Add tenant domain to jwt payload

components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/config/OAuthServerConfiguration.java

@@ -317,6 +317,7 @@ public class OAuthServerConfiguration {
     private int deviceCodePollingInterval = 5000;
     private String deviceCodeKeySet = "BCDFGHJKLMNPQRSTVWXYZbcdfghjklmnpqrstvwxyz23456789";
     private String deviceAuthzEPUrl = null;
+    private boolean addTenantDomainToAccessTokenEnabled = false;
     private List<String> supportedTokenEndpointSigningAlgorithms = new ArrayList<>();
     private Boolean roleBasedScopeIssuerEnabledConfig = false;
 
@@ -522,6 +523,9 @@ private void buildOAuthServerConfiguration() {
 
         // Read config for using legacy permission access for user based auth.
         parseUseLegacyPermissionAccessForUserBasedAuth(oauthElem);
+
+        // read domain information setting config.
+        isAddTenantDomainToAccessTokenEnabled(oauthElem);
     }
 
     /**
@@ -748,6 +752,12 @@ public boolean isSkipOIDCClaimsForClientCredentialGrant() {
 
         return skipOIDCClaimsForClientCredentialGrant;
     }
+
+    public boolean isAddTenantDomainToAccessTokenEnabled() {
+
+        return addTenantDomainToAccessTokenEnabled;
+    }
+
     /**
      * instantiate the OAuth token generator. to override the default implementation, one can specify the custom class
      * in the identity.xml.
@@ -3456,6 +3466,19 @@ private void parseTokenRenewalPerRequestConfiguration(OMElement oauthConfigElem)
         }
     }
 
+
+    private void isAddTenantDomainToAccessTokenEnabled(OMElement oauthConfigElem) {
+
+        OMElement enableAddDomainElem = oauthConfigElem.getFirstChildWithName(getQNameWithIdentityNS(
+                ConfigElements.ADD_DOMAIN_TO_ACCESS_TOKEN));
+        if (enableAddDomainElem != null) {
+            addTenantDomainToAccessTokenEnabled  = Boolean.parseBoolean(enableAddDomainElem.getText());
+        }
+        if (log.isDebugEnabled()) {
+            log.debug("AddTenantDomainToAccessTokenEnabled was set to : " + addTenantDomainToAccessTokenEnabled);
+        }
+    }
+
     /**
      * Parses the map federated users to local configuration.
      *
@@ -3778,6 +3801,8 @@ private class ConfigElements {
         private static final String OPENID_CONNECT_ADD_TENANT_DOMAIN_TO_ID_TOKEN = "AddTenantDomainToIdToken";
         // Property to decide whether to add userstore domain to id_token.
         private static final String OPENID_CONNECT_ADD_USERSTORE_DOMAIN_TO_ID_TOKEN = "AddUserstoreDomainToIdToken";
+        // Enable/Disable adding domain information to the token.
+        private static final String ADD_DOMAIN_TO_ACCESS_TOKEN = "AddTenantDomainToAccessToken";
         private static final String REQUEST_OBJECT_ENABLED = "RequestObjectEnabled";
         private static final String ENABLE_FAPI_CIBA_PROFILE = "EnableCibaProfile";
         private static final String ENABLE_FAPI_SECURITY_PROFILE = "EnableSecurityProfile";

components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/JWTTokenIssuer.java

@@ -91,6 +91,8 @@ public class JWTTokenIssuer extends OauthTokenIssuerImpl {
 
     private static final String AUTHORIZATION_PARTY = "azp";
     private static final String CLIENT_ID = "client_id";
+    private static final String APP_DOMAIN = "app_td";
+    private static final String USER_DOMAIN = "user_td";
     private static final String AUDIENCE = "aud";
     private static final String SCOPE = "scope";
     private static final String TOKEN_BINDING_REF = "binding_ref";
@@ -494,6 +496,12 @@ protected JWTClaimsSet createJWTClaimSet(OAuthAuthzReqMessageContext authAuthzRe
         jwtClaimsSetBuilder.jwtID(UUID.randomUUID().toString());
         jwtClaimsSetBuilder.notBeforeTime(new Date(curTimeInMillis));
         jwtClaimsSetBuilder.claim(CLIENT_ID, consumerKey);
+
+        if (OAuthServerConfiguration.getInstance().isAddTenantDomainToAccessTokenEnabled()) {
+            jwtClaimsSetBuilder.claim(APP_DOMAIN, oAuthAppDO.getAppOwner().getTenantDomain());
+            jwtClaimsSetBuilder.claim(USER_DOMAIN, authenticatedUser.getTenantDomain());
+        }
+
         setClaimsForNonPersistence(jwtClaimsSetBuilder, authAuthzReqMessageContext, tokenReqMessageContext,
                 authenticatedUser, oAuthAppDO);
         String scope = getScope(authAuthzReqMessageContext, tokenReqMessageContext);