Fix token revocation on session expiry for SAML SLO from Federated IDP

wso2-extensions · Jul 26, 2023 · 9003970 · 9003970
1 parent 1c07583
commit 9003970
Showing 1 changed file with 33 additions and 1 deletion.
diff --git a/...g/wso2/carbon/identity/oauth2/token/bindings/handlers/TokenBindingExpiryEventHandler.java b/...g/wso2/carbon/identity/oauth2/token/bindings/handlers/TokenBindingExpiryEventHandler.java
@@ -105,7 +105,7 @@ public void handleEvent(Event event) throws IdentityEventException {
                     revokeTokensForCommonAuthCookie(request, context.getLastAuthenticatedUser());
                 }
             } else {
-                revokeTokensForCommonAuthCookie(request, context.getLastAuthenticatedUser());
+                revokeTokensForCommonAuthCookie(request, getAuthenticatedUser(eventProperties, context));
             }
         } catch (IdentityOAuth2Exception | OAuthSystemException  e) {
             log.error("Error while revoking the tokens on session termination.", e);
@@ -418,4 +418,36 @@ private void revokeFederatedTokens(String consumerKey, AuthenticatedUser user, A
                 .revokeAccessTokens(new String[]{accessTokenDO.getAccessToken()}, OAuth2Util.isHashEnabled());
         OAuthUtil.invokePostRevocationBySystemListeners(accessTokenDO, Collections.emptyMap());
     }
+
+    /**
+     * Retrieve the authenticated user from the session context identifier in the event if it is not available in the
+     * authentication context.
+     *
+     * @param eventProperties Event properties.
+     * @return context Authentication context.
+     */
+    private AuthenticatedUser getAuthenticatedUser(Map<String, Object> eventProperties, AuthenticationContext context) {
+
+        AuthenticatedUser authenticatedUser = context.getLastAuthenticatedUser();
+        if (authenticatedUser != null) {
+            return authenticatedUser;
+        }
+        Map<String, Object> paramMap = (Map<String, Object>) eventProperties.get(IdentityEventConstants
+                .EventProperty.PARAMS);
+        String sessionContextIdentifier = getSessionIdentifier(paramMap);
+        if (StringUtils.isNotBlank(sessionContextIdentifier)) {
+            SessionContext sessionContext = (SessionContext) eventProperties.get(IdentityEventConstants
+                    .EventProperty.SESSION_CONTEXT);
+            if (sessionContext != null) {
+                authenticatedUser = (AuthenticatedUser) sessionContext
+                        .getProperty(FrameworkConstants.AUTHENTICATED_USER);
+            } else {
+                if (log.isDebugEnabled()) {
+                    log.debug("Session context for session context identifier: " + sessionContextIdentifier +
+                            " is not found.");
+                }
+            }
+        }
+        return authenticatedUser;
+    }
 }