fix business admin roles issue
Yoshani committed Feb 19, 2024
1 parent d3ce6da commit 78bdaa2
Showing 6 changed files with 16 additions and 3 deletions.
@@ -47,6 +47,7 @@
import org.wso2.carbon.identity.application.common.model.IdentityProvider;
import org.wso2.carbon.identity.application.common.model.ServiceProvider;
import org.wso2.carbon.identity.application.mgt.ApplicationConstants;
import org.wso2.carbon.identity.base.IdentityConstants;
import org.wso2.carbon.identity.central.log.mgt.utils.LoggerUtils;
import org.wso2.carbon.identity.claim.metadata.mgt.ClaimMetadataHandler;
import org.wso2.carbon.identity.claim.metadata.mgt.exception.ClaimMetadataException;
@@ -198,7 +199,10 @@ protected Map<String, String> handleFederatedClaims(Map<String, String> remoteCl
String serviceProviderMappedUserRoles;

boolean useAppAssociatedRoles = isAppRoleResolverExists() || !CarbonConstants.ENABLE_LEGACY_AUTHZ_RUNTIME;
if (useAppAssociatedRoles) {
boolean excludeSuperTenantForLegacyRolesClaim =
FrameworkConstants.SUPER_TENANT_DOMAIN.equals(context.getTenantDomain()) &&
Boolean.parseBoolean(IdentityUtil.getProperty(IdentityConstants.ALLOW_LEGACY_AUTHZ_CLAIMS));
if (useAppAssociatedRoles && !excludeSuperTenantForLegacyRolesClaim) {
// This handles the idp group to local role assignments in the new authz flow.
String idpGroupClaimUri = FrameworkUtils.getEffectiveIdpGroupClaimUri(stepConfig, context);
boolean idpGroupsExists = isIdpGroupsExistForIDP(context.getExternalIdP().getIdentityProvider());
@@ -755,7 +759,8 @@ protected Map<String, String> handleLocalClaims(String spStandardDialect,
.getMultiAttributeSeparator(), appAssociatedRoles));
}
} else {
if (isRoleClaimRequested) {
if (isRoleClaimRequested && !Boolean.parseBoolean(IdentityUtil.getProperty(
IdentityConstants.ALLOW_LEGACY_AUTHZ_CLAIMS))) {
allLocalClaims.put(rolesClaimURI, String.join(FrameworkUtils.getMultiAttributeSeparator(),
StringUtils.EMPTY));
}
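Review bot: The new gate in handleLocalClaims (`isRoleClaimRequested && !Boolean.parseBoolean(IdentityUtil.getProperty(IdentityConstants.ALLOW_LEGACY_AUTHZ_CLAIMS))`) applies to every tenant, while the matching gate in handleFederatedClaims only takes the legacy path when `FrameworkConstants.SUPER_TENANT_DOMAIN.equals(context.getTenantDomain())` also holds, so enabling the flag stops the roles claim from being cleared for sub-tenant applications as well. If the super-tenant restriction is intended (the name `excludeSuperTenantForLegacyRolesClaim` suggests it is), the second condition should carry the same tenant check, e.g. `if (isRoleClaimRequested && !(FrameworkConstants.SUPER_TENANT_DOMAIN.equals(tenantDomain) && Boolean.parseBoolean(IdentityUtil.getProperty(IdentityConstants.ALLOW_LEGACY_AUTHZ_CLAIMS))))` using whichever local holds the tenant domain in that method; otherwise a comment should state why the local-claims path is deliberately tenant-agnostic. Reading and parsing the same property at two call sites also invites drift, so a private `isLegacyAuthzClaimsAllowed(String tenantDomain)` helper used by both would keep this security-relevant policy in one place. Both handleFederatedClaims and handleLocalClaims start and end outside these hunks, so the `else` branch that now receives the super-tenant legacy case in the first hunk is not visible here.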
@@ -254,6 +254,7 @@ public abstract class FrameworkConstants {
public static final String REQ_ATTR_RETRY_STATUS = "retryStatus";
public static final String IDP_MAPPED_USER_ROLES = "identityProviderMappedUserRoles";
public static final String ALLOW_ASSOCIATING_TO_EXISTING_USER = "JITProvisioning.AllowAssociatingToExistingUser";
public static final String SUPER_TENANT_DOMAIN = "carbon.super";

private FrameworkConstants() {

@@ -166,6 +166,7 @@ public class IdentityConstants {

public static final String IDENTITY_UTIL_ENABLE_SHA256 = "IdentityUtil.EnableSHA256";
public static final String CERT_THUMBPRINT_ENABLE_SHA256 = "CertThumbprint.EnableSHA256";
public static final String ALLOW_LEGACY_AUTHZ_CLAIMS = "AllowLegacyAuthzClaims";

private IdentityConstants() {
}
@@ -2550,4 +2550,6 @@
when an account is locked. -->
<SetAccountLockAuthFailureReason>false</SetAccountLockAuthFailureReason>
</APIResponse>

<AllowLegacyAuthzClaims>false</AllowLegacyAuthzClaims>
</Server>
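Review bot: `<AllowLegacyAuthzClaims>false</AllowLegacyAuthzClaims>` is added here without any comment, unlike its template counterpart, so a reader of this file cannot tell what the flag relaxes or why it defaults to false. A short comment above it would help, e.g. `<!-- When true, the roles claim produced by the legacy authorization runtime is passed to applications instead of being cleared; keep false unless a deployment depends on the legacy behaviour. -->`. The exact effect should be confirmed against the claim-handler changes in this commit before wording it, since this page shows only the two gated branches.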
@@ -3953,4 +3953,7 @@

<SuperTenantAliasInPublicUrl>{{super_tenant.alias_in_public_url}}</SuperTenantAliasInPublicUrl>

<!-- Config to allow legacy roles claim behaviors -->
<AllowLegacyAuthzClaims>{{legacy_claims.allow_roles}}</AllowLegacyAuthzClaims>

</Server>
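Review bot: The comment `Config to allow legacy roles claim behaviors` does not say what the behaviour is or what enabling it exposes, which matters because the flag switches off a default that deliberately blanks the roles claim sent to applications. Suggest `<!-- When true, the roles claim from the legacy authorization runtime is passed to applications instead of being cleared (the federated-claims path applies this only for the super tenant). Security-sensitive: leave false unless a legacy deployment depends on it. -->`. The super-tenant qualifier is taken from the federated-claims hunk in this commit and should be re-checked against the full claim-handler code rather than this page alone.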
@@ -1516,5 +1516,6 @@

"super_tenant.alias_in_public_url": "",
"connector.challenge_questions.enable": false,
"tenant_mgt.enable_email_domain": false
"tenant_mgt.enable_email_domain": false,
"legacy_claims.allow_roles": false
}
