationRequestCacheEntry;
import org.wso2.carbon.identity.application.authentication.framework.config.builder.FileBasedConfigurationBuilder;
import org.wso2.carbon.identity.application.authentication.framework.exception.UserIdNotFoundException;
@@ -95,11 +96,13 @@
import org.wso2.carbon.identity.oauth2.bean.OAuthClientAuthnContext;
import org.wso2.carbon.identity.oauth2.bean.Scope;
import org.wso2.carbon.identity.oauth2.dto.OAuth2ClientValidationResponseDTO;
+import org.wso2.carbon.identity.oauth2.internal.OAuth2ServiceComponentHolder;
import org.wso2.carbon.identity.oauth2.model.CarbonOAuthAuthzRequest;
import org.wso2.carbon.identity.oauth2.model.OAuth2Parameters;
import org.wso2.carbon.identity.oauth2.model.OAuth2ScopeConsentResponse;
import org.wso2.carbon.identity.oauth2.scopeservice.OAuth2Resource;
import org.wso2.carbon.identity.oauth2.scopeservice.ScopeMetadataService;
+import org.wso2.carbon.identity.oauth2.util.AuthzUtil;
import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
import org.wso2.carbon.identity.openidconnect.OIDCRequestObjectUtil;
import org.wso2.carbon.identity.openidconnect.RequestObjectBuilder;
@@ -162,6 +165,7 @@ public class EndpointUtil {
private static final String PROP_RESPONSE_TYPE = "response_type";
private static final String PROP_SCOPE = "scope";
private static final String PROP_OIDC_SCOPE = "requested_oidc_scopes";
+ private static final String PROP_CONSENT_SKIP_SCOPE = "consent_skip_scopes";
private static final String PROP_ERROR = "error";
private static final String PROP_ERROR_DESCRIPTION = "error_description";
private static final String PROP_REDIRECT_URI = "redirect_uri";
@@ -948,19 +952,28 @@ private static String getConsentRequiredScopesAsString(Set consentRequir
private static String getQueryString(OAuth2Parameters params, SessionDataCacheEntry entry) throws
UnsupportedEncodingException, OAuthSystemException {
- String queryString;
- queryString = entry.getQueryString();
- if (queryString.contains(REQUEST_URI) && params != null) {
+ StringBuilder queryStringBuilder = new StringBuilder();
+ queryStringBuilder.append(entry.getQueryString());
+ if (entry.getQueryString().contains(REQUEST_URI) && params != null) {
// When request_uri requests come without redirect_uri, we need to append it to the SPQueryParams
// to be used in storing consent data
- queryString = queryString +
- "&" + PROP_REDIRECT_URI + "=" + URLEncoder.encode(params.getRedirectURI(), UTF_8);
+ queryStringBuilder.append('&').append(PROP_REDIRECT_URI).append('=')
+ .append(URLEncoder.encode(params.getRedirectURI(), UTF_8));
}
if (params != null) {
- queryString = queryString + "&" + PROP_OIDC_SCOPE +
- "=" + URLEncoder.encode(StringUtils.join(getRequestedOIDCScopes(params), " "), UTF_8);
+ queryStringBuilder.append('&').append(PROP_OIDC_SCOPE).append('=')
+ .append(URLEncoder.encode(StringUtils.join(getRequestedOIDCScopes(params), " "), UTF_8));
+ }
+ if (entry.getAuthzReqMsgCtx() != null) {
+ String[] filteredAllowedScopes = (String[]) entry.getAuthzReqMsgCtx()
+ .getProperty(OAuthConstants.ALLOWED_SCOPES_PROPERTY);
+ if (ArrayUtils.isNotEmpty(filteredAllowedScopes)) {
+ queryStringBuilder.append('&').append(PROP_CONSENT_SKIP_SCOPE).append('=')
+ .append(URLEncoder.encode(StringUtils.join(filteredAllowedScopes, " "), UTF_8));
+ }
}
+ String queryString = queryStringBuilder.toString();
entry.setQueryString(queryString);
queryString = URLEncoder.encode(queryString, UTF_8);
return queryString;
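Review bot: The new block casts the `ALLOWED_SCOPES_PROPERTY` value to `String[]` unchecked, so any caller that stores a different type under that key turns into a `ClassCastException` while building the consent page; guarding with `Object allowedScopesProp = entry.getAuthzReqMsgCtx().getProperty(OAuthConstants.ALLOWED_SCOPES_PROPERTY);` followed by `if (allowedScopesProp instanceof String[] && ArrayUtils.isNotEmpty((String[]) allowedScopesProp)) {` keeps the method from failing on an unexpected value. `entry.getQueryString()` is also read twice (appended on one line, then re-read for the `contains` check); a single local would avoid the repeated call. A short comment on the new branch, e.g. `// Scopes already granted by server config are passed so the consent page can skip asking for them.`, would explain what `consent_skip_scopes` carries.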
@@ -1272,7 +1285,7 @@ private static void startTenantFlow(String tenantDomain) {
private static Set dropUnregisteredScopes(OAuth2Parameters params) throws OAuthSystemException {
Set requestedScopes = new HashSet<>(params.getScopes());
- Set registeredScopes = getRegisteredScopes(requestedScopes);
+ Set registeredScopes = getRegisteredScopes(requestedScopes, params.getTenantDomain());
List allowedScopesFromConfig = oauthServerConfiguration.getAllowedScopes();
Set filteredScopes = new HashSet<>();
@@ -1300,19 +1313,46 @@ private static Set dropUnregisteredScopes(OAuth2Parameters params) throw
return filteredScopes;
}
- private static Set getRegisteredScopes(Set requestedScopes) throws OAuthSystemException {
+ private static Set getRegisteredScopes(Set requestedScopes, String tenantDomain)
+ throws OAuthSystemException {
try {
String requestedScopesStr = StringUtils.join(requestedScopes, " ");
Set registeredScopes = new HashSet<>();
Set registeredScopeSet = oAuth2ScopeService.getScopes(null, null, true, requestedScopesStr);
registeredScopeSet.forEach(scope -> registeredScopes.add(scope.getName()));
+ if (!AuthzUtil.isLegacyAuthzRuntime()) {
+ List registeredAPIScopes = getRegisteredAPIScopes(requestedScopes, tenantDomain);
+ registeredScopes.addAll(registeredAPIScopes);
+ }
return registeredScopes;
- } catch (IdentityOAuth2ScopeServerException e) {
+ } catch (IdentityOAuth2ScopeServerException | IdentityOAuth2Exception e) {
throw new OAuthSystemException("Error occurred while retrieving registered scopes.", e);
}
}
+ /**
+ * Get Scopes of registered API.
+ *
+ * @param tenantDomain Tenant domain.
+ * @return Registered scopes.
+ * @throws IdentityOAuth2Exception if an error occurs while retrieving internal scopes for tenant domain.
+ */
+ private static List getRegisteredAPIScopes(Set requestedScopes, String tenantDomain)
+ throws IdentityOAuth2Exception {
+
+ try {
+ List scopes = OAuth2ServiceComponentHolder
+ .getInstance().getApiResourceManager().getScopesByTenantDomain(tenantDomain, null);
+ return scopes.stream().map(org.wso2.carbon.identity.application.common.model.Scope::getName)
+ .filter(requestedScopes::contains)
+ .collect(Collectors.toList());
+ } catch (APIResourceMgtException e) {
+ throw new IdentityOAuth2Exception("Error while retrieving internal scopes for tenant domain : "
+ + tenantDomain, e);
+ }
+ }
+
public static String getScope(OAuth2Parameters params) {
StringBuilder scopes = new StringBuilder();
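Review bot: The Javadoc on `getRegisteredAPIScopes` documents `tenantDomain` but omits `requestedScopes`; add `@param requestedScopes Scopes requested by the client; only API scopes in this set are returned.` and make the summary say that the result is the intersection, since that is what the `filter(requestedScopes::contains)` does. The fully qualified `org.wso2.carbon.identity.application.common.model.Scope::getName` deserves a one-line comment such as `// Fully qualified: clashes with the imported oauth2.bean.Scope.` so nobody "simplifies" it into an import conflict. `getRegisteredScopes` gained a parameter and a runtime-dependent branch but still has no Javadoc; a sentence stating that API-resource scopes are only merged in when `AuthzUtil.isLegacyAuthzRuntime()` is false would document the behaviour change.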
diff --git a/components/org.wso2.carbon.identity.oauth.extension/pom.xml b/components/org.wso2.carbon.identity.oauth.extension/pom.xml
index 641b514d3b6..fbe828eadc0 100644
--- a/components/org.wso2.carbon.identity.oauth.extension/pom.xml
+++ b/components/org.wso2.carbon.identity.oauth.extension/pom.xml
@@ -19,7 +19,7 @@
identity-inbound-auth-oauth
org.wso2.carbon.identity.inbound.auth.oauth2
- 6.11.224-SNAPSHOT
+ 6.11.233-SNAPSHOT
../../pom.xml
4.0.0
diff --git a/components/org.wso2.carbon.identity.oauth.par/pom.xml b/components/org.wso2.carbon.identity.oauth.par/pom.xml
index 0c8e1efbb52..7c0afe04adc 100644
--- a/components/org.wso2.carbon.identity.oauth.par/pom.xml
+++ b/components/org.wso2.carbon.identity.oauth.par/pom.xml
@@ -23,7 +23,7 @@
org.wso2.carbon.identity.inbound.auth.oauth2
identity-inbound-auth-oauth
../../pom.xml
- 6.11.224-SNAPSHOT
+ 6.11.233-SNAPSHOT
4.0.0
diff --git a/components/org.wso2.carbon.identity.oauth.scope.endpoint/pom.xml b/components/org.wso2.carbon.identity.oauth.scope.endpoint/pom.xml
index f125f2a1d0a..ef463f81ef1 100644
--- a/components/org.wso2.carbon.identity.oauth.scope.endpoint/pom.xml
+++ b/components/org.wso2.carbon.identity.oauth.scope.endpoint/pom.xml
@@ -22,7 +22,7 @@
org.wso2.carbon.identity.inbound.auth.oauth2
identity-inbound-auth-oauth
../../pom.xml
- 6.11.224-SNAPSHOT
+ 6.11.233-SNAPSHOT
4.0.0
diff --git a/components/org.wso2.carbon.identity.oauth.stub/pom.xml b/components/org.wso2.carbon.identity.oauth.stub/pom.xml
index 40695eae4d2..4086507494d 100644
--- a/components/org.wso2.carbon.identity.oauth.stub/pom.xml
+++ b/components/org.wso2.carbon.identity.oauth.stub/pom.xml
@@ -22,7 +22,7 @@
org.wso2.carbon.identity.inbound.auth.oauth2
identity-inbound-auth-oauth
../../pom.xml
- 6.11.224-SNAPSHOT
+ 6.11.233-SNAPSHOT
4.0.0
diff --git a/components/org.wso2.carbon.identity.oauth.ui/pom.xml b/components/org.wso2.carbon.identity.oauth.ui/pom.xml
index 60aff7d602e..98a6400559e 100644
--- a/components/org.wso2.carbon.identity.oauth.ui/pom.xml
+++ b/components/org.wso2.carbon.identity.oauth.ui/pom.xml
@@ -22,7 +22,7 @@
org.wso2.carbon.identity.inbound.auth.oauth2
identity-inbound-auth-oauth
../../pom.xml
- 6.11.224-SNAPSHOT
+ 6.11.233-SNAPSHOT
4.0.0
diff --git a/components/org.wso2.carbon.identity.oauth/pom.xml b/components/org.wso2.carbon.identity.oauth/pom.xml
index d1166b5332f..291e329bfc5 100644
--- a/components/org.wso2.carbon.identity.oauth/pom.xml
+++ b/components/org.wso2.carbon.identity.oauth/pom.xml
@@ -23,7 +23,7 @@
org.wso2.carbon.identity.inbound.auth.oauth2
identity-inbound-auth-oauth
../../pom.xml
- 6.11.224-SNAPSHOT
+ 6.11.233-SNAPSHOT
4.0.0
diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/OAuthAdminServiceImpl.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/OAuthAdminServiceImpl.java
index 8569db18cd6..a2b20f4e8a1 100644
--- a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/OAuthAdminServiceImpl.java
+++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/OAuthAdminServiceImpl.java
@@ -611,7 +611,7 @@ private void validateBindingType(String bindingType) throws IdentityOAuthClientE
private void validateFAPIBindingType(String bindingType)
throws IdentityOAuthClientException {
- if (OAuth2Constants.TokenBinderType.CERTIFICATE_BASED_TOKEN_BINDER.equals(bindingType)) {
+ if (OAuth2Constants.TokenBinderType.CERTIFICATE_BASED_TOKEN_BINDER.equals(bindingType) || bindingType == null) {
return;
} else {
String msg = String.format("Certificate bound access tokens is required. '%s' binding type is found.",
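Review bot: Accepting `bindingType == null` in `validateFAPIBindingType` means an application with no binding type configured now passes the FAPI check, while the error message on the next line still says certificate-bound access tokens are required; if null is meant to be resolved to the certificate binder further down the line, a comment stating that here would make the exemption auditable, otherwise this silently weakens the FAPI requirement. The null check is also conventionally written first, `if (bindingType == null || OAuth2Constants.TokenBinderType.CERTIFICATE_BASED_TOKEN_BINDER.equals(bindingType)) {`, which reads as "unset or certificate". The method continues outside the hunk.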
diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/OAuthUtil.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/OAuthUtil.java
index c1356d51ecc..01a4f3acc84 100644
--- a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/OAuthUtil.java
+++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/OAuthUtil.java
@@ -467,7 +467,7 @@ public static IdentityOAuthAdminException handleErrorWithExceptionType(String me
handleError(message, exception);
}
if (exception instanceof IdentityOAuth2ClientException) {
- return new IdentityOAuthClientException(exception.getErrorCode(), message, exception);
+ return new IdentityOAuthClientException(exception.getErrorCode(), message);
} else if (exception instanceof IdentityOAuth2ServerException) {
return new IdentityOAuthServerException(exception.getErrorCode(), message, exception);
} else {
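Review bot: The client-exception branch now drops `exception` as the cause, while the server-exception branch two lines below still passes it, so the two branches are inconsistent and the original stack trace is lost for client errors. If the omission is deliberate (for example to keep the client-facing exception free of internal detail), a comment on the changed line such as `// Cause intentionally omitted: client errors must not carry internal exception details.` should say so; otherwise `new IdentityOAuthClientException(exception.getErrorCode(), message, exception)` should be restored. handleErrorWithExceptionType starts outside the hunk.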
diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/config/OAuthServerConfiguration.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/config/OAuthServerConfiguration.java
index dbd840c631a..fcd094d763d 100644
--- a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/config/OAuthServerConfiguration.java
+++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/config/OAuthServerConfiguration.java
@@ -316,6 +316,7 @@ public class OAuthServerConfiguration {
private String deviceCodeKeySet = "BCDFGHJKLMNPQRSTVWXYZbcdfghjklmnpqrstvwxyz23456789";
private String deviceAuthzEPUrl = null;
private List supportedTokenEndpointSigningAlgorithms = new ArrayList<>();
+ private Boolean roleBasedScopeIssuerEnabledConfig = false;
private OAuthServerConfiguration() {
buildOAuthServerConfiguration();
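Review bot: `roleBasedScopeIssuerEnabledConfig` is declared as a boxed `Boolean` although it is only ever assigned primitive values and is unboxed by the new `isRoleBasedScopeIssuerEnabled()` getter; `private boolean roleBasedScopeIssuerEnabledConfig = false;` avoids the boxing and rules out a null unboxing at the getter.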
@@ -510,6 +511,29 @@ private void buildOAuthServerConfiguration() {
// Set the availability of oauth_response.jsp page.
setOAuthResponseJspPageAvailable();
+
+ // Read config for RoleBasedScopeIssuer in GlobalScopeValidators enabled.
+ parseRoleBasedScopeIssuerEnabled(oauthElem);
+ }
+
+ /**
+ * Parse role based scope issuer enabled configuration under global scope validators.
+ *
+ * @param oauthConfigElem oauthConfigElem.
+ */
+ private void parseRoleBasedScopeIssuerEnabled(OMElement oauthConfigElem) {
+
+ OMElement globalScopeValidatorsElem = oauthConfigElem.getFirstChildWithName(
+ getQNameWithIdentityNS(ConfigElements.GLOBAL_SCOPE_VALIDATORS));
+ if (globalScopeValidatorsElem != null) {
+ OMElement roleBasedScopeIssuerEnabledElem = oauthConfigElem.getFirstChildWithName(
+ getQNameWithIdentityNS(ConfigElements.ROLE_BASED_SCOPE_ISSUER_ENABLED));
+ if (roleBasedScopeIssuerEnabledElem != null) {
+ OMElement enableElem = oauthConfigElem.getFirstChildWithName(
+ getQNameWithIdentityNS(ConfigElements.ENABLE));
+ roleBasedScopeIssuerEnabledConfig = Boolean.parseBoolean(enableElem.getText().trim());
+ }
+ }
}
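Review bot: `parseRoleBasedScopeIssuerEnabled` looks up `ROLE_BASED_SCOPE_ISSUER_ENABLED` and `ENABLE` on `oauthConfigElem` rather than on the `globalScopeValidatorsElem` it just fetched, so the `GlobalScopeValidators` element only gates the lookup while the actual `RoleBasedScopeIssuer` and `Enable` elements are searched as direct children of the OAuth root; unless that flat layout is intended, this contradicts the Javadoc ("under global scope validators") and the flag will never be read from the nested location. `enableElem.getText()` is also dereferenced without a null check, so a `RoleBasedScopeIssuer` element without an `Enable` child fails server configuration loading with a NullPointerException. The rewrite below walks the nested elements and tolerates a missing `Enable`.
```java
    private void parseRoleBasedScopeIssuerEnabled(OMElement oauthConfigElem) {

        OMElement globalScopeValidatorsElem = oauthConfigElem.getFirstChildWithName(
                getQNameWithIdentityNS(ConfigElements.GLOBAL_SCOPE_VALIDATORS));
        if (globalScopeValidatorsElem == null) {
            return;
        }
        // Descend through the nested elements instead of re-querying the OAuth root element.
        OMElement roleBasedScopeIssuerElem = globalScopeValidatorsElem.getFirstChildWithName(
                getQNameWithIdentityNS(ConfigElements.ROLE_BASED_SCOPE_ISSUER_ENABLED));
        if (roleBasedScopeIssuerElem == null) {
            return;
        }
        OMElement enableElem = roleBasedScopeIssuerElem.getFirstChildWithName(
                getQNameWithIdentityNS(ConfigElements.ENABLE));
        if (enableElem != null && enableElem.getText() != null) {
            roleBasedScopeIssuerEnabledConfig = Boolean.parseBoolean(enableElem.getText().trim());
        }
    }
```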
/**
@@ -707,6 +731,11 @@ public String getDeviceAuthzEPUrl() {
return deviceAuthzEPUrl;
}
+ public boolean isRoleBasedScopeIssuerEnabled() {
+
+ return roleBasedScopeIssuerEnabledConfig;
+ }
+
public boolean isSkipOIDCClaimsForClientCredentialGrant() {
return skipOIDCClaimsForClientCredentialGrant;
@@ -3847,6 +3876,9 @@ private class ConfigElements {
// Filtered Claims For Introspection Response Config.
private static final String FILTERED_CLAIMS = "FilteredClaims";
private static final String FILTERED_CLAIM = "FilteredClaim";
+ private static final String GLOBAL_SCOPE_VALIDATORS = "GlobalScopeValidators";
+ private static final String ROLE_BASED_SCOPE_ISSUER_ENABLED = "RoleBasedScopeIssuer";
+ private static final String ENABLE = "Enable";
private static final String DROP_UNREGISTERED_SCOPES = "DropUnregisteredScopes";
diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/OAuth2Constants.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/OAuth2Constants.java
index 59530a5b99c..6a6565a5c87 100644
--- a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/OAuth2Constants.java
+++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/OAuth2Constants.java
@@ -31,6 +31,7 @@ public static class TokenBinderType {
public static final String SSO_SESSION_BASED_TOKEN_BINDER = "sso-session";
public static final String COOKIE_BASED_TOKEN_BINDER = "cookie";
public static final String CERTIFICATE_BASED_TOKEN_BINDER = "certificate";
+ public static final String CLIENT_REQUEST = "client-request";
}
public static final String GROUPS = "groups";
@@ -45,6 +46,8 @@ public static class TokenBinderType {
public static final String MY_ACCOUNT_CALLBACK_URL_FROM_SERVER_CONFIGS = "MyAccount.CallbackURL";
public static final String TENANT_DOMAIN_PLACEHOLDER = "{TENANT_DOMAIN}";
+ public static final int MAX_ALLOWED_LENGTH = 256;
+
/**
* Constants for global role based scope issuer.
*/
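Review bot: `MAX_ALLOWED_LENGTH` is a public constant in a shared constants class with a generic name and no Javadoc, so readers of `OAuth2Constants` cannot tell what it bounds; the static import added to AccessTokenIssuer in this commit suggests a token-related limit, but the use site is outside the visible hunks. Add a Javadoc such as `/** Maximum accepted length, in characters, of PLACEHOLDER_describe_the_bounded_value. */` naming the value it limits, or give the constant a more specific name.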
diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/authz/AuthorizationHandlerManager.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/authz/AuthorizationHandlerManager.java
index ec24550a8f6..4d2d8fabf00 100644
--- a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/authz/AuthorizationHandlerManager.java
+++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/authz/AuthorizationHandlerManager.java
@@ -488,6 +488,7 @@ private void addAllowedScopes(OAuthAuthzReqMessageContext authzReqMsgCtx, String
String[] scopes = authzReqMsgCtx.getApprovedScope();
String[] scopesToReturn = (String[]) ArrayUtils.addAll(scopes, allowedScopes);
authzReqMsgCtx.setApprovedScope(scopesToReturn);
+ authzReqMsgCtx.addProperty(OAuthConstants.ALLOWED_SCOPES_PROPERTY, allowedScopes);
}
private void removeInternalScopes(OAuthAuthzReqMessageContext authzReqMsgCtx) {
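Review bot: The new `addProperty` call stores `allowedScopes` under `ALLOWED_SCOPES_PROPERTY` without stating the contract, and the consumer added in this commit (`EndpointUtil.getQueryString`) casts the value to `String[]` unchecked, so the type is part of the contract and should be written down here; a comment such as `// Stored as String[]; EndpointUtil reads it to mark these scopes as consent-skippable.` keeps producer and consumer in sync. addAllowedScopes starts outside the hunk, so whether `allowedScopes` can be null is not visible here; if it can, the consumer's `ArrayUtils.isNotEmpty` already tolerates it.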
diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/client/authentication/PublicClientAuthenticator.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/client/authentication/PublicClientAuthenticator.java
index 7819b4c5740..740976ed3dc 100644
--- a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/client/authentication/PublicClientAuthenticator.java
+++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/client/authentication/PublicClientAuthenticator.java
@@ -96,8 +96,10 @@ public boolean canAuthenticate(HttpServletRequest request, Map bod
if (grantTypes != null) {
for (Object grantType : grantTypes) {
if (!publicClientSupportedGrantTypes.contains(grantType.toString())) {
- log.warn("The request contained grant type : '" + grantType + "' which is not " +
- "allowed for public clients.");
+ if (log.isDebugEnabled()) {
+ log.debug("The request contained grant type : '" + grantType + "' which is not " +
+ "allowed for public clients.");
+ }
return false;
}
}
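Review bot: Downgrading this message from `warn` to `debug` removes a policy-relevant event from default logs: a public client presenting a grant type that is not allowed for public clients is exactly the kind of misconfiguration or probing an operator would want to see without enabling debug logging. If the motivation is that `canAuthenticate` is evaluated for every token request and this path fires routinely for ordinary clients, a comment stating that, e.g. `// Expected for confidential clients probed by this authenticator; debug level to avoid log noise.`, would justify the change; otherwise consider keeping it at `warn`, or emitting a diagnostic log event as the rest of the codebase does for security-relevant decisions.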
diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/dao/AccessTokenDAOImpl.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/dao/AccessTokenDAOImpl.java
index 2ba9f564611..883a4344c89 100644
--- a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/dao/AccessTokenDAOImpl.java
+++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/dao/AccessTokenDAOImpl.java
@@ -2985,7 +2985,10 @@ public Set getAccessTokensByBindingRef(String bindingRef) throws
user.setUserResidentOrganization(resolveOrganizationId(user.getTenantDomain()));
/* Tenant domain of the application is set as the authenticated user tenant domain
for the organization SSO login users. */
- user.setTenantDomain(OAuth2Util.getTenantDomain(IdentityTenantUtil.getLoginTenantId()));
+ if (user.isFederatedUser()) {
+ user.setTenantDomain(
+ OAuth2Util.getTenantDomain(IdentityTenantUtil.getLoginTenantId()));
+ }
}
Timestamp issuedTime = resultSet
.getTimestamp("TIME_CREATED", Calendar.getInstance(TimeZone.getTimeZone(UTC)));
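Review bot: The block comment directly above the new `if` still says the application's tenant domain is set for "the organization SSO login users", but the code now only does so when `user.isFederatedUser()` is true, so the comment no longer matches the condition; update it to something like `/* For federated (organization SSO) users, the application's tenant domain is set as the authenticated user's tenant domain. */`. The same mismatch exists in the TokenManagementDAOImpl hunk (the `validateRefreshToken` change), where the comment above `if (StringUtils.isNotEmpty(appResideOrg) && user.isFederatedUser())` should state the federated-user condition as well. getAccessTokensByBindingRef starts and ends outside the hunk.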
diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/dao/TokenManagementDAOImpl.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/dao/TokenManagementDAOImpl.java
index 316cd74977f..541b65300d7 100644
--- a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/dao/TokenManagementDAOImpl.java
+++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/dao/TokenManagementDAOImpl.java
@@ -217,7 +217,7 @@ public RefreshTokenValidationDataDO validateRefreshToken(String consumerKey, Str
/* Setting user's tenant domain as app residing tenant domain is not required once console is
registered in each tenant. */
String appResideOrg = getAppTenantDomain();
- if (StringUtils.isNotEmpty(appResideOrg)) {
+ if (StringUtils.isNotEmpty(appResideOrg) && user.isFederatedUser()) {
user.setTenantDomain(appResideOrg);
}
}
diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/internal/OAuth2ServiceComponent.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/internal/OAuth2ServiceComponent.java
index b3150c8be94..6eb2c0af52d 100644
--- a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/internal/OAuth2ServiceComponent.java
+++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/internal/OAuth2ServiceComponent.java
@@ -78,6 +78,7 @@
import org.wso2.carbon.identity.oauth2.token.bindings.TokenBinder;
import org.wso2.carbon.identity.oauth2.token.bindings.handlers.TokenBindingExpiryEventHandler;
import org.wso2.carbon.identity.oauth2.token.bindings.impl.CertificateBasedTokenBinder;
+import org.wso2.carbon.identity.oauth2.token.bindings.impl.ClientRequestTokenBinder;
import org.wso2.carbon.identity.oauth2.token.bindings.impl.CookieBasedTokenBinder;
import org.wso2.carbon.identity.oauth2.token.bindings.impl.DeviceFlowTokenBinder;
import org.wso2.carbon.identity.oauth2.token.bindings.impl.SSOSessionBasedTokenBinder;
@@ -267,6 +268,10 @@ protected void activate(ComponentContext context) {
bundleContext.registerService(TokenBinderInfo.class.getName(), certificateBasedTokenBinder, null);
}
+ // Client instance based access token binder.
+ ClientRequestTokenBinder clientRequestTokenBinder = new ClientRequestTokenBinder();
+ bundleContext.registerService(TokenBinderInfo.class.getName(), clientRequestTokenBinder, null);
+
bundleContext.registerService(ResponseTypeRequestValidator.class.getName(),
new DeviceFlowResponseTypeRequestValidator(), null);
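Review bot: The new ClientRequestTokenBinder is registered unconditionally, whereas the certificate binder just above is registered inside a conditional block (its closing brace is the first context line of the hunk). This binder takes its binding reference from a request parameter supplied by the caller and, in the class added by this commit, validates every binding as true, so making it available in every deployment widens the set of binding types an application can be configured with; if that is deliberate, a comment such as `// Registered unconditionally: the binding value is caller-supplied and needs no server-side resource.` would make the asymmetry intentional rather than accidental. Otherwise consider gating it on configuration the way the surrounding binders appear to be. The enclosing activate method continues outside the hunk.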
diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/AccessTokenIssuer.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/AccessTokenIssuer.java
index fda30030a16..fb2543a4b78 100644
--- a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/AccessTokenIssuer.java
+++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/AccessTokenIssuer.java
@@ -97,6 +97,7 @@
import static org.apache.commons.lang.StringUtils.isNotBlank;
import static org.wso2.carbon.identity.oauth.common.OAuthConstants.GrantTypes.REFRESH_TOKEN;
import static org.wso2.carbon.identity.oauth.common.OAuthConstants.OauthAppStates.APP_STATE_ACTIVE;
+import static org.wso2.carbon.identity.oauth2.OAuth2Constants.MAX_ALLOWED_LENGTH;
import static org.wso2.carbon.identity.oauth2.Oauth2ScopeConstants.CONSOLE_SCOPE_PREFIX;
import static org.wso2.carbon.identity.oauth2.Oauth2ScopeConstants.INTERNAL_SCOPE_PREFIX;
import static org.wso2.carbon.identity.oauth2.Oauth2ScopeConstants.SYSTEM_SCOPE;
@@ -1065,11 +1066,22 @@ private void handleTokenBinding(OAuth2AccessTokenReqDTO tokenReqDTO, String gran
throw new IdentityOAuth2ClientException(OAuth2ErrorCodes.INVALID_REQUEST,
"TLS certificate not found in the request.");
}
+ if (OAuth2Constants.TokenBinderType.CLIENT_REQUEST.equals(tokenBinder.getBindingType())) {
+ // Treat as 'None' token binding requests.
+ tokReqMsgCtx.setTokenBinding(null);
+ return;
+ }
throw new IdentityOAuth2Exception(
"Token binding reference cannot be retrieved form the token binder: " + tokenBinder
.getBindingType());
}
+ if (OAuth2Constants.TokenBinderType.CLIENT_REQUEST.equals(tokenBinder.getBindingType()) &&
+ tokenBindingValueOptional.get().length() >= MAX_ALLOWED_LENGTH) {
+ throw new IdentityOAuth2ClientException(OAuth2ErrorCodes.INVALID_REQUEST,
+ "Token binding reference length exceeds limit");
+ }
+
String tokenBindingValue = tokenBindingValueOptional.get();
tokReqMsgCtx.setTokenBinding(
new TokenBinding(tokenBinder.getBindingType(), OAuth2Util.getTokenBindingReference(tokenBindingValue),
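Review bot: The length guard on L590 uses `>= MAX_ALLOWED_LENGTH` while the error message says the length "exceeds" the limit, so a value exactly MAX_ALLOWED_LENGTH characters long is rejected with a misleading message; either use `tokenBindingValueOptional.get().length() > MAX_ALLOWED_LENGTH` if the limit is inclusive, or reword the message to `"Token binding reference length must be less than " + MAX_ALLOWED_LENGTH`. Separately, the new branch on L580-L584 silently downgrades a client-request-bound application to an unbound token when the parameter is absent, while every other binder in the same branch fails the request; if that fallback is intended, the one-line comment should say why, e.g. `// The binding reference is optional for CLIENT_REQUEST: a request without it is issued as an unbound token.`. The enclosing handleTokenBinding method starts and ends outside this hunk.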
diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/bindings/impl/ClientRequestTokenBinder.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/bindings/impl/ClientRequestTokenBinder.java
new file mode 100644
index 00000000000..7adf1e4f164
--- /dev/null
+++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/bindings/impl/ClientRequestTokenBinder.java
@@ -0,0 +1,108 @@
+/*
+ * Copyright (c) 2022, WSO2 Inc. (http://www.wso2.com).
+ *
+ * WSO2 Inc. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.wso2.carbon.identity.oauth2.token.bindings.impl;
+
+import org.apache.commons.lang.StringUtils;
+import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration;
+import org.wso2.carbon.identity.oauth2.dto.OAuth2AccessTokenReqDTO;
+import org.wso2.carbon.identity.oauth2.model.RequestParameter;
+
+import java.util.List;
+import java.util.Optional;
+import java.util.Set;
+import java.util.stream.Collectors;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import static org.wso2.carbon.identity.oauth2.OAuth2Constants.TokenBinderType.CLIENT_REQUEST;
+
+
+/**
+ * Client Request binding to the token.
+ */
+public class ClientRequestTokenBinder extends AbstractTokenBinder {
+
+ private static final String CLIENT_INSTANCE_REF = "tokenBindingReference";
+
+ @Override
+ public Optional getTokenBindingValue(OAuth2AccessTokenReqDTO oAuth2AccessTokenReqDTO) {
+
+ RequestParameter[] parameters = oAuth2AccessTokenReqDTO.getRequestParameters();
+ for (RequestParameter parameter : parameters) {
+ if (CLIENT_INSTANCE_REF.equals(parameter.getKey())
+ && StringUtils.isNotBlank(parameter.getValue()[0])) {
+ return Optional.ofNullable(parameter.getValue()[0]);
+ }
+ }
+ return Optional.empty();
+ }
+
+ @Override
+ public String getDisplayName() {
+
+ return "Client Request";
+ }
+
+ @Override
+ public String getDescription() {
+
+ return "Client Request Token Binding";
+ }
+
+ @Override
+ public String getBindingType() {
+
+ return CLIENT_REQUEST;
+ }
+
+ @Override
+ public List getSupportedGrantTypes() {
+ Set supportedGrantTypes = OAuthServerConfiguration.getInstance().getSupportedGrantTypes().keySet();
+ return supportedGrantTypes.stream().collect(Collectors.toList());
+ }
+
+ @Override
+ public String getOrGenerateTokenBindingValue(HttpServletRequest request) {
+
+ return null;
+ }
+
+ @Override
+ public void setTokenBindingValueForResponse(HttpServletResponse response, String bindingValue) {
+
+ }
+
+ @Override
+ public void clearTokenBindingElements(HttpServletRequest request, HttpServletResponse response) {
+
+ }
+
+ @Override
+ public boolean isValidTokenBinding(Object request, String bindingReference) {
+
+ return true;
+ }
+
+ @Override
+ public boolean isValidTokenBinding(OAuth2AccessTokenReqDTO oAuth2AccessTokenReqDTO, String bindingReference) {
+
+ return true;
+ }
+}
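Review bot: Both isValidTokenBinding overloads (L701-L710) return true unconditionally, so this binder never compares the presented binding reference against the one stored with the token; if enforcement is meant to happen elsewhere (for instance through token lookup keyed by the binding reference), that contract belongs in the class Javadoc, which currently says only "Client Request binding to the token". The class also uses raw `Optional`, `List` and `Set` (L648, L679, L680), and getTokenBindingValue indexes `parameter.getValue()[0]` without checking that the array is non-null and non-empty, which presumably throws if a parameter arrives with no value. The rewrite below adds the guards and generic types; `Optional.of` replaces `Optional.ofNullable` because the value is already known to be non-blank.
```java
@Override
public Optional<String> getTokenBindingValue(OAuth2AccessTokenReqDTO oAuth2AccessTokenReqDTO) {

    RequestParameter[] parameters = oAuth2AccessTokenReqDTO.getRequestParameters();
    if (parameters == null) {
        return Optional.empty();
    }
    for (RequestParameter parameter : parameters) {
        String[] values = parameter.getValue();
        if (CLIENT_INSTANCE_REF.equals(parameter.getKey())
                && values != null && values.length > 0 && StringUtils.isNotBlank(values[0])) {
            return Optional.of(values[0]);
        }
    }
    return Optional.empty();
}
// … unchanged: getDisplayName, getDescription, getBindingType, getSupportedGrantTypes, remaining overrides …
```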
diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/handlers/grant/AbstractAuthorizationGrantHandler.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/handlers/grant/AbstractAuthorizationGrantHandler.java
index e8104d39f2e..a3257acb6fd 100644
--- a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/handlers/grant/AbstractAuthorizationGrantHandler.java
+++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/handlers/grant/AbstractAuthorizationGrantHandler.java
@@ -1079,7 +1079,7 @@ private boolean hasValidationByApplicationScopeValidatorsFailed(OAuthTokenReqMes
* @param tokReqMsgCtx OAuthTokenReqMessageContext.
* @return token binding reference.
*/
- private String getTokenBindingReference(OAuthTokenReqMessageContext tokReqMsgCtx) {
+ protected String getTokenBindingReference(OAuthTokenReqMessageContext tokReqMsgCtx) {
if (tokReqMsgCtx.getTokenBinding() == null) {
if (log.isDebugEnabled()) {
diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/handlers/grant/RefreshGrantHandler.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/handlers/grant/RefreshGrantHandler.java
index 051b2369984..a23952fad78 100644
--- a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/handlers/grant/RefreshGrantHandler.java
+++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/handlers/grant/RefreshGrantHandler.java
@@ -115,22 +115,36 @@ public OAuth2AccessTokenRespDTO issue(OAuthTokenReqMessageContext tokReqMsgCtx)
AccessTokenDO accessTokenBean = getRefreshTokenGrantProcessor()
.createAccessTokenBean(tokReqMsgCtx, tokenReq, validationBean, getTokenType());
- // sets accessToken, refreshToken and validity data
- setTokenData(accessTokenBean, tokReqMsgCtx, validationBean, tokenReq, accessTokenBean.getIssuedTime());
- persistNewToken(tokReqMsgCtx, accessTokenBean, tokenReq.getClientId());
- if (log.isDebugEnabled()) {
- log.debug("Persisted an access token for the refresh token, " +
- "Client ID : " + tokenReq.getClientId() +
- ", Authorized user : " + tokReqMsgCtx.getAuthorizedUser() +
- ", Timestamp : " + accessTokenBean.getIssuedTime() +
- ", Validity period (s) : " + accessTokenBean.getValidityPeriod() +
- ", Scope : " + OAuth2Util.buildScopeString(tokReqMsgCtx.getScope()) +
- ", Token State : " + OAuthConstants.TokenStates.TOKEN_STATE_ACTIVE +
- " and User Type : " + getTokenType());
- }
-
- setTokenDataToMessageContext(tokReqMsgCtx, accessTokenBean);
- addUserAttributesToCache(accessTokenBean, tokReqMsgCtx);
+
+ String scope = OAuth2Util.buildScopeString(tokReqMsgCtx.getScope());
+ String consumerKey = tokReqMsgCtx.getOauth2AccessTokenReqDTO().getClientId();
+ String authorizedUserId;
+ try {
+ authorizedUserId = tokReqMsgCtx.getAuthorizedUser().getUserId();
+ } catch (UserIdNotFoundException e) {
+ throw new IdentityOAuth2Exception("User id is not available for user: "
+ + tokReqMsgCtx.getAuthorizedUser().getLoggableMaskedUserId(), e);
+ }
+ String tokenBindingReference = getTokenBindingReference(tokReqMsgCtx);
+ synchronized ((consumerKey + ":" + authorizedUserId + ":" + scope + ":" + tokenBindingReference).intern()) {
+ // sets accessToken, refreshToken and validity data
+ setTokenData(accessTokenBean, tokReqMsgCtx, validationBean, tokenReq, accessTokenBean.getIssuedTime());
+ persistNewToken(tokReqMsgCtx, accessTokenBean, tokenReq.getClientId());
+
+ if (log.isDebugEnabled()) {
+ log.debug("Persisted an access token for the refresh token, " +
+ "Client ID : " + tokenReq.getClientId() +
+ ", Authorized user : " + tokReqMsgCtx.getAuthorizedUser() +
+ ", Timestamp : " + accessTokenBean.getIssuedTime() +
+ ", Validity period (s) : " + accessTokenBean.getValidityPeriod() +
+ ", Scope : " + OAuth2Util.buildScopeString(tokReqMsgCtx.getScope()) +
+ ", Token State : " + OAuthConstants.TokenStates.TOKEN_STATE_ACTIVE +
+ " and User Type : " + getTokenType());
+ }
+
+ setTokenDataToMessageContext(tokReqMsgCtx, accessTokenBean);
+ addUserAttributesToCache(accessTokenBean, tokReqMsgCtx);
+ }
return buildTokenResponse(tokReqMsgCtx, accessTokenBean);
}
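Review bot: The lock key on L758 is built by joining consumerKey, user id, scope and binding reference with ':' and interning the result; if any of those parts can itself contain ':' (the scope string is a space-joined list and the binding reference is a hash-like value, but neither is shown here), two different tuples could produce the same key, and interned-string locks are in any case process-local and shared with any other code that synchronizes on an equal string. A short comment stating the intent, e.g. `// Serialises concurrent refresh requests for the same client/user/scope/binding within this JVM.`, would make the limitation explicit. Inside the block, L769 recomputes `OAuth2Util.buildScopeString(tokReqMsgCtx.getScope())` although `scope` already holds that value; use `", Scope : " + scope +`. The enclosing issue method starts outside this hunk.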
diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/scope/RoleBasedScopeIssuer.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/scope/RoleBasedScopeIssuer.java
index 50eb80cc500..99c7e3731e5 100644
--- a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/scope/RoleBasedScopeIssuer.java
+++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/scope/RoleBasedScopeIssuer.java
@@ -107,6 +107,9 @@ public class RoleBasedScopeIssuer extends AbstractRoleBasedScopeIssuer implement
public boolean validateScope(OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext) throws
IdentityOAuth2Exception {
+ if (!OAuthServerConfiguration.getInstance().isRoleBasedScopeIssuerEnabled()) {
+ return true;
+ }
List authScopes = getScopes(oAuthAuthzReqMessageContext);
oAuthAuthzReqMessageContext.setApprovedScope(authScopes.toArray(new String[0]));
return true;
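Review bot: When the issuer is disabled the authorization-request variant now returns true without calling setApprovedScope, whereas before this change it always populated the approved scopes from getScopes; whether the requested scopes are then approved by another validator or left unset is not visible here, so a comment such as `// Disabled: leave scope approval to the other configured validators.` should state the intended outcome. The same early-return is repeated verbatim in the two hunks below (the token-request and token-validation variants); hoisting `OAuthServerConfiguration.getInstance().isRoleBasedScopeIssuerEnabled()` into one private helper would keep the three checks from drifting apart. Each of the three enclosing validateScope methods continues outside its hunk.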
@@ -116,6 +119,9 @@ public boolean validateScope(OAuthAuthzReqMessageContext oAuthAuthzReqMessageCon
public boolean validateScope(OAuthTokenReqMessageContext oAuthTokenReqMessageContext) throws
IdentityOAuth2Exception {
+ if (!OAuthServerConfiguration.getInstance().isRoleBasedScopeIssuerEnabled()) {
+ return true;
+ }
String grantType = oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getGrantType();
boolean isRefreshRequest = OAuthConstants.GrantTypes.REFRESH_TOKEN.equals(grantType);
boolean isFederatedUser = oAuthTokenReqMessageContext.getAuthorizedUser().isFederatedUser();
@@ -131,6 +137,9 @@ public boolean validateScope(OAuthTokenReqMessageContext oAuthTokenReqMessageCon
public boolean validateScope(OAuth2TokenValidationMessageContext oAuth2TokenValidationMessageContext) throws
IdentityOAuth2Exception {
+ if (!OAuthServerConfiguration.getInstance().isRoleBasedScopeIssuerEnabled()) {
+ return true;
+ }
AccessTokenDO accessTokenDO = (AccessTokenDO) oAuth2TokenValidationMessageContext.getProperty(ACCESS_TOKEN_DO);
if (accessTokenDO == null) {
return false;
diff --git a/components/org.wso2.carbon.identity.oidc.dcr/pom.xml b/components/org.wso2.carbon.identity.oidc.dcr/pom.xml
index 18617f4ef66..7563c47be69 100644
--- a/components/org.wso2.carbon.identity.oidc.dcr/pom.xml
+++ b/components/org.wso2.carbon.identity.oidc.dcr/pom.xml
@@ -22,7 +22,7 @@
org.wso2.carbon.identity.inbound.auth.oauth2
identity-inbound-auth-oauth
../../pom.xml
- 6.11.224-SNAPSHOT
+ 6.11.233-SNAPSHOT
4.0.0
diff --git a/components/org.wso2.carbon.identity.oidc.session/pom.xml b/components/org.wso2.carbon.identity.oidc.session/pom.xml
index 32ab56dcc0c..c2a83eefb70 100644
--- a/components/org.wso2.carbon.identity.oidc.session/pom.xml
+++ b/components/org.wso2.carbon.identity.oidc.session/pom.xml
@@ -22,7 +22,7 @@
org.wso2.carbon.identity.inbound.auth.oauth2
identity-inbound-auth-oauth
../../pom.xml
- 6.11.224-SNAPSHOT
+ 6.11.233-SNAPSHOT
4.0.0
diff --git a/components/org.wso2.carbon.identity.oidc.session/src/main/java/org/wso2/carbon/identity/oidc/session/servlet/OIDCLogoutServlet.java b/components/org.wso2.carbon.identity.oidc.session/src/main/java/org/wso2/carbon/identity/oidc/session/servlet/OIDCLogoutServlet.java
index 0e9c51590d5..db357d94013 100644
--- a/components/org.wso2.carbon.identity.oidc.session/src/main/java/org/wso2/carbon/identity/oidc/session/servlet/OIDCLogoutServlet.java
+++ b/components/org.wso2.carbon.identity.oidc.session/src/main/java/org/wso2/carbon/identity/oidc/session/servlet/OIDCLogoutServlet.java
@@ -357,7 +357,7 @@ private String processLogoutRequest(HttpServletRequest request, HttpServletRespo
return getRedirectURL(redirectURL, request);
} catch (IdentityOAuth2Exception | InvalidOAuthClientException e) {
String msg;
- if (e.getErrorCode().equals(OAuth2ErrorCodes.OAuth2SubErrorCodes.INVALID_ID_TOKEN)) {
+ if (OAuth2ErrorCodes.OAuth2SubErrorCodes.INVALID_ID_TOKEN.equals(e.getErrorCode())) {
msg = e.getMessage();
} else {
msg = "Error occurred while getting application information. Client id not found.";
diff --git a/components/org.wso2.carbon.identity.webfinger/pom.xml b/components/org.wso2.carbon.identity.webfinger/pom.xml
index 6c69ec7625a..1aa2a0a5680 100644
--- a/components/org.wso2.carbon.identity.webfinger/pom.xml
+++ b/components/org.wso2.carbon.identity.webfinger/pom.xml
@@ -21,7 +21,7 @@
org.wso2.carbon.identity.inbound.auth.oauth2
identity-inbound-auth-oauth
../../pom.xml
- 6.11.224-SNAPSHOT
+ 6.11.233-SNAPSHOT
4.0.0
diff --git a/features/org.wso2.carbon.identity.oauth.common.feature/pom.xml b/features/org.wso2.carbon.identity.oauth.common.feature/pom.xml
index fbe60d81029..9883e14c442 100644
--- a/features/org.wso2.carbon.identity.oauth.common.feature/pom.xml
+++ b/features/org.wso2.carbon.identity.oauth.common.feature/pom.xml
@@ -22,7 +22,7 @@
org.wso2.carbon.identity.inbound.auth.oauth2
identity-inbound-auth-oauth
../../pom.xml
- 6.11.224-SNAPSHOT
+ 6.11.233-SNAPSHOT
4.0.0
diff --git a/features/org.wso2.carbon.identity.oauth.dcr.server.feature/pom.xml b/features/org.wso2.carbon.identity.oauth.dcr.server.feature/pom.xml
index 999fc484f3d..be5e5ca80c0 100644
--- a/features/org.wso2.carbon.identity.oauth.dcr.server.feature/pom.xml
+++ b/features/org.wso2.carbon.identity.oauth.dcr.server.feature/pom.xml
@@ -22,7 +22,7 @@
org.wso2.carbon.identity.inbound.auth.oauth2
identity-inbound-auth-oauth
../../pom.xml
- 6.11.224-SNAPSHOT
+ 6.11.233-SNAPSHOT
4.0.0
diff --git a/features/org.wso2.carbon.identity.oauth.feature/pom.xml b/features/org.wso2.carbon.identity.oauth.feature/pom.xml
index 9c287fd2eb8..ae63a41a080 100644
--- a/features/org.wso2.carbon.identity.oauth.feature/pom.xml
+++ b/features/org.wso2.carbon.identity.oauth.feature/pom.xml
@@ -22,7 +22,7 @@
org.wso2.carbon.identity.inbound.auth.oauth2
identity-inbound-auth-oauth
../../pom.xml
- 6.11.224-SNAPSHOT
+ 6.11.233-SNAPSHOT
4.0.0
diff --git a/features/org.wso2.carbon.identity.oauth.server.feature/pom.xml b/features/org.wso2.carbon.identity.oauth.server.feature/pom.xml
index 7bce0c32eb6..b8d51f95eac 100644
--- a/features/org.wso2.carbon.identity.oauth.server.feature/pom.xml
+++ b/features/org.wso2.carbon.identity.oauth.server.feature/pom.xml
@@ -22,7 +22,7 @@
org.wso2.carbon.identity.inbound.auth.oauth2
identity-inbound-auth-oauth
../../pom.xml
- 6.11.224-SNAPSHOT
+ 6.11.233-SNAPSHOT
4.0.0
diff --git a/features/org.wso2.carbon.identity.oauth.ui.feature/pom.xml b/features/org.wso2.carbon.identity.oauth.ui.feature/pom.xml
index 9b574bc0989..20ced573be9 100644
--- a/features/org.wso2.carbon.identity.oauth.ui.feature/pom.xml
+++ b/features/org.wso2.carbon.identity.oauth.ui.feature/pom.xml
@@ -22,7 +22,7 @@
org.wso2.carbon.identity.inbound.auth.oauth2
identity-inbound-auth-oauth
../../pom.xml
- 6.11.224-SNAPSHOT
+ 6.11.233-SNAPSHOT
4.0.0
diff --git a/pom.xml b/pom.xml
index 86b2c123af8..ce089c1c0c7 100644
--- a/pom.xml
+++ b/pom.xml
@@ -28,7 +28,7 @@
4.0.0
org.wso2.carbon.identity.inbound.auth.oauth2
identity-inbound-auth-oauth
- 6.11.224-SNAPSHOT
+ 6.11.233-SNAPSHOT
pom
WSO2 Carbon OAuth module
http://wso2.org
diff --git a/service-stubs/org.wso2.carbon.claim.metadata.mgt.stub/pom.xml b/service-stubs/org.wso2.carbon.claim.metadata.mgt.stub/pom.xml
index f3e78d947b5..75ef3f4c9eb 100644
--- a/service-stubs/org.wso2.carbon.claim.metadata.mgt.stub/pom.xml
+++ b/service-stubs/org.wso2.carbon.claim.metadata.mgt.stub/pom.xml
@@ -21,7 +21,7 @@
org.wso2.carbon.identity.inbound.auth.oauth2
identity-inbound-auth-oauth
- 6.11.224-SNAPSHOT
+ 6.11.233-SNAPSHOT
../../pom.xml
diff --git a/test-utils/org.wso2.carbon.identity.oauth.common.testng/pom.xml b/test-utils/org.wso2.carbon.identity.oauth.common.testng/pom.xml
index 3cc37190922..9ed2154fb79 100644
--- a/test-utils/org.wso2.carbon.identity.oauth.common.testng/pom.xml
+++ b/test-utils/org.wso2.carbon.identity.oauth.common.testng/pom.xml
@@ -23,7 +23,7 @@
org.wso2.carbon.identity.inbound.auth.oauth2
identity-inbound-auth-oauth
../../pom.xml
- 6.11.224-SNAPSHOT
+ 6.11.233-SNAPSHOT
4.0.0