Describe the issue:
We've noticed that the 'locale' claim is not honoured in the Email OTP flow for federated users even if the claim was provided (present in the IdP response or set in the SP adaptive script).
Additionally, when we enabled JIT provisioning and ticked the 'Assert identity using mapped local subject identifier' checkbox, the output was the same even if the associated local user had a value for the Locality claim (http://wso2.org/claims/locality).
Further investigation revealed that we're only trying to retrieve the user attributes from the user store using the username and user store domain shared in the event properties [1][2], which would only work if we passed the username and user store domain from the associated local user when creating the event [3].
We attempted to overcome this limitation by trying different things in the adaptive scripts (e.g., setting the remote/local claim value or changing the subject name to the same as the local user's) with no success.
I think we should allow the retrieval of federated user data since some IdPs can provide their language preferences in their response [4] or the use of the attribute values from the associated local user.
How to reproduce:
Set up an Identity Server instance with mail-sending capabilities.
Configure the Email OTP feature and add templates in a different language.
Add a federated authenticator (e.g., Google) and enable JIT provisioning.
Enable 'Supported by Default' for the 'Locality' local claim to allow changing the user claim values through the User Profile.
Set up a Service Provider and add one step with both the federated and basic authentication, and another step with EmailOTP.
Tick the 'Assert identity using mapped local subject identifier' checkbox under Local & Outbound Authentication.
Log in once to create the user locally. The email sent in this step will be in English if the IdP didn't send a value for the user's locale.
Change the newly created user's locale value in the User Profile to the email template's locality.
Log in again and observe the email language.
Expected behavior:
The emails or SMS sent triggered by a federated authentication flow should honour the user's locale.
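The resolution order the report asks for (IdP-provided 'locale' first, then the associated local user's locality claim, then a default), written out as an added, hypothetical helper; this is not WSO2 Identity Server code, and the class, method names and the en_US default are assumptions. It also normalises BCP 47 tags such as "pt-BR" (the form IdPs usually send) into the "pt_BR" form used to pick an email template.

```java
import java.util.Locale;
import java.util.Map;
import java.util.Optional;

/** Hypothetical helper (not WSO2 code): picks the locale used to select an OTP email template. */
public final class OtpLocaleResolver {

    // Claim URIs as named in the issue; the default template locale is an assumption.
    static final String LOCAL_LOCALITY_CLAIM = "http://wso2.org/claims/locality";
    static final String FEDERATED_LOCALE_CLAIM = "locale";
    static final String DEFAULT_LOCALE = "en_US";

    /**
     * Resolution order: (1) 'locale' claim from the IdP response or adaptive script,
     * (2) locality claim of the associated local user (only when an association exists),
     * (3) the deployment default. Passing null for the local claims means "no association".
     */
    static String resolve(Map<String, String> federatedClaims,
                          Map<String, String> associatedLocalUserClaims) {
        return firstNonBlank(federatedClaims, FEDERATED_LOCALE_CLAIM)
                .or(() -> firstNonBlank(associatedLocalUserClaims, LOCAL_LOCALITY_CLAIM))
                .map(OtpLocaleResolver::toTemplateLocale)
                .orElse(DEFAULT_LOCALE);
    }

    private static Optional<String> firstNonBlank(Map<String, String> claims, String key) {
        if (claims == null) return Optional.empty();
        String v = claims.get(key);
        return (v == null || v.isBlank()) ? Optional.empty() : Optional.of(v.trim());
    }

    // IdPs commonly send BCP 47 tags ("pt-BR"); template locales use "pt_BR".
    // Locale.forLanguageTag yields an empty language for malformed input, so fall back to the default.
    static String toTemplateLocale(String tag) {
        Locale l = Locale.forLanguageTag(tag.replace('_', '-'));
        if (l.getLanguage().isEmpty()) return DEFAULT_LOCALE;
        return l.getCountry().isEmpty() ? l.getLanguage() : l.getLanguage() + "_" + l.getCountry();
    }

    public static void main(String[] args) {
        // Constructed sample: IdP sent no locale; the JIT-provisioned user later set a locality.
        System.out.println(resolve(Map.of("email", "user@example.com"),
                Map.of(LOCAL_LOCALITY_CLAIM, "pt_BR")));
        // Constructed sample: IdP sent a locale, which takes precedence over the local profile.
        System.out.println(resolve(Map.of("locale", "fr-CA"),
                Map.of(LOCAL_LOCALITY_CLAIM, "pt_BR")));
        // Constructed sample: no IdP locale and no associated local user, so the default applies.
        System.out.println(resolve(Map.of(), null));
    }
}
```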
Environment information: