fix business admin roles issue

wso2 · Feb 26, 2024 · d2f746f · d2f746f
1 parent d3ce6da
commit d2f746f
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 3 deletions.
diff --git a/...dentity/application/authentication/framework/handler/claims/impl/DefaultClaimHandler.java b/...dentity/application/authentication/framework/handler/claims/impl/DefaultClaimHandler.java
@@ -47,6 +47,7 @@
 import org.wso2.carbon.identity.application.common.model.IdentityProvider;
 import org.wso2.carbon.identity.application.common.model.ServiceProvider;
 import org.wso2.carbon.identity.application.mgt.ApplicationConstants;
+import org.wso2.carbon.identity.base.IdentityConstants;
 import org.wso2.carbon.identity.central.log.mgt.utils.LoggerUtils;
 import org.wso2.carbon.identity.claim.metadata.mgt.ClaimMetadataHandler;
 import org.wso2.carbon.identity.claim.metadata.mgt.exception.ClaimMetadataException;
@@ -198,7 +199,10 @@ protected Map<String, String> handleFederatedClaims(Map<String, String> remoteCl
         String serviceProviderMappedUserRoles;
 
         boolean useAppAssociatedRoles = isAppRoleResolverExists() || !CarbonConstants.ENABLE_LEGACY_AUTHZ_RUNTIME;
-        if (useAppAssociatedRoles) {
+        boolean excludeSuperTenantForLegacyRolesClaim =
+                MultitenantConstants.SUPER_TENANT_DOMAIN_NAME.equals(context.getTenantDomain()) &&
+                Boolean.parseBoolean(IdentityUtil.getProperty(IdentityConstants.ALLOW_LEGACY_AUTHZ_CLAIMS));
+        if (useAppAssociatedRoles && !excludeSuperTenantForLegacyRolesClaim) {
             // This handles the idp group to local role assignments in the new authz flow.
             String idpGroupClaimUri = FrameworkUtils.getEffectiveIdpGroupClaimUri(stepConfig, context);
             boolean idpGroupsExists = isIdpGroupsExistForIDP(context.getExternalIdP().getIdentityProvider());
@@ -755,7 +759,8 @@ protected Map<String, String> handleLocalClaims(String spStandardDialect,
                             .getMultiAttributeSeparator(), appAssociatedRoles));
                 }
             } else {
-                if (isRoleClaimRequested) {
+                if (isRoleClaimRequested && !Boolean.parseBoolean(IdentityUtil.getProperty(
+                        IdentityConstants.ALLOW_LEGACY_AUTHZ_CLAIMS))) {
                     allLocalClaims.put(rolesClaimURI, String.join(FrameworkUtils.getMultiAttributeSeparator(),
                             StringUtils.EMPTY));
                 }

diff --git a/...2.carbon.identity.base/src/main/java/org/wso2/carbon/identity/base/IdentityConstants.java b/...2.carbon.identity.base/src/main/java/org/wso2/carbon/identity/base/IdentityConstants.java
@@ -166,6 +166,7 @@ public class IdentityConstants {
 
     public static final String IDENTITY_UTIL_ENABLE_SHA256 = "IdentityUtil.EnableSHA256";
     public static final String CERT_THUMBPRINT_ENABLE_SHA256 = "CertThumbprint.EnableSHA256";
+    public static final String ALLOW_LEGACY_AUTHZ_CLAIMS = "AllowLegacyAuthzClaims";
 
     private IdentityConstants() {
     }

diff --git a/...ures/identity-core/org.wso2.carbon.identity.core.server.feature/resources/identity.xml.j2 b/...ures/identity-core/org.wso2.carbon.identity.core.server.feature/resources/identity.xml.j2
@@ -3953,4 +3953,9 @@
 
     <SuperTenantAliasInPublicUrl>{{super_tenant.alias_in_public_url}}</SuperTenantAliasInPublicUrl>
 
+    {% if legacy_claims.allow_roles is defined %}
+    <!-- Config to allow legacy roles claim behaviors -->
+    <AllowLegacyAuthzClaims>{{legacy_claims.allow_roles}}</AllowLegacyAuthzClaims>
+    {% endif %}
+
 </Server>
diff --git a/...y.core.server.feature/resources/org.wso2.carbon.identity.core.server.feature.default.json b/...y.core.server.feature/resources/org.wso2.carbon.identity.core.server.feature.default.json
@@ -1516,5 +1516,6 @@
 
   "super_tenant.alias_in_public_url": "",
   "connector.challenge_questions.enable": false,
-  "tenant_mgt.enable_email_domain": false
+  "tenant_mgt.enable_email_domain": false,
+  "legacy_claims.allow_roles": false
 }