wso2-extensions · indeewari · Apr 16, 2024
diff --git a/...a/org/wso2/carbon/identity/application/authenticator/oidc/OIDCAuthenticatorConstants.java b/...a/org/wso2/carbon/identity/application/authenticator/oidc/OIDCAuthenticatorConstants.java
@@ -35,7 +35,6 @@ public class OIDCAuthenticatorConstants {
     public static final String EXPIRES_IN = "expires_in";
     public static final String SHARE_FEDERATED_TOKEN_CONFIG = "ShareFederatedToken";
     public static final String SHARE_FEDERATED_TOKEN_PARAM = "share_federated_token";
-    public static final String FEDERATED_TOKEN_ALLOWED_SCOPE = "FederatedTokenAllowedScope";
     public static final String FEDERATED_TOKEN_SCOPE = "federated_token_scope";
 
     private OIDCAuthenticatorConstants() {

diff --git a/...a/org/wso2/carbon/identity/application/authenticator/oidc/OpenIDConnectAuthenticator.java b/...a/org/wso2/carbon/identity/application/authenticator/oidc/OpenIDConnectAuthenticator.java
@@ -526,7 +526,7 @@ protected String prepareLoginPage(HttpServletRequest request, AuthenticationCont
                 if (Boolean.parseBoolean(authenticatorProperties.get(SHARE_FEDERATED_TOKEN_CONFIG)) &&
                         requestedToShareFederatedToken(context)) {
                     // Adding the scopes requested by the application side for token sharing.
-                    scopes = addValidScopesForFederatedTokenSharing(context, authenticatorProperties, scopes);
+                    scopes = addApplicationRequestedScopesForFederatedTokenSharing(context, scopes);
                 }
 
                 String queryString = getQueryString(authenticatorProperties);
@@ -619,7 +619,7 @@ protected String prepareLoginPage(HttpServletRequest request, AuthenticationCont
     }
 
     /**
-     * This method is used to append the application side requested scopes after validating.
+     * This method is used to append the application side requested scopes.
      * The application can request the scopes for federated token sharing either via adaptive scripts
      * or via the authorize request query parameters. The adaptive script has the first priority
      * while the request query parameters will be evaluated later.
@@ -637,38 +637,31 @@ protected String prepareLoginPage(HttpServletRequest request, AuthenticationCont
      * &scope=email profile openid
      * &federated_token_scope=Google Calender;read write,Microsoft Authenticator;https://googleapis.calender
      *
-     * @param context                 The authentication context.
-     * @param authenticatorProperties The authenticator properties.
-     * @param scopes                  The scopes defined in the authenticator properties.
-     * @return The IDP defined scope and the validated scopes requested by the application.
+     * @param context The authentication context.
+     * @param scopes  The scopes defined in the authenticator properties.
+     * @return The IDP defined scope and the scopes requested by the application.
      */
-    private String addValidScopesForFederatedTokenSharing(AuthenticationContext context,
-                                                          Map<String, String> authenticatorProperties, String scopes) {
+    private String addApplicationRequestedScopesForFederatedTokenSharing(AuthenticationContext context, String scopes) {
 
         // Get the application requested scopes for the federated tokens.
-        String requestedScopesForTokenSharing = getRequestedScopesForTokenSharing(context);
-
-        // Validating the application requested scopes by the authenticator allowed scopes for federated token sharing.
-        Set<String> validScopesForTokenSharing = validateScopeForTokenSharing(
-                authenticatorProperties.get(OIDCAuthenticatorConstants.FEDERATED_TOKEN_ALLOWED_SCOPE),
-                requestedScopesForTokenSharing);
+        Set<String> requestedScopesForTokenSharing = getRequestedScopesForTokenSharing(context);
 
-        if (CollectionUtils.isEmpty(validScopesForTokenSharing)) {
+        if (CollectionUtils.isEmpty(requestedScopesForTokenSharing)) {
             if (LOG.isDebugEnabled()) {
                 LOG.debug("No matching scopes found for federated token sharing.");
             }
             return scopes;
         }
 
         if (LOG.isDebugEnabled()) {
-            LOG.debug("Valid scopes found for the IDP" + getFederatedAuthenticatorName(context) +
-                    " in federated token sharing: " + validScopesForTokenSharing);
+            LOG.debug("Requested scopes found for the IDP" + getFederatedAuthenticatorName(context) +
+                    " in federated token sharing: " + requestedScopesForTokenSharing);
         }
         /*
         Remove the duplicate scopes among the validated scopes for federated token sharing and the existing scopes
         of the authenticators.
          */
-        scopes = removeDuplicateScopes(scopes, validScopesForTokenSharing);
+        scopes = removeDuplicateScopes(scopes, requestedScopesForTokenSharing);
         if (LOG.isDebugEnabled()) {
             LOG.debug("The scopes for the IDP: " + getFederatedAuthenticatorName(context) + " : " + scopes +
                     " after considering federated token sharing.");
@@ -701,20 +694,22 @@ private String removeDuplicateScopes(String scopes, Set<String> validScopesForTo
      * This method returns the scopes requested by the application for the federated tokens.
      *
      * @param context The authentication context.
-     * @return The scopes requested by the application for token sharing.
+     * @return The set of scopes requested by the application for token sharing.
      */
-    private String getRequestedScopesForTokenSharing(AuthenticationContext context) {
+    private HashSet<String> getRequestedScopesForTokenSharing(AuthenticationContext context) {
 
+        String requestedScopes;
         // The first priority is given to the parameters passed from the adaptive script. Then the query parameters.
         String requestedScopesViaAdaptiveScript =
                 getAdaptiveScriptValues(context, OIDCAuthenticatorConstants.FEDERATED_TOKEN_SCOPE);
         // Checks if there exists scopes requested via adaptive script.
         if (StringUtils.isNotBlank(requestedScopesViaAdaptiveScript)) {
             if (LOG.isDebugEnabled()) {
                 LOG.debug("Adaptive script parameter found for " + OIDCAuthenticatorConstants.FEDERATED_TOKEN_SCOPE
-                        + " in federated token sharing, IDP: " + getFederatedAuthenticatorName(context));
+                        + " in federated token sharing, IDP: " + getFederatedAuthenticatorName(context)
+                        + "value: " + requestedScopesViaAdaptiveScript);
             }
-            return requestedScopesViaAdaptiveScript;
+            requestedScopes = requestedScopesViaAdaptiveScript;
         } else {
             String requestedScopesViaQueryParams = getRequestedScopesViaQueryParams(context);
             if (LOG.isDebugEnabled() && StringUtils.isNotBlank(requestedScopesViaQueryParams)) {
@@ -723,8 +718,12 @@ private String getRequestedScopesForTokenSharing(AuthenticationContext context)
                         " value: " + requestedScopesViaQueryParams + " found for federated token sharing, IDP: "
                         + getFederatedAuthenticatorName(context));
             }
-            return requestedScopesViaQueryParams;
+            requestedScopes = requestedScopesViaQueryParams;
+        }
+        if (StringUtils.isNotBlank(requestedScopes)) {
+            return new HashSet<>(Arrays.asList(requestedScopes.split(SPACE_REGEX)));
         }
+        return null;
     }
 
     /**
@@ -1119,37 +1118,6 @@ private void addFederatedTokensToContext(AuthenticationContext context, OAuthCli
         }
     }
 
-    /**
-     * This returns the intersection of the allowed scopes defined at the IDP configuration and the requested scopes
-     * from the application side for federated token sharing.
-     *
-     * @param allowedScope   The administrator defined scopes in the IDP configuration for federated token sharing.
-     * @param requestedScope The application side requested scopes for federated token sharing.
-     * @return The intersection of the allowed and the requested scopes for federated token sharing as a set of list.
-     */
-    private Set<String> validateScopeForTokenSharing(String allowedScope, String requestedScope) {
-
-        if (StringUtils.isBlank(allowedScope)) {
-            if (LOG.isDebugEnabled()) {
-                LOG.debug("No scopes are allowed for federated token sharing.");
-            }
-            return null;
-        }
-        if (StringUtils.isBlank(requestedScope)) {
-            if (LOG.isDebugEnabled()) {
-                LOG.debug("No scopes are requested for federated token sharing.");
-            }
-            return null;
-        }
-        Set<String> allowedScopesSet = new HashSet<>(Arrays.asList(allowedScope.split(SPACE_REGEX)));
-        Set<String> requestedScopesSet = new HashSet<>(Arrays.asList(requestedScope.split(SPACE_REGEX)));
-
-        Set<String> subset = new HashSet<>(requestedScopesSet);
-        subset.retainAll(allowedScopesSet);
-
-        return subset;
-    }
-
     /**
      * Generates OAuth client and returns the oAuthResponse according to the flow supported by the authenticator.
      * Overridden in Google Authenticator for Google one tap.