Add additional event properties to POST_ISSUE_ACCESS_TOKEN_V2 event.

Author: RushanNanayakkara

components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/internal/util/AccessTokenEventUtil.java

@@ -18,31 +18,39 @@
 
 package org.wso2.carbon.identity.oauth.internal.util;
 
+import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.wso2.carbon.context.PrivilegedCarbonContext;
 import org.wso2.carbon.identity.application.authentication.framework.exception.UserIdNotFoundException;
 import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
 import org.wso2.carbon.identity.application.common.model.ServiceProvider;
+import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
 import org.wso2.carbon.identity.event.IdentityEventConstants;
 import org.wso2.carbon.identity.event.IdentityEventException;
 import org.wso2.carbon.identity.event.event.Event;
+import org.wso2.carbon.identity.oauth.common.OAuthConstants;
 import org.wso2.carbon.identity.oauth.common.exception.InvalidOAuthClientException;
 import org.wso2.carbon.identity.oauth.dao.OAuthAppDO;
+import org.wso2.carbon.identity.oauth.internal.OAuthComponentServiceHolder;
 import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
 import org.wso2.carbon.identity.oauth2.dto.OAuth2AccessTokenReqDTO;
 import org.wso2.carbon.identity.oauth2.internal.OAuth2ServiceComponentHolder;
 import org.wso2.carbon.identity.oauth2.model.AccessTokenDO;
 import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext;
 import org.wso2.carbon.identity.oauth2.token.OauthTokenIssuer;
 import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
+import org.wso2.carbon.identity.openidconnect.OIDCConstants;
 import org.wso2.carbon.identity.openidconnect.internal.OpenIDConnectServiceComponentHolder;
+import org.wso2.carbon.identity.organization.management.service.exception.OrganizationManagementException;
 
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.Set;
 
+import static org.wso2.carbon.identity.openidconnect.OIDCConstants.Event.EXISTING_TOKEN_USED;
+
 /**
  * Utility class for publishing OAuth related events.
  * This class provides methods to publish token revoke events with various parameters.
@@ -241,7 +249,7 @@ private static void publish(Map<String, Object> properties) {
      */
     public static void publishTokenIssueEvent(OAuthTokenReqMessageContext tokReqMsgCtx,
                                               OAuth2AccessTokenReqDTO oAuth2AccessTokenReqDTO)
-            throws UserIdNotFoundException {
+            throws UserIdNotFoundException, OrganizationManagementException, IdentityOAuth2Exception {
 
         HashMap<String, Object> properties = new HashMap<>();
 
@@ -259,6 +267,16 @@ public static void publishTokenIssueEvent(OAuthTokenReqMessageContext tokReqMsgC
         }
 
         if (tokReqMsgCtx != null) {
+
+            String issuerTenant = tokReqMsgCtx.getOauth2AccessTokenReqDTO().getTenantDomain();
+            String issuerOrganizationId = OAuthComponentServiceHolder.getInstance().getOrganizationManager()
+                    .resolveOrganizationId(issuerTenant);
+            String accessingOrganizationId = StringUtils.EMPTY;
+            if (tokReqMsgCtx.getAuthorizedUser() != null
+                    && tokReqMsgCtx.getAuthorizedUser().getAccessingOrganization() != null) {
+                accessingOrganizationId = tokReqMsgCtx.getAuthorizedUser().getAccessingOrganization();
+            }
+
             if (tokReqMsgCtx.getAuthorizedUser() != null) {
                 properties.put(IdentityEventConstants.EventProperty.USER_ID,
                         tokReqMsgCtx.getAuthorizedUser().getUserId());
@@ -272,9 +290,24 @@ public static void publishTokenIssueEvent(OAuthTokenReqMessageContext tokReqMsgC
                         tokReqMsgCtx.getAuthorizedUser().getUserResidentOrganization());
             }
 
+            properties.put(OIDCConstants.Event.USER_TYPE,
+                    tokReqMsgCtx.getProperty(OAuthConstants.UserType.USER_TYPE));
+            properties.put(OIDCConstants.Event.CLIENT_ID,
+                    tokReqMsgCtx.getOauth2AccessTokenReqDTO().getClientId());
+            properties.put(OIDCConstants.Event.ISSUED_TIME,
+                    String.valueOf(tokReqMsgCtx.getAccessTokenIssuedTime()));
+            properties.put(EXISTING_TOKEN_USED,
+                    String.valueOf(existingTokenUsed(tokReqMsgCtx)));
+            properties.put(OIDCConstants.Event.SERVICE_PROVIDER, OAuth2Util.getServiceProvider(
+                    tokReqMsgCtx.getOauth2AccessTokenReqDTO().getClientId(), issuerTenant).getApplicationName());
+            properties.put(OIDCConstants.Event.ISSUER_ORGANIZATION_ID, issuerOrganizationId);
+            properties.put(OIDCConstants.Event.ACCESSING_ORGANIZATION_ID, accessingOrganizationId);
+            properties.put(OIDCConstants.Event.TOKEN_ID, tokReqMsgCtx.getProperty(OIDCConstants.TOKEN_ID)); //review this
+
             properties.put(IdentityEventConstants.EventProperty.IAT, tokReqMsgCtx.getAccessTokenIssuedTime());
             properties.put(IdentityEventConstants.EventProperty.JTI, tokReqMsgCtx.getJWTID());
             properties.put(IdentityEventConstants.EventProperty.GRANT_TYPE, oAuth2AccessTokenReqDTO.getGrantType());
+            properties.put(OIDCConstants.Event.APP_RESIDENT_TENANT_ID, IdentityTenantUtil.getLoginTenantId());
 
             if (tokReqMsgCtx.getProperty(APP_DAO) != null &&
                     tokReqMsgCtx.getProperty(APP_DAO) instanceof OAuthAppDO) {
@@ -298,4 +331,13 @@ public static void publishTokenIssueEvent(OAuthTokenReqMessageContext tokReqMsgC
             LOG.error("Error occurred publishing event " + IdentityEventConstants.Event.POST_ISSUE_ACCESS_TOKEN_V2, e);
         }
     }
+
+    private static Boolean existingTokenUsed(OAuthTokenReqMessageContext tokReqMsgCtx) {
+
+        Boolean existingTokenUsed = (Boolean) tokReqMsgCtx.getProperty(EXISTING_TOKEN_USED);
+        if (existingTokenUsed == null) {
+            existingTokenUsed = false;
+        }
+        return existingTokenUsed;
+    }
 }

components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/AccessTokenIssuer.java

@@ -406,7 +406,11 @@ public OAuth2AccessTokenRespDTO issue(OAuth2AccessTokenReqDTO tokenReqDTO)
         }
 
         if (tokenRespDTO != null && !tokenRespDTO.isError() && tokenRespDTO.getAccessToken() != null) {
-            AccessTokenEventUtil.publishTokenIssueEvent(tokReqMsgCtx, tokenReqDTO);
+            try {
+                AccessTokenEventUtil.publishTokenIssueEvent(tokReqMsgCtx, tokenReqDTO);
+            } catch (OrganizationManagementException | IdentityOAuth2Exception | UserIdNotFoundException  e) {
+                log.error("Error while publishing POST_ISSUE_ACCESS_TOKEN_V2 event. Event not published.", e);
+            }
         }
 
         return tokenRespDTO;

components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/handlers/grant/AbstractAuthorizationGrantHandler.java

@@ -70,6 +70,7 @@
 import org.wso2.carbon.identity.oauth2.validators.OAuth2ScopeHandler;
 import org.wso2.carbon.identity.oauth2.validators.scope.ScopeValidator;
 import org.wso2.carbon.identity.openidconnect.OIDCClaimUtil;
+import org.wso2.carbon.identity.openidconnect.OIDCConstants;
 import org.wso2.carbon.identity.organization.management.service.exception.OrganizationManagementException;
 import org.wso2.carbon.utils.DiagnosticLog;
 
@@ -251,6 +252,7 @@ private void setDetailsToMessageContext(OAuthTokenReqMessageContext tokReqMsgCtx
         }
 
         tokReqMsgCtx.setRefreshTokenvalidityPeriod(existingToken.getRefreshTokenValidityPeriodInMillis());
+        tokReqMsgCtx.addProperty(OIDCConstants.TOKEN_ID, existingToken.getTokenId());
     }
 
     @Override
@@ -501,6 +503,7 @@ private OAuth2AccessTokenRespDTO generateNewAccessToken(OAuthTokenReqMessageCont
 
         // Update cache with newly added token.
         updateCacheIfEnabled(newTokenBean, OAuth2Util.buildScopeString(tokReqMsgCtx.getScope()), oauthTokenIssuer);
+        tokReqMsgCtx.addProperty(OIDCConstants.TOKEN_ID, existingTokenBean.getTokenId());
         return createResponseWithTokenBean(newTokenBean, newTokenBean.getValidityPeriodInMillis(), scope);
     }
 

components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/openidconnect/OIDCConstants.java

@@ -28,6 +28,7 @@ public class OIDCConstants {
     public static final String IDN_OIDC_REQ_OBJECT_CLAIMS = "STORE_IDN_OIDC_REQ_OBJECT_CLAIMS";
     public static final String HAS_NON_OIDC_CLAIMS = "hasNonOIDCClaims";
     public static final String ID_TOKEN_USER_CLAIMS_PROP_KEY = "IDTokenUserClaims";
+    public static final String TOKEN_ID = "TOKEN_ID";
 
     /**
      * This class is used to define constants related to OIDC event specific features.
@@ -51,6 +52,14 @@ public class Event {
         public static final String OLD_ACCESS_TOKEN = "OLD_ACCESS_TOKEN";
         public static final String POST_REFRESH_TOKEN = "POST_REFRESH_TOKEN";
         public static final String IS_REQUEST_OBJECT_FLOW = "IS_REQUEST_OBJECT_FLOW";
+        public static final String CLIENT_ID = "CLIENT_ID";
+        public static final String USER_TYPE = "USER_TYPE";
+        public static final String APP_RESIDENT_TENANT_ID = "APP_RESIDENT_TENANT_ID";
+        public static final String ISSUED_TIME = "ISSUED_TIME";
+        public static final String ISSUER_ORGANIZATION_ID = "ISSUER_ORGANIZATION_ID";
+        public static final String ACCESSING_ORGANIZATION_ID = "ACCESSING_ORGANIZATION_ID";
+        public static final String EXISTING_TOKEN_USED = "EXISTING_TOKEN_USED";
+        public static final String SERVICE_PROVIDER = "SERVICE_PROVIDER";
     }
 }
 

components/org.wso2.carbon.identity.oauth/src/test/java/org/wso2/carbon/identity/oauth2/util/OAuthEventPublishingUtilTest.java

@@ -29,17 +29,26 @@
 import org.wso2.carbon.context.PrivilegedCarbonContext;
 import org.wso2.carbon.identity.application.authentication.framework.exception.UserIdNotFoundException;
 import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
+import org.wso2.carbon.identity.application.common.IdentityApplicationManagementException;
+import org.wso2.carbon.identity.application.common.model.LocalAndOutboundAuthenticationConfig;
+import org.wso2.carbon.identity.application.common.model.ServiceProvider;
 import org.wso2.carbon.identity.common.testng.WithCarbonHome;
+import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
 import org.wso2.carbon.identity.event.IdentityEventConstants;
 import org.wso2.carbon.identity.event.IdentityEventException;
 import org.wso2.carbon.identity.event.event.Event;
 import org.wso2.carbon.identity.event.services.IdentityEventService;
+import org.wso2.carbon.identity.oauth.common.OAuthConstants;
 import org.wso2.carbon.identity.oauth.dao.OAuthAppDO;
+import org.wso2.carbon.identity.oauth.internal.OAuthComponentServiceHolder;
 import org.wso2.carbon.identity.oauth.internal.util.AccessTokenEventUtil;
+import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
 import org.wso2.carbon.identity.oauth2.dto.OAuth2AccessTokenReqDTO;
 import org.wso2.carbon.identity.oauth2.internal.OAuth2ServiceComponentHolder;
 import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext;
 import org.wso2.carbon.identity.oauth2.token.OauthTokenIssuer;
+import org.wso2.carbon.identity.organization.management.service.OrganizationManager;
+import org.wso2.carbon.identity.organization.management.service.exception.OrganizationManagementException;
 
 import java.util.Map;
 
@@ -49,11 +58,14 @@
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;
 import static org.mockito.MockitoAnnotations.openMocks;
+import static org.wso2.carbon.identity.openidconnect.OIDCConstants.Event.EXISTING_TOKEN_USED;
 
 @Listeners(MockitoTestNGListener.class)
 @WithCarbonHome
 public class OAuthEventPublishingUtilTest {
 
+    private int TEST_APP_RESIDENT_TENANT_ID = 11;
+
     @Mock
     OAuthTokenReqMessageContext tokReqMsgCtx;
 
@@ -72,12 +84,25 @@ public class OAuthEventPublishingUtilTest {
     @Mock
     IdentityEventService identityEventService;
 
+    @Mock
+    LocalAndOutboundAuthenticationConfig localAndOutboundAuthenticationConfig;
+
+    @Mock
+    ServiceProvider sp;
+
+    @Mock
+    OAuthComponentServiceHolder oAuthComponentServiceHolder;
+
+    @Mock
+    OrganizationManager organizationManager;
+
     @BeforeMethod
-    public void setUp() throws UserIdNotFoundException {
+    public void setUp() throws UserIdNotFoundException, IdentityApplicationManagementException, OrganizationManagementException {
 
         openMocks(this);
         when(oAuth2AccessTokenReqDTO.getClientId()).thenReturn("test-client-id");
         when(oAuth2AccessTokenReqDTO.getGrantType()).thenReturn("authorization_code");
+        when(oAuth2AccessTokenReqDTO.getTenantDomain()).thenReturn("issuer-tenant-domain");
 
         when(tokReqMsgCtx.getAuthorizedUser()).thenReturn(authorizedUser);
         when(authorizedUser.getUserId()).thenReturn("user-id");
@@ -93,24 +118,43 @@ public void setUp() throws UserIdNotFoundException {
         when(oAuthAppDO.getOauthConsumerKey()).thenReturn("test-client-id");
 
         when(tokenIssuer.getAccessTokenType()).thenReturn("Opaque");
+
+        when(tokReqMsgCtx.getProperty(OAuthConstants.UserType.USER_TYPE)).thenReturn("APPLICATION_USER");
+        when(tokReqMsgCtx.getOauth2AccessTokenReqDTO()).thenReturn(oAuth2AccessTokenReqDTO);
+        when(tokReqMsgCtx.getProperty(EXISTING_TOKEN_USED)).thenReturn(Boolean.FALSE);
+
+        when(oAuthComponentServiceHolder.getOrganizationManager()).thenReturn(organizationManager);
+        when(organizationManager.resolveOrganizationId(anyString())).thenReturn("test-org-id");
     }
 
     @Test
-    public void testPublishTokenIssueEvent() throws UserIdNotFoundException, IdentityEventException {
+    public void testPublishTokenIssueEvent() throws UserIdNotFoundException, IdentityEventException,
+            IdentityOAuth2Exception, OrganizationManagementException {
 
         try (MockedStatic<OAuth2Util> mockedOAuth2Util = Mockito.mockStatic(OAuth2Util.class);
              MockedStatic<OAuth2ServiceComponentHolder> mockedServiceHolder = Mockito.mockStatic(
                      OAuth2ServiceComponentHolder.class);
              MockedStatic<PrivilegedCarbonContext> mockedCarbonContext = Mockito.mockStatic(
-                     PrivilegedCarbonContext.class)) {
+                     PrivilegedCarbonContext.class);
+             MockedStatic<OAuthComponentServiceHolder> mockedOAuthComponentServiceHolder = Mockito.mockStatic(
+                     OAuthComponentServiceHolder.class);
+             MockedStatic<IdentityTenantUtil> mockedIdentityTenantUtil = Mockito.mockStatic(
+                     IdentityTenantUtil.class)
+             ) {
 
             mockedOAuth2Util.when(() -> OAuth2Util.getOAuthTokenIssuerForOAuthApp(anyString()))
                     .thenReturn(tokenIssuer);
+            mockedOAuth2Util.when(() -> OAuth2Util.getServiceProvider(anyString(), anyString()))
+                    .thenReturn(sp);
             when(tokenIssuer.getAccessTokenType()).thenReturn("Opaque");
 
             mockedServiceHolder.when(OAuth2ServiceComponentHolder::getIdentityEventService)
                     .thenReturn(identityEventService);
 
+            mockedOAuthComponentServiceHolder.when(OAuthComponentServiceHolder::getInstance)
+                    .thenReturn(oAuthComponentServiceHolder);
+            mockedIdentityTenantUtil.when(IdentityTenantUtil::getLoginTenantId).thenReturn(TEST_APP_RESIDENT_TENANT_ID);
+
             PrivilegedCarbonContext carbonContext = mock(PrivilegedCarbonContext.class);
             mockedCarbonContext.when(PrivilegedCarbonContext::getThreadLocalCarbonContext)
                     .thenReturn(carbonContext);