From 5323bb8ee425a4f13e09dafeb3733ebb0ce7f7c4 Mon Sep 17 00:00:00 2001
From: Chamila Adhikarinayake
Date: Mon, 4 Mar 2024 12:20:20 +0530
Subject: [PATCH 1/4] Add tenant domain to jwt payload
---
 .../config/OAuthServerConfiguration.java | 24 +++++++++++++++++++
 .../identity/oauth2/token/JWTTokenIssuer.java | 8 +++++++
 2 files changed, 32 insertions(+)
diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/config/OAuthServerConfiguration.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/config/OAuthServerConfiguration.java
index a19e99b9927..72118567b6d 100644
--- a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/config/OAuthServerConfiguration.java
+++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/config/OAuthServerConfiguration.java
@@ -317,6 +317,7 @@ public class OAuthServerConfiguration {
 private int deviceCodePollingInterval = 5000;
 private String deviceCodeKeySet = "BCDFGHJKLMNPQRSTVWXYZbcdfghjklmnpqrstvwxyz23456789";
 private String deviceAuthzEPUrl = null;
+ private boolean addTenantDomainToTokenEnabled = false;
 private List supportedTokenEndpointSigningAlgorithms = new ArrayList<>();
 private Boolean roleBasedScopeIssuerEnabledConfig = false;
@@ -522,6 +523,9 @@ private void buildOAuthServerConfiguration() {
 // Read config for using legacy permission access for user based auth.
 parseUseLegacyPermissionAccessForUserBasedAuth(oauthElem);
+
+ // read domain information setting config.
+ isAddTenantDomainToTokenEnabled(oauthElem);
 }
 /**
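Review bot: The new call `isAddTenantDomainToTokenEnabled(oauthElem)` in buildOAuthServerConfiguration reads like a boolean query but is a void parser that writes a field, and it reuses the name of the public getter added in the same patch; the surrounding parsers use the `parse…` form (see `parseUseLegacyPermissionAccessForUserBasedAuth` on the line above). Renaming it, e.g. `parseAddTenantDomainToAccessTokenConfig(oauthElem);`, together with its definition in the @@ -3456 hunk, would follow the file's convention; the later patches in this series rename the method but keep the `is` prefix. The comment could also say what is read: `// Read whether the app and user tenant domains are added to JWT access tokens.`. buildOAuthServerConfiguration starts outside the hunk.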
@@ -748,6 +752,12 @@ public boolean isSkipOIDCClaimsForClientCredentialGrant() {
 return skipOIDCClaimsForClientCredentialGrant;
 }
+
+ public boolean isAddTenantDomainToTokenEnabled() {
+
+ return addTenantDomainToTokenEnabled;
+ }
+
 /**
 * instantiate the OAuth token generator. to override the default implementation, one can specify the custom class
 * in the identity.xml.
@@ -3456,6 +3466,18 @@ private void parseTokenRenewalPerRequestConfiguration(OMElement oauthConfigElem)
 }
 }
+
+ private void isAddTenantDomainToTokenEnabled(OMElement oauthConfigElem) {
+ OMElement enableAddDomainElem = oauthConfigElem.getFirstChildWithName(getQNameWithIdentityNS(
+ ConfigElements.ADD_DOMAIN_TO_TOKEN));
+ if (enableAddDomainElem != null) {
+ addTenantDomainToTokenEnabled = Boolean.parseBoolean(enableAddDomainElem.getText());
+ }
+ if (log.isDebugEnabled()) {
+ log.debug("AddTenantDomainToTokenEnabled was set to : " + addTenantDomainToTokenEnabled);
+ }
+ }
+
 /**
 * Parses the map federated users to local configuration.
 *
@@ -3778,6 +3800,8 @@ private class ConfigElements {
 private static final String OPENID_CONNECT_ADD_TENANT_DOMAIN_TO_ID_TOKEN = "AddTenantDomainToIdToken";
 // Property to decide whether to add userstore domain to id_token.
 private static final String OPENID_CONNECT_ADD_USERSTORE_DOMAIN_TO_ID_TOKEN = "AddUserstoreDomainToIdToken";
+ // Enable/Disable adding domain information to the token
+ private static final String ADD_DOMAIN_TO_TOKEN = "AddTenantDomainToAccessToken";
 private static final String REQUEST_OBJECT_ENABLED = "RequestObjectEnabled";
 private static final String ENABLE_FAPI_CIBA_PROFILE = "EnableCibaProfile";
 private static final String ENABLE_FAPI_SECURITY_PROFILE = "EnableSecurityProfile";
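Review bot: The public getter `isAddTenantDomainToTokenEnabled()` has no Javadoc, while the neighbouring public methods in this file carry one (the `/** instantiate the OAuth token generator …` block directly below it). A summary such as `Returns whether the app and user tenant domains are added as claims to issued JWT access tokens (AddTenantDomainToAccessToken in identity.xml, default false).` would tell callers where the value comes from and that the feature is off unless configured.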
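Review bot: `Boolean.parseBoolean(enableAddDomainElem.getText())` in the new parser is whitespace-sensitive, so an `AddTenantDomainToAccessToken` element whose text carries surrounding spaces or a line break silently leaves the feature disabled, with the debug line as the only trace. Trimming first, `addTenantDomainToTokenEnabled = Boolean.parseBoolean(enableAddDomainElem.getText().trim());`, avoids the silent misparse; if the other boolean parsers in this file already trim (not visible here), this one should match them. The same line recurs in the renamed method in the later patches of this series.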
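Review bot: The comment on the new `ADD_DOMAIN_TO_TOKEN` constant, `// Enable/Disable adding domain information to the token`, is less specific than its value `AddTenantDomainToAccessToken` and than the neighbouring comments, which name both what is added and to which token. `// Property to decide whether to add the app and user tenant domains to the JWT access token.` matches the adjacent `OPENID_CONNECT_ADD_TENANT_DOMAIN_TO_ID_TOKEN` style and avoids reading as if userstore domains or the ID token were covered. Patch 3 in this series only appends a full stop to the comment.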
diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/JWTTokenIssuer.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/JWTTokenIssuer.java
index 06d9ba7f190..0c931e344aa 100644
--- a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/JWTTokenIssuer.java
+++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/JWTTokenIssuer.java
@@ -91,6 +91,8 @@ public class JWTTokenIssuer extends OauthTokenIssuerImpl {
 private static final String AUTHORIZATION_PARTY = "azp";
 private static final String CLIENT_ID = "client_id";
+ private static final String APP_DOMAIN = "app_domain";
+ private static final String USER_DOMAIN = "user_domain";
 private static final String AUDIENCE = "aud";
 private static final String SCOPE = "scope";
 private static final String TOKEN_BINDING_REF = "binding_ref";
@@ -494,6 +496,12 @@ protected JWTClaimsSet createJWTClaimSet(OAuthAuthzReqMessageContext authAuthzRe
 jwtClaimsSetBuilder.jwtID(UUID.randomUUID().toString());
 jwtClaimsSetBuilder.notBeforeTime(new Date(curTimeInMillis));
 jwtClaimsSetBuilder.claim(CLIENT_ID, consumerKey);
+
+ if (OAuthServerConfiguration.getInstance().isAddTenantDomainToTokenEnabled()) {
+ jwtClaimsSetBuilder.claim(APP_DOMAIN, oAuthAppDO.getAppOwner().getTenantDomain());
+ jwtClaimsSetBuilder.claim(USER_DOMAIN, authenticatedUser.getTenantDomain());
+ }
+
 setClaimsForNonPersistence(jwtClaimsSetBuilder, authAuthzReqMessageContext, tokenReqMessageContext,
 authenticatedUser, oAuthAppDO);
 String scope = getScope(authAuthzReqMessageContext, tokenReqMessageContext);
From 863a0193ecdebf8e6bbb70471c9ae3cb9423f04f Mon Sep 17 00:00:00 2001
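Review bot: `APP_DOMAIN = "app_domain"` and `USER_DOMAIN = "user_domain"` introduce two private (non-registered) JWT claim names with no comment, unlike the registered names such as `aud` and `scope` beside them; resource servers validating these tokens need to know what each carries and when it is present. A comment such as `// Private claims carrying the application's and the authenticated user's tenant domains; only emitted when AddTenantDomainToAccessToken is enabled.` above the pair would document that contract. The later patches in this series rename the values to `app_td` and `user_td`, which are even less self-describing, so the comment matters more there.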
From: Chamila Adhikarinayake
Date: Mon, 4 Mar 2024 14:09:54 +0530
Subject: [PATCH 2/4] Address review comments
---
 .../oauth/config/OAuthServerConfiguration.java | 18 +++++++++---------
 .../identity/oauth2/token/JWTTokenIssuer.java | 2 +-
 2 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/config/OAuthServerConfiguration.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/config/OAuthServerConfiguration.java
index 72118567b6d..fae7f83758d 100644
--- a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/config/OAuthServerConfiguration.java
+++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/config/OAuthServerConfiguration.java
@@ -317,7 +317,7 @@ public class OAuthServerConfiguration {
 private int deviceCodePollingInterval = 5000;
 private String deviceCodeKeySet = "BCDFGHJKLMNPQRSTVWXYZbcdfghjklmnpqrstvwxyz23456789";
 private String deviceAuthzEPUrl = null;
- private boolean addTenantDomainToTokenEnabled = false;
+ private boolean addTenantDomainToAccessTokenEnabled = false;
 private List supportedTokenEndpointSigningAlgorithms = new ArrayList<>();
 private Boolean roleBasedScopeIssuerEnabledConfig = false;
@@ -525,7 +525,7 @@ private void buildOAuthServerConfiguration() {
 parseUseLegacyPermissionAccessForUserBasedAuth(oauthElem);
 // read domain information setting config.
- isAddTenantDomainToTokenEnabled(oauthElem);
+ isAddTenantDomainToAccessTokenEnabled(oauthElem);
 }
 /**
@@ -753,9 +753,9 @@ public boolean isSkipOIDCClaimsForClientCredentialGrant() {
 return skipOIDCClaimsForClientCredentialGrant;
 }
- public boolean isAddTenantDomainToTokenEnabled() {
+ public boolean isAddTenantDomainToAccessTokenEnabled() {
- return addTenantDomainToTokenEnabled;
+ return addTenantDomainToAccessTokenEnabled;
 }
 /**
@@ -3467,14 +3467,14 @@ private void parseTokenRenewalPerRequestConfiguration(OMElement oauthConfigElem)
 }
- private void isAddTenantDomainToTokenEnabled(OMElement oauthConfigElem) {
+ private void isAddTenantDomainToAccessTokenEnabled(OMElement oauthConfigElem) {
 OMElement enableAddDomainElem = oauthConfigElem.getFirstChildWithName(getQNameWithIdentityNS(
- ConfigElements.ADD_DOMAIN_TO_TOKEN));
+ ConfigElements.ADD_DOMAIN_TO_ACCESS_TOKEN));
 if (enableAddDomainElem != null) {
- addTenantDomainToTokenEnabled = Boolean.parseBoolean(enableAddDomainElem.getText());
+ addTenantDomainToAccessTokenEnabled = Boolean.parseBoolean(enableAddDomainElem.getText());
 }
 if (log.isDebugEnabled()) {
- log.debug("AddTenantDomainToTokenEnabled was set to : " + addTenantDomainToTokenEnabled);
+ log.debug("AddTenantDomainToAccessTokenEnabled was set to : " + addTenantDomainToAccessTokenEnabled);
 }
 }
@@ -3801,7 +3801,7 @@ private class ConfigElements {
 // Property to decide whether to add userstore domain to id_token.
 private static final String OPENID_CONNECT_ADD_USERSTORE_DOMAIN_TO_ID_TOKEN = "AddUserstoreDomainToIdToken";
 // Enable/Disable adding domain information to the token
- private static final String ADD_DOMAIN_TO_TOKEN = "AddTenantDomainToAccessToken";
+ private static final String ADD_DOMAIN_TO_ACCESS_TOKEN = "AddTenantDomainToAccessToken";
 private static final String REQUEST_OBJECT_ENABLED = "RequestObjectEnabled";
 private static final String ENABLE_FAPI_CIBA_PROFILE = "EnableCibaProfile";
 private static final String ENABLE_FAPI_SECURITY_PROFILE = "EnableSecurityProfile";
diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/JWTTokenIssuer.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/JWTTokenIssuer.java
index 0c931e344aa..59e9bebd1d6 100644
--- a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/JWTTokenIssuer.java
+++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/JWTTokenIssuer.java
@@ -497,7 +497,7 @@ protected JWTClaimsSet createJWTClaimSet(OAuthAuthzReqMessageContext authAuthzRe
 jwtClaimsSetBuilder.notBeforeTime(new Date(curTimeInMillis));
 jwtClaimsSetBuilder.claim(CLIENT_ID, consumerKey);
- if (OAuthServerConfiguration.getInstance().isAddTenantDomainToTokenEnabled()) {
+ if (OAuthServerConfiguration.getInstance().isAddTenantDomainToAccessTokenEnabled()) {
 jwtClaimsSetBuilder.claim(APP_DOMAIN, oAuthAppDO.getAppOwner().getTenantDomain());
 jwtClaimsSetBuilder.claim(USER_DOMAIN, authenticatedUser.getTenantDomain());
 }
From 083e5de2f86602e83e9bcef28c455793c5904c14 Mon Sep 17 00:00:00 2001
From: Chamila Adhikarinayake
Date: Tue, 5 Mar 2024 11:19:41 +0530
Subject: [PATCH 3/4] Add review changes
---
 .../identity/oauth/config/OAuthServerConfiguration.java | 3 ++-
 .../org/wso2/carbon/identity/oauth2/token/JWTTokenIssuer.java | 4 ++--
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/config/OAuthServerConfiguration.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/config/OAuthServerConfiguration.java
index fae7f83758d..8ced79017d5 100644
--- a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/config/OAuthServerConfiguration.java
+++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/config/OAuthServerConfiguration.java
@@ -3468,6 +3468,7 @@ private void parseTokenRenewalPerRequestConfiguration(OMElement oauthConfigElem)
 private void isAddTenantDomainToAccessTokenEnabled(OMElement oauthConfigElem) {
+
 OMElement enableAddDomainElem = oauthConfigElem.getFirstChildWithName(getQNameWithIdentityNS(
 ConfigElements.ADD_DOMAIN_TO_ACCESS_TOKEN));
 if (enableAddDomainElem != null) {
@@ -3800,7 +3801,7 @@ private class ConfigElements {
 private static final String OPENID_CONNECT_ADD_TENANT_DOMAIN_TO_ID_TOKEN = "AddTenantDomainToIdToken";
 // Property to decide whether to add userstore domain to id_token.
 private static final String OPENID_CONNECT_ADD_USERSTORE_DOMAIN_TO_ID_TOKEN = "AddUserstoreDomainToIdToken";
- // Enable/Disable adding domain information to the token
+ // Enable/Disable adding domain information to the token.
 private static final String ADD_DOMAIN_TO_ACCESS_TOKEN = "AddTenantDomainToAccessToken";
 private static final String REQUEST_OBJECT_ENABLED = "RequestObjectEnabled";
 private static final String ENABLE_FAPI_CIBA_PROFILE = "EnableCibaProfile";
diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/JWTTokenIssuer.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/JWTTokenIssuer.java
index 59e9bebd1d6..96b4825361c 100644
--- a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/JWTTokenIssuer.java
+++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/JWTTokenIssuer.java
@@ -91,8 +91,8 @@ public class JWTTokenIssuer extends OauthTokenIssuerImpl {
 private static final String AUTHORIZATION_PARTY = "azp";
 private static final String CLIENT_ID = "client_id";
- private static final String APP_DOMAIN = "app_domain";
- private static final String USER_DOMAIN = "user_domain";
+ private static final String APP_DOMAIN = "app_td";
+ private static final String USER_DOMAIN = "user_td";
 private static final String AUDIENCE = "aud";
 private static final String SCOPE = "scope";
 private static final String TOKEN_BINDING_REF = "binding_ref";
From e65e3cc65786c147a2de260ae5bfc3cb6b08c358 Mon Sep 17 00:00:00 2001
From: Chamila Adhikarinayake
Date: Fri, 8 Mar 2024 14:34:41 +0530
Subject: [PATCH 4/4] Add review comments
---
 .../identity/oauth/config/OAuthServerConfiguration.java | 4 ++--
 .../wso2/carbon/identity/oauth2/token/JWTTokenIssuer.java | 8 ++++----
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/config/OAuthServerConfiguration.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/config/OAuthServerConfiguration.java
index 8ced79017d5..dc9fefddff3 100644
--- a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/config/OAuthServerConfiguration.java
+++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/config/OAuthServerConfiguration.java
@@ -3470,7 +3470,7 @@ private void parseTokenRenewalPerRequestConfiguration(OMElement oauthConfigElem)
 private void isAddTenantDomainToAccessTokenEnabled(OMElement oauthConfigElem) {
 OMElement enableAddDomainElem = oauthConfigElem.getFirstChildWithName(getQNameWithIdentityNS(
- ConfigElements.ADD_DOMAIN_TO_ACCESS_TOKEN));
+ ConfigElements.ADD_TENANT_DOMAIN_TO_ACCESS_TOKEN));
 if (enableAddDomainElem != null) {
 addTenantDomainToAccessTokenEnabled = Boolean.parseBoolean(enableAddDomainElem.getText());
 }
@@ -3802,7 +3802,7 @@ private class ConfigElements {
 // Property to decide whether to add userstore domain to id_token.
 private static final String OPENID_CONNECT_ADD_USERSTORE_DOMAIN_TO_ID_TOKEN = "AddUserstoreDomainToIdToken";
 // Enable/Disable adding domain information to the token.
- private static final String ADD_DOMAIN_TO_ACCESS_TOKEN = "AddTenantDomainToAccessToken";
+ private static final String ADD_TENANT_DOMAIN_TO_ACCESS_TOKEN = "AddTenantDomainToAccessToken";
 private static final String REQUEST_OBJECT_ENABLED = "RequestObjectEnabled";
 private static final String ENABLE_FAPI_CIBA_PROFILE = "EnableCibaProfile";
 private static final String ENABLE_FAPI_SECURITY_PROFILE = "EnableSecurityProfile";
diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/JWTTokenIssuer.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/JWTTokenIssuer.java
index 96b4825361c..580b7b151ae 100644
--- a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/JWTTokenIssuer.java
+++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/JWTTokenIssuer.java
@@ -91,8 +91,8 @@ public class JWTTokenIssuer extends OauthTokenIssuerImpl {
 private static final String AUTHORIZATION_PARTY = "azp";
 private static final String CLIENT_ID = "client_id";
- private static final String APP_DOMAIN = "app_td";
- private static final String USER_DOMAIN = "user_td";
+ private static final String APP_TENANT_DOMAIN = "app_td";
+ private static final String USER_TENANT_DOMAIN = "user_td";
 private static final String AUDIENCE = "aud";
 private static final String SCOPE = "scope";
 private static final String TOKEN_BINDING_REF = "binding_ref";
@@ -498,8 +498,8 @@ protected JWTClaimsSet createJWTClaimSet(OAuthAuthzReqMessageContext authAuthzRe
 jwtClaimsSetBuilder.claim(CLIENT_ID, consumerKey);
 if (OAuthServerConfiguration.getInstance().isAddTenantDomainToAccessTokenEnabled()) {
- jwtClaimsSetBuilder.claim(APP_DOMAIN, oAuthAppDO.getAppOwner().getTenantDomain());
- jwtClaimsSetBuilder.claim(USER_DOMAIN, authenticatedUser.getTenantDomain());
+ jwtClaimsSetBuilder.claim(APP_TENANT_DOMAIN, spTenantDomain);
+ jwtClaimsSetBuilder.claim(USER_TENANT_DOMAIN, authenticatedUser.getTenantDomain());
 }
 setClaimsForNonPersistence(jwtClaimsSetBuilder, authAuthzReqMessageContext, tokenReqMessageContext,
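Review bot: `spTenantDomain` replaces `oAuthAppDO.getAppOwner().getTenantDomain()` as the APP_TENANT_DOMAIN value, but it is declared outside the hunk (createJWTClaimSet starts above it), so whether it is always non-null here and always matches the app owner's tenant domain cannot be checked from this diff and should be confirmed against its declaration. The block still carries no comment saying what the two claims mean or why the app and user tenant domains are emitted separately; `// Config-gated private claims: the service provider's and the authenticated user's tenant domains (AddTenantDomainToAccessToken in identity.xml).` above the `if` would cover it.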