wso2-extensions · sadilchamishka · Dec 22, 2023
diff --git a/....identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/dao/AccessTokenDAOImpl.java b/....identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/dao/AccessTokenDAOImpl.java
@@ -3114,12 +3114,11 @@ public Set<AccessTokenDO> getAccessTokensByBindingRef(String bindingRef) throws
                             if (!OAuthConstants.AuthorizedOrganization.NONE.equals(authorizedOrganization)) {
                                 user.setAccessingOrganization(authorizedOrganization);
                                 user.setUserResidentOrganization(resolveOrganizationId(user.getTenantDomain()));
-                                /* Tenant domain of the application is set as the authenticated user tenant domain
-                                for the organization SSO login users. */
-                                if (user.isFederatedUser()) {
-                                    user.setTenantDomain(
-                                            OAuth2Util.getTenantDomain(IdentityTenantUtil.getLoginTenantId()));
-                                }
+                            }
+                            /* Tenant domain of the application is set as the authenticated user tenant domain for the
+                                users whose identity is managed by an organization. */
+                            if (user.isOrganizationUser()) {
+                                user.setTenantDomain(OAuth2Util.getTenantDomain(IdentityTenantUtil.getLoginTenantId()));
                             }
                             Timestamp issuedTime = resultSet
                                     .getTimestamp("TIME_CREATED", Calendar.getInstance(TimeZone.getTimeZone(UTC)));

diff --git a/...ntity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/dao/TokenManagementDAOImpl.java b/...ntity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/dao/TokenManagementDAOImpl.java
@@ -20,7 +20,6 @@
 
 import org.apache.commons.codec.digest.DigestUtils;
 import org.apache.commons.lang.ArrayUtils;
-import org.apache.commons.lang.StringUtils;
 import org.apache.commons.lang3.tuple.Pair;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -210,16 +209,14 @@ public RefreshTokenValidationDataDO validateRefreshToken(String consumerKey, Str
                             resultSet.getString(18) != null) {
                         extendedParams.put(resultSet.getString(17), resultSet.getString(18));
                     }
-                    // For B2B users, the users tenant domain and user resident organization should be properly set.
                     if (!OAuthConstants.AuthorizedOrganization.NONE.equals(authorizedOrganization)) {
                         user.setAccessingOrganization(authorizedOrganization);
                         user.setUserResidentOrganization(resolveOrganizationId(user.getTenantDomain()));
-                        /* Setting user's tenant domain as app residing tenant domain is not required once console is
-                            registered in each tenant. */
-                        String appResideOrg = getAppTenantDomain();
-                        if (StringUtils.isNotEmpty(appResideOrg) && user.isFederatedUser()) {
-                            user.setTenantDomain(appResideOrg);
-                        }
+                    }
+                    /* Tenant domain of the application is set as the authenticated user tenant domain for the
+                       users whose identity is managed by an organization. */
+                    if (user.isOrganizationUser()) {
+                        user.setTenantDomain(IdentityTenantUtil.getTenantDomainFromContext());
                     }
                     validationDataDO.setAuthorizedUser(user);
 
@@ -821,11 +818,6 @@ public Set<String> getAllTimeAuthorizedClientIds(AuthenticatedUser authzUser) th
         return distinctConsumerKeys;
     }
 
-    private String getAppTenantDomain() {
-
-        return IdentityTenantUtil.getTenantDomainFromContext();
-    }
-
     private String resolveOrganizationId(String tenantDomain) throws IdentityOAuth2Exception {
 
         try {

diff --git a/...rc/main/java/org/wso2/carbon/identity/openidconnect/DefaultOIDCClaimsCallbackHandler.java b/...rc/main/java/org/wso2/carbon/identity/openidconnect/DefaultOIDCClaimsCallbackHandler.java
@@ -160,7 +160,7 @@ private Map<String, Object> getUserClaimsInOIDCDialect(OAuthTokenReqMessageConte
         // Map<(http://wso2.org/claims/email, email), "[email protected]">
         Map<ClaimMapping, String> userAttributes = getCachedUserAttributes(requestMsgCtx);
         if (userAttributes.isEmpty() && (isLocalUser(requestMsgCtx.getAuthorizedUser())
-                || isOrganizationSsoUserSwitchingOrganization(requestMsgCtx.getAuthorizedUser()))) {
+                || isOrganizationUserSwitchingOrganization(requestMsgCtx.getAuthorizedUser()))) {
             if (log.isDebugEnabled()) {
                 log.debug("User attributes not found in cache against the access token or authorization code. " +
                         "Retrieving claims for local user: " + requestMsgCtx.getAuthorizedUser() + " from userstore.");
@@ -657,20 +657,17 @@ private Map<String, String> getUserClaimsInLocalDialect(String username,
     }
 
     /**
-     * Check whether an organization SSO user is trying to switch the organization.
+     * Check whether a user managed by an organization is trying to switch to another organization.
      *
      * @param authorizedUser authorized user from the token request.
-     * @return true if an organization SSO user is trying to switch the organization.
+     * @return true if an organization user is trying to switch to another organization.
      */
-    private boolean isOrganizationSsoUserSwitchingOrganization(AuthenticatedUser authorizedUser) {
-
-        String accessingOrganization = authorizedUser.getAccessingOrganization();
-        String userResidentOrganization = authorizedUser.getUserResidentOrganization();
-        /* A federated user with resident organization is considered as an organization SSO user. When the accessing
-           organization is different to the resident organization, it means the user is trying to switch the
-           organization. */
-        return authorizedUser.isFederatedUser() && userResidentOrganization != null && !userResidentOrganization.equals
-                (accessingOrganization);
+    private boolean isOrganizationUserSwitchingOrganization(AuthenticatedUser authorizedUser) {
+
+        /* For an organization user, when accessing organization is different to the resident organization,
+           it means the user is trying to switch to different organization. */
+        return authorizedUser.isOrganizationUser() &&
+                !authorizedUser.getUserResidentOrganization().equals(authorizedUser.getAccessingOrganization());
     }
 
     /**