From 4af0ead6aebd353343518fe528924068a59f87ba Mon Sep 17 00:00:00 2001
From: Madhavi Gayathri
Date: Thu, 18 Jan 2024 14:52:42 +0530
Subject: [PATCH] Do OAuth scope validation before global scope validation only for legacy runtime.
---
 .../oauth2/authz/AuthorizationHandlerManager.java | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/authz/AuthorizationHandlerManager.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/authz/AuthorizationHandlerManager.java
index 4d2d8fabf00..b5d47da599d 100644
--- a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/authz/AuthorizationHandlerManager.java
+++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/authz/AuthorizationHandlerManager.java
@@ -290,18 +290,19 @@ private void validateRequestedScopes(OAuthAuthzReqMessageContext authzReqMsgCtx,
 removeInternalScopesFromRequestedScopes(authzReqMsgCtx);
 // Adding the authorized internal scopes to tokReqMsgCtx for any special validators to use.
 authzReqMsgCtx.setAuthorizedInternalScopes(authorizedInternalScopes);
+ // Drop unregistered scopes before global scope validators.
+ boolean isDropUnregisteredScopes = OAuthServerConfiguration.getInstance().isDropUnregisteredScopes();
+ if (isDropUnregisteredScopes) {
+ if (log.isDebugEnabled()) {
+ log.debug("DropUnregisteredScopes config is enabled. Attempting to drop unregistered scopes.");
+ }
+ dropUnregisteredScopeFromRequestedScopes(authzReqMsgCtx);
+ }
 } else {
 // Engage new scope validator
 authorizedScopes = getAuthorizedScopes(authzReqMsgCtx);
 removeAuthorizedScopesFromRequestedScopes(authzReqMsgCtx, authorizedScopes);
 }
- boolean isDropUnregisteredScopes = OAuthServerConfiguration.getInstance().isDropUnregisteredScopes();
- if (isDropUnregisteredScopes) {
- if (log.isDebugEnabled()) {
- log.debug("DropUnregisteredScopes config is enabled. Attempting to drop unregistered scopes.");
- }
- dropUnregisteredScopeFromRequestedScopes(authzReqMsgCtx);
- }
 //Validate scopes using global scope validators.
 boolean isValid = validateScopes(authzReqMsgCtx, authzHandler);
 boolean isValidatedScopesContainsInRequestedScopes = isValidatedScopesContainsInRequestedScopes(authzReqMsgCtx);
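Review bot: With the drop-unregistered-scopes step now nested inside the legacy `if` branch, the `else` path (`getAuthorizedScopes` / `removeAuthorizedScopesFromRequestedScopes`) no longer consults `isDropUnregisteredScopes()` before `validateScopes` runs, so the DropUnregisteredScopes configuration is silently ignored on the new runtime. If that is intended because the new scope validator is expected to strip unregistered scopes itself, the added comment should say so rather than only "before global scope validators", e.g. `// Legacy runtime only: the new scope validator path is expected to drop unregistered scopes itself.`; if it is not intended, unregistered requested scopes now reach the global validators on that path, which deserves a test pinning that they are still rejected. A debug line in the `else` branch noting that the config is not applied there would also help operators who enable it and expect the drop. validateRequestedScopes begins and ends outside the hunk.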