wso2 / product-is

Welcome to the WSO2 Identity Server source code! For info on working with the WSO2 Identity Server repository and contributing code, click the link below.
http://wso2.github.io/
Apache License 2.0

Invalid Scope Error at /oauth2/token Endpoint with Role-Based Scope Validator Enabled #20573

Open Pratheesha97 opened 1 week ago

Pratheesha97 commented 1 week ago

Describe the issue: When the Role-Based Scope Validator is enabled for a service provider, the /oauth2/token endpoint returns an "Invalid Scope" error, even though the scope is correctly bound to a valid role assigned to the application owner.

This behavior is caused by the introduction of the system property "preservedCaseSensitive" [1], which is set to 'false' by default. Consequently, when finding an intersection of the user roles and roles bound to the scope, both user roles and scope roles are converted to lowercase before matching.

However, after this matching, the system again attempts to find a common section between the lowercase scope roles and the original user roles, which were not converted to lowercase [2]. This results in an empty HashSet, causing the validation to succeed only if the bound role is an internal role assigned to the application owner, as per the implemented logic. Removing the specified line of code [2] would resolve the issue.

[1] - https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/cb0dabe9dc7234d25bfc480e3f669c2a51461bf8/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/JDBCScopeValidator.java#L410

[2] - https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/cb0dabe9dc7234d25bfc480e3f669c2a51461bf8/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/JDBCScopeValidator.java#L428

How to reproduce:

  1. Log in to the management console and register a Service Provider (SP)
  2. Expand OAuth/OpenID Connect Configuration, create an OAuth based SP and select "Client Credential" as the Allowed Grant Type.
  3. Enable the Role-Based Scope Validator.
  4. Upon registering, an application role will be created. Ensure this application role is correctly assigned to the application owner.
  5. Bind the scope to the above-created application role by invoking the endpoint below:
curl --location 'https://<host>:<port>/api/identity/oauth2/v1.0/scopes' \
--header 'Authorization: Basic YWRtaW46YWRtaW4=' \
--header 'Content-Type: application/json' \
--data '{
    "name": "testScope",
    "displayName": "testScope",
    "description": "testScope",
    "bindings": [
        "Application/testSpRole"
    ]
}'
  6. Try obtaining a token with the client credential grant type using the above-bound scope "testScope" for the configured SP.
  7. A response with status 400 and the error "Invalid Scope!" would be returned.

Expected behavior: An access token should be returned since the scope is correctly bound to a role assigned to the application owner.

Environment information:
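To make the failure mode concrete, the following is an added, standalone Java model of the matching flow the report describes; it is constructed for this illustration and is not the project's JDBCScopeValidator code. The method names, the `preserveCase` flag and the role values are assumptions chosen to mirror the issue text.

```java
import java.util.HashSet;
import java.util.Set;
import java.util.stream.Collectors;

// Constructed model of the role/scope intersection described in the issue.
// Not the project's own code; names are hypothetical.
public class ScopeRoleMatchDemo {

    // Lowercase every role when case is not preserved (the reported default).
    static Set<String> normalize(Set<String> roles, boolean preserveCase) {
        if (preserveCase) {
            return new HashSet<>(roles);
        }
        return roles.stream()
                .map(String::toLowerCase)
                .collect(Collectors.toCollection(HashSet::new));
    }

    // Reported behaviour: intersect the normalized sets, then intersect the
    // lowercased result with the ORIGINAL user roles again.
    static Set<String> buggyMatch(Set<String> userRoles, Set<String> scopeRoles,
                                  boolean preserveCase) {
        Set<String> common = normalize(scopeRoles, preserveCase);
        common.retainAll(normalize(userRoles, preserveCase)); // case-insensitive match
        common.retainAll(userRoles); // "Application/testSpRole" != "application/testsprole"
        return common;               // empty whenever a role contains an uppercase letter
    }

    // Same flow without the second intersection, as the report suggests.
    static Set<String> fixedMatch(Set<String> userRoles, Set<String> scopeRoles,
                                  boolean preserveCase) {
        Set<String> common = normalize(scopeRoles, preserveCase);
        common.retainAll(normalize(userRoles, preserveCase));
        return common;
    }

    public static void main(String[] args) {
        // Constructed sample: the application role from the reproduction steps.
        Set<String> userRoles = Set.of("Application/testSpRole", "Internal/everyone");
        Set<String> scopeRoles = Set.of("Application/testSpRole");

        System.out.println("buggy, case-insensitive: " + buggyMatch(userRoles, scopeRoles, false));
        System.out.println("fixed, case-insensitive: " + fixedMatch(userRoles, scopeRoles, false));
        // With case preserved nothing is lowercased, so the extra intersection is harmless.
        System.out.println("buggy, case-sensitive:   " + buggyMatch(userRoles, scopeRoles, true));
    }
}
```

Running it shows the lowercase-then-intersect-with-original step discarding the bound role whenever its name has mixed case, while the same inputs match once that step is removed or when case is preserved.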