Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Extract only shared roles from the user's role list when login to a shared app #2703

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Extract only shared roles from the user's role list when login to a shared app #2703

wants to merge 1 commit into from

Conversation

ShanChathusanda93
Copy link
Contributor

Proposed changes in this pull request

  • $subject
  • When login with organization SSO flow, the user's role list will be extracted from the userinfo call.
  • When getting the roles, only shared roles will be picked if the accessing app is a shared app

@codecov Codecov
Copy link

codecov bot commented Feb 9, 2025
edited
Loading

Codecov Report

Attention: Patch coverage is 45.45455% with 18 lines in your changes missing coverage. Please review.

Project coverage is 56.53%. Comparing base (3d191a2) to head (64415f6).
Report is 18 commits behind head on master.

Files with missing lines Patch % Lines
...carbon/identity/oauth/endpoint/util/ClaimUtil.java 45.45% 11 Missing and 7 partials ⚠️
Additional details and impacted files 
@@             Coverage Diff              @@
##             master    #2703      +/-   ##
============================================
- Coverage     56.54%   56.53%   -0.02%     
- Complexity     8543     8555      +12     
============================================
  Files           654      654              
  Lines         48522    48607      +85     
  Branches      10131    10144      +13     
============================================
+ Hits          27436    27479      +43     
- Misses        17172    17228      +56     
+ Partials       3914     3900      -14
Flag Coverage Δ
unit 39.93% <45.45%> (+0.16%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@ShanChathusanda93 ShanChathusanda93 mentioned this pull request Feb 9, 2025
Closed
@ShanChathusanda93 ShanChathusanda93 mentioned this pull request Feb 11, 2025
Closed
@ShanChathusanda93 ShanChathusanda93 force-pushed the shared-apps-to-shared-roles-branch branch 5 times, most recently from 2d456eb to 84abe2b Compare February 14, 2025 07:30
@ShanChathusanda93 ShanChathusanda93 force-pushed the shared-apps-to-shared-roles-branch branch from 84abe2b to 64415f6 Compare February 14, 2025 09:04
@AnuradhaSK
Copy link
Contributor

For the ID token is this properly handled ? Hope this is the place

identity-inbound-auth-oauth/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/openidconnect/OIDCClaimUtil.java

Line 512 in 07f4172

String[] appAssocatedRolesOfUser = getAppAssociatedRolesOfUser(authenticatedUser,

@jenkins-is-staging
Copy link

PR builder started
Link: https://github.com/wso2/product-is/actions/runs/13326284949

@jenkins-is-staging
Copy link

PR builder completed
Link: https://github.com/wso2/product-is/actions/runs/13326284949
Status: failure

sadilchamishka
sadilchamishka reviewed Feb 18, 2025
View reviewed changes
...ity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/util/ClaimUtil.java
List<String> userRoles) throws FrameworkException {

List<String> rolesAssociatedWithApp = new ArrayList<>();
if (CollectionUtils.isNotEmpty(userRoles)) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's refactor the code for better readbility.
Ex:
if (CollectionUtils.isEmpty(userRoles)) {
return rolesAssociatedWithApp;
}

sadilchamishka
sadilchamishka reviewed Feb 18, 2025
View reviewed changes
...ity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/util/ClaimUtil.java
Check whether the application is a fragment application and if so, add only the shared roles
to the user's role list.
*/
if (serviceProvider.getSpProperties() != null && Arrays.stream(serviceProvider.getSpProperties()).anyMatch(
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's apply the same comment for here also. Avoiding the code right shifting will increase the readability.

sadilchamishka
sadilchamishka reviewed Feb 18, 2025
View reviewed changes
...ity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/util/ClaimUtil.java
getRoleIdByName(removeInternalDomain(roleName), RoleConstants.ORGANIZATION,
serviceProvider.getTenantDomain(), serviceProvider.getTenantDomain());
if (roleId != null) {
Role role = OAuth2ServiceComponentHolder.getInstance().getRoleManagementServiceV2().
Copy link
Contributor

@sadilchamishka sadilchamishka Feb 18, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We may not need to get the role object in order to decide whether this is shared role or not.
We can try to get the main role, if it exist it is a shared role.
What need to check is whether we have to db calls for both approaches or any approach is backed by cache.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sadilchamishka sadilchamishka sadilchamishka left review comments

@Yasasr1 Yasasr1 Yasasr1 left review comments

@SujanSanjula96 SujanSanjula96 SujanSanjula96 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@ShanChathusanda93 @AnuradhaSK @jenkins-is-staging @sadilchamishka @Yasasr1 @SujanSanjula96