Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OIDC scopes are in the response when requesting access token with client credentials #2033

Merged
merged 8 commits into from
Jun 30, 2023
Merged

OIDC scopes are in the response when requesting access token with client credentials #2033

Changes from 5 commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
7e23581
Dasith - Issue of OIDC scopes are in the response when requesting acc…
Davids-98 Mar 21, 2023
2531488
Dasith(intern) - Issue of OIDC scopes are in the response when reques…
Davids-98 Mar 22, 2023
e030b13
OIDC token removing logic updated
Davids-98 Apr 5, 2023
660425f
debug log updated
Davids-98 Apr 9, 2023
18f2b57
added a missing import to the OIDCScopeHandler class
Davids-98 May 25, 2023
8a18a62
Update components/org.wso2.carbon.identity.oauth/src/main/java/org/ws…
mefarazath Jun 30, 2023
54d2db3
Update OIDCScopeHandler.java
Davids-98 Jun 30, 2023
0545d1b
Remove quotes
Davids-98 Jun 30, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
24 changes: 18 additions & 6 deletions ...tity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/OIDCScopeHandler.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,17 +16,19 @@

package org.wso2.carbon.identity.oauth2.validators;

import org.apache.commons.lang.ArrayUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.oltu.oauth2.common.message.types.GrantType;
import org.wso2.carbon.identity.oauth.common.OAuthConstants;
import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext;
import org.wso2.carbon.identity.oauth2.util.OAuth2Util;

import java.util.Arrays;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;

/**
* Scope handler for token requests with openid scope.
Expand All @@ -49,15 +51,25 @@ public boolean validateScope(OAuthTokenReqMessageContext tokReqMsgCtx) throws Id
// if id_token is allowed for requested grant type.
return true;
} else {
// Remove openid scope from the token message context.
String[] scopes = (String[]) ArrayUtils.removeElement(tokReqMsgCtx.getScope(), OAuthConstants.Scope.OPENID);
tokReqMsgCtx.setScope(scopes);
//Remove OIDC scopes from the token message context
mefarazath marked this conversation as resolved.
Show resolved Hide resolved
String[] scopes = tokReqMsgCtx.getScope();
List<String> oidcScopes = OAuth2Util.getOIDCScopes(tokReqMsgCtx.getOauth2AccessTokenReqDTO()
.getTenantDomain());

List<String> filteredScopes = Arrays.stream(scopes)
.filter(scope -> !OAuthConstants.Scope.OPENID.equals(scope))
.filter(scope -> !oidcScopes.contains(scope))
.collect(Collectors.toList());

tokReqMsgCtx.setScope(filteredScopes.toArray(new String[0]));

if (log.isDebugEnabled()) {
log.debug("id_token is not allowed for requested grant type: " + grantType + ". Removing 'openid' " +
"scope.");
log.debug("id_token is not allowed for requested grant type: " +
grantType + ". Removing all 'OIDC' " + "scopes.");
}
// Returning 'true' since we are dropping openid scope and don't need to prevent issuing the token for
// remaining scopes.

return true;
}
}
Expand Down