Always set roles claim as a requested claim of the shared application if legacy authz runtime is false

components/org.wso2.carbon.identity.organization.management.application/src/main/java/org/wso2/carbon/identity/organization/management/application/constant/OrgApplicationMgtConstants.java

@@ -37,6 +37,7 @@ public class OrgApplicationMgtConstants {
 
     public static final String USER_ORGANIZATION_CLAIM_URI = "http://wso2.org/claims/runtime/user_organization";
     public static final String APP_ROLES_CLAIM_URI = "http://wso2.org/claims/applicationRoles";
+    public static final String ROLES_CLAIM_URI = "http://wso2.org/claims/roles";
     public static final String USER_ORGANIZATION_CLAIM = "user_organization";
     public static final String OIDC_CLAIM_DIALECT_URI = "http://wso2.org/oidc/claim";
     public static final String RUNTIME_CLAIM_URI_PREFIX = "http://wso2.org/claims/runtime/";

components/org.wso2.carbon.identity.organization.management.application/src/main/java/org/wso2/carbon/identity/organization/management/application/listener/FragmentApplicationMgtListener.java

@@ -22,6 +22,7 @@
 import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.wso2.carbon.CarbonConstants;
 import org.wso2.carbon.context.PrivilegedCarbonContext;
 import org.wso2.carbon.identity.application.common.IdentityApplicationManagementClientException;
 import org.wso2.carbon.identity.application.common.IdentityApplicationManagementException;
@@ -243,6 +244,10 @@ public boolean doPostGetServiceProvider(ServiceProvider serviceProvider, String
                         // Add application roles to the filtered claim mappings (if any
                         filteredClaimMappings = addApplicationRolesToFilteredClaimMappings(filteredClaimMappings);
                     }
+                    if (!CarbonConstants.ENABLE_LEGACY_AUTHZ_RUNTIME) {
+                        // Add roles to the filtered claim mappings.
+                        filteredClaimMappings = addRolesClaimToFilteredClaimMappings(filteredClaimMappings);
+                    }
                     ClaimConfig claimConfig = new ClaimConfig();
                     claimConfig.setClaimMappings(filteredClaimMappings);
                     claimConfig.setAlwaysSendMappedLocalSubjectId(
@@ -279,6 +284,39 @@ public boolean doPostGetServiceProvider(ServiceProvider serviceProvider, String
         return super.doPostGetServiceProvider(serviceProvider, applicationName, tenantDomain);
     }
 
+    /**
+     * Add roles claim mapping to the filtered claim mappings.
+     *
+     * @param filteredClaimMappings ClaimMappings array be used to add roles claim mapping.
+     * @return ClaimMappings array with roles claim mapping.
+     */
+    private ClaimMapping[] addRolesClaimToFilteredClaimMappings(ClaimMapping[] filteredClaimMappings) {
+
+        if (filteredClaimMappings == null) {
+            return null;
+        }
+        for (ClaimMapping claimMapping : filteredClaimMappings) {
+            if (OrgApplicationMgtConstants.ROLES_CLAIM_URI.equals(claimMapping.getLocalClaim().getClaimUri())) {
+                // Return original array if the claim already exists.
+                return filteredClaimMappings;
+            }
+        }
+        ClaimMapping roleClaimMapping = new ClaimMapping();
+        Claim localRoleClaim = new Claim();
+        localRoleClaim.setClaimUri(OrgApplicationMgtConstants.ROLES_CLAIM_URI);
+        Claim fedRoleClaim = new Claim();
+        fedRoleClaim.setClaimUri(OrgApplicationMgtConstants.ROLES_CLAIM_URI);
+        roleClaimMapping.setLocalClaim(localRoleClaim);
+        roleClaimMapping.setRemoteClaim(fedRoleClaim);
+        roleClaimMapping.setRequested(true);
+
+        ClaimMapping[] claimMappings = new ClaimMapping[filteredClaimMappings.length + 1];
+        System.arraycopy(filteredClaimMappings, 0, claimMappings, 0, filteredClaimMappings.length);
+        claimMappings[filteredClaimMappings.length] = roleClaimMapping;
+        // Return the updated array.
+        return claimMappings;
+    }
+
     private AssociatedRolesConfig getAssociatedRolesConfigForSharedApp(
             AssociatedRolesConfig associatedRolesConfigOfMainApp, String tenantDomainOfSharedApp)
             throws IdentityRoleManagementException {

pom.xml

@@ -467,7 +467,7 @@
     <properties>
 
         <!-- Carbon kernel version -->
-        <carbon.kernel.version>4.9.0-m1</carbon.kernel.version>
+        <carbon.kernel.version>4.9.16</carbon.kernel.version>
         <carbon.kernel.package.import.version.range>[4.7.0, 5.0.0)</carbon.kernel.package.import.version.range>
         <carbon.kernel.feature.version>4.6.0</carbon.kernel.feature.version>