wso2 / product-is

Welcome to the WSO2 Identity Server source code! For info on working with the WSO2 Identity Server repository and contributing code, click the link below.
http://wso2.github.io/
Apache License 2.0

SSO from one application to another application does not work for a suborganization user unless the browser is refreshed #19133

Closed amanda-ariyaratne closed 8 months ago

amanda-ariyaratne commented 8 months ago

Describe the issue:

Attempted to SSO from the sample application to the console application as a suborganization admin. The UI hangs when loading the console and the following stack trace is printed in the IS terminal. The root cause could be that the two applications have separate application roles and, when moving from the first app to the second one, the second app tries to retrieve the roles of the first app. However, when the page of the second app is refreshed, the application loads.

[2024-01-23 17:00:54,954] [ca5868b4-cc15-4ce1-89d1-e2ceb9920d29] ERROR {org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint} - Error occurred while validating requested scopes. org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception: Error while validating policies roles from authorization service.
    at org.wso2.carbon.identity.oauth2.validators.DefaultOAuth2ScopeValidator.getAuthorizedScopes(DefaultOAuth2ScopeValidator.java:197)
    at org.wso2.carbon.identity.oauth2.validators.DefaultOAuth2ScopeValidator.validateScope(DefaultOAuth2ScopeValidator.java:97)
    at org.wso2.carbon.identity.oauth2.authz.AuthorizationHandlerManager.getAuthorizedScopes(AuthorizationHandlerManager.java:386)
    at org.wso2.carbon.identity.oauth2.authz.AuthorizationHandlerManager.validateRequestedScopes(AuthorizationHandlerManager.java:295)
    at org.wso2.carbon.identity.oauth2.authz.AuthorizationHandlerManager.validateScopesBeforeConsent(AuthorizationHandlerManager.java:223)
    at org.wso2.carbon.identity.oauth2.OAuth2Service.validateScopesBeforeConsent(OAuth2Service.java:192)
    at org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.validateScopesBeforeConsent(OAuth2AuthzEndpoint.java:2934)
    at org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.doUserAuthorization(OAuth2AuthzEndpoint.java:2850)
    at org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.handleSuccessfulAuthentication(OAuth2AuthzEndpoint.java:1232)
... 

Caused by: org.wso2.carbon.identity.oauth2.validators.validationhandler.ScopeValidationHandlerException: Error while validation scope with RBAC Scope Validation handler
    at org.wso2.carbon.identity.oauth2.validators.validationhandler.impl.RoleBasedScopeValidationHandler.validateScopes(RoleBasedScopeValidationHandler.java:95)
    at org.wso2.carbon.identity.oauth2.validators.DefaultOAuth2ScopeValidator.getAuthorizedScopes(DefaultOAuth2ScopeValidator.java:194)
    ... 68 more
Caused by: org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception: Error while retrieving role ids of  list of role anme : Internal/pet-care-admintenant domain : carbon.super
    at org.wso2.carbon.identity.oauth2.util.AuthzUtil.getRoleIdsFromNames(AuthzUtil.java:350)
    at org.wso2.carbon.identity.oauth2.util.AuthzUtil.getFederatedUserRoles(AuthzUtil.java:164)
    at org.wso2.carbon.identity.oauth2.util.AuthzUtil.getUserRoles(AuthzUtil.java:86)
    at org.wso2.carbon.identity.oauth2.validators.validationhandler.impl.RoleBasedScopeValidationHandler.validateScopes(RoleBasedScopeValidationHandler.java:62)
    ... 69 more
Caused by: org.wso2.carbon.identity.role.v2.mgt.core.exception.IdentityRoleManagementClientException: A role doesn't exist with name: Internal/pet-care-admin in the tenantDomain: carbon.super
    at org.wso2.carbon.identity.role.v2.mgt.core.dao.RoleDAOImpl.getRoleIdByName(RoleDAOImpl.java:2612)
    at org.wso2.carbon.identity.role.v2.mgt.core.RoleManagementServiceImpl.getRoleIdByName(RoleManagementServiceImpl.java:722)
    at org.wso2.carbon.identity.oauth2.util.AuthzUtil.getRoleIdsFromNames(AuthzUtil.java:346)
    ... 72 more

https://github.com/wso2/product-is/assets/28347418/01d9e322-5432-4550-8b06-762ce5e773e2

How to reproduce:

Expected behavior:

Environment information (Please complete the following information; remove any unnecessary fields) :


Optional Fields

Related issues:

Suggested labels:
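The trace above ends in a role lookup by bare name in the carbon.super tenant, where the first application's role "Internal/pet-care-admin" does not exist, and that single miss aborts the whole authorization request. The following is an added illustration, not code from the WSO2 Identity Server code base: it models role-based scope validation with audience-scoped roles (organization vs. application) and contrasts the failing lookup with a variant that ignores roles it cannot resolve or that belong to another application, granting nothing for them. Tenant names, application ids, scope names and the registry contents are constructed sample data; only the role name and tenant in the error text are taken from the trace.

```python
"""Audience-aware role-based scope validation (constructed model, not WSO2 code).

A user's session carries role names collected at the first application's login.
When the second application validates its requested scopes, those names are
resolved again. Resolving every name in one tenant and treating a miss as a hard
error is what the stack trace shows; the hardened variant below keeps the
request alive while still granting no scope for an unknown or foreign role.
"""
from dataclasses import dataclass
import logging

log = logging.getLogger("scope-validation")

ORGANIZATION = "ORGANIZATION"
APPLICATION = "APPLICATION"


@dataclass(frozen=True)
class Role:
    name: str
    tenant: str
    audience: str       # ORGANIZATION or APPLICATION
    audience_id: str    # organization name or application id the role belongs to
    scopes: frozenset   # scopes this role grants


class RoleNotFound(Exception):
    """Raised when a role name cannot be resolved in the given tenant."""


# Constructed registry keyed by (role name, tenant). The application role from the
# trace is registered in the sub-organization tenant (constructed name) and scoped
# to the sample application, so resolving it in carbon.super fails as the trace shows.
ROLE_REGISTRY = {
    ("Internal/org-admin", "carbon.super"): Role(
        "Internal/org-admin", "carbon.super", ORGANIZATION, "carbon.super",
        frozenset({"console:applications:read", "console:users:read"})),
    ("Internal/pet-care-admin", "suborg.example"): Role(
        "Internal/pet-care-admin", "suborg.example", APPLICATION, "pet-care-app",
        frozenset({"petcare:pets:write"})),
}


def get_role_by_name(name: str, tenant: str) -> Role:
    """Look a role up by name within one tenant; unknown names raise, as in the trace."""
    try:
        return ROLE_REGISTRY[(name, tenant)]
    except KeyError:
        raise RoleNotFound(
            f"A role doesn't exist with name: {name} in the tenantDomain: {tenant}") from None


def naive_authorized_scopes(role_names, tenant, requested):
    """Mirrors the failing path: every session role is resolved by name in one tenant,
    and a single miss propagates as an exception that takes the login down with it."""
    granted = set()
    for name in role_names:
        granted |= get_role_by_name(name, tenant).scopes
    return sorted(granted & set(requested))


def validation_aborts(role_names, tenant, requested) -> bool:
    """True when the naive path throws instead of answering (the symptom in the issue)."""
    try:
        naive_authorized_scopes(role_names, tenant, requested)
    except RoleNotFound:
        return True
    return False


def audience_aware_authorized_scopes(role_names, tenant, requesting_app, requested):
    """Hardened variant: an unresolvable role contributes no scopes instead of aborting
    the request, and a role whose audience is a different application is ignored."""
    granted = set()
    for name in role_names:
        try:
            role = get_role_by_name(name, tenant)
        except RoleNotFound as err:
            log.warning("ignoring unresolvable role while authorizing %s: %s", requesting_app, err)
            continue
        if role.audience == APPLICATION and role.audience_id != requesting_app:
            log.warning("ignoring role %s: its audience %s is not the requesting app %s",
                        role.name, role.audience_id, requesting_app)
            continue
        granted |= role.scopes
    return sorted(granted & set(requested))


if __name__ == "__main__":
    # Roles carried over from the first application's login (constructed session).
    session_roles = ["Internal/pet-care-admin", "Internal/org-admin"]
    wanted = ["console:applications:read", "console:users:read", "petcare:pets:write"]
    print("naive validator aborts:", validation_aborts(session_roles, "carbon.super", wanted))
    print("console gets:", audience_aware_authorized_scopes(session_roles, "carbon.super", "console", wanted))
```

The hardened variant is still fail-closed: a role that cannot be resolved, or that belongs to another application, grants nothing, so the only behavioural change is that the console request completes with the scopes the user actually holds at the organization level instead of hanging on an exception.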

indeewari commented 8 months ago

In addition to the above issue, I noticed Access Denied for the console SSO without any newly introduced roles. Let's check whether this fix resolves both of the issues.

sadilchamishka commented 8 months ago

Verified a flow where the user has only the console administrator role at the organization level.

https://github.com/wso2/product-is/assets/35717390/f28954e7-a9f3-4e76-a8f5-2977c137b2c2

indeewari commented 8 months ago

Peer reviewed

Tested in org.wso2.carbon.identity.application.authentication.framework_5.26.20 on top of the patch bd889d9a9d42088fe1cd2c05fccdce8e09fd7e72 in the IS 7 snapshot version.

Scenario 1: "Access Denied" on Console SSO for a sub-org admin without introducing a new application role, working as expected. https://github.com/wso2/product-is/assets/4128062/b6b82b2d-83db-4ada-9d25-a6f282423642

Scenario 2: "Exception" on Console SSO for a sub-org admin with a new application role, working as expected.

https://github.com/wso2/product-is/assets/4128062/e8c7d8f1-3a85-4cc5-b0da-1fe4c09bbfa2