

resolve shared user profile for JWT tokens and userinfo
AnuradhaSK committed Jan 23, 2025
1 parent c2f0adf commit 6f3740c
Showing 3 changed files with 75 additions and 6 deletions.
Expand Up @@ -47,6 +47,7 @@
import org.wso2.carbon.identity.oauth2.dto.OAuth2TokenValidationResponseDTO;
import org.wso2.carbon.identity.oauth2.internal.OAuth2ServiceComponentHolder;
import org.wso2.carbon.identity.oauth2.model.AccessTokenDO;
import org.wso2.carbon.identity.oauth2.util.AuthzUtil;
import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
import org.wso2.carbon.identity.openidconnect.OIDCClaimUtil;
import org.wso2.carbon.user.api.RealmConfiguration;
Expand Down Expand Up @@ -165,8 +166,32 @@ public static Map<String, Object> getClaimsFromUserStore(OAuth2TokenValidationRe
spToLocalClaimMappings = ClaimMetadataHandler.getInstance().getMappingsMapFromOtherDialectToCarbon
(SP_DIALECT, null, userTenantDomain, true);

realm = getUserRealm(null, userTenantDomain);
Map<String, String> userClaims = getUserClaimsFromUserStore(userId, realm, claimURIList);
Map<String, String> userClaims;
AuthenticatedUser authenticatedUser = accessTokenDO.getAuthzUser();
if (!StringUtils.equals(authenticatedUser.getUserResidentOrganization(),
authenticatedUser.getAccessingOrganization()) &&
StringUtils.isNotEmpty(AuthzUtil.getUserIdOfAssociatedUser(authenticatedUser))) {
authenticatedUser.setSharedUserId(AuthzUtil.getUserIdOfAssociatedUser(authenticatedUser));
authenticatedUser.setUserSharedOrganizationId(authenticatedUser
.getAccessingOrganization());
}
if (OIDCClaimUtil.isSharedUserProfileResolverEnabled() &&
OIDCClaimUtil.isSharedUserAccessingSharedOrg(authenticatedUser) &&
StringUtils.isNotEmpty(authenticatedUser.getSharedUserId())) {
String userAccessingTenantDomain =
OIDCClaimUtil.resolveTenantDomain(authenticatedUser.getAccessingOrganization());
String sharedUserId = authenticatedUser.getSharedUserId();
realm = getUserRealm(null, userAccessingTenantDomain);
try {
FrameworkUtils.startTenantFlow(userAccessingTenantDomain);
userClaims = getUserClaimsFromUserStore(sharedUserId, realm, claimURIList);
} finally {
FrameworkUtils.endTenantFlow();
}
} else {
realm = getUserRealm(null, userTenantDomain);
userClaims = getUserClaimsFromUserStore(userId, realm, claimURIList);
}

if (isNotEmpty(userClaims)) {
for (Map.Entry<String, String> entry : userClaims.entrySet()) {
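Review bot: `AuthzUtil.getUserIdOfAssociatedUser(authenticatedUser)` is evaluated twice in the new block at the top of the second hunk — once in the `if` condition and again inside it for `setSharedUserId` — so the association lookup runs twice on every cross-organization token validation; resolve it once, `String associatedUserId = AuthzUtil.getUserIdOfAssociatedUser(authenticatedUser);`, and then test `StringUtils.isNotEmpty(associatedUserId)` and call `authenticatedUser.setSharedUserId(associatedUserId);`. That block also mutates the `AuthenticatedUser` obtained from `accessTokenDO.getAuthzUser()` as a side effect of a claim lookup; if that object is shared with or cached alongside the token DO the change outlives this call, which deserves either a comment or a copy. Because the first block sets `userSharedOrganizationId` to the accessing organization, `isSharedUserAccessingSharedOrg` in the second `if` holds by construction whenever the first block ran, so a comment stating that the effective gate is a non-empty `getUserIdOfAssociatedUser` result would make the intent clear. `OIDCClaimUtil.resolveTenantDomain` is declared to throw `OrganizationManagementException` in the second file of this commit, so `getClaimsFromUserStore` must already declare it or wrap it — its signature is outside the hunk, so I cannot confirm; the enclosing method starts before and ends after the hunk.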
Expand Up @@ -48,6 +48,7 @@
import org.wso2.carbon.identity.oauth2.internal.OAuth2ServiceComponentHolder;
import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
import org.wso2.carbon.identity.openidconnect.internal.OpenIDConnectServiceComponentHolder;
import org.wso2.carbon.identity.organization.management.organization.user.sharing.util.OrganizationSharedUserUtil;
import org.wso2.carbon.identity.organization.management.service.exception.OrganizationManagementException;
import org.wso2.carbon.user.api.UserRealm;
import org.wso2.carbon.user.api.UserStoreException;
Expand Down Expand Up @@ -484,7 +485,28 @@ public static Map<String, Object> getUserClaimsInOIDCDialect(ServiceProvider ser
claimURIList.remove(APP_ROLES_CLAIM);
appRoleClaimRequested = true;
}
Map<String, String> userClaims = getUserClaimsInLocalDialect(fullQualifiedUsername, realm, claimURIList);

Map<String, String> userClaims;
if (isSharedUserProfileResolverEnabled() && isSharedUserAccessingSharedOrg(authenticatedUser) &&
StringUtils.isNotEmpty(authenticatedUser.getSharedUserId())) {
String userAccessingTenantDomain = resolveTenantDomain(authenticatedUser.getAccessingOrganization());
AbstractUserStoreManager userStoreManager =
(AbstractUserStoreManager) OAuthComponentServiceHolder.getInstance().getRealmService()
.getTenantUserRealm(IdentityTenantUtil.getTenantId(userAccessingTenantDomain))
.getUserStoreManager();
String fullQualifiedSharedUsername = userStoreManager.getUser(authenticatedUser.getSharedUserId(), null)
.getFullQualifiedUsername();
realm = IdentityTenantUtil.getRealm(userAccessingTenantDomain, fullQualifiedSharedUsername);

try {
FrameworkUtils.startTenantFlow(userAccessingTenantDomain);
userClaims = getUserClaimsInLocalDialect(fullQualifiedUsername, realm, claimURIList);
} finally {
FrameworkUtils.endTenantFlow();
}
} else {
userClaims = getUserClaimsInLocalDialect(fullQualifiedUsername, realm, claimURIList);
}

if (roleClaimRequested || appRoleClaimRequested) {
String[] appAssocatedRolesOfUser = getAppAssociatedRolesOfUser(authenticatedUser,
Expand Down Expand Up @@ -599,14 +621,36 @@ private static void setAppRoleClaimInLocalDialect(Map<String, String> userClaims
}
}

private static boolean isSharedUserAccessingSharedOrg(AuthenticatedUser authenticatedUser) {
public static boolean isSharedUserAccessingSharedOrg(AuthenticatedUser authenticatedUser) {

return StringUtils.isNotEmpty(authenticatedUser.getUserSharedOrganizationId()) &&
StringUtils.isNotEmpty(authenticatedUser.getAccessingOrganization()) &&
StringUtils.equals(authenticatedUser.getUserSharedOrganizationId(),
authenticatedUser.getAccessingOrganization());
}

/**
* Resolve the tenant domain of the organization.
*
* @param organizationId Organization Id.
* @return Tenant domain of the organization.
* @throws OrganizationManagementException If an error occurred while resolving the tenant domain.
*/
public static String resolveTenantDomain(String organizationId) throws OrganizationManagementException {

return OAuthComponentServiceHolder.getInstance().getOrganizationManager().resolveTenantDomain(organizationId);
}

/**
* Check whether the shared user profile resolver is enabled.
*
* @return True if the shared user profile resolver is enabled.
*/
public static boolean isSharedUserProfileResolverEnabled() {

return OrganizationSharedUserUtil.isSharedUserProfileResolverEnabled();
}

private static void addSharedUserGroupsFromSharedOrganization(AuthenticatedUser authenticatedUser,
Map<String, String> userClaims) throws
OrganizationManagementException, UserStoreException, IdentityException {
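Review bot: In the shared-user branch of `getUserClaimsInOIDCDialect`, `fullQualifiedSharedUsername` is resolved from the accessing organization's user store but is only used to obtain `realm`; the claim lookup a few lines later still calls `getUserClaimsInLocalDialect(fullQualifiedUsername, realm, claimURIList)` with the original user's qualified name. If the shared user's username or user-store domain differs from the original's, that reads the wrong account in the shared organization's realm (the first file of this commit passes `sharedUserId` in its equivalent branch); if passing the original name is intentional, a comment should say why it is safe. `userStoreManager.getUser(authenticatedUser.getSharedUserId(), null)` can also return null, in which case the chained `.getFullQualifiedUsername()` fails with an NPE rather than a meaningful error; an `Objects.requireNonNull` with a message naming the shared user id, or a guarded fall-through to the non-shared path, would be clearer. Finally, `isSharedUserAccessingSharedOrg` is now public but, unlike the two helpers added below it, has no Javadoc; something like `/** Checks whether the user's shared organization id equals the organization being accessed. */` would match the file's style. The enclosing method of the first hunk starts before and ends after it.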
4 changes: 2 additions & 2 deletions pom.xml
Expand Up @@ -967,12 +967,12 @@
<carbon.kernel.registry.imp.pkg.version.range>[1.0.1, 2.0.0)</carbon.kernel.registry.imp.pkg.version.range>

<!-- Carbon Identity Framework version -->
<carbon.identity.framework.version>7.7.112</carbon.identity.framework.version>
<carbon.identity.framework.version>7.7.114</carbon.identity.framework.version>
<carbon.identity.framework.imp.pkg.version.range>[5.25.234, 8.0.0)
</carbon.identity.framework.imp.pkg.version.range>
<identity.oauth.xacml.version.range>[2.0.0, 3.0.0)</identity.oauth.xacml.version.range>

<carbon.identity.organization.management.version>1.4.7
<carbon.identity.organization.management.version>1.4.70-SNAPSHOT
</carbon.identity.organization.management.version>
<carbon.identity.organization.management.version.range>[1.1.14, 2.0.0)
</carbon.identity.organization.management.version.range>
