Merge branch 'master' into issue-26702

components/org.wso2.carbon.identity.api.server.dcr/pom.xml

@@ -23,12 +23,12 @@
     <parent>
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
-        <version>7.0.172-SNAPSHOT</version>
+        <version>7.0.176-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
     <artifactId>org.wso2.carbon.identity.api.server.dcr</artifactId>
-    <version>7.0.172-SNAPSHOT</version>
+    <version>7.0.176-SNAPSHOT</version>
     <name>WSO2 Carbon -  User DCR Rest API</name>
     <description>WSO2 Carbon - User DCR Rest API</description>
 

components/org.wso2.carbon.identity.api.server.oauth.scope/pom.xml

@@ -23,12 +23,12 @@
     <parent>
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
-        <version>7.0.172-SNAPSHOT</version>
+        <version>7.0.176-SNAPSHOT</version>
         <relativePath>../..</relativePath>
     </parent>
 
     <artifactId>org.wso2.carbon.identity.api.server.oauth.scope</artifactId>
-    <version>7.0.172-SNAPSHOT</version>
+    <version>7.0.176-SNAPSHOT</version>
 
     <name>WSO2 Carbon - Identity OAuth 2.0 Scope Rest APIs</name>
     <description>Rest APIs for OAuth 2.0 Scope Handling</description>

components/org.wso2.carbon.identity.client.attestation.filter/pom.xml

@@ -22,7 +22,7 @@
     <parent>
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
-        <version>7.0.172-SNAPSHOT</version>
+        <version>7.0.176-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 

components/org.wso2.carbon.identity.discovery/pom.xml

@@ -21,7 +21,7 @@
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
         <relativePath>../../pom.xml</relativePath>
-        <version>7.0.172-SNAPSHOT</version>
+        <version>7.0.176-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>

components/org.wso2.carbon.identity.oauth.ciba/pom.xml

@@ -20,7 +20,7 @@
     <parent>
         <artifactId>identity-inbound-auth-oauth</artifactId>
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
-        <version>7.0.172-SNAPSHOT</version>
+        <version>7.0.176-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 

components/org.wso2.carbon.identity.oauth.client.authn.filter/pom.xml

@@ -22,7 +22,7 @@
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
         <relativePath>../../pom.xml</relativePath>
-        <version>7.0.172-SNAPSHOT</version>
+        <version>7.0.176-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>

components/org.wso2.carbon.identity.oauth.common/pom.xml

@@ -23,7 +23,7 @@
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
         <relativePath>../../pom.xml</relativePath>
-        <version>7.0.172-SNAPSHOT</version>
+        <version>7.0.176-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>

components/org.wso2.carbon.identity.oauth.common/src/main/java/org/wso2/carbon/identity/oauth/common/OAuthConstants.java

@@ -643,8 +643,6 @@ public static class OIDCConfigProperties {
         public static final String IS_SUBJECT_TOKEN_ENABLED = "isSubjectTokenEnabled";
         public static final String SUBJECT_TOKEN_EXPIRY_TIME = "subjectTokenExpiryTime";
         public static final int SUBJECT_TOKEN_EXPIRY_TIME_VALUE = 180;
-        public static final String IS_ACCESS_TOKEN_CLAIMS_SEPARATION_ENABLED =
-                "isAccessTokenClaimsSeparationEnabled";
         public static final String PREVENT_TOKEN_REUSE = "PreventTokenReuse";
         public static final boolean DEFAULT_VALUE_FOR_PREVENT_TOKEN_REUSE = true;
         // Name of the {@code  JWTClientAuthenticatorConfig} resource type in the Configuration Management API.

components/org.wso2.carbon.identity.oauth.dcr.endpoint/pom.xml

@@ -6,7 +6,7 @@
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
         <relativePath>../../pom.xml</relativePath>
-        <version>7.0.172-SNAPSHOT</version>
+        <version>7.0.176-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>

components/org.wso2.carbon.identity.oauth.dcr/pom.xml

@@ -22,7 +22,7 @@
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
         <relativePath>../../pom.xml</relativePath>
-        <version>7.0.172-SNAPSHOT</version>
+        <version>7.0.176-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>

components/org.wso2.carbon.identity.oauth.endpoint/pom.xml

@@ -22,7 +22,7 @@
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
         <relativePath>../../pom.xml</relativePath>
-        <version>7.0.172-SNAPSHOT</version>
+        <version>7.0.176-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>

components/org.wso2.carbon.identity.oauth.extension/pom.xml

@@ -19,7 +19,7 @@
     <parent>
         <artifactId>identity-inbound-auth-oauth</artifactId>
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
-        <version>7.0.172-SNAPSHOT</version>
+        <version>7.0.176-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
     <modelVersion>4.0.0</modelVersion>

components/org.wso2.carbon.identity.oauth.par/pom.xml

@@ -23,7 +23,7 @@
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
         <relativePath>../../pom.xml</relativePath>
-        <version>7.0.172-SNAPSHOT</version>
+        <version>7.0.176-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>

components/org.wso2.carbon.identity.oauth.scope.endpoint/pom.xml

@@ -22,7 +22,7 @@
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
         <relativePath>../../pom.xml</relativePath>
-        <version>7.0.172-SNAPSHOT</version>
+        <version>7.0.176-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>

components/org.wso2.carbon.identity.oauth.stub/pom.xml

@@ -22,7 +22,7 @@
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
         <relativePath>../../pom.xml</relativePath>
-        <version>7.0.172-SNAPSHOT</version>
+        <version>7.0.176-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>

components/org.wso2.carbon.identity.oauth.stub/src/main/resources/OAuthAdminService.wsdl

@@ -395,7 +395,6 @@
                 <xs:sequence>
                     <xs:element minOccurs="0" name="OAuthVersion" nillable="true" type="xs:string"/>
                     <xs:element maxOccurs="unbounded" minOccurs="0" name="accessTokenClaims" nillable="true" type="xs:string"/>
-                    <xs:element minOccurs="0" name="accessTokenClaimsSeparationEnabled" type="xs:boolean"/>
                     <xs:element minOccurs="0" name="applicationAccessTokenExpiryTime" type="xs:long"/>
                     <xs:element minOccurs="0" name="applicationName" nillable="true" type="xs:string"/>
                     <xs:element maxOccurs="unbounded" minOccurs="0" name="audiences" nillable="true" type="xs:string"/>

components/org.wso2.carbon.identity.oauth.ui/pom.xml

@@ -22,7 +22,7 @@
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
         <relativePath>../../pom.xml</relativePath>
-        <version>7.0.172-SNAPSHOT</version>
+        <version>7.0.176-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>

components/org.wso2.carbon.identity.oauth/pom.xml

@@ -23,7 +23,7 @@
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
         <relativePath>../../pom.xml</relativePath>
-        <version>7.0.172-SNAPSHOT</version>
+        <version>7.0.176-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>

components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/OAuthAdminServiceImpl.java

@@ -234,7 +234,7 @@ public OAuthConsumerAppDTO getOAuthApplicationData(String consumerKey, String te
             OAuthAppDO app = getOAuthApp(consumerKey, tenantDomain);
             if (app != null) {
                 if (isAccessTokenClaimsSeparationFeatureEnabled() &&
-                        !app.isAccessTokenClaimsSeparationEnabled()) {
+                        !isAccessTokenClaimsSeparationEnabledForApp(consumerKey, tenantDomain)) {
                     // Add requested claims as access token claims if the app is not in the new access token
                     // claims feature.
                     addAccessTokenClaims(app, tenantDomain);
@@ -538,7 +538,6 @@ OAuthConsumerAppDTO registerAndRetrieveOAuthApplicationData(OAuthConsumerAppDTO
                         if (isAccessTokenClaimsSeparationFeatureEnabled()) {
                             validateAccessTokenClaims(application, tenantDomain);
                             app.setAccessTokenClaims(application.getAccessTokenClaims());
-                            app.setAccessTokenClaimsSeparationEnabled(true);
                         }
                     }
                     dao.addOAuthApplication(app);
@@ -979,27 +978,32 @@ void updateConsumerApplication(OAuthConsumerAppDTO consumerAppDTO, boolean enabl
             if (isAccessTokenClaimsSeparationFeatureEnabled()) {
                 // We check if the AT claims separation enabled at server level and
                 // the app level. If both are enabled, we validate the claims and update the app.
-                if (oAuthAppDO.isAccessTokenClaimsSeparationEnabled()) {
-                    validateAccessTokenClaims(consumerAppDTO, tenantDomain);
-                    oAuthAppDO.setAccessTokenClaims(consumerAppDTO.getAccessTokenClaims());
+                try {
+                    if (isAccessTokenClaimsSeparationEnabledForApp(oAuthAppDO.getOauthConsumerKey(), tenantDomain)) {
+                        validateAccessTokenClaims(consumerAppDTO, tenantDomain);
+                        oAuthAppDO.setAccessTokenClaims(consumerAppDTO.getAccessTokenClaims());
+                    }
+                } catch (IdentityOAuth2Exception e) {
+                    throw new IdentityOAuthAdminException("Error while updating existing OAuth application to " +
+                            "the new JWT access token OIDC claims separation model. Application : " +
+                            oAuthAppDO.getApplicationName() + " Tenant : " + tenantDomain, e);
                 }
                 // We only trigger the access token claims migration if the following conditions are met.
                 // 1. The AT claims separation is enabled at server level.
                 // 2. The AT claims separation is not enabled at app level.
-                // 3. User tries to enable AT claims separation at app level with update app.
-                if (!oAuthAppDO.isAccessTokenClaimsSeparationEnabled() &&
-                        consumerAppDTO.isAccessTokenClaimsSeparationEnabled()) {
-                    // Add requested claims as access token claims.
-                    try {
+                // 3. The access token claims are empty.
+                try {
+                    if (!isAccessTokenClaimsSeparationEnabledForApp(oAuthAppDO.getOauthConsumerKey(),
+                            tenantDomain) && oAuthAppDO.getAccessTokenClaims().length == 0) {
+                        // Add requested claims as access token claims.
                         addAccessTokenClaims(oAuthAppDO, tenantDomain);
-                    } catch (IdentityOAuth2Exception e) {
-                        throw new IdentityOAuthAdminException("Error while updating existing OAuth application to " +
-                                "the new JWT access token OIDC claims separation model. Application : " +
-                                oAuthAppDO.getApplicationName() + " Tenant : " + tenantDomain, e);
                     }
+
+                } catch (IdentityOAuth2Exception e) {
+                    throw new IdentityOAuthAdminException("Error while updating existing OAuth application to " +
+                            "the new JWT access token OIDC claims separation model. Application : " +
+                            oAuthAppDO.getApplicationName() + " Tenant : " + tenantDomain, e);
                 }
-                oAuthAppDO.setAccessTokenClaimsSeparationEnabled(consumerAppDTO
-                        .isAccessTokenClaimsSeparationEnabled());
             }
         }
         dao.updateConsumerApplication(oAuthAppDO);
@@ -2898,4 +2902,12 @@ private boolean isAccessTokenClaimsSeparationFeatureEnabled() {
 
         return Boolean.parseBoolean(IdentityUtil.getProperty(ENABLE_CLAIMS_SEPARATION_FOR_ACCESS_TOKEN));
     }
+
+    private boolean isAccessTokenClaimsSeparationEnabledForApp(String consumerKey, String tenantDomain)
+            throws IdentityOAuth2Exception {
+
+        ServiceProvider serviceProvider = OAuth2Util.getServiceProvider(consumerKey, tenantDomain);
+        return OAuth2Util.isAppVersionAllowed(serviceProvider.getApplicationVersion(),
+                ApplicationConstants.ApplicationVersion.APP_VERSION_V2);
+    }
 }

components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/OAuthUtil.java

@@ -94,6 +94,7 @@
 import static org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants.CURRENT_SESSION_IDENTIFIER;
 import static org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants.CURRENT_TOKEN_IDENTIFIER;
 import static org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants.Config.PRESERVE_LOGGED_IN_SESSION_AT_PASSWORD_UPDATE;
+import static org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants.OAUTH2;
 import static org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants.ORGANIZATION_LOGIN_HOME_REALM_IDENTIFIER;
 import static org.wso2.carbon.identity.oauth.common.OAuthConstants.OIDCConfigProperties.DEFAULT_VALUE_FOR_PREVENT_TOKEN_REUSE;
 import static org.wso2.carbon.identity.oauth.common.OAuthConstants.OIDCConfigProperties.ENABLE_TOKEN_REUSE;
@@ -562,7 +563,6 @@ public static OAuthConsumerAppDTO buildConsumerAppDTO(OAuthAppDO appDO) {
         dto.setSubjectTokenEnabled(appDO.isSubjectTokenEnabled());
         dto.setSubjectTokenExpiryTime(appDO.getSubjectTokenExpiryTime());
         dto.setAccessTokenClaims(appDO.getAccessTokenClaims());
-        dto.setAccessTokenClaimsSeparationEnabled(appDO.isAccessTokenClaimsSeparationEnabled());
         return dto;
     }
 
@@ -822,6 +822,27 @@ private static Set<String> getClientIdsOfAssociatedApplications(Role role, Authe
         return clientIds;
     }
 
+    private static Set<String> filterClientIdsWithOrganizationAudience(List<String> clientIds, String tenantDomain) {
+
+        Set<String> clientIdsWithOrganizationAudience = new HashSet<>();
+        ApplicationManagementService applicationManagementService =
+                OAuthComponentServiceHolder.getInstance().getApplicationManagementService();
+        for (String clientId : clientIds) {
+            try {
+                String applicationId = applicationManagementService.getApplicationResourceIDByInboundKey(clientId,
+                        OAUTH2, tenantDomain);
+                String audience = applicationManagementService.getAllowedAudienceForRoleAssociation(applicationId,
+                        tenantDomain);
+                if (RoleConstants.ORGANIZATION.equalsIgnoreCase(audience)) {
+                    clientIdsWithOrganizationAudience.add(clientId);
+                }
+            } catch (IdentityApplicationManagementException e) {
+                LOG.error("Error occurred while retrieving application information for client id: " + clientId, e);
+            }
+        }
+        return clientIdsWithOrganizationAudience;
+    }
+
     /**
      * This method will retrieve the role details of the given role id.
      * @param roleId        Role Id.
@@ -991,7 +1012,7 @@ public static boolean revokeTokens(String username, UserStoreManager userStoreMa
 
         // Get details about the role to identify the audience and associated applications.
         Set<String> clientIds = null;
-        Role role;
+        Role role = null;
         boolean getClientIdsFromUser = false;
         if (roleId != null) {
             role = getRole(roleId, IdentityTenantUtil.getTenantDomain(userStoreManager.getTenantId()));
@@ -1009,6 +1030,7 @@ public static boolean revokeTokens(String username, UserStoreManager userStoreMa
                             "an organization role: " + role.getName());
                 }
                 getClientIdsFromUser = true;
+
             }
         } else {
             // Get all the distinct client Ids authorized by this user since no role is specified.
@@ -1022,7 +1044,12 @@ public static boolean revokeTokens(String username, UserStoreManager userStoreMa
             }
             try {
                 clientIds = OAuthTokenPersistenceFactory.getInstance()
-                        .getTokenManagementDAO().getAllTimeAuthorizedClientIds(authenticatedUser);
+                            .getTokenManagementDAO().getAllTimeAuthorizedClientIds(authenticatedUser);
+
+                if (role != null && RoleConstants.ORGANIZATION.equals(role.getAudience())) {
+                    clientIds = filterClientIdsWithOrganizationAudience(new ArrayList<>(clientIds), tenantDomain);
+                }
+
             } catch (IdentityOAuth2Exception e) {
                 LOG.error("Error occurred while retrieving apps authorized by User ID : " + authenticatedUser, e);
                 throw new UserStoreException(e);

components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/action/PreIssueAccessTokenResponseProcessor.java

@@ -23,6 +23,7 @@
 import com.fasterxml.jackson.databind.ObjectMapper;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.wso2.carbon.identity.action.execution.ActionExecutionLogConstants;
 import org.wso2.carbon.identity.action.execution.ActionExecutionResponseProcessor;
 import org.wso2.carbon.identity.action.execution.exception.ActionExecutionResponseProcessorException;
 import org.wso2.carbon.identity.action.execution.model.ActionExecutionStatus;
@@ -31,11 +32,13 @@
 import org.wso2.carbon.identity.action.execution.model.ActionType;
 import org.wso2.carbon.identity.action.execution.model.Event;
 import org.wso2.carbon.identity.action.execution.model.PerformableOperation;
+import org.wso2.carbon.identity.central.log.mgt.utils.LoggerUtils;
 import org.wso2.carbon.identity.oauth.action.model.AccessToken;
 import org.wso2.carbon.identity.oauth.action.model.ClaimPathInfo;
 import org.wso2.carbon.identity.oauth.action.model.OperationExecutionResult;
 import org.wso2.carbon.identity.oauth.action.model.PreIssueAccessTokenEvent;
 import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext;
+import org.wso2.carbon.utils.DiagnosticLog;
 
 import java.util.ArrayList;
 import java.util.Collections;
@@ -113,7 +116,29 @@ public ActionExecutionStatus processSuccessResponse(Map<String, Object> eventCon
     private void logOperationExecutionResults(ActionType actionType,
                                               List<OperationExecutionResult> operationExecutionResultList) {
 
-        //todo: need to add to diagnostic logs
+        if (LoggerUtils.isDiagnosticLogsEnabled()) {
+
+            List<Map<String, String>> operationDetailsList = new ArrayList<>();
+            operationExecutionResultList.forEach(performedOperation -> {
+                operationDetailsList.add(Map.of(
+                        "operation", performedOperation.getOperation().getOp() + " path: " +
+                                performedOperation.getOperation().getPath(),
+                        "status", performedOperation.getStatus().toString(),
+                        "message", performedOperation.getMessage()
+                ));
+            });
+
+            DiagnosticLog.DiagnosticLogBuilder diagLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
+                    ActionExecutionLogConstants.ACTION_EXECUTION_COMPONENT_ID,
+                    ActionExecutionLogConstants.ActionIDs.EXECUTE_ACTION_OPERATIONS);
+            diagLogBuilder
+                    .inputParam("executed operations", operationDetailsList.isEmpty() ? "empty" : operationDetailsList)
+                    .resultMessage("Allowed operations are executed for " + actionType.getDisplayName() + " action.")
+                    .logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION)
+                    .resultStatus(DiagnosticLog.ResultStatus.SUCCESS)
+                    .build();
+            LoggerUtils.triggerDiagnosticLogEvent(diagLogBuilder);
+        }
         if (LOG.isDebugEnabled()) {
             ObjectMapper objectMapper = new ObjectMapper();
             objectMapper.setSerializationInclusion(JsonInclude.Include.NON_NULL);