Introduce accessing organization and user resident organization attributes for the authenticated user. #4915

Conversation

sadilchamishka
Contributor

@sadilchamishka sadilchamishka commented Sep 13, 2023

Proposed changes in this pull request

Two new attributes, called accessingOrganization and userResidentOrganization, are introduced to the AuthenticatedUser object, which keep the ID of the organization where the B2B user is authorized to access and the organization where the user's identity is managed.

For federated users who log in via the organization SSO authenticator (for B2B use cases), the user_organization claim is set in the user attributes by the authenticator. That value is taken as the authorizedOrganization, as that is the organization where the B2B user intends to access. For other cases like B2C logins, accessingOrganization will be set to null.

The accessingOrganization is reflected in the token table by the column introduced below.
A new column AUTHORIZED_ORGANIZATION is introduced to the IDN_OAUTH2_ACCESS_TOKEN table. That column implies the organization to which the access token is bound for access.

Related Issues.

The following figure shows how the authenticated user at the framework level is propagated to the OAuth layer for persisting, and vice versa.
For B2B user logins, the authenticated user is treated as a usual federated user. Two new attributes are added, called accessingOrganization and userResidentOrganization. That information is stored in the access token, and it should be possible to build the exact same authenticated user object from the data stored in the token table.

  • The consumer-key of the token table denotes the tenant-id which should be represented in the authenticated user object.
  • The tenant ID of the token table corresponds to the user's resident organization.
(Screenshot 2023-10-14 at 23 30 36: figure referenced above)
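As an added illustration (not code from this PR or from WSO2 Identity Server), the following Python models the mapping the description lays out: accessingOrganization is derived from the user_organization claim only for organization SSO logins, the user object round-trips through a token-table row whose CONSUMER_KEY yields the tenant and whose TENANT_ID holds the resident organization, and a token is then checked against the organization recorded in AUTHORIZED_ORGANIZATION. The class, function and lookup names, the columns other than AUTHORIZED_ORGANIZATION, and the organization-binding check at the end are assumed stand-ins, not something the PR states.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AuthenticatedUser:
    # Hypothetical stand-in for the framework's AuthenticatedUser; field names are assumed.
    user_name: str
    tenant_domain: str                         # tenant owning the application signed in to
    accessing_organization: Optional[str]      # org the B2B user may access (None for B2C)
    user_resident_organization: Optional[str]  # org that manages the user's identity


def build_authenticated_user(user_name: str, tenant_domain: str, resident_org: str,
                             claims: dict, via_org_sso: bool) -> AuthenticatedUser:
    """accessingOrganization comes from the user_organization claim set by the
    organization SSO authenticator; any other login (e.g. B2C) leaves it None."""
    accessing = claims.get("user_organization") if via_org_sso else None
    return AuthenticatedUser(user_name, tenant_domain, accessing, resident_org)


# Constructed lookup: CONSUMER_KEY -> tenant that owns the OAuth application.
APP_TENANT_BY_CONSUMER_KEY = {"client-abc": "carbon.super", "client-xyz": "acme.com"}


def to_token_row(user: AuthenticatedUser, consumer_key: str) -> dict:
    """Constructed IDN_OAUTH2_ACCESS_TOKEN-like row holding only the columns discussed."""
    if APP_TENANT_BY_CONSUMER_KEY[consumer_key] != user.tenant_domain:
        raise ValueError("consumer key does not belong to the user's tenant")
    return {
        "CONSUMER_KEY": consumer_key,
        "AUTHZ_USER": user.user_name,
        "TENANT_ID": user.user_resident_organization,           # resident org of the user
        "AUTHORIZED_ORGANIZATION": user.accessing_organization,  # org the token is bound to
    }


def from_token_row(row: dict) -> AuthenticatedUser:
    """Rebuild the same AuthenticatedUser from what the token table stores."""
    return AuthenticatedUser(
        user_name=row["AUTHZ_USER"],
        tenant_domain=APP_TENANT_BY_CONSUMER_KEY[row["CONSUMER_KEY"]],
        accessing_organization=row["AUTHORIZED_ORGANIZATION"],
        user_resident_organization=row["TENANT_ID"],
    )


def token_bound_to(row: dict, target_org: Optional[str]) -> bool:
    """Assumed resource-side policy: the token is only good for the organization
    recorded in AUTHORIZED_ORGANIZATION, so a token minted for org A fails at org B."""
    return row["AUTHORIZED_ORGANIZATION"] == target_org
```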

@sadilchamishka sadilchamishka marked this pull request as draft September 13, 2023 12:39
@sadilchamishka sadilchamishka force-pushed the add-user-organization-oauth2-access-token-table branch from 16fe20a to d0ccd16 Compare September 14, 2023 01:44
@sadilchamishka sadilchamishka marked this pull request as ready for review September 14, 2023 01:47
@sadilchamishka sadilchamishka force-pushed the add-user-organization-oauth2-access-token-table branch 4 times, most recently from 3ef1ada to de9853e Compare September 14, 2023 03:56
@sadilchamishka sadilchamishka force-pushed the add-user-organization-oauth2-access-token-table branch from de9853e to 69d513f Compare September 22, 2023 12:07
@sadilchamishka sadilchamishka force-pushed the add-user-organization-oauth2-access-token-table branch from 69d513f to 17c874a Compare October 6, 2023 11:13
@sadilchamishka sadilchamishka changed the title Store user residing organization in the authenticated user object Introduce authorize organization ID attribute for the authenticated user object and access token table Oct 6, 2023
@jenkins-is-staging

PR builder started
Link: https://github.com/wso2/product-is/actions/runs/6430940618

@jenkins-is-staging

PR builder completed
Link: https://github.com/wso2/product-is/actions/runs/6430940618
Status: cancelled

@sadilchamishka sadilchamishka force-pushed the add-user-organization-oauth2-access-token-table branch from 17c874a to 737859d Compare October 9, 2023 02:22
@jenkins-is-staging

PR builder started
Link: https://github.com/wso2/product-is/actions/runs/6451823764

@jenkins-is-staging

PR builder completed
Link: https://github.com/wso2/product-is/actions/runs/6451823764
Status: cancelled

@jenkins-is-staging

PR builder started
Link: https://github.com/wso2/product-is/actions/runs/6453734827

@jenkins-is-staging

PR builder completed
Link: https://github.com/wso2/product-is/actions/runs/6453734827
Status: success

@jenkins-is-staging jenkins-is-staging left a comment

Approving the pull request based on the successful pr build https://github.com/wso2/product-is/actions/runs/6453734827

@sadilchamishka sadilchamishka force-pushed the add-user-organization-oauth2-access-token-table branch 2 times, most recently from 1dc7425 to 7360e49 Compare October 11, 2023 04:24
@jenkins-is-staging

PR builder started
Link: https://github.com/wso2/product-is/actions/runs/6478030372

@jenkins-is-staging

PR builder completed
Link: https://github.com/wso2/product-is/actions/runs/6478030372
Status: success

@jenkins-is-staging jenkins-is-staging left a comment

Approving the pull request based on the successful pr build https://github.com/wso2/product-is/actions/runs/6478030372

@sadilchamishka sadilchamishka force-pushed the add-user-organization-oauth2-access-token-table branch 3 times, most recently from 3f7a830 to 35b96bd Compare October 14, 2023 17:27
@sadilchamishka sadilchamishka force-pushed the add-user-organization-oauth2-access-token-table branch from df8e755 to ae978f2 Compare October 15, 2023 06:12
@sadilchamishka sadilchamishka changed the title Introduce authorize organization ID attribute for the authenticated user object and access token table Introduce accessing organization ID attribute for the authenticated user object and access token table Oct 15, 2023
@sadilchamishka sadilchamishka changed the title Introduce accessing organization ID attribute for the authenticated user object and access token table Introduce accessing organization and user resident organization attributes for the authenticated user. Oct 15, 2023
@sadilchamishka sadilchamishka merged commit f0ea368 into wso2:master Oct 15, 2023
1 check passed