Enable Authorization Code grant support for sub organization OAuth2 applications

Author: ShanChathusanda93

components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/util/AuthzUtil.java

@@ -43,6 +43,7 @@
 import org.json.JSONException;
 import org.json.JSONObject;
 import org.owasp.encoder.Encode;
+import org.wso2.carbon.context.PrivilegedCarbonContext;
 import org.wso2.carbon.identity.application.authentication.framework.AuthenticationService;
 import org.wso2.carbon.identity.application.authentication.framework.AuthenticatorFlowStatus;
 import org.wso2.carbon.identity.application.authentication.framework.CommonAuthenticationHandler;
@@ -151,6 +152,7 @@
 import org.wso2.carbon.identity.openidconnect.OIDCRequestObjectUtil;
 import org.wso2.carbon.identity.openidconnect.model.RequestObject;
 import org.wso2.carbon.identity.openidconnect.model.RequestedClaim;
+import org.wso2.carbon.identity.organization.management.service.exception.OrganizationManagementException;
 import org.wso2.carbon.utils.CarbonUtils;
 import org.wso2.carbon.utils.DiagnosticLog;
 
@@ -2429,15 +2431,24 @@ public static void populateValidationResponseWithAppDetail(OAuthMessage oAuthMes
 
         String clientId = oAuthMessage.getRequest().getParameter(CLIENT_ID);
         try {
-            OAuthAppDO appDO = OAuth2Util.getAppInformationByClientId(clientId);
+            OAuthAppDO appDO;
+            String appResidentOrgId = PrivilegedCarbonContext.getThreadLocalCarbonContext()
+                    .getApplicationResidentOrganizationId();
+            if (StringUtils.isNotEmpty(appResidentOrgId)) {
+                String appResidentTenantDomain = OAuth2ServiceComponentHolder.getInstance().getOrganizationManager()
+                        .resolveTenantDomain(appResidentOrgId);
+                appDO = OAuth2Util.getAppInformationByClientId(clientId, appResidentTenantDomain);
+            } else {
+                appDO = OAuth2Util.getAppInformationByClientId(clientId);
+            }
             if (Boolean.TRUE.equals(oAuthMessage.getRequest().getAttribute(OAuthConstants.PKCE_UNSUPPORTED_FLOW))) {
                 validationResponse.setPkceMandatory(false);
             } else {
                 validationResponse.setPkceMandatory(appDO.isPkceMandatory());
             }
             validationResponse.setApplicationName(appDO.getApplicationName());
             validationResponse.setPkceSupportPlain(appDO.isPkceSupportPlain());
-        } catch (InvalidOAuthClientException | IdentityOAuth2Exception e) {
+        } catch (InvalidOAuthClientException | IdentityOAuth2Exception | OrganizationManagementException e) {
             throw new OAuthSystemException("Error while retrieving app information for client_id : " + clientId, e);
         }
     }
@@ -2834,7 +2845,8 @@ private static String getSpTenantDomain(String clientId) throws InvalidRequestEx
         try {
             // At this point we have verified that a valid app exists for the client_id. So we directly get the SP
             // tenantDomain.
-            return OAuth2Util.getTenantDomainOfOauthApp(clientId);
+            String tenantDomain = IdentityTenantUtil.getTenantDomain(IdentityTenantUtil.getLoginTenantId());
+            return OAuth2Util.getTenantDomainOfOauthApp(clientId, tenantDomain);
         } catch (InvalidOAuthClientException | IdentityOAuth2Exception e) {
             throw new InvalidRequestException("Error retrieving Service Provider tenantDomain for client_id: "
                     + clientId, OAuth2ErrorCodes.INVALID_REQUEST, OAuth2ErrorCodes.OAuth2SubErrorCodes
@@ -2851,6 +2863,20 @@ private static String getLoginTenantDomain(OAuthMessage oAuthMessage, String cli
 
         String loginTenantDomain =
                 oAuthMessage.getRequest().getParameter(FrameworkConstants.RequestParams.LOGIN_TENANT_DOMAIN);
+        String appResidentOrgId = PrivilegedCarbonContext.getThreadLocalCarbonContext()
+                .getApplicationResidentOrganizationId();
+        if (StringUtils.isNotEmpty(appResidentOrgId)) {
+            String appResidentTenantDomain;
+            try {
+                appResidentTenantDomain = OAuth2ServiceComponentHolder.getInstance().getOrganizationManager()
+                        .resolveTenantDomain(appResidentOrgId);
+            } catch (OrganizationManagementException e) {
+                throw new InvalidRequestException("Error resolving tenant domain from organization id: "
+                        + appResidentOrgId, OAuth2ErrorCodes.INVALID_REQUEST, OAuth2ErrorCodes.OAuth2SubErrorCodes
+                        .UNEXPECTED_SERVER_ERROR);
+            }
+            return EndpointUtil.getSPTenantDomainFromClientId(clientId, appResidentTenantDomain);
+        }
         if (StringUtils.isBlank(loginTenantDomain)) {
             return EndpointUtil.getSPTenantDomainFromClientId(oAuthMessage.getClientId());
         }

components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/util/EndpointUtil.java

@@ -1544,6 +1544,29 @@ public static String getSPTenantDomainFromClientId(String clientId) {
         }
     }
 
+    /**
+     * This method retrieves the service provider tenant domain using the client ID.
+     * However, internally it uses the tenant present in the carbon context.
+     *
+     * @param clientId Client id of the application.
+     * @return Tenant domain of the service provider.
+     */
+    public static String getSPTenantDomainFromClientId(String clientId, String tenantDomain) {
+
+        try {
+            OAuthAppDO oAuthAppDO = OAuth2Util.getAppInformationByClientId(clientId, tenantDomain);
+            return OAuth2Util.getTenantDomainOfOauthApp(oAuthAppDO);
+        } catch (IdentityOAuth2Exception e) {
+            log.error("Error while getting oauth app for client Id: " + clientId, e);
+            return MultitenantConstants.SUPER_TENANT_DOMAIN_NAME;
+        } catch (InvalidOAuthClientException e) {
+            if (log.isDebugEnabled()) {
+                log.debug("Error while getting oauth app for client Id: " + clientId, e);
+            }
+            return MultitenantConstants.SUPER_TENANT_DOMAIN_NAME;
+        }
+    }
+
     /**
      * Extract information related to the token request and exception and publish the event to listeners.
      *

components/org.wso2.carbon.identity.oauth.endpoint/src/test/java/org/wso2/carbon/identity/oauth/endpoint/authz/OAuth2AuthzEndpointTest.java

@@ -547,7 +547,8 @@ public void testAuthorize(Object flowStatusObject, String[] clientId, String ses
                  MockedStatic<OAuthAdminServiceFactory> oAuthAdminServiceFactory =
                          mockStatic(OAuthAdminServiceFactory.class);
                  MockedStatic<OAuth2TokenValidatorServiceFactory> oAuth2TokenValidatorServiceFactory =
-                         mockStatic(OAuth2TokenValidatorServiceFactory.class);) {
+                         mockStatic(OAuth2TokenValidatorServiceFactory.class);
+                 MockedStatic<AuthzUtil> authzUtil = mockStatic(AuthzUtil.class)) {
                 AuthenticatorFlowStatus flowStatus = (AuthenticatorFlowStatus) flowStatusObject;
 
                 Map<String, String[]> requestParams = new HashMap<>();
@@ -587,6 +588,7 @@ public void testAuthorize(Object flowStatusObject, String[] clientId, String ses
                         .thenReturn(MultitenantConstants.SUPER_TENANT_ID);
                 identityTenantUtil.when(IdentityTenantUtil::getLoginTenantId)
                         .thenReturn(MultitenantConstants.SUPER_TENANT_ID);
+                authzUtil.when(AuthzUtil::isLegacyAuthzRuntime).thenReturn(false);
                 IdentityEventService eventServiceMock = mock(IdentityEventService.class);
                 centralLogMgtServiceComponentHolder.when(
                                 CentralLogMgtServiceComponentHolder::getInstance)

components/org.wso2.carbon.identity.oauth.endpoint/src/test/java/org/wso2/carbon/identity/oauth/endpoint/par/OAuth2ParEndpointTest.java

@@ -404,6 +404,7 @@ public void testPar(Object requestParamsObj, Object paramMapObj, Object oAuthCli
                 oAuth2ServiceFactory.when(OAuth2ServiceFactory::getOAuth2Service).thenReturn(oAuth2Service);
                 parAuthServiceFactory.when(ParAuthServiceFactory::getParAuthService).thenReturn(parAuthService);
                 identityTenantUtil.when(IdentityTenantUtil::getLoginTenantId).thenReturn(-1234);
+                identityTenantUtil.when(() -> IdentityTenantUtil.getTenantDomain(-1234)).thenReturn("carbon.super");
                 identityTenantUtil.when(() -> IdentityTenantUtil.getTenantId("carbon.super")).thenReturn(-1234);
 
                 loggerUtils.when(LoggerUtils::isDiagnosticLogsEnabled).thenReturn(true);
@@ -412,7 +413,7 @@ public void testPar(Object requestParamsObj, Object paramMapObj, Object oAuthCli
 
                 if (Objects.equals(request.getParameter(OAuthConstants.OAuth20Params.RESPONSE_TYPE),
                         RESPONSE_TYPE_CODE_ID_TOKEN)) {
-                    OAuthAppDO oauthAppDO = OAuth2Util.getAppInformationByClientId(CLIENT_ID_VALUE);
+                    OAuthAppDO oauthAppDO = OAuth2Util.getAppInformationByClientId(CLIENT_ID_VALUE, "carbon.super");
                     oauthAppDO.setHybridFlowEnabled(true);
                     oauthAppDO.setHybridFlowResponseType(RESPONSE_TYPE_CODE_ID_TOKEN);
                 }

components/org.wso2.carbon.identity.oauth.endpoint/src/test/java/org/wso2/carbon/identity/oauth/endpoint/util/AuthzUtilTest.java

@@ -490,6 +490,8 @@ public void testAuthorize(Object flowStatusObject, String[] clientId, String ses
                 OAuthServerConfiguration.class);) {
             mockOAuthServerConfiguration(oAuthServerConfiguration);
             try (MockedStatic<OAuth2Util.OAuthURL> oAuthURL = mockStatic(OAuth2Util.OAuthURL.class);
+                 MockedStatic<OAuth2Util> oAuth2Util = mockStatic(OAuth2Util.class,
+                         Mockito.CALLS_REAL_METHODS);
                  MockedStatic<IdentityTenantUtil> identityTenantUtil = mockStatic(IdentityTenantUtil.class);
                  MockedStatic<LoggerUtils> loggerUtils = mockStatic(LoggerUtils.class);
                  MockedStatic<CentralLogMgtServiceComponentHolder> centralLogMgtServiceComponentHolder =
@@ -537,6 +539,19 @@ public void testAuthorize(Object flowStatusObject, String[] clientId, String ses
                 frameworkUtils.when(() -> FrameworkUtils.startTenantFlow(anyString())).thenAnswer(invocation -> null);
                 frameworkUtils.when(FrameworkUtils::endTenantFlow).thenAnswer(invocation -> null);
 
+                OAuthAppDO appDO = new OAuthAppDO();
+                appDO.setState("ACTIVE");
+                AuthenticatedUser user = new AuthenticatedUser();
+                user.setUserName(USERNAME);
+                user.setTenantDomain(MultitenantConstants.SUPER_TENANT_DOMAIN_NAME);
+                appDO.setUser(user);
+                if (expectedStatus == HttpServletResponse.SC_FOUND) {
+                    oAuth2Util.when(() -> OAuth2Util.getAppInformationByClientId(anyString(), anyString()))
+                            .thenReturn(appDO);
+                } else {
+                    oAuth2Util.when(() -> OAuth2Util.getTenantDomainOfOauthApp(anyString(), anyString()))
+                            .thenReturn(MultitenantConstants.SUPER_TENANT_DOMAIN_NAME);
+                }
                 loggerUtils.when(LoggerUtils::isDiagnosticLogsEnabled).thenReturn(diagnosticLogsEnabled);
                 identityTenantUtil.when(() -> IdentityTenantUtil.getTenantDomain(anyInt()))
                         .thenReturn(MultitenantConstants.SUPER_TENANT_DOMAIN_NAME);

components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/authz/handlers/util/ResponseTypeHandlerUtil.java

@@ -294,6 +294,16 @@ public static AuthzCodeDO generateAuthorizationCode(OAuthAuthzReqMessageContext
                 authorizationReqDTO.getConsumerKey(), authorizationCode, codeId,
                 authorizationReqDTO.getPkceCodeChallenge(), authorizationReqDTO.getPkceCodeChallengeMethod());
         authzCodeDO.setRequestedActor(authorizationReqDTO.getRequestedActor());
+        String appResidentOrganizationId = PrivilegedCarbonContext.getThreadLocalCarbonContext()
+                .getApplicationResidentOrganizationId();
+        if (StringUtils.isNotBlank(appResidentOrganizationId)) {
+            if (log.isDebugEnabled()) {
+                log.debug("Setting accessing organization id: " + appResidentOrganizationId +
+                        " and user resident organization in the authorization code data object.");
+            }
+            authzCodeDO.getAuthorizedUser().setAccessingOrganization(appResidentOrganizationId);
+            authzCodeDO.getAuthorizedUser().setUserResidentOrganization(appResidentOrganizationId);
+        }
         String appTenant = authorizationReqDTO.getTenantDomain();
         if (StringUtils.isNotEmpty(appTenant)) {
             OAuthTokenPersistenceFactory.getInstance().getAuthorizationCodeDAO()

components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/authz/validators/AbstractResponseTypeRequestValidator.java

@@ -104,7 +104,8 @@ public OAuth2ClientValidationResponseDTO validateClientInfo(HttpServletRequest r
         }
 
         try {
-            String appTenantDomain = OAuth2Util.getTenantDomainOfOauthApp(clientId);
+            String tenantDomain = IdentityTenantUtil.getTenantDomain(IdentityTenantUtil.getLoginTenantId());
+            String appTenantDomain = OAuth2Util.getTenantDomainOfOauthApp(clientId, tenantDomain);
             validateRequestTenantDomain(appTenantDomain);
             DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = null;
             if (LoggerUtils.isDiagnosticLogsEnabled()) {
@@ -125,7 +126,7 @@ public OAuth2ClientValidationResponseDTO validateClientInfo(HttpServletRequest r
             if (diagnosticLogBuilder != null) {
                 diagnosticLogBuilder.inputParam(LogConstants.InputKeys.CLIENT_ID, clientId);
             }
-            OAuthAppDO appDO = OAuth2Util.getAppInformationByClientId(clientId);
+            OAuthAppDO appDO = OAuth2Util.getAppInformationByClientId(clientId, appTenantDomain);
             String appState = appDO.getState();
 
             if (StringUtils.isEmpty(appState)) {

components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/dao/AuthorizationCodeDAOImpl.java

@@ -23,6 +23,7 @@
 import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.wso2.carbon.context.PrivilegedCarbonContext;
 import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
 import org.wso2.carbon.identity.application.common.IdentityApplicationManagementException;
 import org.wso2.carbon.identity.application.common.model.ServiceProvider;
@@ -38,6 +39,7 @@
 import org.wso2.carbon.identity.oauth2.model.AuthzCodeDO;
 import org.wso2.carbon.identity.oauth2.util.OAuth2TokenUtil;
 import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
+import org.wso2.carbon.identity.organization.management.service.exception.OrganizationManagementException;
 
 import java.sql.Connection;
 import java.sql.PreparedStatement;
@@ -230,7 +232,14 @@ public AuthorizationCodeValidationResult validateAuthorizationCode(String consum
 
             prepStmt = connection.prepareStatement(sql);
             prepStmt.setString(1, getPersistenceProcessor().getProcessedClientId(consumerKey));
-            prepStmt.setInt(2, IdentityTenantUtil.getLoginTenantId());
+            tenantId = IdentityTenantUtil.getLoginTenantId();
+            String appResidentOrganizationId = PrivilegedCarbonContext.getThreadLocalCarbonContext()
+                    .getApplicationResidentOrganizationId();
+            if (StringUtils.isNotEmpty(appResidentOrganizationId)) {
+                tenantId = IdentityTenantUtil.getTenantId(OAuth2ServiceComponentHolder.getInstance()
+                        .getOrganizationManager().resolveTenantDomain(appResidentOrganizationId));
+            }
+            prepStmt.setInt(2, tenantId);
             //use hash value for search
             prepStmt.setString(3, getHashingPersistenceProcessor().getProcessedAuthzCode(authorizationKey));
             resultSet = prepStmt.executeQuery();
@@ -266,6 +275,12 @@ public AuthorizationCodeValidationResult validateAuthorizationCode(String consum
                             "for client id " + consumerKey, e);
                 }
                 user.setAuthenticatedSubjectIdentifier(subjectIdentifier, serviceProvider);
+                if (StringUtils.isNotEmpty(appResidentOrganizationId)) {
+                    String userOrganizationId = OAuth2ServiceComponentHolder.getInstance().getOrganizationManager()
+                            .resolveOrganizationId(tenantDomain);
+                    user.setAccessingOrganization(appResidentOrganizationId);
+                    user.setUserResidentOrganization(userOrganizationId);
+                }
 
                 String tokenId = resultSet.getString(9);
                 String tokenBindingReference = NONE;
@@ -291,6 +306,8 @@ public AuthorizationCodeValidationResult validateAuthorizationCode(String consum
 
         } catch (SQLException | URLBuilderException e) {
             throw new IdentityOAuth2Exception("Error when validating an authorization code", e);
+        } catch (OrganizationManagementException e) {
+            throw new IdentityOAuth2Exception("Error occurred while resolving tenant id for organization.", e);
         } finally {
             IdentityDatabaseUtil.closeAllConnections(connection, resultSet, prepStmt);
         }

components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/handlers/grant/AuthorizationCodeGrantHandler.java

@@ -92,7 +92,7 @@ public boolean validateGrant(OAuthTokenReqMessageContext tokReqMsgCtx) throws Id
             // If redirect_uri was given in the authorization request,
             // token request should send matching redirect_uri value.
             validateCallbackUrlFromRequest(tokenReq.getCallbackURI(), authzCodeBean.getCallbackUrl());
-            validatePKCECode(authzCodeBean, tokenReq.getPkceCodeVerifier());
+            validatePKCECode(authzCodeBean, tokenReq.getPkceCodeVerifier(), tokenReq.getTenantDomain());
             validateRequestedActor(authzCodeBean, tokReqMsgCtx);
             setPropertiesForTokenGeneration(tokReqMsgCtx, tokenReq, authzCodeBean);
         } finally {
@@ -589,12 +589,12 @@ private void markAsExpired(AuthzCodeDO authzCodeBean) throws IdentityOAuth2Excep
      * @return true if PKCE is validated
      * @throws IdentityOAuth2Exception
      */
-    private boolean validatePKCECode(AuthzCodeDO authzCodeBean, String verificationCode)
+    private boolean validatePKCECode(AuthzCodeDO authzCodeBean, String verificationCode, String tenantDomain)
             throws IdentityOAuth2Exception {
 
         String pkceCodeChallenge = authzCodeBean.getPkceCodeChallenge();
         String pkceCodeChallengeMethod = authzCodeBean.getPkceCodeChallengeMethod();
-        OAuthAppDO oAuthApp = getOAuthAppDO(authzCodeBean.getConsumerKey());
+        OAuthAppDO oAuthApp = getOAuthAppDO(authzCodeBean.getConsumerKey(), tenantDomain);
         if (!validatePKCE(pkceCodeChallenge, verificationCode, pkceCodeChallengeMethod, oAuthApp)) {
             //possible malicious oAuthRequest
             log.warn("Failed PKCE Verification for oAuth 2.0 request");
@@ -653,9 +653,9 @@ private void revokeAuthorizationCode(AuthzCodeDO authzCodeBean) throws IdentityO
         }
     }
 
-    private OAuthAppDO getOAuthAppDO(String clientId) throws IdentityOAuth2Exception {
+    private OAuthAppDO getOAuthAppDO(String clientId, String tenantDomain) throws IdentityOAuth2Exception {
         try {
-            return OAuth2Util.getAppInformationByClientId(clientId);
+            return OAuth2Util.getAppInformationByClientId(clientId, tenantDomain);
         } catch (InvalidOAuthClientException e) {
             throw new IdentityOAuth2Exception("Error while retrieving app information for client: " + clientId);
         }