Introduce user organization attribute for the authenticated user object

wso2 · Sep 14, 2023 · de9853e · de9853e
1 parent 50a91f6
commit de9853e
Show file tree

Hide file tree

Showing 10 changed files with 79 additions and 8 deletions.
diff --git a/...n/identity/application/authentication/framework/handler/step/impl/DefaultStepHandler.java b/...n/identity/application/authentication/framework/handler/step/impl/DefaultStepHandler.java
@@ -47,6 +47,7 @@
 import org.wso2.carbon.identity.application.authentication.framework.exception.UserIdNotFoundException;
 import org.wso2.carbon.identity.application.authentication.framework.exception.UserSessionException;
 import org.wso2.carbon.identity.application.authentication.framework.handler.step.StepHandler;
+import org.wso2.carbon.identity.application.authentication.framework.internal.FrameworkServiceDataHolder;
 import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedIdPData;
 import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
 import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatorData;
@@ -66,6 +67,9 @@
 import org.wso2.carbon.identity.core.util.IdentityCoreConstants;
 import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
 import org.wso2.carbon.identity.core.util.IdentityUtil;
+import org.wso2.carbon.identity.organization.management.service.OrganizationManager;
+import org.wso2.carbon.identity.organization.management.service.exception.OrganizationManagementClientException;
+import org.wso2.carbon.identity.organization.management.service.exception.OrganizationManagementException;
 import org.wso2.carbon.idp.mgt.IdentityProviderManagementException;
 import org.wso2.carbon.user.core.UserCoreConstants;
 import org.wso2.carbon.user.core.UserStoreClientException;
@@ -751,6 +755,11 @@ protected void doAuthentication(HttpServletRequest request, HttpServletResponse
                 return;
             }
 
+            if (context.getSubject() != null) {
+                String userOrganization = resolveUserResideOrganization(context.getSubject(), authenticatorConfig);
+                context.getSubject().setUserOrganization(userOrganization);
+            }
+
             if (authenticator instanceof FederatedApplicationAuthenticator) {
 
                 if (context.getSubject().getUserName() == null) {
@@ -1420,4 +1429,36 @@ private void setLoggedInOrgIdInRequest(AuthenticatedIdPData authenticatedIdPData
             }
         }
     }
+
+    private String resolveUserResideOrganization(AuthenticatedUser authenticatedUser,
+                                                 AuthenticatorConfig authenticatorConfig) {
+
+        if (!FrameworkServiceDataHolder.getInstance().isOrganizationManagementEnabled()) {
+            return StringUtils.EMPTY;
+        }
+
+        // Check for user organization claim for the authenticated user via the organization login authenticator.
+        if (authenticatedUser.getUserAttributes() != null && isLoggedInWithOrganizationLogin(authenticatorConfig)) {
+            for (Map.Entry<ClaimMapping, String> userAttributes : authenticatedUser.getUserAttributes().entrySet()) {
+                if (FrameworkConstants.USER_ORGANIZATION_CLAIM.equals(
+                        userAttributes.getKey().getLocalClaim().getClaimUri())) {
+                    return userAttributes.getValue();
+                }
+            }
+        }
+
+        // For other users, the user reside organization is same as the corresponding organization of the tenant domain.
+        try {
+            OrganizationManager organizationManager = FrameworkServiceDataHolder.getInstance().getOrganizationManager();
+            if (organizationManager != null) {
+                return FrameworkServiceDataHolder.getInstance().getOrganizationManager()
+                        .resolveOrganizationId(authenticatedUser.getTenantDomain());
+            }
+        } catch (OrganizationManagementClientException e) {
+            LOG.debug("Organization ID is not found for the given tenant domain");
+        } catch (OrganizationManagementException e) {
+            throw new IdentityRuntimeException("Error while resolving the organization ID using tenant domain");
+        }
+        return StringUtils.EMPTY;
+    }
 }
diff --git a/...rg/wso2/carbon/identity/application/authentication/framework/model/AuthenticatedUser.java b/...rg/wso2/carbon/identity/application/authentication/framework/model/AuthenticatedUser.java
@@ -65,6 +65,7 @@ public class AuthenticatedUser extends User {
     private String authenticatedSubjectIdentifier;
     private String federatedIdPName;
     private boolean isFederatedUser;
+    private String userOrganization;
     private Map<ClaimMapping, String> userAttributes = new HashMap<>();
 
     /**
@@ -101,6 +102,7 @@ public AuthenticatedUser(AuthenticatedUser authenticatedUser) {
         if (!isFederatedUser && StringUtils.isNotEmpty(userStoreDomain) && StringUtils.isNotEmpty(tenantDomain)) {
             updateCaseSensitivity();
         }
+        this.userOrganization = authenticatedUser.getUserOrganization();
     }
 
     public AuthenticatedUser(org.wso2.carbon.user.core.common.User user) {
@@ -504,6 +506,26 @@ public void setFederatedIdPName(String federatedIdPName) {
         this.federatedIdPName = federatedIdPName;
     }
 
+    /**
+     * Returns the ID of the organization where the user identity is managed.
+     *
+     * @return userOrganization
+     */
+    public String getUserOrganization() {
+
+        return userOrganization;
+    }
+
+    /**
+     * Set the organization ID where the user identity is managed.
+     *
+     * @param userOrganization
+     */
+    public void setUserOrganization(String userOrganization) {
+
+        this.userOrganization = userOrganization;
+    }
+
     @Override
     public boolean equals(Object o) {
 

diff --git a/...es/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/db2.sql b/...es/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/db2.sql
@@ -95,10 +95,11 @@ CREATE TABLE IDN_OAUTH2_ACCESS_TOKEN (
             IDP_ID INTEGER DEFAULT -1 NOT NULL,
             TOKEN_BINDING_REF VARCHAR (32) DEFAULT 'NONE' NOT NULL,
             CONSENTED_TOKEN VARCHAR(6),
+            USER_ORGANIZATION VARCHAR(36),
             PRIMARY KEY (TOKEN_ID),
             FOREIGN KEY (CONSUMER_KEY_ID) REFERENCES IDN_OAUTH_CONSUMER_APPS(ID) ON DELETE CASCADE,
             CONSTRAINT CON_APP_KEY UNIQUE (CONSUMER_KEY_ID,AUTHZ_USER,TENANT_ID,USER_DOMAIN,USER_TYPE,TOKEN_SCOPE_HASH,
-                                 TOKEN_STATE,TOKEN_STATE_ID,IDP_ID,TOKEN_BINDING_REF)) INDEX IN TS32K
+                                 TOKEN_STATE,TOKEN_STATE_ID,IDP_ID,TOKEN_BINDING_REF,USER_ORGANIZATION)) INDEX IN TS32K
 /
 
 CREATE TABLE IDN_OAUTH2_TOKEN_BINDING (

diff --git a/...res/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/h2.sql b/...res/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/h2.sql
@@ -82,10 +82,11 @@ CREATE TABLE IF NOT EXISTS IDN_OAUTH2_ACCESS_TOKEN (
             IDP_ID INTEGER DEFAULT -1 NOT NULL,
             TOKEN_BINDING_REF VARCHAR (32) DEFAULT 'NONE',
             CONSENTED_TOKEN VARCHAR(6),
+            USER_ORGANIZATION VARCHAR(36),
             PRIMARY KEY (TOKEN_ID),
             FOREIGN KEY (CONSUMER_KEY_ID) REFERENCES IDN_OAUTH_CONSUMER_APPS(ID) ON DELETE CASCADE,
             CONSTRAINT CON_APP_KEY UNIQUE (CONSUMER_KEY_ID,AUTHZ_USER,TENANT_ID,USER_DOMAIN,USER_TYPE,TOKEN_SCOPE_HASH,
-                                           TOKEN_STATE,TOKEN_STATE_ID,IDP_ID,TOKEN_BINDING_REF)
+                                           TOKEN_STATE,TOKEN_STATE_ID,IDP_ID,TOKEN_BINDING_REF,USER_ORGANIZATION)
 );
 
 CREATE TABLE IF NOT EXISTS IDN_OAUTH2_TOKEN_BINDING (

diff --git a/.../identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/mssql.sql b/.../identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/mssql.sql
@@ -88,10 +88,11 @@ CREATE TABLE IDN_OAUTH2_ACCESS_TOKEN (
   IDP_ID INTEGER DEFAULT -1 NOT NULL,
   TOKEN_BINDING_REF VARCHAR (32) DEFAULT 'NONE',
   CONSENTED_TOKEN VARCHAR(6),
+  USER_ORGANIZATION VARCHAR(36),
   PRIMARY KEY (TOKEN_ID),
   FOREIGN KEY (CONSUMER_KEY_ID) REFERENCES IDN_OAUTH_CONSUMER_APPS(ID) ON DELETE CASCADE,
   CONSTRAINT CON_APP_KEY UNIQUE (CONSUMER_KEY_ID,AUTHZ_USER,TENANT_ID,USER_DOMAIN,USER_TYPE,TOKEN_SCOPE_HASH,
-                                 TOKEN_STATE,TOKEN_STATE_ID,IDP_ID,TOKEN_BINDING_REF)
+                                 TOKEN_STATE,TOKEN_STATE_ID,IDP_ID,TOKEN_BINDING_REF,USER_ORGANIZATION)
 );
 
 IF NOT  EXISTS (SELECT * FROM SYS.OBJECTS WHERE OBJECT_ID = OBJECT_ID(N'[DBO].[IDN_OAUTH2_TOKEN_BINDING]') AND TYPE IN (N'U'))

diff --git a/...y-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/mysql-cluster.sql b/...y-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/mysql-cluster.sql
@@ -90,11 +90,12 @@ CREATE TABLE IF NOT EXISTS IDN_OAUTH2_ACCESS_TOKEN (
   IDP_ID                        INTEGER DEFAULT -1 NOT NULL,
   TOKEN_BINDING_REF             VARCHAR(32) DEFAULT 'NONE',
   CONSENTED_TOKEN               VARCHAR(6),
+  USER_ORGANIZATION             VARCHAR(36),
   PRIMARY KEY (TOKEN_ID),
   FOREIGN KEY (CONSUMER_KEY_ID) REFERENCES IDN_OAUTH_CONSUMER_APPS (ID)
     ON DELETE CASCADE,
   CONSTRAINT CON_APP_KEY UNIQUE (CONSUMER_KEY_ID, AUTHZ_USER, TENANT_ID, USER_DOMAIN, USER_TYPE, TOKEN_SCOPE_HASH,
-                                 TOKEN_STATE, TOKEN_STATE_ID, IDP_ID, TOKEN_BINDING_REF)
+                                 TOKEN_STATE, TOKEN_STATE_ID, IDP_ID, TOKEN_BINDING_REF, USER_ORGANIZATION)
 )
   ENGINE NDB;
 

diff --git a/.../identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/mysql.sql b/.../identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/mysql.sql
@@ -82,10 +82,11 @@ CREATE TABLE IF NOT EXISTS IDN_OAUTH2_ACCESS_TOKEN (
             IDP_ID INTEGER DEFAULT -1 NOT NULL,
             TOKEN_BINDING_REF VARCHAR (32) DEFAULT 'NONE',
             CONSENTED_TOKEN VARCHAR(6),
+            USER_ORGANIZATION VARCHAR(36),
             PRIMARY KEY (TOKEN_ID),
             FOREIGN KEY (CONSUMER_KEY_ID) REFERENCES IDN_OAUTH_CONSUMER_APPS(ID) ON DELETE CASCADE,
             CONSTRAINT CON_APP_KEY UNIQUE (CONSUMER_KEY_ID,AUTHZ_USER,TENANT_ID,USER_DOMAIN,USER_TYPE,TOKEN_SCOPE_HASH,
-                                           TOKEN_STATE,TOKEN_STATE_ID,IDP_ID,TOKEN_BINDING_REF)
+                                           TOKEN_STATE,TOKEN_STATE_ID,IDP_ID,TOKEN_BINDING_REF,USER_ORGANIZATION)
 )DEFAULT CHARACTER SET latin1 ENGINE INNODB;
 
 CREATE TABLE IF NOT EXISTS IDN_OAUTH2_TOKEN_BINDING (

diff --git a/...identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/oracle.sql b/...identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/oracle.sql
@@ -89,10 +89,11 @@ CREATE TABLE IDN_OAUTH2_ACCESS_TOKEN (
             IDP_ID INTEGER DEFAULT -1 NOT NULL,
             TOKEN_BINDING_REF VARCHAR2 (32) DEFAULT 'NONE',
             CONSENTED_TOKEN VARCHAR(6),
+            USER_ORGANIZATION VARCHAR(36),
             PRIMARY KEY (TOKEN_ID),
             FOREIGN KEY (CONSUMER_KEY_ID) REFERENCES IDN_OAUTH_CONSUMER_APPS(ID) ON DELETE CASCADE,
             CONSTRAINT CON_APP_KEY UNIQUE (CONSUMER_KEY_ID,AUTHZ_USER,TENANT_ID,USER_DOMAIN,USER_TYPE,TOKEN_SCOPE_HASH,
-                                           TOKEN_STATE,TOKEN_STATE_ID,IDP_ID,TOKEN_BINDING_REF))
+                                           TOKEN_STATE,TOKEN_STATE_ID,IDP_ID,TOKEN_BINDING_REF,USER_ORGANIZATION))
 /
 CREATE TABLE IDN_OAUTH2_TOKEN_BINDING (
             TOKEN_ID VARCHAR2 (255),

diff --git a/...tity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/oracle_rac.sql b/...tity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/oracle_rac.sql
@@ -90,10 +90,11 @@ CREATE TABLE IDN_OAUTH2_ACCESS_TOKEN (
             IDP_ID INTEGER DEFAULT -1 NOT NULL,
             TOKEN_BINDING_REF VARCHAR2 (32) DEFAULT 'NONE',
             CONSENTED_TOKEN VARCHAR(6),
+            USER_ORGANIZATION VARCHAR(36),
             PRIMARY KEY (TOKEN_ID),
             FOREIGN KEY (CONSUMER_KEY_ID) REFERENCES IDN_OAUTH_CONSUMER_APPS(ID) ON DELETE CASCADE,
             CONSTRAINT CON_APP_KEY UNIQUE (CONSUMER_KEY_ID,AUTHZ_USER,TENANT_ID,USER_DOMAIN,USER_TYPE,TOKEN_SCOPE_HASH,
-            TOKEN_STATE,TOKEN_STATE_ID,IDP_ID,TOKEN_BINDING_REF))
+            TOKEN_STATE,TOKEN_STATE_ID,IDP_ID,TOKEN_BINDING_REF,USER_ORGANIZATION))
 /
 CREATE TABLE IDN_OAUTH2_TOKEN_BINDING (
             TOKEN_ID VARCHAR2 (255),

diff --git a/...tity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/postgresql.sql b/...tity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/postgresql.sql
@@ -90,10 +90,11 @@ CREATE TABLE IDN_OAUTH2_ACCESS_TOKEN (
             IDP_ID INTEGER DEFAULT -1 NOT NULL,
             TOKEN_BINDING_REF VARCHAR (32) DEFAULT 'NONE',
             CONSENTED_TOKEN VARCHAR(6),
+            USER_ORGANIZATION VARCHAR(36),
             PRIMARY KEY (TOKEN_ID),
             FOREIGN KEY (CONSUMER_KEY_ID) REFERENCES IDN_OAUTH_CONSUMER_APPS(ID) ON DELETE CASCADE,
             CONSTRAINT CON_APP_KEY UNIQUE (CONSUMER_KEY_ID,AUTHZ_USER,TENANT_ID,USER_DOMAIN,USER_TYPE,TOKEN_SCOPE_HASH,
-                                           TOKEN_STATE,TOKEN_STATE_ID,IDP_ID,TOKEN_BINDING_REF)
+                                           TOKEN_STATE,TOKEN_STATE_ID,IDP_ID,TOKEN_BINDING_REF,USER_ORGANIZATION)
 );
 
 DROP TABLE IF EXISTS IDN_OAUTH2_TOKEN_BINDING;