From 4ee67d06bec24f4a8dfae7a8ecdf046b82ec4485 Mon Sep 17 00:00:00 2001
From: sadilchamishka
Date: Sun, 29 Oct 2023 22:43:22 +0530
Subject: [PATCH 1/2] Fix federated roles resolving issu
---
 .../claims/impl/DefaultClaimHandler.java | 18 +++++++++++++++++-
 .../framework/util/FrameworkConstants.java | 2 ++
 2 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/handler/claims/impl/DefaultClaimHandler.java b/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/handler/claims/impl/DefaultClaimHandler.java
index 26685f10a4dc..866d04f93729 100644
--- a/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/handler/claims/impl/DefaultClaimHandler.java
+++ b/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/handler/claims/impl/DefaultClaimHandler.java
@@ -368,8 +368,10 @@ private void filterSPClaims(Map spRequestedClaimMappings, Map
 StringUtils.isNotBlank(localUnfilteredClaims.
 get(entry.getKey()))).forEach(entry -> {
 spUnfilteredClaims.put(entry.getValue(), localUnfilteredClaims.get(entry.getKey()));
+ /* Add service provider requested claims to the filtered claims. Add federated roles claims even
+ not requested by the service provider. */
 if (StringUtils.isNotBlank(spRequestedClaimMappings.get(entry.getValue())) ||
- FrameworkConstants.APP_ROLES_CLAIM.equals(entry.getKey())) {
+ isRoleClaim(entry.getKey())) {
 spFilteredClaims.put(entry.getValue(), localUnfilteredClaims.get(entry.getKey()));
 }
 }
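Review bot: With `isRoleClaim(entry.getKey())` in the `||` condition, the role claim is copied into `spFilteredClaims` whether or not `spRequestedClaimMappings` contains it, so under the non-legacy runtime `http://wso2.org/claims/roles` is released to every service provider and the SP's requested-claims configuration no longer bounds that claim. The new comment records the behaviour but not why the unconditional release is acceptable, and its wording is off; I would write `/* Add service provider requested claims to the filtered claims. The role claim is added even when the service provider has not requested it. */` and append one sentence naming the reason. Note also that under the non-legacy runtime `APP_ROLES_CLAIM` is no longer force-added, which looks like a behaviour change for any SP that relied on it; if that is intended the comment should say so. `filterSPClaims` begins before this hunk.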
@@ -1276,4 +1278,18 @@ private static boolean isRemoveUserDomainInRole(SequenceConfig sequenceConfig) {
 return !sequenceConfig.getApplicationConfig().getServiceProvider().getLocalAndOutBoundAuthenticationConfig().
 isUseUserstoreDomainInRoles();
 }
+
+ /**
+ * Based on the Authz runtime check the given claim is related to the role claim.
+ *
+ * @param roleClaim
+ * @return true if the given claim is related to roles.
+ */
+ private boolean isRoleClaim(String roleClaim) {
+
+ if (CarbonConstants.ENABLE_LEGACY_AUTHZ_RUNTIME) {
+ return FrameworkConstants.APP_ROLES_CLAIM.equals(roleClaim);
+ }
+ return FrameworkConstants.ROLES_CLAIM.equals(roleClaim);
+ }
 }
diff --git a/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/util/FrameworkConstants.java b/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/util/FrameworkConstants.java
index 684d11c26d7d..639f1d65012d 100644
--- a/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/util/FrameworkConstants.java
+++ b/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/util/FrameworkConstants.java
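Review bot: `isRoleClaim` reads only static state (`CarbonConstants.ENABLE_LEGACY_AUTHZ_RUNTIME` and two `FrameworkConstants` fields) yet is declared as an instance method, unlike the neighbouring `private static boolean isRemoveUserDomainInRole`; `private static boolean isRoleClaim(String claimUri)` matches that style, and `claimUri` names what the argument actually is — any claim URI under test, not necessarily a role claim. The two branches are mutually exclusive: under the legacy runtime only `APP_ROLES_CLAIM` is treated as the role claim and otherwise only `ROLES_CLAIM`, so if both claims can be present in one deployment during migration the other is now dropped from the filtered set; if that is intended, the Javadoc should say so. The summary line would also read more clearly as `Checks whether the given claim URI is the role claim for the active authorization runtime.`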
@@ -43,6 +43,8 @@ public abstract class FrameworkConstants {
 public static final String USER_ID_CLAIM = "http://wso2.org/claims/userid";
 public static final String EMAIL_ADDRESS_CLAIM = "http://wso2.org/claims/emailaddress";
 public static final String APP_ROLES_CLAIM = "http://wso2.org/claims/applicationRoles";
+ public static final String ROLES_CLAIM = "http://wso2.org/claims/roles";
+ public static final String GROUPS_CLAIM = "http://wso2.org/claims/groups";
 public static final String PROVISIONED_SOURCE_ID_CLAIM = "http://wso2.org/claims/identity/userSourceId";
 public static final String IDP_TYPE_CLAIM = "http://wso2.org/claims/identity/idpType";
From 0fe7267e1c18675a8d68211d9cd8d0e4b081300a Mon Sep 17 00:00:00 2001
From: sadilchamishka
Date: Sun, 29 Oct 2023 23:01:09 +0530
Subject: [PATCH 2/2] Address review comments
---
 .../framework/handler/claims/impl/DefaultClaimHandler.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/handler/claims/impl/DefaultClaimHandler.java b/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/handler/claims/impl/DefaultClaimHandler.java
index 866d04f93729..d099efa1b518 100644
--- a/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/handler/claims/impl/DefaultClaimHandler.java
+++ b/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/handler/claims/impl/DefaultClaimHandler.java
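Review bot: `GROUPS_CLAIM` is introduced here but nothing in this series references it — the new `isRoleClaim` in `DefaultClaimHandler` consults only `APP_ROLES_CLAIM` and `ROLES_CLAIM` — so it is either an unused constant or a hint that group claims were meant to receive the same treatment. If it is reserved for a follow-up, a one-line Javadoc on the field such as `/** Local claim URI carrying the user's groups; not consulted by the claim handler in this change. */` would tell the next reader why it exists; otherwise dropping it keeps the patch to the fix.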
@@ -1282,7 +1282,7 @@ private static boolean isRemoveUserDomainInRole(SequenceConfig sequenceConfig) {
 /**
 * Based on the Authz runtime check the given claim is related to the role claim.
 *
- * @param roleClaim
+ * @param roleClaim URI.
 * @return true if the given claim is related to roles.
 */
 private boolean isRoleClaim(String roleClaim) {