
OIDC scopes are in the response when requesting access token with client credentials #2033

Conversation

Davids-98
Contributor

@Davids-98 Davids-98 commented Mar 21, 2023

Issue

OIDC scopes are in the response when requesting access token with client credentials #15486 (Fixes wso2/product-is#15486) - When requesting an access token with the client credentials grant type including OIDC scopes, there are OIDC scopes in the response such as "email", "profile", "phone". These scopes shouldn't be there in the response.

Approach

  1. Log in to the Product-IS console application as the admin and create a standard-based OAuth2.0 OpenID Connect management application.
  2. Send an access token request via Postman with the client_credentials grant type including the scopes: SYSTEM openid email profile
  3. Remote debug the code flow and find the place where the openid scope is removed.
  4. Take all the registered OIDC scopes of a tenant.
  5. Check whether there are OpenID Connect scopes in the tokReqMsgCtx and remove them.

The logic for this part is in the "validateScope" method of the "OIDCScopeHandler.java" class.

Goal

OIDC scopes should not be in the response.

@CLAassistant

CLAassistant commented Mar 21, 2023

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
1 out of 2 committers have signed the CLA.

✅ mefarazath
❌ Davids-98
You have signed the CLA already but the status is still pending? Let us recheck it.

Comment on lines 56 to 67
```java
String[] scopes = (String[]) ArrayUtils.removeElement(tokReqMsgCtx.getScope(), OAuthConstants.Scope.OPENID);

//Get all the registered oidc scopes of a tenant
List<String> oidcScopes = OAuth2Util.getOIDCScopes(tokReqMsgCtx.getOauth2AccessTokenReqDTO()
        .getTenantDomain());

//Check whether there is any oidc scope in the request
for (String scope : scopes) {
    if (oidcScopes.contains(scope)) {
        scopes = (String[]) ArrayUtils.removeElement(scopes, scope);
    }
}
```

Can we improve this logic to filter the OIDC scopes at once without repeatedly removing the oidc scopes one by one?
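The single-pass filter the reviewer asks for above, written as an added example rather than the PR's or WSO2's own code: `registeredOidcScopes` is a constructed stand-in for `OAuth2Util.getOIDCScopes(tenantDomain)`, and the sample request is the "SYSTEM openid email profile" scope set from the Approach section.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;

// Added example (not the OIDCScopeHandler code from the PR): drops "openid" and every
// registered OIDC scope from a client_credentials scope request in one pass.
public class OidcScopeFilter {

    // Mirrors OAuthConstants.Scope.OPENID from the PR; the value is the standard scope string.
    static final String OPENID = "openid";

    // Constructed stand-in for OAuth2Util.getOIDCScopes(tenantDomain): the OIDC scopes
    // registered for a tenant. Real deployments read these from tenant configuration.
    static List<String> registeredOidcScopes(String tenantDomain) {
        return Arrays.asList("openid", "email", "profile", "phone", "address");
    }

    // Returns the requested scopes with "openid" and all registered OIDC scopes removed.
    // Membership checks go through a Set, so the cost is linear in the number of requested
    // scopes instead of one ArrayUtils.removeElement array copy per removed scope.
    static String[] filterOidcScopes(String[] requestedScopes, String tenantDomain) {
        if (requestedScopes == null) {
            return new String[0];
        }
        Set<String> oidcScopes = new HashSet<>(registeredOidcScopes(tenantDomain));
        oidcScopes.add(OPENID);
        List<String> filtered = Arrays.stream(requestedScopes)
                .filter(scope -> !oidcScopes.contains(scope))
                .collect(Collectors.toList());
        return filtered.toArray(new String[0]);
    }

    public static void main(String[] args) {
        // Constructed request taken from the Approach section of the PR description.
        String[] requested = {"SYSTEM", "openid", "email", "profile"};
        String[] result = filterOidcScopes(requested, "carbon.super");
        System.out.println("Scopes kept for the token: " + String.join(" ", result));
    }
}
```

Only the non-OIDC scope "SYSTEM" survives the filter, which is the behaviour the Goal section describes for the token response.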

@mefarazath mefarazath changed the title Dasith - Issue of OIDC scopes are in the response when requesting acc… OIDC scopes are in the response when requesting access token with client credentials Apr 4, 2023
```java
// Remove openid scope from the token message context.
String[] scopes = (String[]) ArrayUtils.removeElement(tokReqMsgCtx.getScope(), OAuthConstants.Scope.OPENID);

//Get all the registered oidc scopes of a tenant
```

Suggested change
//Get all the registered oidc scopes of a tenant
// Get all the registered OIDC scopes of a tenant.

Follow the correct formatting for comments.

```java
        .collect(Collectors.toList());

tokReqMsgCtx.setScope(filteredScopes.toArray(new String[0]));

if (log.isDebugEnabled()) {
    log.debug("id_token is not allowed for requested grant type: " + grantType + ". Removing 'openid' " +
```

Shall we modify this debug log?

@jenkins-is-staging

PR builder started
Link: https://github.com/wso2/product-is/actions/runs/4750470991

```java
String[] scopes = (String[]) ArrayUtils.removeElement(tokReqMsgCtx.getScope(), OAuthConstants.Scope.OPENID);
tokReqMsgCtx.setScope(scopes);
//Remove OIDC scopes from the token message context
```


Suggested change

@jenkins-is-staging

PR builder completed
Link: https://github.com/wso2/product-is/actions/runs/4750470991
Status: failure

@jenkins-is-staging

PR builder started
Link: https://github.com/wso2/product-is/actions/runs/5419309519

@jenkins-is-staging

PR builder completed
Link: https://github.com/wso2/product-is/actions/runs/5419309519
Status: success


@jenkins-is-staging jenkins-is-staging left a comment


Approving the pull request based on the successful PR build https://github.com/wso2/product-is/actions/runs/5419309519

…o2/carbon/identity/oauth2/validators/OIDCScopeHandler.java
mefarazath
mefarazath previously approved these changes Jun 30, 2023
Improve the debug log
@mefarazath mefarazath merged commit e27ea67 into wso2-extensions:master Jun 30, 2023
1 check passed
Successfully merging this pull request may close these issues.

OIDC scopes are in the response when request access token with client credentials
4 participants