Describe the issue:
When the Role-Based Scope Validator is enabled for a service provider, the /oauth2/token endpoint returns an "Invalid Scope" error, even though the scope is correctly bound to a valid role assigned to the application owner.
This behavior is caused by the introduction of the system property "preservedCaseSensitive" [1], which is set to 'false' by default. Consequently, when finding an intersection of the user roles and roles bound to the scope, both user roles and scope roles are converted to lowercase before matching.
However, after this matching, the system again attempts to find a common section between the lowercase scope roles and the original user roles, which were not converted to lowercase [2]. This results in an empty hashset, causing validation to succeed only if the bound role is an internal role assigned to the application owner, as per the implemented logic. Removing the specified line of code [2] would resolve the issue.
[1] - https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/cb0dabe9dc7234d25bfc480e3f669c2a51461bf8/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/JDBCScopeValidator.java#L410
[2] - https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/cb0dabe9dc7234d25bfc480e3f669c2a51461bf8/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/JDBCScopeValidator.java#L428
How to reproduce:
Expected behavior: An access token should be returned since the scope is correctly bound to a role assigned to the application owner.
Environment information:
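The following is an added illustration of the role-intersection step described above; it is not code from JDBCScopeValidator, and the class, method names and role names are constructed. It models only the two intersections (the separate application-owner exception the issue mentions is not modelled) and shows the second intersection against the original-case user roles emptying the result when preservedCaseSensitive is false, while dropping that intersection lets a correctly bound role match.

```java
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/**
 * Hypothetical model of the role-intersection step reported in this issue.
 * Added example, not the validator's own source; all names are constructed.
 */
public class RoleScopeMatchDemo {

    /** Lower-case every role name, as happens when preservedCaseSensitive is false. */
    static Set<String> toLowerCase(Set<String> roles) {
        Set<String> out = new HashSet<>();
        for (String role : roles) {
            out.add(role.toLowerCase(Locale.ROOT));
        }
        return out;
    }

    /** Reported behaviour: after the case-normalised intersection, the lower-cased
     *  scope roles are intersected again with the ORIGINAL user roles [2]. */
    static boolean buggyMatch(Set<String> scopeRoles, Set<String> userRoles, boolean preserveCase) {
        Set<String> scopeSet = preserveCase ? new HashSet<>(scopeRoles) : toLowerCase(scopeRoles);
        Set<String> userSet = preserveCase ? new HashSet<>(userRoles) : toLowerCase(userRoles);
        scopeSet.retainAll(userSet);   // first intersection, both sides in the same case
        scopeSet.retainAll(userRoles); // second intersection: mixed-case originals never equal lower-cased names
        return !scopeSet.isEmpty();
    }

    /** Same logic with the second intersection removed, as the issue proposes. */
    static boolean fixedMatch(Set<String> scopeRoles, Set<String> userRoles, boolean preserveCase) {
        Set<String> scopeSet = preserveCase ? new HashSet<>(scopeRoles) : toLowerCase(scopeRoles);
        Set<String> userSet = preserveCase ? new HashSet<>(userRoles) : toLowerCase(userRoles);
        scopeSet.retainAll(userSet);
        return !scopeSet.isEmpty();
    }

    public static void main(String[] args) {
        // Constructed sample data: the scope is bound to a role the user actually holds.
        Set<String> scopeRoles = Set.of("Internal/ReadOrders");
        Set<String> userRoles = Set.of("Internal/ReadOrders", "Internal/everyone");
        for (boolean preserveCase : new boolean[] {false, true}) {
            System.out.println("preservedCaseSensitive=" + preserveCase
                    + " buggy=" + buggyMatch(scopeRoles, userRoles, preserveCase)
                    + " fixed=" + fixedMatch(scopeRoles, userRoles, preserveCase));
        }
    }
}
```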