diff --git a/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/handler/claims/impl/DefaultClaimHandler.java b/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/handler/claims/impl/DefaultClaimHandler.java
index 9ab73b01cd01..6c8ad0b67b93 100644
--- a/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/handler/claims/impl/DefaultClaimHandler.java
+++ b/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/handler/claims/impl/DefaultClaimHandler.java
@@ -84,6 +84,7 @@ import static org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants.AdaptiveAuthentication.ALLOW_AUTHENTICATED_SUB_UPDATE;
 import static org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants.Config.SEND_ONLY_LOCALLY_MAPPED_ROLES_OF_IDP;
 import static org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants.JSAttributes.PROP_USERNAME_UPDATED_EXTERNALLY;
+import static org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants.RETURN_ROLES_IN_SAAS_APPS_IN_ID_TOKEN;
 import static org.wso2.carbon.identity.core.util.IdentityUtil.getLocalGroupsClaimURI;
 /**
@@ -429,6 +430,12 @@ protected List getAppAssociatedRolesOfLocalUser(StepConfig stepConfig, A
 if (serviceProvider == null) {
 return null;
 }
+ /* If the application and user are in different tenant domains and the ReturnRolesInSaaSAppsInIDToken config
+ is disabled, return an empty list. */
+ if (!StringUtils.equals(serviceProvider.getTenantDomain(), authenticatedUser.getTenantDomain()) &&
+ !Boolean.parseBoolean(IdentityUtil.getProperty(RETURN_ROLES_IN_SAAS_APPS_IN_ID_TOKEN))) {
+ return new ArrayList<>();
+ }
 String applicationId = serviceProvider.getApplicationResourceId();
 return FrameworkUtils.getAppAssociatedRolesOfLocalUser(authenticatedUser, applicationId);
 }
diff --git a/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/util/FrameworkConstants.java b/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/util/FrameworkConstants.java
index a55d500b2ac2..8642eef5b533 100644
--- a/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/util/FrameworkConstants.java
+++ b/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/util/FrameworkConstants.java
@@ -303,6 +303,8 @@ public abstract class FrameworkConstants {
 public static final String AMR = "amr";
 public static final String USER_ASSERTION = "userAssertion";
+ public static final String RETURN_ROLES_IN_SAAS_APPS_IN_ID_TOKEN = "ReturnRolesInSaaSAppsInIDToken";
+
 // Authentication entity constants.
 public static final String AUTH_ENTITY = "auth_entity";
 public static final String AUTH_ENTITY_AGENT = "agent";
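Review bot: The guard added at `if (!StringUtils.equals(serviceProvider.getTenantDomain(), authenticatedUser.getTenantDomain()) && ...` suppresses application roles inside the generic claim handler, but the switch is named `ReturnRolesInSaaSAppsInIDToken`; if `getAppAssociatedRolesOfLocalUser` feeds the roles claim for every protocol (SAML assertions, userinfo, and so on, not only the OIDC ID token — please confirm), the comment should say so, e.g. `/* Despite its name, this switch gates app roles for cross-tenant (SaaS) users in every protocol's claims, not only the ID token. */`. The comment also says "config is disabled", whereas `Boolean.parseBoolean(IdentityUtil.getProperty(...))` is equally false when the property is absent or malformed, which is the correct fail-closed default and is worth stating so a later "fix" does not flip it to open. Because the empty list is returned silently, operators chasing missing roles get no signal; if the class has a logger, a guarded `log.debug(...)` naming the two tenant domains just before `return new ArrayList<>();` would help. If any sibling path resolves roles for federated users of a SaaS application, it needs the same tenant gate, otherwise the switch only covers local users. `getAppAssociatedRolesOfLocalUser` begins before this hunk, so where `serviceProvider` and `authenticatedUser` come from is not visible here.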
diff --git a/features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/identity.xml b/features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/identity.xml
index dfd05c92dde5..f6c8ab1b0a77 100644
--- a/features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/identity.xml
+++ b/features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/identity.xml
@@ -3049,6 +3049,7 @@ -1 true + false true true
diff --git a/features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/identity.xml.j2 b/features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/identity.xml.j2
index 3d5bc9166322..0b215f6d41a0 100644
--- a/features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/identity.xml.j2
+++ b/features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/identity.xml.j2
@@ -5298,6 +5298,7 @@ {{pastr_cookie.max_age}} {{resolve_tenant_domain_from_username.enabled | default(false)}} {{authentication.mark_step_completed_on_interrupt}}
+ {{saas_apps.return_roles_in_id_token}}
diff --git a/features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/org.wso2.carbon.identity.core.server.feature.default.json b/features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/org.wso2.carbon.identity.core.server.feature.default.json
index f3dfb5766796..998a5bbd7769 100644
--- a/features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/org.wso2.carbon.identity.core.server.feature.default.json
+++ b/features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/org.wso2.carbon.identity.core.server.feature.default.json
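Review bot: The XML element tags in both identity.xml hunks have been stripped in this rendering, so the element that wraps `{{saas_apps.return_roles_in_id_token}}` cannot be checked against the key `ReturnRolesInSaaSAppsInIDToken` that `IdentityUtil.getProperty` reads in DefaultClaimHandler; please verify the element name and its position under the root, since a mismatch silently leaves the switch off (at least the closed state). The neighbouring `{{resolve_tenant_domain_from_username.enabled | default(false)}}` guards a missing deployment key in the template itself, while the new line relies on the default.json entry alone; writing it as `{{saas_apps.return_roles_in_id_token | default(false)}}` keeps the two consistent and makes the fail-closed default visible where the template is read.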
@@ -2405,5 +2405,7 @@
 "circuit_breaker.min_calls_to_evaluate": 15,
 "circuit_breaker.failure_rate_threshold": 0.5,
 "circuit_breaker.open_duration": 60000,
- "circuit_breaker.max_in_flight": 20
+ "circuit_breaker.max_in_flight": 20,
+
+ "saas_apps.return_roles_in_id_token": false
 }