Enable Authorization Code grant support for sub organization OAuth2 applications

Author: ShanChathusanda93

components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/util/AuthzUtil.java

@@ -43,6 +43,7 @@
 import org.json.JSONException;
 import org.json.JSONObject;
 import org.owasp.encoder.Encode;
+import org.wso2.carbon.context.PrivilegedCarbonContext;
 import org.wso2.carbon.identity.application.authentication.framework.AuthenticationService;
 import org.wso2.carbon.identity.application.authentication.framework.AuthenticatorFlowStatus;
 import org.wso2.carbon.identity.application.authentication.framework.CommonAuthenticationHandler;
@@ -51,6 +52,7 @@
 import org.wso2.carbon.identity.application.authentication.framework.config.model.graph.js.JsLogger;
 import org.wso2.carbon.identity.application.authentication.framework.context.AuthHistory;
 import org.wso2.carbon.identity.application.authentication.framework.context.SessionContext;
+import org.wso2.carbon.identity.application.authentication.framework.exception.FrameworkException;
 import org.wso2.carbon.identity.application.authentication.framework.exception.UserIdNotFoundException;
 import org.wso2.carbon.identity.application.authentication.framework.exception.auth.service.AuthServiceClientException;
 import org.wso2.carbon.identity.application.authentication.framework.exception.auth.service.AuthServiceException;
@@ -151,6 +153,8 @@
 import org.wso2.carbon.identity.openidconnect.OIDCRequestObjectUtil;
 import org.wso2.carbon.identity.openidconnect.model.RequestObject;
 import org.wso2.carbon.identity.openidconnect.model.RequestedClaim;
+import org.wso2.carbon.identity.organization.management.service.exception.OrganizationManagementException;
+import org.wso2.carbon.identity.organization.management.service.util.OrganizationManagementUtil;
 import org.wso2.carbon.utils.CarbonUtils;
 import org.wso2.carbon.utils.DiagnosticLog;
 
@@ -1523,7 +1527,7 @@ private static void addToAuthenticationResultDetailsToOAuthMessage(OAuthMessage
         addMappedRemoteClaimsToSessionCache(oAuthMessage, authnResult);
     }
 
-    private static void updateAuthTimeInSessionDataCacheEntry(OAuthMessage oAuthMessage) {
+    private static void updateAuthTimeInSessionDataCacheEntry(OAuthMessage oAuthMessage) throws OAuthSystemException {
 
         String commonAuthIdCookieValue = getCommonAuthCookieString(oAuthMessage.getRequest());
         long authTime = getAuthenticatedTimeFromCommonAuthCookieValue(commonAuthIdCookieValue,
@@ -2429,15 +2433,23 @@ public static void populateValidationResponseWithAppDetail(OAuthMessage oAuthMes
 
         String clientId = oAuthMessage.getRequest().getParameter(CLIENT_ID);
         try {
-            OAuthAppDO appDO = OAuth2Util.getAppInformationByClientId(clientId);
+            OAuthAppDO appDO;
+            String appResidentOrgId = PrivilegedCarbonContext.getThreadLocalCarbonContext()
+                    .getApplicationResidentOrganizationId();
+            if (StringUtils.isNotEmpty(appResidentOrgId)) {
+                String appResidentTenantDomain = FrameworkUtils.resolveAppResidentTenantDomain(appResidentOrgId);
+                appDO = OAuth2Util.getAppInformationByClientId(clientId, appResidentTenantDomain);
+            } else {
+                appDO = OAuth2Util.getAppInformationByClientId(clientId);
+            }
             if (Boolean.TRUE.equals(oAuthMessage.getRequest().getAttribute(OAuthConstants.PKCE_UNSUPPORTED_FLOW))) {
                 validationResponse.setPkceMandatory(false);
             } else {
                 validationResponse.setPkceMandatory(appDO.isPkceMandatory());
             }
             validationResponse.setApplicationName(appDO.getApplicationName());
             validationResponse.setPkceSupportPlain(appDO.isPkceSupportPlain());
-        } catch (InvalidOAuthClientException | IdentityOAuth2Exception e) {
+        } catch (InvalidOAuthClientException | IdentityOAuth2Exception | FrameworkException e) {
             throw new OAuthSystemException("Error while retrieving app information for client_id : " + clientId, e);
         }
     }
@@ -2834,7 +2846,8 @@ private static String getSpTenantDomain(String clientId) throws InvalidRequestEx
         try {
             // At this point we have verified that a valid app exists for the client_id. So we directly get the SP
             // tenantDomain.
-            return OAuth2Util.getTenantDomainOfOauthApp(clientId);
+            String tenantDomain = IdentityTenantUtil.getTenantDomain(IdentityTenantUtil.getLoginTenantId());
+            return OAuth2Util.getTenantDomainOfOauthApp(clientId, tenantDomain);
         } catch (InvalidOAuthClientException | IdentityOAuth2Exception e) {
             throw new InvalidRequestException("Error retrieving Service Provider tenantDomain for client_id: "
                     + clientId, OAuth2ErrorCodes.INVALID_REQUEST, OAuth2ErrorCodes.OAuth2SubErrorCodes
@@ -2851,6 +2864,19 @@ private static String getLoginTenantDomain(OAuthMessage oAuthMessage, String cli
 
         String loginTenantDomain =
                 oAuthMessage.getRequest().getParameter(FrameworkConstants.RequestParams.LOGIN_TENANT_DOMAIN);
+        String appResidentOrgId = PrivilegedCarbonContext.getThreadLocalCarbonContext()
+                .getApplicationResidentOrganizationId();
+        if (StringUtils.isNotEmpty(appResidentOrgId)) {
+            String appResidentTenantDomain;
+            try {
+                appResidentTenantDomain = FrameworkUtils.resolveAppResidentTenantDomain(appResidentOrgId);
+            } catch (FrameworkException e) {
+                throw new InvalidRequestException("Error resolving tenant domain from organization id: "
+                        + appResidentOrgId, OAuth2ErrorCodes.INVALID_REQUEST, OAuth2ErrorCodes.OAuth2SubErrorCodes
+                        .INVALID_REQUEST);
+            }
+            return EndpointUtil.getSPTenantDomainFromClientId(clientId, appResidentTenantDomain);
+        }
         if (StringUtils.isBlank(loginTenantDomain)) {
             return EndpointUtil.getSPTenantDomainFromClientId(oAuthMessage.getClientId());
         }
@@ -4351,10 +4377,29 @@ private static String appendAuthenticatedIDPs(SessionDataCacheEntry sessionDataC
      * @param resultFromLogin The session context.
      * @param cookieValue The cookie string which contains the commonAuthId value.
      */
-    private static void associateAuthenticationHistory(SessionDataCacheEntry resultFromLogin, String cookieValue) {
+    private static void associateAuthenticationHistory(SessionDataCacheEntry resultFromLogin, String cookieValue)
+            throws OAuthSystemException {
 
-        SessionContext sessionContext = getSessionContext(cookieValue,
-                resultFromLogin.getoAuth2Parameters().getLoginTenantDomain());
+        String tenantDomain = resultFromLogin.getoAuth2Parameters().getLoginTenantDomain();
+        /*
+         If the app is created in an organization, get the tenant domain of the primary organization since the
+         session is stored against the primary organization.
+        */
+        try {
+            String appTenantDomain = OAuth2Util.getTenantDomainOfOauthApp(
+                    resultFromLogin.getoAuth2Parameters().getClientId(), tenantDomain);
+            if (OrganizationManagementUtil.isOrganization(appTenantDomain)) {
+                String appOrgId = OAuth2ServiceComponentHolder.getInstance().getOrganizationManager()
+                        .resolveOrganizationId(appTenantDomain);
+                String primaryOrgId = OAuth2ServiceComponentHolder.getInstance().getOrganizationManager()
+                        .getPrimaryOrganizationId(appOrgId);
+                tenantDomain = OAuth2ServiceComponentHolder.getInstance().getOrganizationManager()
+                        .resolveTenantDomain(primaryOrgId);
+            }
+        } catch (OrganizationManagementException | IdentityOAuth2Exception | InvalidOAuthClientException e) {
+            throw new OAuthSystemException(e);
+        }
+        SessionContext sessionContext = getSessionContext(cookieValue, tenantDomain);
         if (sessionContext != null && sessionContext.getSessionAuthHistory() != null
                 && sessionContext.getSessionAuthHistory().getHistory() != null) {
             List<String> authMethods = new ArrayList<>();

components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/util/EndpointUtil.java

@@ -1544,6 +1544,29 @@ public static String getSPTenantDomainFromClientId(String clientId) {
         }
     }
 
+    /**
+     * This method retrieves the service provider tenant domain using the client ID and the tenant domain.
+     *
+     * @param clientId Client id of the application.
+     * @param tenantDomain Tenant domain to which the client ID belongs.
+     * @return tenantDomain domain of the service provider.
+     */
+    public static String getSPTenantDomainFromClientId(String clientId, String tenantDomain) {
+
+        try {
+            OAuthAppDO oAuthAppDO = OAuth2Util.getAppInformationByClientId(clientId, tenantDomain);
+            return OAuth2Util.getTenantDomainOfOauthApp(oAuthAppDO);
+        } catch (IdentityOAuth2Exception e) {
+            log.error("Error while getting oauth app for client Id: " + clientId, e);
+            return MultitenantConstants.SUPER_TENANT_DOMAIN_NAME;
+        } catch (InvalidOAuthClientException e) {
+            if (log.isDebugEnabled()) {
+                log.debug("Error while getting oauth app for client Id: " + clientId, e);
+            }
+            return MultitenantConstants.SUPER_TENANT_DOMAIN_NAME;
+        }
+    }
+
     /**
      * Extract information related to the token request and exception and publish the event to listeners.
      *

components/org.wso2.carbon.identity.oauth.endpoint/src/test/java/org/wso2/carbon/identity/oauth/endpoint/authz/OAuth2AuthzEndpointTest.java

@@ -547,7 +547,8 @@ public void testAuthorize(Object flowStatusObject, String[] clientId, String ses
                  MockedStatic<OAuthAdminServiceFactory> oAuthAdminServiceFactory =
                          mockStatic(OAuthAdminServiceFactory.class);
                  MockedStatic<OAuth2TokenValidatorServiceFactory> oAuth2TokenValidatorServiceFactory =
-                         mockStatic(OAuth2TokenValidatorServiceFactory.class);) {
+                         mockStatic(OAuth2TokenValidatorServiceFactory.class);
+                 MockedStatic<AuthzUtil> authzUtil = mockStatic(AuthzUtil.class)) {
                 AuthenticatorFlowStatus flowStatus = (AuthenticatorFlowStatus) flowStatusObject;
 
                 Map<String, String[]> requestParams = new HashMap<>();
@@ -587,6 +588,7 @@ public void testAuthorize(Object flowStatusObject, String[] clientId, String ses
                         .thenReturn(MultitenantConstants.SUPER_TENANT_ID);
                 identityTenantUtil.when(IdentityTenantUtil::getLoginTenantId)
                         .thenReturn(MultitenantConstants.SUPER_TENANT_ID);
+                authzUtil.when(AuthzUtil::isLegacyAuthzRuntime).thenReturn(false);
                 IdentityEventService eventServiceMock = mock(IdentityEventService.class);
                 centralLogMgtServiceComponentHolder.when(
                                 CentralLogMgtServiceComponentHolder::getInstance)

components/org.wso2.carbon.identity.oauth.endpoint/src/test/java/org/wso2/carbon/identity/oauth/endpoint/par/OAuth2ParEndpointTest.java

@@ -404,6 +404,7 @@ public void testPar(Object requestParamsObj, Object paramMapObj, Object oAuthCli
                 oAuth2ServiceFactory.when(OAuth2ServiceFactory::getOAuth2Service).thenReturn(oAuth2Service);
                 parAuthServiceFactory.when(ParAuthServiceFactory::getParAuthService).thenReturn(parAuthService);
                 identityTenantUtil.when(IdentityTenantUtil::getLoginTenantId).thenReturn(-1234);
+                identityTenantUtil.when(() -> IdentityTenantUtil.getTenantDomain(-1234)).thenReturn("carbon.super");
                 identityTenantUtil.when(() -> IdentityTenantUtil.getTenantId("carbon.super")).thenReturn(-1234);
 
                 loggerUtils.when(LoggerUtils::isDiagnosticLogsEnabled).thenReturn(true);
@@ -412,7 +413,7 @@ public void testPar(Object requestParamsObj, Object paramMapObj, Object oAuthCli
 
                 if (Objects.equals(request.getParameter(OAuthConstants.OAuth20Params.RESPONSE_TYPE),
                         RESPONSE_TYPE_CODE_ID_TOKEN)) {
-                    OAuthAppDO oauthAppDO = OAuth2Util.getAppInformationByClientId(CLIENT_ID_VALUE);
+                    OAuthAppDO oauthAppDO = OAuth2Util.getAppInformationByClientId(CLIENT_ID_VALUE, "carbon.super");
                     oauthAppDO.setHybridFlowEnabled(true);
                     oauthAppDO.setHybridFlowResponseType(RESPONSE_TYPE_CODE_ID_TOKEN);
                 }

components/org.wso2.carbon.identity.oauth.endpoint/src/test/java/org/wso2/carbon/identity/oauth/endpoint/util/AuthzUtilTest.java

@@ -490,6 +490,8 @@ public void testAuthorize(Object flowStatusObject, String[] clientId, String ses
                 OAuthServerConfiguration.class);) {
             mockOAuthServerConfiguration(oAuthServerConfiguration);
             try (MockedStatic<OAuth2Util.OAuthURL> oAuthURL = mockStatic(OAuth2Util.OAuthURL.class);
+                 MockedStatic<OAuth2Util> oAuth2Util = mockStatic(OAuth2Util.class,
+                         Mockito.CALLS_REAL_METHODS);
                  MockedStatic<IdentityTenantUtil> identityTenantUtil = mockStatic(IdentityTenantUtil.class);
                  MockedStatic<LoggerUtils> loggerUtils = mockStatic(LoggerUtils.class);
                  MockedStatic<CentralLogMgtServiceComponentHolder> centralLogMgtServiceComponentHolder =
@@ -537,6 +539,19 @@ public void testAuthorize(Object flowStatusObject, String[] clientId, String ses
                 frameworkUtils.when(() -> FrameworkUtils.startTenantFlow(anyString())).thenAnswer(invocation -> null);
                 frameworkUtils.when(FrameworkUtils::endTenantFlow).thenAnswer(invocation -> null);
 
+                OAuthAppDO appDO = new OAuthAppDO();
+                appDO.setState("ACTIVE");
+                AuthenticatedUser user = new AuthenticatedUser();
+                user.setUserName(USERNAME);
+                user.setTenantDomain(MultitenantConstants.SUPER_TENANT_DOMAIN_NAME);
+                appDO.setUser(user);
+                if (expectedStatus == HttpServletResponse.SC_FOUND) {
+                    oAuth2Util.when(() -> OAuth2Util.getAppInformationByClientId(anyString(), anyString()))
+                            .thenReturn(appDO);
+                } else {
+                    oAuth2Util.when(() -> OAuth2Util.getTenantDomainOfOauthApp(anyString(), anyString()))
+                            .thenReturn(MultitenantConstants.SUPER_TENANT_DOMAIN_NAME);
+                }
                 loggerUtils.when(LoggerUtils::isDiagnosticLogsEnabled).thenReturn(diagnosticLogsEnabled);
                 identityTenantUtil.when(() -> IdentityTenantUtil.getTenantDomain(anyInt()))
                         .thenReturn(MultitenantConstants.SUPER_TENANT_DOMAIN_NAME);

components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/authz/handlers/util/ResponseTypeHandlerUtil.java

@@ -294,6 +294,16 @@ public static AuthzCodeDO generateAuthorizationCode(OAuthAuthzReqMessageContext
                 authorizationReqDTO.getConsumerKey(), authorizationCode, codeId,
                 authorizationReqDTO.getPkceCodeChallenge(), authorizationReqDTO.getPkceCodeChallengeMethod());
         authzCodeDO.setRequestedActor(authorizationReqDTO.getRequestedActor());
+        String appResidentOrganizationId = PrivilegedCarbonContext.getThreadLocalCarbonContext()
+                .getApplicationResidentOrganizationId();
+        if (StringUtils.isNotBlank(appResidentOrganizationId)) {
+            if (log.isDebugEnabled()) {
+                log.debug("Setting accessing organization id: " + appResidentOrganizationId +
+                        " and user resident organization in the authorization code data object.");
+            }
+            authzCodeDO.getAuthorizedUser().setAccessingOrganization(appResidentOrganizationId);
+            authzCodeDO.getAuthorizedUser().setUserResidentOrganization(appResidentOrganizationId);
+        }
         String appTenant = authorizationReqDTO.getTenantDomain();
         if (StringUtils.isNotEmpty(appTenant)) {
             OAuthTokenPersistenceFactory.getInstance().getAuthorizationCodeDAO()

components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/authz/validators/AbstractResponseTypeRequestValidator.java

@@ -104,7 +104,8 @@ public OAuth2ClientValidationResponseDTO validateClientInfo(HttpServletRequest r
         }
 
         try {
-            String appTenantDomain = OAuth2Util.getTenantDomainOfOauthApp(clientId);
+            String tenantDomain = IdentityTenantUtil.getTenantDomain(IdentityTenantUtil.getLoginTenantId());
+            String appTenantDomain = OAuth2Util.getTenantDomainOfOauthApp(clientId, tenantDomain);
             validateRequestTenantDomain(appTenantDomain);
             DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = null;
             if (LoggerUtils.isDiagnosticLogsEnabled()) {
@@ -125,7 +126,7 @@ public OAuth2ClientValidationResponseDTO validateClientInfo(HttpServletRequest r
             if (diagnosticLogBuilder != null) {
                 diagnosticLogBuilder.inputParam(LogConstants.InputKeys.CLIENT_ID, clientId);
             }
-            OAuthAppDO appDO = OAuth2Util.getAppInformationByClientId(clientId);
+            OAuthAppDO appDO = OAuth2Util.getAppInformationByClientId(clientId, appTenantDomain);
             String appState = appDO.getState();
 
             if (StringUtils.isEmpty(appState)) {

components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/dao/AuthorizationCodeDAOImpl.java

@@ -23,6 +23,7 @@
 import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.wso2.carbon.context.PrivilegedCarbonContext;
 import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
 import org.wso2.carbon.identity.application.common.IdentityApplicationManagementException;
 import org.wso2.carbon.identity.application.common.model.ServiceProvider;
@@ -38,6 +39,7 @@
 import org.wso2.carbon.identity.oauth2.model.AuthzCodeDO;
 import org.wso2.carbon.identity.oauth2.util.OAuth2TokenUtil;
 import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
+import org.wso2.carbon.identity.organization.management.service.exception.OrganizationManagementException;
 
 import java.sql.Connection;
 import java.sql.PreparedStatement;
@@ -230,7 +232,14 @@ public AuthorizationCodeValidationResult validateAuthorizationCode(String consum
 
             prepStmt = connection.prepareStatement(sql);
             prepStmt.setString(1, getPersistenceProcessor().getProcessedClientId(consumerKey));
-            prepStmt.setInt(2, IdentityTenantUtil.getLoginTenantId());
+            tenantId = IdentityTenantUtil.getLoginTenantId();
+            String appResidentOrganizationId = PrivilegedCarbonContext.getThreadLocalCarbonContext()
+                    .getApplicationResidentOrganizationId();
+            if (StringUtils.isNotEmpty(appResidentOrganizationId)) {
+                tenantId = IdentityTenantUtil.getTenantId(OAuth2ServiceComponentHolder.getInstance()
+                        .getOrganizationManager().resolveTenantDomain(appResidentOrganizationId));
+            }
+            prepStmt.setInt(2, tenantId);
             //use hash value for search
             prepStmt.setString(3, getHashingPersistenceProcessor().getProcessedAuthzCode(authorizationKey));
             resultSet = prepStmt.executeQuery();
@@ -266,6 +275,12 @@ public AuthorizationCodeValidationResult validateAuthorizationCode(String consum
                             "for client id " + consumerKey, e);
                 }
                 user.setAuthenticatedSubjectIdentifier(subjectIdentifier, serviceProvider);
+                if (StringUtils.isNotEmpty(appResidentOrganizationId)) {
+                    String userOrganizationId = OAuth2ServiceComponentHolder.getInstance().getOrganizationManager()
+                            .resolveOrganizationId(tenantDomain);
+                    user.setAccessingOrganization(appResidentOrganizationId);
+                    user.setUserResidentOrganization(userOrganizationId);
+                }
 
                 String tokenId = resultSet.getString(9);
                 String tokenBindingReference = NONE;
@@ -291,6 +306,8 @@ public AuthorizationCodeValidationResult validateAuthorizationCode(String consum
 
         } catch (SQLException | URLBuilderException e) {
             throw new IdentityOAuth2Exception("Error when validating an authorization code", e);
+        } catch (OrganizationManagementException e) {
+            throw new IdentityOAuth2Exception("Error occurred while resolving tenant id for organization.", e);
         } finally {
             IdentityDatabaseUtil.closeAllConnections(connection, resultSet, prepStmt);
         }