Fix Filter internal organization scopes for root organization users#2999
BashithaShamila wants to merge 6 commits into wso2-extensions:master from
```java
private void parseRemoveInternalOrgScopesForRootOrg(OMElement oauthConfigElem) {

    OMElement removeInternalOrgScopesForRootOrgElem = oauthConfigElem.getFirstChildWithName(
            getQNameWithIdentityNS(ConfigElements.REMOVE_INTERNAL_ORG_SCOPES_FOR_ROOT_ORG));

    if (removeInternalOrgScopesForRootOrgElem != null) {
        removeInternalOrgScopesForRootOrg = Boolean.parseBoolean(
                removeInternalOrgScopesForRootOrgElem.getText().trim());
    }
```
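Review bot: `Boolean.parseBoolean` in the last three lines of this method treats any text other than a case-insensitive "true" as false, so a misspelled value in identity.xml silently leaves the feature disabled with nothing in the logs to show why. Consider checking that the trimmed text is exactly "true" or "false" and logging a warning otherwise, so a misconfiguration is visible when troubleshooting.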
#### Log Improvement Suggestion No: 1

Suggested change:

```diff
 private void parseRemoveInternalOrgScopesForRootOrg(OMElement oauthConfigElem) {
     OMElement removeInternalOrgScopesForRootOrgElem = oauthConfigElem.getFirstChildWithName(
             getQNameWithIdentityNS(ConfigElements.REMOVE_INTERNAL_ORG_SCOPES_FOR_ROOT_ORG));
     if (removeInternalOrgScopesForRootOrgElem != null) {
         removeInternalOrgScopesForRootOrg = Boolean.parseBoolean(
                 removeInternalOrgScopesForRootOrgElem.getText().trim());
+        log.info("Remove internal org scopes for root org enabled: " + removeInternalOrgScopesForRootOrg);
     }
```
```java
if (StringUtils.isNotBlank(scopeValidationContext.getAuthenticatedUser().getAccessingOrganization())) {
    List<String> internalOrgScopes = associatedScopes.stream()
```
#### Log Improvement Suggestion No: 2

Suggested change:

```diff
 if (StringUtils.isNotBlank(scopeValidationContext.getAuthenticatedUser().getAccessingOrganization())) {
+    if (log.isDebugEnabled()) {
+        log.debug("User is accessing organization: " + scopeValidationContext.getAuthenticatedUser().getAccessingOrganization() + ". Filtering internal scopes.");
+    }
     List<String> internalOrgScopes = associatedScopes.stream()
```
```java
if (OAuthServerConfiguration.getInstance().isRemoveInternalOrgScopesForRootOrgEnabled()) {
    // Remove Organization scopes issues for the root organization
```
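Review bot: the comment on the second line, "Remove Organization scopes issues for the root organization", reads as a typo; "Remove internal organization scopes issued for the root organization" states the intent of the branch and matches the config name it is gated on.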
#### Log Improvement Suggestion No: 3

Suggested change:

```diff
 if (OAuthServerConfiguration.getInstance().isRemoveInternalOrgScopesForRootOrgEnabled()) {
+    if (log.isDebugEnabled()) {
+        log.debug("Removing internal organization scopes for root organization access.");
+    }
     // Remove Organization scopes issues for the root organization
```
#### AI Agent Log Improvement Checklist

- The log-related comments and suggestions in this review were generated by an AI tool to assist with identifying potential improvements. The purpose of reviewing the code for log improvements is to improve the troubleshooting capabilities of our products.
- Please make sure to manually review and validate all suggestions before applying any changes. Not every code suggestion would make sense or add value to our purpose. Therefore, you have the freedom to decide which of the suggestions are helpful.

✅ Before merging this pull request:

- Review all AI-generated comments for accuracy and relevance.
- Complete and verify the table below. We need your feedback to measure the accuracy of these suggestions and the value they add. If you are rejecting a certain code suggestion, please mention the reason briefly in the suggestion for us to capture it.

| Comment | Accepted (Y/N) | Reason |
|---|---|---|
| Log Improvement Suggestion No: 1 | | |
| Log Improvement Suggestion No: 2 | | |
| Log Improvement Suggestion No: 3 | | |
Codecov Report: ❌ Patch coverage is

Additional details and impacted files:

```text
@@             Coverage Diff              @@
##             master    #2999      +/-   ##
============================================
+ Coverage     56.42%   56.49%   +0.06%
- Complexity    10142    10234      +92
============================================
  Files           677      677
  Lines         58487    59388     +901
  Branches      13897    14044     +147
============================================
+ Hits          33002    33551     +549
- Misses        20853    21186     +333
- Partials       4632     4651      +19
```
```java
private final List<String> restrictedQueryParameters = new ArrayList<>();

private boolean removeInternalOrgScopesForRootOrg = false;
```
Suggested change:

```diff
-private boolean removeInternalOrgScopesForRootOrg = false;
+private boolean disableInternalOrgScopeIssuanceForRootOrg = false;
```
```java
parseRemoveInternalPrefixFromMappedRolesAttributeInToken(oauthElem);

//Read config for removing internal_org_ scopes for root org
parseRemoveInternalOrgScopesForRootOrg(oauthElem);
```
Suggested change:

```diff
-parseRemoveInternalOrgScopesForRootOrg(oauthElem);
+parseDisableInternalOrgScopeIssuanceForRootOrg(oauthElem);
```
```java
    parseRemoveInternalOrgScopesForRootOrg(oauthElem);
}

private void parseRemoveInternalOrgScopesForRootOrg(OMElement oauthConfigElem) {
```
Suggested change:

```diff
-private void parseRemoveInternalOrgScopesForRootOrg(OMElement oauthConfigElem) {
+private void parseDisableInternalOrgScopeIssuanceForRootOrg(OMElement oauthConfigElem) {
```
```java
private void parseRemoveInternalOrgScopesForRootOrg(OMElement oauthConfigElem) {

    OMElement removeInternalOrgScopesForRootOrgElem = oauthConfigElem.getFirstChildWithName(
```
Suggested change (the suggestion as posted had a stray space before `Elem`, which would not compile; the identifier is joined here):

```diff
-OMElement removeInternalOrgScopesForRootOrgElem = oauthConfigElem.getFirstChildWithName(
+OMElement disableInternalOrgScopeIssuanceForRootOrgElem = oauthConfigElem.getFirstChildWithName(
```
Let's update other places similarly.

Resolved review threads:

- ...tity.oauth/src/main/java/org/wso2/carbon/identity/oauth/config/OAuthServerConfiguration.java
- ...arbon/identity/oauth2/validators/validationhandler/impl/RoleBasedScopeValidationHandler.java (outdated)
Commits:

- …o2/carbon/identity/oauth2/validators/validationhandler/impl/RoleBasedScopeValidationHandler.java (Co-authored-by: Sujan Sanjula <56070320+SujanSanjula96@users.noreply.github.com>)
- …o2/carbon/identity/oauth/config/OAuthServerConfiguration.java (Co-authored-by: Sujan Sanjula <56070320+SujanSanjula96@users.noreply.github.com>)

PR builder started

PR builder completed

jenkins-is-staging left a comment:

Approving the pull request based on the successful pr build https://github.com/wso2/product-is/actions/runs/20364792534
#### Description

This PR introduces a mechanism to filter out `internal_org_` scopes when a user is accessing the root organization. Currently, these scopes, which are intended for sub-organizations, can appear in the root organization context.

#### Changes

- Introduced a new configuration `RemoveInternalOrgScopesForRootOrg` in `OAuthServerConfiguration`.
- Updated `RoleBasedScopeValidationHandler` to check this configuration.
- If enabled, `internal_org_` prefixed scopes are removed from the associated scopes list when the user is in the root organization.

#### Backward Compatibility

- The configuration defaults to `false`.
- Existing deployments will retain current behavior (scopes are not removed) unless explicitly enabled in `identity.xml`.

Issue: wso2/product-is#24880
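The filtering rule the description outlines, as an added stand-alone illustration that is not code from this PR or from the WSO2 code base: the `internal_org_` scopes are dropped only when the user has no accessing organization (root organization) and the configuration is enabled, so the default leaves the scope list untouched. The class, method and sample scope names are constructed for this example; the identity.xml lookup is replaced by a boolean parameter, and the sub-organization branch shown only partially on the page is left out.

```java
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;

public class InternalOrgScopeFilterExample {

    // Prefix of the organization-level scopes meant for sub-organization users.
    static final String INTERNAL_ORG_SCOPE_PREFIX = "internal_org_";

    /**
     * Hypothetical helper mirroring the gate described in the PR: internal_org_ scopes are
     * removed only when the user has no accessing organization (i.e. is in the root
     * organization) AND RemoveInternalOrgScopesForRootOrg is enabled. With the default
     * (false) the list is returned unchanged, which is the stated backward-compatibility
     * guarantee.
     */
    static List<String> filterScopesForRootOrg(List<String> associatedScopes,
                                               String accessingOrganization,
                                               boolean removeInternalOrgScopesForRootOrg) {
        boolean inSubOrganization =
                accessingOrganization != null && !accessingOrganization.trim().isEmpty();
        if (inSubOrganization || !removeInternalOrgScopesForRootOrg) {
            // Sub-organization users are handled by a separate branch not shown here.
            return associatedScopes;
        }
        return associatedScopes.stream()
                .filter(scope -> !scope.startsWith(INTERNAL_ORG_SCOPE_PREFIX))
                .collect(Collectors.toList());
    }

    public static void main(String[] args) {
        // Constructed sample scope list, not taken from a real deployment.
        List<String> scopes = Arrays.asList(
                "internal_user_mgt_list",
                "internal_org_user_mgt_list",
                "internal_org_application_mgt_view");

        // Root organization, configuration left at its default: nothing is removed.
        System.out.println(filterScopesForRootOrg(scopes, null, false));
        // Root organization, configuration enabled: the internal_org_ scopes are dropped.
        System.out.println(filterScopesForRootOrg(scopes, null, true));
        // User accessing a sub-organization: this rule does not apply.
        System.out.println(filterScopesForRootOrg(scopes, "constructed-sub-org-id", true));
    }
}
```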