From 7e23581fa22283a7eb502f625a4557a5ca2515f4 Mon Sep 17 00:00:00 2001
From: Davids-98
Date: Tue, 21 Mar 2023 14:38:44 +0530
Subject: [PATCH 1/8] Dasith - Issue of OIDC scopes are in the response when requesting access token with client credential
---
 .../oauth2/validators/OIDCScopeHandler.java | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/OIDCScopeHandler.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/OIDCScopeHandler.java
index 6f201902e7..e3def1edf1 100644
--- a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/OIDCScopeHandler.java
+++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/OIDCScopeHandler.java
@@ -24,8 +24,10 @@
 import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration;
 import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
 import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext;
+import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
 import java.util.Arrays;
+import java.util.List;
 import java.util.Set;
 /**
@@ -51,13 +53,27 @@ public boolean validateScope(OAuthTokenReqMessageContext tokReqMsgCtx) throws Id
 } else {
 // Remove openid scope from the token message context.
 String[] scopes = (String[]) ArrayUtils.removeElement(tokReqMsgCtx.getScope(), OAuthConstants.Scope.OPENID);
+
+ //Get all the registered oidc scopes of a tenant
+ List oidcScopes = OAuth2Util.getOIDCScopes(tokReqMsgCtx.getOauth2AccessTokenReqDTO()
+ .getTenantDomain());
+
+ //Check whether the is there any oidc scope in the request
+ for (String scope : scopes) {
+ if (oidcScopes.contains(scope)) {
+ scopes = (String[]) ArrayUtils.removeElement(scopes, scope);
+ }
+ }
+
 tokReqMsgCtx.setScope(scopes);
+
 if (log.isDebugEnabled()) {
 log.debug("id_token is not allowed for requested grant type: " + grantType + ". Removing 'openid' " +
 "scope.");
 }
 // Returning 'true' since we are dropping openid scope and don't need to prevent issuing the token for
 // remaining scopes.
+ return true;
 }
 }
From 253148841c7cd49a80ac0b30f50dcbcfec9e3794 Mon Sep 17 00:00:00 2001
From: Davids-98
Date: Wed, 22 Mar 2023 09:28:29 +0530
Subject: [PATCH 2/8] Dasith(intern) - Issue of OIDC scopes are in the response when requesting access token with client credential
---
 .../wso2/carbon/identity/oauth2/validators/OIDCScopeHandler.java | 1 +
 1 file changed, 1 insertion(+)
diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/OIDCScopeHandler.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/OIDCScopeHandler.java
index e3def1edf1..266830bad0 100644
--- a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/OIDCScopeHandler.java
+++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/OIDCScopeHandler.java
@@ -51,6 +51,7 @@ public boolean validateScope(OAuthTokenReqMessageContext tokReqMsgCtx) throws Id
 // if id_token is allowed for requested grant type.
 return true;
 } else {
+ // Remove openid scope from the token message context.
 String[] scopes = (String[]) ArrayUtils.removeElement(tokReqMsgCtx.getScope(), OAuthConstants.Scope.OPENID);
From e030b1341ee4c3f4b96096c4abbd4e4ccd61f334 Mon Sep 17 00:00:00 2001
From: Davids-98
Date: Wed, 5 Apr 2023 14:37:00 +0530
Subject: [PATCH 3/8] OIDC token removing logic updated
---
 .../oauth2/validators/OIDCScopeHandler.java | 18 +++++++-----------
 1 file changed, 7 insertions(+), 11 deletions(-)
diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/OIDCScopeHandler.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/OIDCScopeHandler.java
index 266830bad0..57227484d5 100644
--- a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/OIDCScopeHandler.java
+++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/OIDCScopeHandler.java
@@ -51,22 +51,18 @@ public boolean validateScope(OAuthTokenReqMessageContext tokReqMsgCtx) throws Id
 // if id_token is allowed for requested grant type.
 return true;
 } else {
+ //Remove OIDC scopes from the token message context
- // Remove openid scope from the token message context.
- String[] scopes = (String[]) ArrayUtils.removeElement(tokReqMsgCtx.getScope(), OAuthConstants.Scope.OPENID);
-
- //Get all the registered oidc scopes of a tenant
+ String[] scopes = tokReqMsgCtx.getScope();
 List oidcScopes = OAuth2Util.getOIDCScopes(tokReqMsgCtx.getOauth2AccessTokenReqDTO()
 .getTenantDomain());
- //Check whether the is there any oidc scope in the request
- for (String scope : scopes) {
- if (oidcScopes.contains(scope)) {
- scopes = (String[]) ArrayUtils.removeElement(scopes, scope);
- }
- }
+ List filteredScopes = Arrays.stream(scopes)
+ .filter(scope -> !OAuthConstants.Scope.OPENID.equals(scope))
+ .filter(scope -> !oidcScopes.contains(scope))
+ .collect(Collectors.toList());
- tokReqMsgCtx.setScope(scopes);
+ tokReqMsgCtx.setScope(filteredScopes.toArray(new String[0]));
 if (log.isDebugEnabled()) {
 log.debug("id_token is not allowed for requested grant type: " + grantType + ". Removing 'openid' " +
From 660425f30f39d4f651d2e04f6a1677e339bdf622 Mon Sep 17 00:00:00 2001
From: Davids-98
Date: Sun, 9 Apr 2023 17:43:42 +0530
Subject: [PATCH 4/8] debug log updated
---
 .../carbon/identity/oauth2/validators/OIDCScopeHandler.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/OIDCScopeHandler.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/OIDCScopeHandler.java
index 57227484d5..ff3c5bbdc8 100644
--- a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/OIDCScopeHandler.java
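Review bot: `Arrays.stream(scopes)` in the new filter chain throws a NullPointerException when `tokReqMsgCtx.getScope()` returns null, whereas the `ArrayUtils.removeElement` call it replaces tolerated a null array as far as commons-lang documents it; if this branch is only reachable with a non-empty scope array, say so in a comment, otherwise guard it, e.g. `String[] scopes = tokReqMsgCtx.getScope() == null ? new String[0] : tokReqMsgCtx.getScope();`. `oidcScopes` and `filteredScopes` appear here as raw `List` (the type argument may have been lost in rendering); on a raw `List`, `filteredScopes.toArray(new String[0])` resolves to the erased `Object[] toArray(Object[])`, so declare both as `List<String>`. The scopes dropped by the two `.filter` calls are not named anywhere, and the debug message in the trailing context only says that OIDC scopes were removed, so consider logging the removed subset (the complement of the two predicates) before `setScope`, so that a token issued with fewer scopes than requested can be traced. The `// Returning 'true' since we are dropping openid scope ...` comment at the end of the branch (outside this hunk) is now stale, since every OIDC scope registered for the tenant is dropped, not only openid. validateScope starts and ends outside this hunk.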
+++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/OIDCScopeHandler.java
@@ -65,8 +65,8 @@ public boolean validateScope(OAuthTokenReqMessageContext tokReqMsgCtx) throws Id
 tokReqMsgCtx.setScope(filteredScopes.toArray(new String[0]));
 if (log.isDebugEnabled()) {
- log.debug("id_token is not allowed for requested grant type: " + grantType + ". Removing 'openid' " +
- "scope.");
+ log.debug("id_token is not allowed for requested grant type: " + grantType + ". Removing all 'OIDC' " +
+ "scopes.");
 }
 // Returning 'true' since we are dropping openid scope and don't need to prevent issuing the token for
 // remaining scopes.
From 18f2b578c68ac52ff87e162917a3413b95055ede Mon Sep 17 00:00:00 2001
From: Davids-98
Date: Thu, 25 May 2023 17:02:47 +0530
Subject: [PATCH 5/8] added a missing import to the OIDCScopeHandler class
---
 .../identity/oauth2/validators/OIDCScopeHandler.java | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/OIDCScopeHandler.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/OIDCScopeHandler.java
index ff3c5bbdc8..4e89d7df64 100644
--- a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/OIDCScopeHandler.java
+++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/OIDCScopeHandler.java
@@ -16,7 +16,6 @@
 package org.wso2.carbon.identity.oauth2.validators;
-import org.apache.commons.lang.ArrayUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.oltu.oauth2.common.message.types.GrantType;
@@ -29,6 +28,7 @@
 import java.util.Arrays;
 import java.util.List;
 import java.util.Set;
+import java.util.stream.Collectors;
 /**
 * Scope handler for token requests with openid scope.
@@ -52,7 +52,6 @@ public boolean validateScope(OAuthTokenReqMessageContext tokReqMsgCtx) throws Id
 return true;
 } else {
 //Remove OIDC scopes from the token message context
- String[] scopes = tokReqMsgCtx.getScope();
 List oidcScopes = OAuth2Util.getOIDCScopes(tokReqMsgCtx.getOauth2AccessTokenReqDTO()
 .getTenantDomain());
@@ -65,8 +64,8 @@ public boolean validateScope(OAuthTokenReqMessageContext tokReqMsgCtx) throws Id
 tokReqMsgCtx.setScope(filteredScopes.toArray(new String[0]));
 if (log.isDebugEnabled()) {
- log.debug("id_token is not allowed for requested grant type: " + grantType + ". Removing all 'OIDC' " +
- "scopes.");
+ log.debug("id_token is not allowed for requested grant type: " +
+ grantType + ". Removing all 'OIDC' " + "scopes.");
 }
 // Returning 'true' since we are dropping openid scope and don't need to prevent issuing the token for
 // remaining scopes.
From 8a18a62d30fe52959cf1b324e307ea8614fdc914 Mon Sep 17 00:00:00 2001
From: Farasath Ahamed
Date: Fri, 30 Jun 2023 12:14:43 +0530
Subject: [PATCH 6/8] Update components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/OIDCScopeHandler.java
---
 .../carbon/identity/oauth2/validators/OIDCScopeHandler.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/OIDCScopeHandler.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/OIDCScopeHandler.java
index 4e89d7df64..74dbbafbdb 100644
--- a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/OIDCScopeHandler.java
+++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/OIDCScopeHandler.java
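Review bot: The `@@ -52,7 +52,6 @@` hunk deletes `String[] scopes = tokReqMsgCtx.getScope();` while `Arrays.stream(scopes)` a few lines below (outside the hunk) still reads `scopes`, so this only compiles if another declaration of `scopes` survives; the next commit's context lines still show one, so presumably a duplicated local is being removed here, but the commit message ("added a missing import") does not say so. A message such as `Remove duplicate local 'scopes' and unused ArrayUtils import; add missing Collectors import` would make the intent reviewable and the compile fix traceable. validateScope starts and ends outside both hunks.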
@@ -51,7 +51,7 @@ public boolean validateScope(OAuthTokenReqMessageContext tokReqMsgCtx) throws Id
 // if id_token is allowed for requested grant type.
 return true;
 } else {
- //Remove OIDC scopes from the token message context
+ // Remove OIDC scopes from the token message context.
 String[] scopes = tokReqMsgCtx.getScope();
 List oidcScopes = OAuth2Util.getOIDCScopes(tokReqMsgCtx.getOauth2AccessTokenReqDTO()
 .getTenantDomain());
From 54d2db33c9ecfd823b73f82542f6b580b50ebeb3 Mon Sep 17 00:00:00 2001
From: Dasith Samarasinghe <89783432+Davids-98@users.noreply.github.com>
Date: Fri, 30 Jun 2023 13:56:06 +0530
Subject: [PATCH 7/8] Update OIDCScopeHandler.java Improve the debug log
---
 .../carbon/identity/oauth2/validators/OIDCScopeHandler.java | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/OIDCScopeHandler.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/OIDCScopeHandler.java
index 74dbbafbdb..b319a70d5e 100644
--- a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/OIDCScopeHandler.java
+++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/OIDCScopeHandler.java
@@ -65,7 +65,8 @@ public boolean validateScope(OAuthTokenReqMessageContext tokReqMsgCtx) throws Id
 if (log.isDebugEnabled()) {
 log.debug("id_token is not allowed for requested grant type: " +
- grantType + ". Removing all 'OIDC' " + "scopes.");
+ grantType + ". Removing all 'OIDC' scopes registered in the tenant " +
+ "from requested scopes.");
 }
 // Returning 'true' since we are dropping openid scope and don't need to prevent issuing the token for
 // remaining scopes.
From 0545d1b6830f4248429eb49e1c5591aa4f1dce3b Mon Sep 17 00:00:00 2001
From: Dasith Samarasinghe <89783432+Davids-98@users.noreply.github.com>
Date: Fri, 30 Jun 2023 14:43:26 +0530
Subject: [PATCH 8/8] Remove quotes
---
 .../carbon/identity/oauth2/validators/OIDCScopeHandler.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/OIDCScopeHandler.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/OIDCScopeHandler.java
index b319a70d5e..d6e7f7e744 100644
--- a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/OIDCScopeHandler.java
+++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/OIDCScopeHandler.java
@@ -65,7 +65,7 @@ public boolean validateScope(OAuthTokenReqMessageContext tokReqMsgCtx) throws Id
 if (log.isDebugEnabled()) {
 log.debug("id_token is not allowed for requested grant type: " +
- grantType + ". Removing all 'OIDC' scopes registered in the tenant " +
+ grantType + ". Removing all OIDC scopes registered in the tenant " +
 "from requested scopes.");
 }
 // Returning 'true' since we are dropping openid scope and don't need to prevent issuing the token for