wso2 / product-is


Error when login to B2B application by organization user with no roles in application #20113

Open SujanSanjula96 opened 6 months ago

SujanSanjula96 commented 6 months ago

Describe the issue: When an organization user who does not have any roles for the application logs into a B2B application (with API authorizations) created using the Standard Based Application template, the following error is thrown and the user cannot log in successfully.

[2024-03-28 10:41:26,295] [9958118f-eaec-4653-a2ed-6e82aeadb206] ERROR {org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint} - Error occurred while validating requested scopes. org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception: Error while validating policies roles from authorization service.
    at org.wso2.carbon.identity.oauth2.validators.DefaultOAuth2ScopeValidator.getAuthorizedScopes(DefaultOAuth2ScopeValidator.java:209)
    at org.wso2.carbon.identity.oauth2.validators.DefaultOAuth2ScopeValidator.validateScope(DefaultOAuth2ScopeValidator.java:103)
    at org.wso2.carbon.identity.oauth2.authz.AuthorizationHandlerManager.getAuthorizedScopes(AuthorizationHandlerManager.java:395)
    at org.wso2.carbon.identity.oauth2.authz.AuthorizationHandlerManager.validateRequestedScopes(AuthorizationHandlerManager.java:303)
    at org.wso2.carbon.identity.oauth2.authz.AuthorizationHandlerManager.validateScopesBeforeConsent(AuthorizationHandlerManager.java:223)
    at org.wso2.carbon.identity.oauth2.OAuth2Service.validateScopesBeforeConsent(OAuth2Service.java:192)
    at org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.validateScopesBeforeConsent(OAuth2AuthzEndpoint.java:2934)
    at org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.doUserAuthorization(OAuth2AuthzEndpoint.java:2850)
    at org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.handleSuccessfulAuthentication(OAuth2AuthzEndpoint.java:1232)
    at org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.handleAuthenticationResponse(OAuth2AuthzEndpoint.java:1180)

..............

Caused by: org.wso2.carbon.identity.oauth2.validators.validationhandler.ScopeValidationHandlerException: Error while validation scope with RBAC Scope Validation handler
    at org.wso2.carbon.identity.oauth2.validators.validationhandler.impl.RoleBasedScopeValidationHandler.validateScopes(RoleBasedScopeValidationHandler.java:98)
    at org.wso2.carbon.identity.oauth2.validators.DefaultOAuth2ScopeValidator.getAuthorizedScopes(DefaultOAuth2ScopeValidator.java:206)
    ... 66 more
Caused by: org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception: Error while retrieving role ids of  list of role anme : Internal/everyonetenant domain : carbon.super
    at org.wso2.carbon.identity.oauth2.util.AuthzUtil.getRoleIdsFromNames(AuthzUtil.java:364)
    at org.wso2.carbon.identity.oauth2.util.AuthzUtil.getFederatedUserRoles(AuthzUtil.java:169)
    at org.wso2.carbon.identity.oauth2.util.AuthzUtil.getUserRoles(AuthzUtil.java:91)
    at org.wso2.carbon.identity.oauth2.validators.validationhandler.impl.RoleBasedScopeValidationHandler.validateScopes(RoleBasedScopeValidationHandler.java:66)
    ... 67 more
Caused by: org.wso2.carbon.identity.role.v2.mgt.core.exception.IdentityRoleManagementClientException: A role doesn't exist with name: Internal/everyone in the tenantDomain: carbon.super
    at org.wso2.carbon.identity.role.v2.mgt.core.dao.RoleDAOImpl.getRoleIdByName(RoleDAOImpl.java:2624)
    at org.wso2.carbon.identity.role.v2.mgt.core.RoleManagementServiceImpl.getRoleIdByName(RoleManagementServiceImpl.java:736)
    at org.wso2.carbon.identity.oauth2.util.AuthzUtil.getRoleIdsFromNames(AuthzUtil.java:360)

How to reproduce:

  1. Create a standard based application and authorize an API.
  2. Create an organization and share the application.
  3. Try to log in to the application by requesting an authorized scope using an organization user who does not have any role in the application.
  4. Login fails and the error is thrown.

Expected behavior: Login should not fail.

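To make the failure mode in the trace concrete, here is an added example that is not WSO2 Identity Server code: the role store, the role names, the scope mapping and the resolveStrict/resolveTolerant helpers are all constructed for illustration. It contrasts a role-name lookup that throws as soon as a name such as Internal/everyone has no id in the tenant, so the whole authorization request aborts the way the trace shows, with a tolerant lookup in which an unresolvable name simply contributes no role id, so a user who holds no application roles is authenticated with an empty set of authorized scopes (least privilege) instead of being blocked from logging in.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

/**
 * Added example (not WSO2 Identity Server code). Models the scope-validation
 * step that the stack trace above fails in: role names are resolved to role ids
 * before the user's roles are matched against the scopes the application
 * authorizes. Role store, role names and scope mappings are constructed.
 */
public class RoleScopeResolutionDemo {

    /** Stands in for the role-management client exception seen in the trace. */
    static class RoleNotFoundException extends Exception {
        RoleNotFoundException(String role, String tenant) {
            super("A role doesn't exist with name: " + role
                    + " in the tenantDomain: " + tenant);
        }
    }

    /** Constructed role store: only the application's own roles are registered. */
    static final Map<String, String> ROLE_IDS = Map.of(
            "app-admin", "id-1",
            "app-viewer", "id-2");

    /** Constructed role id -> scope mapping for the authorized API. */
    static final Map<String, Set<String>> ROLE_SCOPES = Map.of(
            "id-1", Set.of("orders:read", "orders:write"),
            "id-2", Set.of("orders:read"));

    static String getRoleIdByName(String roleName, String tenant)
            throws RoleNotFoundException {
        String id = ROLE_IDS.get(roleName);
        if (id == null) {
            throw new RoleNotFoundException(roleName, tenant);
        }
        return id;
    }

    /** Strict resolution: one unresolvable name aborts the whole request,
     *  which is the behaviour the trace shows (login fails for the role-less user). */
    static List<String> resolveStrict(List<String> roleNames, String tenant)
            throws RoleNotFoundException {
        List<String> ids = new ArrayList<>();
        for (String name : roleNames) {
            ids.add(getRoleIdByName(name, tenant));
        }
        return ids;
    }

    /** Tolerant resolution: a name that does not exist in the tenant contributes
     *  no role id. A user with no application roles therefore ends up with no
     *  authorized scopes instead of an exception that breaks authentication. */
    static List<String> resolveTolerant(List<String> roleNames, String tenant) {
        List<String> ids = new ArrayList<>();
        for (String name : roleNames) {
            try {
                ids.add(getRoleIdByName(name, tenant));
            } catch (RoleNotFoundException e) {
                // Unknown role name: skip it, do not fail the login.
            }
        }
        return ids;
    }

    /** Intersects the requested scopes with what the user's roles allow. */
    static Set<String> authorizedScopes(List<String> roleIds, Set<String> requested) {
        Set<String> allowed = new TreeSet<>();
        for (String id : roleIds) {
            allowed.addAll(ROLE_SCOPES.getOrDefault(id, Set.of()));
        }
        allowed.retainAll(requested);
        return allowed;
    }

    public static void main(String[] args) {
        String tenant = "carbon.super";
        Set<String> requested = Set.of("orders:read", "orders:write");

        // Organization user whose only role name is the implicit
        // "Internal/everyone", which the constructed role store does not know.
        List<String> roleLessUser = List.of("Internal/everyone");
        // A user who additionally holds one application role.
        List<String> viewer = List.of("Internal/everyone", "app-viewer");

        try {
            resolveStrict(roleLessUser, tenant);
        } catch (RoleNotFoundException e) {
            System.out.println("strict: " + e.getMessage() + " -> login aborted");
        }

        System.out.println("tolerant, no roles -> authorized scopes: "
                + authorizedScopes(resolveTolerant(roleLessUser, tenant), requested));
        System.out.println("tolerant, viewer   -> authorized scopes: "
                + authorizedScopes(resolveTolerant(viewer, tenant), requested));
    }
}
```

The design point is that a missing role should narrow what the user is authorized to do, not abort authentication: with the tolerant resolver the role-less user is still logged in but receives none of the API scopes, while the viewer receives only the scope its role grants. Whether the real fix belongs in the role lookup or in how the implicit everyone role is represented for organization users is for the linked issue to decide.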

SujanSanjula96 commented 6 months ago

This is working fine for Single Page Applications.

SujanSanjula96 commented 6 months ago

This issue might be related to https://github.com/wso2/product-is/issues/20053 and may get fixed along with it.