wso2 / product-is

Welcome to the WSO2 Identity Server source code! For info on working with the WSO2 Identity Server repository and contributing code, click the link below.
http://wso2.github.io/
Apache License 2.0

Scopes aren't returned for sub-organization users when an authorization request is initiated without the openid scope for a Standard-based application #20053

Open AnuradhaSK opened 6 months ago

AnuradhaSK commented 6 months ago

Describe the issue:

  1. Create an OIDC application using Standard based application template and share it with all orgs
  2. Authorize scim2 Users management API and organization API
  3. Create a role for the application with all the permissions of selected APIs in step 2
  4. Create a sub org
  5. Switch to the sub org and create a user
  6. Assign the created user to that application's role in sub org space
  7. Try an application login with an authorize request. Sample (without the "openid" scope):
    https://localhost:9443/oauth2/authorize?response_type=code&client_id=Eim_7Wr0qpC6xH5ZO6N_fx4yOpca&redirect_uri=https://example-app.com/redirect&scope=internal_org_user_mgt_delete internal_org_user_mgt_update internal_org_user_mgt_view internal_org_user_mgt_create internal_org_user_mgt_list internal_user_mgt_create internal_user_mgt_view internal_user_mgt_list internal_user_mgt_delete internal_user_mgt_update
  8. Upon receiving the authorization code, try the token request:
    curl --location 'https://localhost:9443/oauth2/token' \
    --header 'Content-Type: application/x-www-form-urlencoded' \
    --data-urlencode 'code=e4cc80bd-0802-3585-9516-358dc0d623d0' \
    --data-urlencode 'grant_type=authorization_code' \
    --data-urlencode 'client_id=Eim_7Wr0qpC6xH5ZO6N_fx4yOpca' \
    --data-urlencode 'client_secret=ZhWuy2Y3Mw1hEqoseSZgfLFQhp6nZgCs6ze_6ZobEKEa' \
    --data-urlencode 'redirect_uri=https://example-app.com/redirect'

Scopes will not be returned.

If you try the same steps with an application created using the traditional web app template or the SPA template, the flow works fine without the openid scope.

Expected behavior: Return the relevant scopes even if the openid scope is not requested in the initial request
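A small helper that reproduces the check behind this report, as an added example (not code from the issue or from the WSO2 project): it builds the authorize URL with proper percent-encoding (the sample URL above carries raw spaces in the scope parameter, which some clients reject), assembles the same form body as the curl token request, and diffs the requested scopes against the `scope` parameter of the token response so a missing-scope regression is detected automatically instead of by eye. The client_id, redirect_uri and scope list are taken from the issue; the token response bodies are constructed samples, not output captured from the server.

```python
"""Scope-consistency check for an OAuth2 authorization-code flow (added example)."""
import json
from urllib.parse import parse_qs, urlencode, urlparse

# Endpoints as they appear in the issue.
AUTHZ_ENDPOINT = "https://localhost:9443/oauth2/authorize"
TOKEN_ENDPOINT = "https://localhost:9443/oauth2/token"

# Client id and redirect URI copied from the issue text.
CLIENT_ID = "Eim_7Wr0qpC6xH5ZO6N_fx4yOpca"
REDIRECT_URI = "https://example-app.com/redirect"

# The API scopes requested in the issue's authorize request (no "openid").
REQUESTED_SCOPES = [
    "internal_org_user_mgt_delete", "internal_org_user_mgt_update",
    "internal_org_user_mgt_view", "internal_org_user_mgt_create",
    "internal_org_user_mgt_list", "internal_user_mgt_create",
    "internal_user_mgt_view", "internal_user_mgt_list",
    "internal_user_mgt_delete", "internal_user_mgt_update",
]


def build_authorize_url(client_id, redirect_uri, scopes, include_openid=False):
    """Build the authorize URL with an encoded, space-delimited scope parameter."""
    scope_list = (["openid"] if include_openid else []) + list(scopes)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scope_list),
    }
    return f"{AUTHZ_ENDPOINT}?{urlencode(params)}"


def scopes_in_url(url):
    """Decode the scope parameter of an authorize URL back into a list."""
    query = parse_qs(urlparse(url).query)
    return query.get("scope", [""])[0].split()


def token_request_form(code, client_id, client_secret, redirect_uri):
    """Form body equivalent to the curl token request in the issue."""
    return {
        "code": code,
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
    }


def granted_scopes(token_response):
    """Parse the space-delimited scope parameter of a token response (RFC 6749 section 5.1)."""
    body = json.loads(token_response) if isinstance(token_response, str) else token_response
    return set(body.get("scope", "").split())


def missing_scopes(requested, token_response):
    """Requested scopes that the token response did not grant (sorted for stable output)."""
    return sorted(set(requested) - granted_scopes(token_response))


# Constructed sample responses: the first mirrors the symptom reported above
# (no scope parameter at all), the second is what the reporter expects.
SAMPLE_NO_SCOPE = {"access_token": "<constructed>", "token_type": "Bearer", "expires_in": 3600}
SAMPLE_WITH_SCOPE = dict(SAMPLE_NO_SCOPE, scope=" ".join(REQUESTED_SCOPES))

if __name__ == "__main__":
    url = build_authorize_url(CLIENT_ID, REDIRECT_URI, REQUESTED_SCOPES)
    print("authorize URL:", url)
    print("form body:", token_request_form("<code>", CLIENT_ID, "<secret>", REDIRECT_URI))
    for label, resp in (("broken", SAMPLE_NO_SCOPE), ("expected", SAMPLE_WITH_SCOPE)):
        print(f"{label}: missing scopes = {missing_scopes(REQUESTED_SCOPES, resp)}")
```

To use it against a live deployment, replace the constructed samples with the JSON body returned by the token endpoint; a non-empty `missing_scopes` result for a sub-organization user is exactly the condition this issue describes.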

AnuradhaSK commented 5 months ago

This happens only for the standard app because, when creating a standard app, the "username" attribute is not set as a requested attribute of the application, but for other applications (traditional apps and SPAs) the "username" attribute is set as a requested attribute by default.

The standard app flow works fine for

https://localhost:9443/oauth2/authorize?response_type=code&client_id=Eim_7Wr0qpC6xH5ZO6N_fx4yOpca&redirect_uri=https://example-app.com/redirect&scope=internal_org_user_mgt_delete internal_org_user_mgt_update internal_org_user_mgt_view internal_org_user_mgt_create internal_org_user_mgt_list internal_user_mgt_create internal_user_mgt_view internal_user_mgt_list internal_user_mgt_delete internal_user_mgt_update

kind of only API scopes if the root app has requested at least one claim of the profile scope,