Improve application access validation in client authentication

Author: ShanChathusanda93

components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/util/OAuth2Util.java

@@ -615,6 +615,9 @@ public static boolean authenticateClient(String clientId, String clientSecretPro
     public static boolean authenticateClient(String clientId, String clientSecretProvided, String appTenant)
             throws IdentityOAuthAdminException, IdentityOAuth2Exception, InvalidOAuthClientException {
 
+        if (!isApplicationAccessible(clientId, appTenant)) {
+            throw new InvalidOAuthClientException("Application is disabled for the client_id: " + clientId);
+        }
         OAuthAppDO appDO = OAuth2Util.getAppInformationByClientId(clientId, appTenant);
         if (appDO == null) {
             if (log.isDebugEnabled()) {
@@ -660,6 +663,30 @@ public static boolean authenticateClient(String clientId, String clientSecretPro
         return true;
     }
 
+    private static boolean isApplicationAccessible(String clientId, String appTenant)
+            throws IdentityOAuth2Exception {
+
+        ServiceProvider serviceProvider = OAuth2Util.getServiceProvider(clientId, appTenant);
+        DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = null;
+        if (LoggerUtils.isDiagnosticLogsEnabled()) {
+            diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
+                    OAuthConstants.LogConstants.OAUTH_INBOUND_SERVICE,
+                    OAuthConstants.LogConstants.ActionIDs.VALIDATE_APPLICATION_ENABLED_STATUS);
+            diagnosticLogBuilder.inputParam(LogConstants.InputKeys.CLIENT_ID, clientId)
+                    .logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION);
+        }
+        if (!serviceProvider.isApplicationEnabled()) {
+            if (diagnosticLogBuilder != null) {
+                diagnosticLogBuilder
+                        .resultMessage("Application is disabled.")
+                        .resultStatus(DiagnosticLog.ResultStatus.FAILED);
+                LoggerUtils.triggerDiagnosticLogEvent(diagnosticLogBuilder);
+            }
+            return false;
+        }
+        return true;
+    }
+
     private static boolean isTenantActive(String tenantDomain) throws IdentityOAuth2Exception {
         try {
             TenantManager tenantManager = OAuthComponentServiceHolder.getInstance()

components/org.wso2.carbon.identity.oauth/src/test/java/org/wso2/carbon/identity/oauth2/util/OAuth2UtilTest.java

@@ -581,6 +581,10 @@ public void testAuthenticateClientWithAppTenant() throws Exception {
                     (mock, context) -> {
                         when(mock.getAppInformation(eq(clientId), anyInt())).thenReturn(appDO);
                     })) {
+                ApplicationManagementService applicationManagementService = mock(ApplicationManagementService.class);
+                OAuth2ServiceComponentHolder.setApplicationMgtService(applicationManagementService);
+                when(applicationManagementService.getServiceProviderByClientId(anyString(), anyString(), anyString()))
+                        .thenReturn(new ServiceProvider());
                 identityTenantUtil.when(() -> IdentityTenantUtil.getTenantId(clientTenantDomain))
                         .thenReturn(clientTenantId);