Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add tenant domain to jwt payload #2384

Merged
merged 5 commits into from
Mar 12, 2024
Merged

Add tenant domain to jwt payload #2384

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
4c8717f
Add tenant domain to jwt payload
chamilaadhi Feb 27, 2024
5ec7232
Address review comments
chamilaadhi Mar 4, 2024
21cd019
Address review comments
chamilaadhi Mar 4, 2024
1b369f5
Add review comments
chamilaadhi Mar 5, 2024
6085c41
Add review comments
chamilaadhi Mar 8, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
24 changes: 24 additions & 0 deletions ...y.oauth/src/main/java/org/wso2/carbon/identity/oauth/config/OAuthServerConfiguration.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -294,6 +294,7 @@ public class OAuthServerConfiguration {
private int deviceCodePollingInterval = 5000;
private String deviceCodeKeySet = "BCDFGHJKLMNPQRSTVWXYZbcdfghjklmnpqrstvwxyz23456789";
private String deviceAuthzEPUrl = null;
private boolean addTenantDomainToAccessTokenEnabled = false;

private OAuthServerConfiguration() {
buildOAuthServerConfiguration();
Expand Down Expand Up @@ -466,6 +467,9 @@ private void buildOAuthServerConfiguration() {

// Set the availability of oauth_response.jsp page.
setOAuthResponseJspPageAvailable();

// read domain information setting config.
isAddTenantDomainToAccessTokenEnabled(oauthElem);
}

/**
Expand Down Expand Up @@ -641,6 +645,12 @@ public String getDeviceAuthzEPUrl() {

return deviceAuthzEPUrl;
}

public boolean isAddTenantDomainToAccessTokenEnabled() {

return addTenantDomainToAccessTokenEnabled;
}

/**
* instantiate the OAuth token generator. to override the default implementation, one can specify the custom class
* in the identity.xml.
Expand Down Expand Up @@ -3190,6 +3200,18 @@ private void parseTokenRenewalPerRequestConfiguration(OMElement oauthConfigElem)
log.debug("RenewTokenPerRequest was set to : " + isTokenRenewalPerRequestEnabled);
}
}

private void isAddTenantDomainToAccessTokenEnabled(OMElement oauthConfigElem) {

OMElement enableAddDomainElem = oauthConfigElem.getFirstChildWithName(getQNameWithIdentityNS(
janakamarasena marked this conversation as resolved.
Show resolved Hide resolved
ConfigElements.ADD_TENANT_DOMAIN_TO_ACCESS_TOKEN));
if (enableAddDomainElem != null) {
addTenantDomainToAccessTokenEnabled = Boolean.parseBoolean(enableAddDomainElem.getText());
}
if (log.isDebugEnabled()) {
log.debug("AddTenantDomainToAccessTokenEnabled was set to : " + addTenantDomainToAccessTokenEnabled);
}
}

/**
* This method populates oauthTokenIssuerMap by reading the supportedTokenIssuers map. Earlier we only
Expand Down Expand Up @@ -3348,6 +3370,8 @@ private class ConfigElements {
private static final String OPENID_CONNECT_ADD_TENANT_DOMAIN_TO_ID_TOKEN = "AddTenantDomainToIdToken";
// Property to decide whether to add userstore domain to id_token.
private static final String OPENID_CONNECT_ADD_USERSTORE_DOMAIN_TO_ID_TOKEN = "AddUserstoreDomainToIdToken";
// Enable/Disable adding domain information to the token.
private static final String ADD_TENANT_DOMAIN_TO_ACCESS_TOKEN = "AddTenantDomainToAccessToken";
private static final String REQUEST_OBJECT_ENABLED = "RequestObjectEnabled";
private static final String ENABLE_FAPI_CIBA_PROFILE = "EnableCibaProfile";
private static final String ENABLE_FAPI_SECURITY_PROFILE = "EnableSecurityProfile";
Expand Down
7 changes: 7 additions & 0 deletions ...on.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/JWTTokenIssuer.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -102,6 +102,8 @@ public class JWTTokenIssuer extends OauthTokenIssuerImpl {

private static final String AUTHORIZATION_PARTY = "azp";
private static final String CLIENT_ID = "client_id";
private static final String APP_TENANT_DOMAIN = "app_td";
private static final String USER_TENANT_DOMAIN = "user_td";
private static final String AUDIENCE = "aud";
private static final String SCOPE = "scope";
private static final String TOKEN_BINDING_REF = "binding_ref";
Expand Down Expand Up @@ -479,6 +481,11 @@ protected JWTClaimsSet createJWTClaimSet(OAuthAuthzReqMessageContext authAuthzRe
jwtClaimsSetBuilder.notBeforeTime(new Date(curTimeInMillis));
jwtClaimsSetBuilder.claim(CLIENT_ID, consumerKey);

if (OAuthServerConfiguration.getInstance().isAddTenantDomainToAccessTokenEnabled()) {
jwtClaimsSetBuilder.claim(APP_TENANT_DOMAIN, spTenantDomain);
jwtClaimsSetBuilder.claim(USER_TENANT_DOMAIN, authenticatedUser.getTenantDomain());
}

setClaimsForNonPersistence(jwtClaimsSetBuilder, authAuthzReqMessageContext, tokenReqMessageContext,
authenticatedUser, oAuthAppDO);
String scope = getScope(authAuthzReqMessageContext, tokenReqMessageContext);
Expand Down