diff --git a/components/org.wso2.carbon.identity.application.authenticator.oidc/src/main/java/org/wso2/carbon/identity/application/authenticator/oidc/OIDCAuthenticatorConstants.java b/components/org.wso2.carbon.identity.application.authenticator.oidc/src/main/java/org/wso2/carbon/identity/application/authenticator/oidc/OIDCAuthenticatorConstants.java index ed787940..d83aea18 100644 --- a/components/org.wso2.carbon.identity.application.authenticator.oidc/src/main/java/org/wso2/carbon/identity/application/authenticator/oidc/OIDCAuthenticatorConstants.java +++ b/components/org.wso2.carbon.identity.application.authenticator.oidc/src/main/java/org/wso2/carbon/identity/application/authenticator/oidc/OIDCAuthenticatorConstants.java @@ -35,7 +35,6 @@ public class OIDCAuthenticatorConstants { public static final String EXPIRES_IN = "expires_in"; public static final String SHARE_FEDERATED_TOKEN_CONFIG = "ShareFederatedToken"; public static final String SHARE_FEDERATED_TOKEN_PARAM = "share_federated_token"; - public static final String FEDERATED_TOKEN_ALLOWED_SCOPE = "FederatedTokenAllowedScope"; public static final String FEDERATED_TOKEN_SCOPE = "federated_token_scope"; private OIDCAuthenticatorConstants() { diff --git a/components/org.wso2.carbon.identity.application.authenticator.oidc/src/main/java/org/wso2/carbon/identity/application/authenticator/oidc/OpenIDConnectAuthenticator.java b/components/org.wso2.carbon.identity.application.authenticator.oidc/src/main/java/org/wso2/carbon/identity/application/authenticator/oidc/OpenIDConnectAuthenticator.java index 45912358..90d9f8e1 100644 --- a/components/org.wso2.carbon.identity.application.authenticator.oidc/src/main/java/org/wso2/carbon/identity/application/authenticator/oidc/OpenIDConnectAuthenticator.java +++ b/components/org.wso2.carbon.identity.application.authenticator.oidc/src/main/java/org/wso2/carbon/identity/application/authenticator/oidc/OpenIDConnectAuthenticator.java @@ -526,7 +526,7 @@ protected String prepareLoginPage(HttpServletRequest request, AuthenticationCont if (Boolean.parseBoolean(authenticatorProperties.get(SHARE_FEDERATED_TOKEN_CONFIG)) && requestedToShareFederatedToken(context)) { // Adding the scopes requested by the application side for token sharing. - scopes = addValidScopesForFederatedTokenSharing(context, authenticatorProperties, scopes); + scopes = addApplicationRequestedScopesForFederatedTokenSharing(context, scopes); } String queryString = getQueryString(authenticatorProperties); @@ -619,7 +619,7 @@ protected String prepareLoginPage(HttpServletRequest request, AuthenticationCont } /** - * This method is used to append the application side requested scopes after validating. + * This method is used to append the application side requested scopes. * The application can request the scopes for federated token sharing either via adaptive scripts * or via the authorize request query parameters. The adaptive script has the first priority * while the request query parameters will be evaluated later. @@ -637,23 +637,16 @@ protected String prepareLoginPage(HttpServletRequest request, AuthenticationCont * &scope=email profile openid * &federated_token_scope=Google Calender;read write,Microsoft Authenticator;https://googleapis.calender * - * @param context The authentication context. - * @param authenticatorProperties The authenticator properties. - * @param scopes The scopes defined in the authenticator properties. - * @return The IDP defined scope and the validated scopes requested by the application. + * @param context The authentication context. + * @param scopes The scopes defined in the authenticator properties. + * @return The IDP defined scope and the scopes requested by the application. */ - private String addValidScopesForFederatedTokenSharing(AuthenticationContext context, - Map authenticatorProperties, String scopes) { + private String addApplicationRequestedScopesForFederatedTokenSharing(AuthenticationContext context, String scopes) { // Get the application requested scopes for the federated tokens. - String requestedScopesForTokenSharing = getRequestedScopesForTokenSharing(context); - - // Validating the application requested scopes by the authenticator allowed scopes for federated token sharing. - Set validScopesForTokenSharing = validateScopeForTokenSharing( - authenticatorProperties.get(OIDCAuthenticatorConstants.FEDERATED_TOKEN_ALLOWED_SCOPE), - requestedScopesForTokenSharing); + Set requestedScopesForTokenSharing = getRequestedScopesForTokenSharing(context); - if (CollectionUtils.isEmpty(validScopesForTokenSharing)) { + if (CollectionUtils.isEmpty(requestedScopesForTokenSharing)) { if (LOG.isDebugEnabled()) { LOG.debug("No matching scopes found for federated token sharing."); } @@ -661,14 +654,14 @@ private String addValidScopesForFederatedTokenSharing(AuthenticationContext cont } if (LOG.isDebugEnabled()) { - LOG.debug("Valid scopes found for the IDP" + getFederatedAuthenticatorName(context) + - " in federated token sharing: " + validScopesForTokenSharing); + LOG.debug("Requested scopes found for the IDP" + getFederatedAuthenticatorName(context) + + " in federated token sharing: " + requestedScopesForTokenSharing); } /* Remove the duplicate scopes among the validated scopes for federated token sharing and the existing scopes of the authenticators. */ - scopes = removeDuplicateScopes(scopes, validScopesForTokenSharing); + scopes = removeDuplicateScopes(scopes, requestedScopesForTokenSharing); if (LOG.isDebugEnabled()) { LOG.debug("The scopes for the IDP: " + getFederatedAuthenticatorName(context) + " : " + scopes + " after considering federated token sharing."); @@ -701,10 +694,11 @@ private String removeDuplicateScopes(String scopes, Set validScopesForTo * This method returns the scopes requested by the application for the federated tokens. * * @param context The authentication context. - * @return The scopes requested by the application for token sharing. + * @return The set of scopes requested by the application for token sharing. */ - private String getRequestedScopesForTokenSharing(AuthenticationContext context) { + private HashSet getRequestedScopesForTokenSharing(AuthenticationContext context) { + String requestedScopes; // The first priority is given to the parameters passed from the adaptive script. Then the query parameters. String requestedScopesViaAdaptiveScript = getAdaptiveScriptValues(context, OIDCAuthenticatorConstants.FEDERATED_TOKEN_SCOPE); @@ -712,9 +706,10 @@ private String getRequestedScopesForTokenSharing(AuthenticationContext context) if (StringUtils.isNotBlank(requestedScopesViaAdaptiveScript)) { if (LOG.isDebugEnabled()) { LOG.debug("Adaptive script parameter found for " + OIDCAuthenticatorConstants.FEDERATED_TOKEN_SCOPE - + " in federated token sharing, IDP: " + getFederatedAuthenticatorName(context)); + + " in federated token sharing, IDP: " + getFederatedAuthenticatorName(context) + + "value: " + requestedScopesViaAdaptiveScript); } - return requestedScopesViaAdaptiveScript; + requestedScopes = requestedScopesViaAdaptiveScript; } else { String requestedScopesViaQueryParams = getRequestedScopesViaQueryParams(context); if (LOG.isDebugEnabled() && StringUtils.isNotBlank(requestedScopesViaQueryParams)) { @@ -723,8 +718,12 @@ private String getRequestedScopesForTokenSharing(AuthenticationContext context) " value: " + requestedScopesViaQueryParams + " found for federated token sharing, IDP: " + getFederatedAuthenticatorName(context)); } - return requestedScopesViaQueryParams; + requestedScopes = requestedScopesViaQueryParams; + } + if (StringUtils.isNotBlank(requestedScopes)) { + return new HashSet<>(Arrays.asList(requestedScopes.split(SPACE_REGEX))); } + return null; } /** @@ -1119,37 +1118,6 @@ private void addFederatedTokensToContext(AuthenticationContext context, OAuthCli } } - /** - * This returns the intersection of the allowed scopes defined at the IDP configuration and the requested scopes - * from the application side for federated token sharing. - * - * @param allowedScope The administrator defined scopes in the IDP configuration for federated token sharing. - * @param requestedScope The application side requested scopes for federated token sharing. - * @return The intersection of the allowed and the requested scopes for federated token sharing as a set of list. - */ - private Set validateScopeForTokenSharing(String allowedScope, String requestedScope) { - - if (StringUtils.isBlank(allowedScope)) { - if (LOG.isDebugEnabled()) { - LOG.debug("No scopes are allowed for federated token sharing."); - } - return null; - } - if (StringUtils.isBlank(requestedScope)) { - if (LOG.isDebugEnabled()) { - LOG.debug("No scopes are requested for federated token sharing."); - } - return null; - } - Set allowedScopesSet = new HashSet<>(Arrays.asList(allowedScope.split(SPACE_REGEX))); - Set requestedScopesSet = new HashSet<>(Arrays.asList(requestedScope.split(SPACE_REGEX))); - - Set subset = new HashSet<>(requestedScopesSet); - subset.retainAll(allowedScopesSet); - - return subset; - } - /** * Generates OAuth client and returns the oAuthResponse according to the flow supported by the authenticator. * Overridden in Google Authenticator for Google one tap.