From 3eaed0d020b37c18b857fb6385f54653f0290937 Mon Sep 17 00:00:00 2001
From: kanapriya
Date: Fri, 22 Dec 2023 10:48:08 +0530
Subject: [PATCH] Fix OIDC federated users are not able to get scopes even though proper role mapping configurations are added
Improve the code base
---
 .../wso2/carbon/identity/oauth2/Oauth2ScopeConstants.java | 1 +
 .../JDBCPermissionBasedInternalScopeValidator.java | 5 +++++
 2 files changed, 6 insertions(+)
diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/Oauth2ScopeConstants.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/Oauth2ScopeConstants.java
index b15639bc493..36d52bdfba0 100644
--- a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/Oauth2ScopeConstants.java
+++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/Oauth2ScopeConstants.java
@@ -36,6 +36,7 @@ public class Oauth2ScopeConstants {
 public static final String INTERNAL_SCOPE_PREFIX = "internal_";
 public static final String INTERNAL_ORG_SCOPE_PREFIX = "internal_org_";
 public static final String CORRELATION_ID_MDC = "Correlation-ID";
+ public static final String INTERNAL_ROLE_PREFIX = "INTERNAL/";
 /**
 * Enums for error messages.
diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/JDBCPermissionBasedInternalScopeValidator.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/JDBCPermissionBasedInternalScopeValidator.java
index c1accf32d4a..d74ef71cb73 100644
--- a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/JDBCPermissionBasedInternalScopeValidator.java
+++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/JDBCPermissionBasedInternalScopeValidator.java
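Review bot: The new constant `INTERNAL_ROLE_PREFIX = "INTERNAL/"` hard-codes both the domain name and the `/` separator, and the validator hunk in this patch compares it with `List.contains`, which is an exact, case-sensitive match; if the group values carried for the federated user use a different casing (for example `Internal/`), the new mapping branch silently never applies. If the code base already uses the user-core domain constants (`UserCoreConstants.INTERNAL_DOMAIN` and `UserCoreConstants.DOMAIN_SEPARATOR`), building the prefix from them keeps the two in step, but confirm which casing the incoming group values actually use before switching, since that would change the literal. Either way a short comment on the constant would help, e.g. `// Domain-qualified form of an internal role name; must match the casing used in federated group values.`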
@@ -68,6 +68,7 @@
 import java.util.regex.Pattern;
 import java.util.stream.Collectors;
+import static org.wso2.carbon.identity.oauth2.Oauth2ScopeConstants.INTERNAL_ROLE_PREFIX;
 import static org.wso2.carbon.identity.oauth2.Oauth2ScopeConstants.SYSTEM_SCOPE;
 import static org.wso2.carbon.identity.oauth2.util.OAuth2Util.getRolesFromFederatedUserAttributes;
@@ -303,8 +304,12 @@ private String[] getAllowedResourcesForNotAssociatedFederatedUser(AuthenticatedU
 if (CollectionUtils.isNotEmpty(valuesOfGroups)) {
 for (RoleMapping roleMapping : identityProvider.getPermissionAndRoleConfig().getRoleMappings()) {
 if (roleMapping != null && roleMapping.getLocalRole() != null) {
+ String internalRoleName = INTERNAL_ROLE_PREFIX + roleMapping.getLocalRole().getLocalRoleName();
 if (valuesOfGroups.contains(roleMapping.getLocalRole().getLocalRoleName())) {
 userRolesList.add(roleMapping.getLocalRole().getLocalRoleName());
+ } else if (StringUtils.isNotBlank(roleMapping.getLocalRole().getUserStoreId()) &&
+ valuesOfGroups.contains(internalRoleName)) {
+ userRolesList.add(internalRoleName);
 }
 }
 }
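Review bot: The new `else if` branch gates the prefixed match on `StringUtils.isNotBlank(roleMapping.getLocalRole().getUserStoreId())`, but nothing in the hunk explains why a non-blank user store id means the group value will carry the `INTERNAL/` prefix, and the two branches now add differently shaped entries to `userRolesList` (the bare local role name versus the prefixed one), so whatever consumes that list afterwards must accept both forms. Because this list decides which internal scopes a federated user is granted, a why-comment above the branch would help the next reader, e.g. `// Group values may arrive in the domain-qualified form (INTERNAL/<role>); accept it when the mapping names a user store.` Also, `internalRoleName` is concatenated for every mapping although only the `else if` reads it; moving the concatenation into that branch keeps the common path as it was. getAllowedResourcesForNotAssociatedFederatedUser starts before this hunk and continues after it.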