From 5dd792ef2866a120d9288540893ea625c4386d46 Mon Sep 17 00:00:00 2001 From: sadilchamishka Date: Tue, 17 Oct 2023 09:09:42 +0530 Subject: [PATCH 1/4] Improve claim provider according to the organization bound token improvements --- .../pom.xml | 4 ++ .../provider/OrganizationClaimProvider.java | 67 +++++++++++++------ pom.xml | 7 +- 3 files changed, 56 insertions(+), 22 deletions(-) diff --git a/components/org.wso2.carbon.identity.organization.management.claim.provider/pom.xml b/components/org.wso2.carbon.identity.organization.management.claim.provider/pom.xml index 734cf277a..cf578a31e 100644 --- a/components/org.wso2.carbon.identity.organization.management.claim.provider/pom.xml +++ b/components/org.wso2.carbon.identity.organization.management.claim.provider/pom.xml @@ -36,6 +36,10 @@ org.apache.felix org.apache.felix.scr.ds-annotations + + org.wso2.carbon.identity.framework + org.wso2.carbon.identity.application.authentication.framework + org.wso2.carbon.identity.inbound.auth.oauth2 org.wso2.carbon.identity.oauth diff --git a/components/org.wso2.carbon.identity.organization.management.claim.provider/src/main/java/org/wso2/carbon/identity/organization/management/claim/provider/OrganizationClaimProvider.java b/components/org.wso2.carbon.identity.organization.management.claim.provider/src/main/java/org/wso2/carbon/identity/organization/management/claim/provider/OrganizationClaimProvider.java index a2a9ebbfd..4d24168d0 100644 --- a/components/org.wso2.carbon.identity.organization.management.claim.provider/src/main/java/org/wso2/carbon/identity/organization/management/claim/provider/OrganizationClaimProvider.java +++ b/components/org.wso2.carbon.identity.organization.management.claim.provider/src/main/java/org/wso2/carbon/identity/organization/management/claim/provider/OrganizationClaimProvider.java 
@@ -41,8 +41,9 @@ */ public class OrganizationClaimProvider implements ClaimProvider, JWTAccessTokenClaimProvider { - private static final String ORGANIZATION_ID_ATTRIBUTE = "org_id"; - private static final String ORGANIZATION_NAME_ATTRIBUTE = "org_name"; + private static final String AUTHORIZED_ORGANIZATION_ID_ATTRIBUTE = "org_id"; + private static final String AUTHORIZED_ORGANIZATION_NAME_ATTRIBUTE = "org_name"; + private static final String USER_RESIDENT_ORGANIZATION_NAME_ATTRIBUTE = "user_organization"; @Override public Map getAdditionalClaims(OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext, @@ -50,7 +51,8 @@ public Map getAdditionalClaims(OAuthAuthzReqMessageContext oAuth throws IdentityOAuth2Exception { String tenantDomain = oAuthAuthzReqMessageContext.getAuthorizationReqDTO().getLoggedInTenantDomain(); - return getOrganizationInformation(tenantDomain); + String organizationId = resolveOrganizationId(tenantDomain); + return setOrganizationInformation(organizationId, organizationId); } @Override @@ -58,13 +60,13 @@ public Map getAdditionalClaims(OAuthTokenReqMessageContext oAuth OAuth2AccessTokenRespDTO oAuth2AccessTokenRespDTO) throws IdentityOAuth2Exception { - String tenantDomain = oAuthTokenReqMessageContext.getAuthorizedUser().getTenantDomain(); - return getOrganizationInformation(tenantDomain); - } - - private OrganizationManager getOrganizationManager() { - - return OrganizationClaimProviderServiceComponentHolder.getInstance().getOrganizationManager(); + String userResidentOrganization = oAuthTokenReqMessageContext.getAuthorizedUser().getUserResidentOrganization(); + String accessingOrganization = oAuthTokenReqMessageContext.getAuthorizedUser().getAccessingOrganization(); + if (StringUtils.isEmpty(accessingOrganization)) { + accessingOrganization = + resolveOrganizationId(oAuthTokenReqMessageContext.getAuthorizedUser().getTenantDomain()); + } + return setOrganizationInformation(userResidentOrganization, accessingOrganization); } @Override 
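Review bot: `USER_RESIDENT_ORGANIZATION_NAME_ATTRIBUTE` carries an organization ID, not a name — the later hunks populate it from `getUserResidentOrganization()` and, on the authorization-request path, from the resolved `organizationId` — so a name that parallels `AUTHORIZED_ORGANIZATION_NAME_ATTRIBUTE` (which does hold a name) misleads the next reader. Rename it to `USER_RESIDENT_ORGANIZATION_ID_ATTRIBUTE` and document what each claim means for token consumers, e.g. above the constants: `// org_id / org_name identify the organization the token is authorized for; user_org carries the ID of the organization the user resides in.` The enclosing class continues outside the hunk.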
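Review bot: In the authorization-request overload (`@@ -50,7 +51,8 @@`) the same `organizationId` is passed as both the resident and the authorized organization, so `user_org` is derived from the logged-in tenant rather than from the authenticated user, while the token-request overload in the following hunk reads it from `getAuthorizedUser().getUserResidentOrganization()`. If a user can reside in an organization other than the one the request is scoped to, the two paths would then emit different `user_org` values for the same user, which matters because relying parties may use that claim for access decisions. If the authorization request DTO exposes the authenticated user, reading the resident organization from it would keep both paths consistent; otherwise a comment should state the assumption, e.g. `// Authorization requests are assumed to be made from the user's resident organization, so org_id and user_org coincide.` The enclosing method's signature starts outside the hunk.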
@@ -72,38 +74,61 @@ public Map getAdditionalClaims(OAuthAuthzReqMessageContext oAuth throws IdentityOAuth2Exception { String tenantDomain = oAuthAuthzReqMessageContext.getAuthorizationReqDTO().getLoggedInTenantDomain(); - return getOrganizationInformation(tenantDomain); + String organizationId = resolveOrganizationId(tenantDomain); + return setOrganizationInformation(organizationId, organizationId); } @Override public Map getAdditionalClaims(OAuthTokenReqMessageContext oAuthTokenReqMessageContext) throws IdentityOAuth2Exception { - String tenantDomain = oAuthTokenReqMessageContext.getAuthorizedUser().getTenantDomain(); - return getOrganizationInformation(tenantDomain); + String userResidentOrganization = oAuthTokenReqMessageContext.getAuthorizedUser().getUserResidentOrganization(); + String authorizedOrganization = oAuthTokenReqMessageContext.getAuthorizedUser().getAccessingOrganization(); + if (StringUtils.isEmpty(authorizedOrganization)) { + authorizedOrganization = + resolveOrganizationId(oAuthTokenReqMessageContext.getAuthorizedUser().getTenantDomain()); + } + return setOrganizationInformation(userResidentOrganization, authorizedOrganization); } - private Map getOrganizationInformation(String tenantDomain) throws IdentityOAuth2Exception { + private Map setOrganizationInformation(String userResidentOrganization, + String authorizedOrganization) + throws IdentityOAuth2Exception { Map additionalClaims = new HashMap<>(); if (!OrganizationClaimProviderServiceComponentHolder.getInstance().isOrganizationManagementEnable()) { return additionalClaims; } try { - String organizationId = getOrganizationManager().resolveOrganizationId(tenantDomain); - if (StringUtils.isNotBlank(organizationId)) { - String organizationName = getOrganizationManager().getOrganizationNameById(organizationId); - additionalClaims.put(ORGANIZATION_ID_ATTRIBUTE, organizationId); - additionalClaims.put(ORGANIZATION_NAME_ATTRIBUTE, organizationName); + if 
(StringUtils.isNotBlank(authorizedOrganization)) { + String authorizedOrganizationName = + getOrganizationManager().getOrganizationNameById(authorizedOrganization); + additionalClaims.put(USER_RESIDENT_ORGANIZATION_NAME_ATTRIBUTE, userResidentOrganization); + additionalClaims.put(AUTHORIZED_ORGANIZATION_ID_ATTRIBUTE, authorizedOrganization); + additionalClaims.put(AUTHORIZED_ORGANIZATION_NAME_ATTRIBUTE, authorizedOrganizationName); } + } catch (OrganizationManagementException e) { + throw new IdentityOAuth2Exception("Error while resolving organization name by ID.", e); + } + return additionalClaims; + } + + private String resolveOrganizationId(String tenantDomain) throws IdentityOAuth2Exception { + + try { + return getOrganizationManager().resolveOrganizationId(tenantDomain); } catch (OrganizationManagementClientException e) { if (ERROR_CODE_ORGANIZATION_NOT_FOUND_FOR_TENANT.getCode().equals(e.getErrorCode())) { - return additionalClaims; + return null; } throw new IdentityOAuth2Exception("Error while resolving organization id.", e); } catch (OrganizationManagementException e) { throw new IdentityOAuth2Exception("Error while resolving organization id.", e); } - return additionalClaims; + } + + private OrganizationManager getOrganizationManager() { + + return OrganizationClaimProviderServiceComponentHolder.getInstance().getOrganizationManager(); } } diff --git a/pom.xml b/pom.xml index a9b24887c..449f95dcb 100644 --- a/pom.xml +++ b/pom.xml @@ -215,6 +215,11 @@ org.wso2.carbon.identity.configuration.mgt.core ${carbon.identity.framework.version} + + org.wso2.carbon.identity.framework + org.wso2.carbon.identity.application.authentication.framework + ${carbon.identity.framework.version} + org.wso2.carbon.identity.inbound.auth.oauth2 org.wso2.carbon.identity.oauth @@ -494,7 +499,7 @@ [4.7.0,5.0.0) - 5.25.369 + 5.25.390-SNAPSHOT [5.20.0, 7.0.0) From dbce554b676f8f45bea2365a485a219eec08bf77 Mon Sep 17 00:00:00 2001 
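Review bot: In `setOrganizationInformation` the `user_org` claim is put unconditionally once `authorizedOrganization` is non-blank, but `userResidentOrganization` has no blank check and no fallback on the token path, so an unset resident organization would be written into the claim map as a null value and end up in the issued token. Guard it the same way the authorized organization is guarded: `if (StringUtils.isNotBlank(userResidentOrganization)) { additionalClaims.put(USER_RESIDENT_ORGANIZATION_NAME_ATTRIBUTE, userResidentOrganization); }`. The same gap remains in the rewritten method in patch 3 (`@@ -100,12 +97,11 @@`), where the variable is `userResideOrgId`. The method also deserves a short Javadoc stating that the returned map is empty when organization management is disabled or when no authorized organization could be resolved.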
From: sadilchamishka Date: Tue, 17 Oct 2023 09:10:03 +0530 Subject: [PATCH 2/4] Bump framework version --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 449f95dcb..c0106c08c 100644 --- a/pom.xml +++ b/pom.xml @@ -499,7 +499,7 @@ [4.7.0,5.0.0) - 5.25.390-SNAPSHOT + 5.25.396 [5.20.0, 7.0.0) From d228741395877ab328015cc467d0ab4abe581b36 Mon Sep 17 00:00:00 2001 From: sadilchamishka Date: Tue, 17 Oct 2023 10:50:16 +0530 Subject: [PATCH 3/4] Address review comments --- .../provider/OrganizationClaimProvider.java | 43 +++++++++---------- 1 file changed, 20 insertions(+), 23 deletions(-) diff --git a/components/org.wso2.carbon.identity.organization.management.claim.provider/src/main/java/org/wso2/carbon/identity/organization/management/claim/provider/OrganizationClaimProvider.java b/components/org.wso2.carbon.identity.organization.management.claim.provider/src/main/java/org/wso2/carbon/identity/organization/management/claim/provider/OrganizationClaimProvider.java index 4d24168d0..470b680b0 100644 --- a/components/org.wso2.carbon.identity.organization.management.claim.provider/src/main/java/org/wso2/carbon/identity/organization/management/claim/provider/OrganizationClaimProvider.java +++ b/components/org.wso2.carbon.identity.organization.management.claim.provider/src/main/java/org/wso2/carbon/identity/organization/management/claim/provider/OrganizationClaimProvider.java @@ -43,7 +43,7 @@ public class OrganizationClaimProvider implements ClaimProvider, JWTAccessTokenC private static final String AUTHORIZED_ORGANIZATION_ID_ATTRIBUTE = "org_id"; private static final String AUTHORIZED_ORGANIZATION_NAME_ATTRIBUTE = "org_name"; - private static final String USER_RESIDENT_ORGANIZATION_NAME_ATTRIBUTE = "user_organization"; + private static final String USER_RESIDENT_ORGANIZATION_NAME_ATTRIBUTE = "user_org"; @Override public Map getAdditionalClaims(OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext, 
@@ -52,7 +52,7 @@ public Map getAdditionalClaims(OAuthAuthzReqMessageContext oAuth String tenantDomain = oAuthAuthzReqMessageContext.getAuthorizationReqDTO().getLoggedInTenantDomain(); String organizationId = resolveOrganizationId(tenantDomain); - return setOrganizationInformation(organizationId, organizationId); + return buildOrganizationInformation(organizationId, organizationId); } @Override @@ -60,13 +60,12 @@ public Map getAdditionalClaims(OAuthTokenReqMessageContext oAuth OAuth2AccessTokenRespDTO oAuth2AccessTokenRespDTO) throws IdentityOAuth2Exception { - String userResidentOrganization = oAuthTokenReqMessageContext.getAuthorizedUser().getUserResidentOrganization(); - String accessingOrganization = oAuthTokenReqMessageContext.getAuthorizedUser().getAccessingOrganization(); - if (StringUtils.isEmpty(accessingOrganization)) { - accessingOrganization = - resolveOrganizationId(oAuthTokenReqMessageContext.getAuthorizedUser().getTenantDomain()); + String userResidentOrgId = oAuthTokenReqMessageContext.getAuthorizedUser().getUserResidentOrganization(); + String authorizedOrgId = oAuthTokenReqMessageContext.getAuthorizedUser().getAccessingOrganization(); + if (StringUtils.isEmpty(authorizedOrgId)) { + authorizedOrgId = resolveOrganizationId(oAuthTokenReqMessageContext.getAuthorizedUser().getTenantDomain()); } - return setOrganizationInformation(userResidentOrganization, accessingOrganization); + return buildOrganizationInformation(userResidentOrgId, authorizedOrgId); } @Override 
@@ -75,24 +74,22 @@ public Map getAdditionalClaims(OAuthAuthzReqMessageContext oAuth String tenantDomain = oAuthAuthzReqMessageContext.getAuthorizationReqDTO().getLoggedInTenantDomain(); String organizationId = resolveOrganizationId(tenantDomain); - return setOrganizationInformation(organizationId, organizationId); + return buildOrganizationInformation(organizationId, organizationId); } @Override public Map getAdditionalClaims(OAuthTokenReqMessageContext oAuthTokenReqMessageContext) throws IdentityOAuth2Exception { - String userResidentOrganization = oAuthTokenReqMessageContext.getAuthorizedUser().getUserResidentOrganization(); - String authorizedOrganization = oAuthTokenReqMessageContext.getAuthorizedUser().getAccessingOrganization(); - if (StringUtils.isEmpty(authorizedOrganization)) { - authorizedOrganization = - resolveOrganizationId(oAuthTokenReqMessageContext.getAuthorizedUser().getTenantDomain()); + String userResidentOrgId = oAuthTokenReqMessageContext.getAuthorizedUser().getUserResidentOrganization(); + String authorizedOrgId = oAuthTokenReqMessageContext.getAuthorizedUser().getAccessingOrganization(); + if (StringUtils.isEmpty(authorizedOrgId)) { + authorizedOrgId = resolveOrganizationId(oAuthTokenReqMessageContext.getAuthorizedUser().getTenantDomain()); } - return setOrganizationInformation(userResidentOrganization, authorizedOrganization); + return buildOrganizationInformation(userResidentOrgId, authorizedOrgId); } - private Map setOrganizationInformation(String userResidentOrganization, - String authorizedOrganization) + private Map buildOrganizationInformation(String userResideOrgId, String authorizedOrgId) throws IdentityOAuth2Exception { Map additionalClaims = new HashMap<>(); 
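Review bot: The new parameter name `userResideOrgId` in `buildOrganizationInformation` is misspelled relative to the `userResidentOrgId` locals its callers use, which makes the pairing of the two arguments harder to follow at the call sites `buildOrganizationInformation(userResidentOrgId, authorizedOrgId)`. Rename it to `userResidentOrgId` in the signature and in the three uses in the following hunk (`@@ -100,12 +97,11 @@`). A one-line Javadoc would also help, e.g. `/** Builds the org_id, org_name and user_org claims; empty when organization management is disabled or authorizedOrgId is blank. */`. The method body continues outside the hunk.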
@@ -100,12 +97,11 @@ private Map setOrganizationInformation(String userResidentOrgani return additionalClaims; } try { - if (StringUtils.isNotBlank(authorizedOrganization)) { - String authorizedOrganizationName = - getOrganizationManager().getOrganizationNameById(authorizedOrganization); - additionalClaims.put(USER_RESIDENT_ORGANIZATION_NAME_ATTRIBUTE, userResidentOrganization); - additionalClaims.put(AUTHORIZED_ORGANIZATION_ID_ATTRIBUTE, authorizedOrganization); - additionalClaims.put(AUTHORIZED_ORGANIZATION_NAME_ATTRIBUTE, authorizedOrganizationName); + if (StringUtils.isNotBlank(authorizedOrgId)) { + String authorizedOrgName = getOrganizationManager().getOrganizationNameById(authorizedOrgId); + additionalClaims.put(USER_RESIDENT_ORGANIZATION_NAME_ATTRIBUTE, userResideOrgId); + additionalClaims.put(AUTHORIZED_ORGANIZATION_ID_ATTRIBUTE, authorizedOrgId); + additionalClaims.put(AUTHORIZED_ORGANIZATION_NAME_ATTRIBUTE, authorizedOrgName); } } catch (OrganizationManagementException e) { throw new IdentityOAuth2Exception("Error while resolving organization name by ID.", e); @@ -118,6 +114,7 @@ private String resolveOrganizationId(String tenantDomain) throws IdentityOAuth2E try { return getOrganizationManager().resolveOrganizationId(tenantDomain); } catch (OrganizationManagementClientException e) { + // This client error handling should be removed once all the tenants have corresponding organization. if (ERROR_CODE_ORGANIZATION_NOT_FOUND_FOR_TENANT.getCode().equals(e.getErrorCode())) { return null; } From 870b88b8f790760ac392eb982b2166d5fe38422b Mon Sep 17 00:00:00 2001 From: sadilchamishka Date: Tue, 17 Oct 2023 10:52:43 +0530 Subject: [PATCH 4/4] Add a comment --- .../management/claim/provider/OrganizationClaimProvider.java | 1 + 1 file changed, 1 insertion(+) 
diff --git a/components/org.wso2.carbon.identity.organization.management.claim.provider/src/main/java/org/wso2/carbon/identity/organization/management/claim/provider/OrganizationClaimProvider.java b/components/org.wso2.carbon.identity.organization.management.claim.provider/src/main/java/org/wso2/carbon/identity/organization/management/claim/provider/OrganizationClaimProvider.java index 470b680b0..5c1d21383 100644 --- a/components/org.wso2.carbon.identity.organization.management.claim.provider/src/main/java/org/wso2/carbon/identity/organization/management/claim/provider/OrganizationClaimProvider.java +++ b/components/org.wso2.carbon.identity.organization.management.claim.provider/src/main/java/org/wso2/carbon/identity/organization/management/claim/provider/OrganizationClaimProvider.java @@ -83,6 +83,7 @@ public Map getAdditionalClaims(OAuthTokenReqMessageContext oAuth String userResidentOrgId = oAuthTokenReqMessageContext.getAuthorizedUser().getUserResidentOrganization(); String authorizedOrgId = oAuthTokenReqMessageContext.getAuthorizedUser().getAccessingOrganization(); + // The below condition is not required once console is modeled as B2B app. if (StringUtils.isEmpty(authorizedOrgId)) { authorizedOrgId = resolveOrganizationId(oAuthTokenReqMessageContext.getAuthorizedUser().getTenantDomain()); }