Merge pull request #5102 from sadilchamishka/fix-b2b-roles-resolving-…

…issue Fix federated roles resolving issue
wso2 · Oct 29, 2023 · 43d1345 · 43d1345
2 parents ce5628f + 0fe7267
commit 43d1345
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 1 deletion.
diff --git a/...dentity/application/authentication/framework/handler/claims/impl/DefaultClaimHandler.java b/...dentity/application/authentication/framework/handler/claims/impl/DefaultClaimHandler.java
@@ -368,8 +368,10 @@ private void filterSPClaims(Map<String, String> spRequestedClaimMappings, Map<St
         localToSPClaimMappings.entrySet().stream().filter(entry -> StringUtils.isNotBlank(localUnfilteredClaims.
                 get(entry.getKey()))).forEach(entry -> {
                     spUnfilteredClaims.put(entry.getValue(), localUnfilteredClaims.get(entry.getKey()));
+                    /* Add service provider requested claims to the filtered claims. Add federated roles claims even
+                    not requested by the service provider. */
                     if (StringUtils.isNotBlank(spRequestedClaimMappings.get(entry.getValue())) ||
-                            FrameworkConstants.APP_ROLES_CLAIM.equals(entry.getKey())) {
+                            isRoleClaim(entry.getKey())) {
                         spFilteredClaims.put(entry.getValue(), localUnfilteredClaims.get(entry.getKey()));
                     }
                 }
@@ -1276,4 +1278,18 @@ private static boolean isRemoveUserDomainInRole(SequenceConfig sequenceConfig) {
         return !sequenceConfig.getApplicationConfig().getServiceProvider().getLocalAndOutBoundAuthenticationConfig().
                 isUseUserstoreDomainInRoles();
     }
+
+    /**
+     * Based on the Authz runtime check the given claim is related to the role claim.
+     *
+     * @param roleClaim URI.
+     * @return true if the given claim is related to roles.
+     */
+    private boolean isRoleClaim(String roleClaim) {
+
+        if (CarbonConstants.ENABLE_LEGACY_AUTHZ_RUNTIME) {
+            return FrameworkConstants.APP_ROLES_CLAIM.equals(roleClaim);
+        }
+        return FrameworkConstants.ROLES_CLAIM.equals(roleClaim);
+    }
 }
diff --git a/...rg/wso2/carbon/identity/application/authentication/framework/util/FrameworkConstants.java b/...rg/wso2/carbon/identity/application/authentication/framework/util/FrameworkConstants.java
@@ -43,6 +43,8 @@ public abstract class FrameworkConstants {
     public static final String USER_ID_CLAIM = "http://wso2.org/claims/userid";
     public static final String EMAIL_ADDRESS_CLAIM = "http://wso2.org/claims/emailaddress";
     public static final String APP_ROLES_CLAIM = "http://wso2.org/claims/applicationRoles";
+    public static final String ROLES_CLAIM = "http://wso2.org/claims/roles";
+
     public static final String GROUPS_CLAIM = "http://wso2.org/claims/groups";
     public static final String PROVISIONED_SOURCE_ID_CLAIM = "http://wso2.org/claims/identity/userSourceId";
     public static final String IDP_TYPE_CLAIM = "http://wso2.org/claims/identity/idpType";