From e100db65ec8fc0ed816a50026d6689552d6a3ea6 Mon Sep 17 00:00:00 2001 From: ImalshaG Date: Mon, 6 May 2024 15:20:35 +0530 Subject: [PATCH] Fix callback url resolving logic for api based authn --- .../oidc/OpenIDConnectAuthenticator.java | 46 +++++++++++++++---- .../oidc/OpenIDConnectAuthenticatorTest.java | 4 +- 2 files changed, 38 insertions(+), 12 deletions(-) diff --git a/components/org.wso2.carbon.identity.application.authenticator.oidc/src/main/java/org/wso2/carbon/identity/application/authenticator/oidc/OpenIDConnectAuthenticator.java b/components/org.wso2.carbon.identity.application.authenticator.oidc/src/main/java/org/wso2/carbon/identity/application/authenticator/oidc/OpenIDConnectAuthenticator.java index 9fe72fe5..bbc5e045 100644 --- a/components/org.wso2.carbon.identity.application.authenticator.oidc/src/main/java/org/wso2/carbon/identity/application/authenticator/oidc/OpenIDConnectAuthenticator.java +++ b/components/org.wso2.carbon.identity.application.authenticator.oidc/src/main/java/org/wso2/carbon/identity/application/authenticator/oidc/OpenIDConnectAuthenticator.java @@ -280,7 +280,9 @@ protected String getAuthorizationServerEndpoint(Map authenticato * configuration. * @return Callback URL configured in OIDC federated authenticator configuration. If it is empty returns * /commonauth endpoint URL path as the default value. + * @deprecated use {@link #getCallbackUrl(Map, AuthenticationContext)}. */ + @Deprecated protected String getCallbackUrl(Map authenticatorProperties) { String callbackUrl = authenticatorProperties.get(IdentityApplicationConstants.OAuth2.CALLBACK_URL); 
@@ -295,6 +297,33 @@ protected String getCallbackUrl(Map authenticatorProperties) { return callbackUrl; } + /** + * Returns the callback URL of the IdP Hub. + * + * @param authenticatorProperties Authentication properties configured in OIDC federated authenticator + * configuration. + * @param context Authentication context. + * @return If API based authn flow, returns the redirect URL from the authentication context. If not returns the + * callback URL configured in OIDC federated authenticator configuration and if it is empty returns + * /commonauth endpoint URL path as the default value. + */ + protected String getCallbackUrl(Map authenticatorProperties, AuthenticationContext context) { + + if (Boolean.parseBoolean((String) context.getProperty(IS_API_BASED))) { + return resolveCallBackURLForAPIBasedAuthFlow(context); + } + String callbackUrl = authenticatorProperties.get(IdentityApplicationConstants.OAuth2.CALLBACK_URL); + if (StringUtils.isBlank(callbackUrl)) { + try { + callbackUrl = ServiceURLBuilder.create().addPath(FrameworkConstants.COMMONAUTH).build() + .getAbsolutePublicURL(); + } catch (URLBuilderException e) { + throw new RuntimeException("Error occurred while building URL in tenant qualified mode.", e); + } + } + return callbackUrl; + } + /** * Resolve the callback URL from the context properties to use in the API based authentication flow. * @@ -379,6 +408,10 @@ protected String getAuthenticateUser(AuthenticationContext context, Map authenticatorProperties) { return getCallbackUrl(authenticatorProperties); 
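Review bot: The non-API branch of the new `getCallbackUrl(Map, AuthenticationContext)` re-implements the body of the overload deprecated in the previous hunk instead of delegating to it, so the two copies can drift and any subclass that overrides `getCallbackUrl(Map)` silently stops affecting the call sites this patch switches later on. Replacing the duplicated lookup-and-default block with `return getCallbackUrl(authenticatorProperties);` keeps a single implementation and preserves the existing override point. `context` is also dereferenced unconditionally on the method's first line; an `Objects.requireNonNull(context, "context")` up front would turn a missing context into a clear failure instead of an NPE mid-flow. The `(String)` cast on the `IS_API_BASED` property is carried over from the removed code and still throws ClassCastException if that property is ever stored as a Boolean, so `Boolean.parseBoolean(String.valueOf(context.getProperty(IS_API_BASED)))` would be more tolerant. The `@@ -379` hunk on this line appears truncated in this view, so its added lines were not reviewed.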
@@ -514,11 +547,8 @@ protected String prepareLoginPage(HttpServletRequest request, AuthenticationCont if (authenticatorProperties != null) { String clientId = authenticatorProperties.get(OIDCAuthenticatorConstants.CLIENT_ID); String authorizationEP = getOIDCAuthzEndpoint(authenticatorProperties); - String callbackurl = getCallbackUrl(authenticatorProperties); + String callbackurl = getCallbackUrl(authenticatorProperties, context); - if (Boolean.parseBoolean((String) context.getProperty(IS_API_BASED))) { - callbackurl = resolveCallBackURLForAPIBasedAuthFlow(context); - } String state = getStateParameter(request, context, authenticatorProperties); context.setProperty(OIDCAuthenticatorConstants.AUTHENTICATOR_NAME + STATE_PARAM_SUFFIX, state); String nonce = UUID.randomUUID().toString(); @@ -1321,7 +1351,7 @@ protected void initiateLogoutRequest(HttpServletRequest request, HttpServletResp paramMap.put(OIDCAuthenticatorConstants.ID_TOKEN_HINT, idTokenHint); } - String callback = getCallbackUrl(context.getAuthenticatorProperties()); + String callback = getCallbackUrl(context.getAuthenticatorProperties(), context); paramMap.put(OIDCAuthenticatorConstants.POST_LOGOUT_REDIRECT_URI, callback); String sessionID = getStateParameter(request, context, context.getAuthenticatorProperties()); @@ -1493,11 +1523,7 @@ protected OAuthClientRequest getAccessTokenRequest(AuthenticationContext context String callbackUrl = getCallbackUrlFromInitialRequestParamMap(context); if (StringUtils.isBlank(callbackUrl)) { - if (Boolean.parseBoolean((String) context.getProperty(IS_API_BASED))) { - callbackUrl = resolveCallBackURLForAPIBasedAuthFlow(context); - } else { - callbackUrl = getCallbackUrl(authenticatorProperties); - } + callbackUrl = getCallbackUrl(authenticatorProperties, context); } boolean isHTTPBasicAuth = Boolean.parseBoolean(authenticatorProperties.get(OIDCAuthenticatorConstants 
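Review bot: In the `initiateLogoutRequest` hunk, `post_logout_redirect_uri` now comes from the two-argument `getCallbackUrl`, which in an API-based flow returns `resolveCallBackURLForAPIBasedAuthFlow(context)` rather than the configured callback URL the logout request used before; the commit message only mentions the authentication flow, so it is worth confirming this is intended, since the IdP checks that parameter against its registered post-logout redirect URIs and a mismatch would make logout fail. If it is intended, a one-line comment such as `// API-based flows redirect to the context-resolved URL, so logout must send the same value` at that line would record the reasoning. The `prepareLoginPage` and `getAccessTokenRequest` hunks are consistent with each other, which keeps the token request's `redirect_uri` equal to the one sent in the authorization request. All three enclosing methods start and end outside their hunks.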
diff --git a/components/org.wso2.carbon.identity.application.authenticator.oidc/src/test/java/org/wso2/carbon/identity/application/authenticator/oidc/OpenIDConnectAuthenticatorTest.java b/components/org.wso2.carbon.identity.application.authenticator.oidc/src/test/java/org/wso2/carbon/identity/application/authenticator/oidc/OpenIDConnectAuthenticatorTest.java index 58ecc5e2..5faf536d 100644 --- a/components/org.wso2.carbon.identity.application.authenticator.oidc/src/test/java/org/wso2/carbon/identity/application/authenticator/oidc/OpenIDConnectAuthenticatorTest.java +++ b/components/org.wso2.carbon.identity.application.authenticator.oidc/src/test/java/org/wso2/carbon/identity/application/authenticator/oidc/OpenIDConnectAuthenticatorTest.java @@ -316,7 +316,7 @@ public void testGetAuthorizationServerEndpoint() throws IOException { @Test public void testGetCallbackUrl() throws IOException { - assertEquals(openIDConnectAuthenticator.getCallBackURL(authenticatorProperties), + assertEquals(openIDConnectAuthenticator.getCallbackUrl(authenticatorProperties, mockAuthenticationContext), "http://localhost:8080/playground2/oauth2client", "Callback URL is not valid."); } @@ -359,7 +359,7 @@ public void testRequiredIDToken() throws IOException { @Test public void testGetCallBackURL() throws IOException { - assertEquals(openIDConnectAuthenticator.getCallBackURL(authenticatorProperties), + assertEquals(openIDConnectAuthenticator.getCallbackUrl(authenticatorProperties, mockAuthenticationContext), "http://localhost:8080/playground2/oauth2client", "Callback URL is not valid."); }
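Review bot: After this change `testGetCallbackUrl` and `testGetCallBackURL` are identical — both call `getCallbackUrl(authenticatorProperties, mockAuthenticationContext)` and expect the same value — so one of them should be dropped or repurposed. Neither test sets `IS_API_BASED` on the mock, so the new branch that returns `resolveCallBackURLForAPIBasedAuthFlow(context)` has no coverage; a case that stubs `mockAuthenticationContext.getProperty(IS_API_BASED)` to `"true"` and asserts the resolved URL would pin the behaviour this commit is fixing. The single-argument `getCallBackURL(Map)` the tests previously exercised also loses its direct coverage here.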