wso2 · gershom96 · Sep 7, 2022 · Sep 7, 2022 · Sep 8, 2022 · Sep 8, 2022
diff --git a/...g/wso2/carbon/identity/api/server/application/management/v1/AccessTokenConfiguration.java b/...g/wso2/carbon/identity/api/server/application/management/v1/AccessTokenConfiguration.java
@@ -22,6 +22,8 @@
 import com.fasterxml.jackson.annotation.JsonCreator;
 import io.swagger.annotations.ApiModel;
 import io.swagger.annotations.ApiModelProperty;
+import java.util.ArrayList;
+import java.util.List;
 import javax.validation.constraints.*;
 
 
@@ -33,6 +35,8 @@
 public class AccessTokenConfiguration  {
 
     private String type;
+    private List<String> audience = null;
+
     private Long userAccessTokenExpiryInSeconds;
     private Long applicationAccessTokenExpiryInSeconds;
     private String bindingType = "None";
@@ -59,6 +63,32 @@ public void setType(String type) {
 
     /**
     **/
+    public AccessTokenConfiguration audience(List<String> audience) {
+
+        this.audience = audience;
+        return this;
+    }
+
+    @ApiModelProperty(example = "[\"http://idp.xyz.com\"]", value = "")
+    @JsonProperty("audience")
+    @Valid
+    public List<String> getAudience() {
+        return audience;
+    }
+    public void setAudience(List<String> audience) {
+        this.audience = audience;
+    }
+
+    public AccessTokenConfiguration addAudienceItem(String audienceItem) {
+        if (this.audience == null) {
+            this.audience = new ArrayList<>();
+        }
+        this.audience.add(audienceItem);
+        return this;
+    }
+
+        /**
+    **/
     public AccessTokenConfiguration userAccessTokenExpiryInSeconds(Long userAccessTokenExpiryInSeconds) {
 
         this.userAccessTokenExpiryInSeconds = userAccessTokenExpiryInSeconds;
@@ -163,6 +193,7 @@ public boolean equals(java.lang.Object o) {
         }
         AccessTokenConfiguration accessTokenConfiguration = (AccessTokenConfiguration) o;
         return Objects.equals(this.type, accessTokenConfiguration.type) &&
+            Objects.equals(this.audience, accessTokenConfiguration.audience) &&
             Objects.equals(this.userAccessTokenExpiryInSeconds, accessTokenConfiguration.userAccessTokenExpiryInSeconds) &&
             Objects.equals(this.applicationAccessTokenExpiryInSeconds, accessTokenConfiguration.applicationAccessTokenExpiryInSeconds) &&
             Objects.equals(this.bindingType, accessTokenConfiguration.bindingType) &&
@@ -172,7 +203,7 @@ public boolean equals(java.lang.Object o) {
 
     @Override
     public int hashCode() {
-        return Objects.hash(type, userAccessTokenExpiryInSeconds, applicationAccessTokenExpiryInSeconds, bindingType, revokeTokensWhenIDPSessionTerminated, validateTokenBinding);
+        return Objects.hash(type, audience, userAccessTokenExpiryInSeconds, applicationAccessTokenExpiryInSeconds, bindingType, revokeTokensWhenIDPSessionTerminated, validateTokenBinding);
     }
 
     @Override
@@ -182,6 +213,7 @@ public String toString() {
         sb.append("class AccessTokenConfiguration {\n");
 
         sb.append("    type: ").append(toIndentedString(type)).append("\n");
+        sb.append("    audience: ").append(toIndentedString(audience)).append("\n");
         sb.append("    userAccessTokenExpiryInSeconds: ").append(toIndentedString(userAccessTokenExpiryInSeconds)).append("\n");
         sb.append("    applicationAccessTokenExpiryInSeconds: ").append(toIndentedString(applicationAccessTokenExpiryInSeconds)).append("\n");
         sb.append("    bindingType: ").append(toIndentedString(bindingType)).append("\n");

diff --git a/...n/management/v1/core/functions/application/inbound/oauth2/ApiModelToOAuthConsumerApp.java b/...n/management/v1/core/functions/application/inbound/oauth2/ApiModelToOAuthConsumerApp.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2019, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+ * Copyright (c) 2019, WSO2 LLC. (http://www.wso2.org) All Rights Reserved.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -13,6 +13,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
+
 package org.wso2.carbon.identity.api.server.application.management.v1.core.functions.application.inbound.oauth2;
 
 import org.apache.commons.collections.CollectionUtils;
@@ -88,7 +89,7 @@ private void updateIdTokenConfiguration(OAuthConsumerAppDTO consumerAppDTO, IdTo
 
         if (idToken != null) {
             setIfNotNull(idToken.getExpiryInSeconds(), consumerAppDTO::setIdTokenExpiryTime);
-            consumerAppDTO.setAudiences(Optional.ofNullable(idToken.getAudience())
+            consumerAppDTO.setIdTokenAudiences(Optional.ofNullable(idToken.getAudience())
                     .map(audiences -> audiences.toArray(new String[0]))
                     .orElse(new String[0])
             );
@@ -131,6 +132,10 @@ private void updateAccessTokenConfiguration(OAuthConsumerAppDTO consumerAppDTO,
         if (accessToken != null) {
             consumerAppDTO.setTokenType(accessToken.getType());
             consumerAppDTO.setUserAccessTokenExpiryTime(accessToken.getUserAccessTokenExpiryInSeconds());
+            consumerAppDTO.setAccessTokenAudiences(Optional.ofNullable(accessToken.getAudience())
+                    .map(audiences -> audiences.toArray(new String[0]))
+                    .orElse(new String[0])
+            );
             consumerAppDTO.setApplicationAccessTokenExpiryTime(accessToken.getApplicationAccessTokenExpiryInSeconds());
             consumerAppDTO.setTokenBindingType(accessToken.getBindingType());
             if (accessToken.getRevokeTokensWhenIDPSessionTerminated() != null) {

diff --git a/...n/management/v1/core/functions/application/inbound/oauth2/OAuthConsumerAppToApiModel.java b/...n/management/v1/core/functions/application/inbound/oauth2/OAuthConsumerAppToApiModel.java
@@ -1,18 +1,21 @@
 /*
- * Copyright (c) 2019, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+ * Copyright (c) 2019, WSO2 LLC. (http://www.wso2.org) All Rights Reserved.
  *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
  * You may obtain a copy of the License at
  *
  * http://www.apache.org/licenses/LICENSE-2.0
  *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
  */
+
 package org.wso2.carbon.identity.api.server.application.management.v1.core.functions.application.inbound.oauth2;
 
 import org.apache.commons.lang.StringUtils;
@@ -24,6 +27,7 @@
 import org.wso2.carbon.identity.api.server.application.management.v1.OpenIDConnectConfiguration;
 import org.wso2.carbon.identity.api.server.application.management.v1.RefreshTokenConfiguration;
 import org.wso2.carbon.identity.oauth.dto.OAuthConsumerAppDTO;
+import org.wso2.carbon.identity.oauth2.internal.OAuth2ServiceComponentHolder;
 
 import java.util.ArrayList;
 import java.util.Arrays;
@@ -78,14 +82,20 @@ private OAuth2PKCEConfiguration buildPKCEConfiguration(OAuthConsumerAppDTO oAuth
 
     private AccessTokenConfiguration buildTokenConfiguration(OAuthConsumerAppDTO oAuthConsumerAppDTO) {
 
-        return new AccessTokenConfiguration()
+        AccessTokenConfiguration accessTokenConfiguration = new AccessTokenConfiguration()
                 .type(oAuthConsumerAppDTO.getTokenType())
                 .userAccessTokenExpiryInSeconds(oAuthConsumerAppDTO.getUserAccessTokenExpiryTime())
                 .applicationAccessTokenExpiryInSeconds(oAuthConsumerAppDTO.getApplicationAccessTokenExpiryTime())
                 .bindingType(oAuthConsumerAppDTO.getTokenBindingType())
                 .revokeTokensWhenIDPSessionTerminated(oAuthConsumerAppDTO
                         .isTokenRevocationWithIDPSessionTerminationEnabled())
                 .validateTokenBinding(oAuthConsumerAppDTO.isTokenBindingValidationEnabled());
+
+        if (!OAuth2ServiceComponentHolder.isLegacyAudienceEnabled()) {
+            accessTokenConfiguration.audience(getAccessTokenAudiences(oAuthConsumerAppDTO.getAccessTokenAudiences()));
+        }
+
+        return accessTokenConfiguration;
     }
 
     private RefreshTokenConfiguration buildRefreshTokenConfiguration(OAuthConsumerAppDTO oAuthConsumerAppDTO) {
@@ -99,17 +109,18 @@ private IdTokenConfiguration buildIdTokenConfiguration(OAuthConsumerAppDTO oAuth
 
         return new IdTokenConfiguration()
                 .expiryInSeconds(oAuthConsumerAppDTO.getIdTokenExpiryTime())
-                .audience(getAudiences(oAuthConsumerAppDTO))
+                .audience(getIdTokenAudiences(oAuthConsumerAppDTO.getIdTokenAudiences()))
                 .encryption(buildIdTokenEncryptionConfiguration(oAuthConsumerAppDTO));
     }
 
-    private List<String> getAudiences(OAuthConsumerAppDTO oAuthConsumerAppDTO) {
+    private List<String> getIdTokenAudiences(String[] audiences) {
 
-        if (oAuthConsumerAppDTO.getAudiences() == null) {
-            return Collections.emptyList();
-        } else {
-            return Arrays.asList(oAuthConsumerAppDTO.getAudiences());
-        }
+        return (audiences == null) ? Collections.emptyList() : Arrays.asList(audiences);
+    }
+
+    private List<String> getAccessTokenAudiences(String[] audiences) {
+
+        return (audiences == null) ? Collections.emptyList() : Arrays.asList(audiences);
     }
 
     private IdTokenEncryptionConfiguration buildIdTokenEncryptionConfiguration(OAuthConsumerAppDTO appDTO) {

diff --git a/...cation/management/v1/core/functions/application/inbound/oauth2/OAuthInboundFunctions.java b/...cation/management/v1/core/functions/application/inbound/oauth2/OAuthInboundFunctions.java
@@ -36,6 +36,7 @@
 import org.wso2.carbon.identity.oauth.IdentityOAuthClientException;
 import org.wso2.carbon.identity.oauth.common.OAuthConstants;
 import org.wso2.carbon.identity.oauth.dto.OAuthConsumerAppDTO;
+import org.wso2.carbon.identity.oauth2.internal.OAuth2ServiceComponentHolder;
 
 import java.util.List;
 import java.util.UUID;
@@ -89,6 +90,13 @@ public static InboundAuthenticationRequestConfig putOAuthInbound(ServiceProvider
                     throw buildBadRequestError("Invalid ClientSecret provided for update.");
                 }
 
+                if (OAuth2ServiceComponentHolder.isLegacyAudienceEnabled()) {
+                    if (oidcConfigModel.getAccessToken().getAudience() != null) {
+                        throw buildBadRequestError("Cannot set audiences for access token if legacy audiences " +
+                                "are enabled.");
+                    }
+                }
+
                 OAuthConsumerAppDTO appToUpdate = new ApiModelToOAuthConsumerApp().apply(application
                         .getApplicationName(), oidcConfigModel);
                 ApplicationManagementServiceHolder.getOAuthAdminService().updateConsumerApplication(appToUpdate);

diff --git a/...carbon.identity.api.server.application.management.v1/src/main/resources/applications.yaml b/...carbon.identity.api.server.application.management.v1/src/main/resources/applications.yaml
@@ -3079,6 +3079,12 @@ components:
         type:
           type: string
           example: JWT
+        audience:
+          type: array
+          example:
+            - 'http://idp.xyz.com'
+          items:
+            type: string
         userAccessTokenExpiryInSeconds:
           type: integer
           format: int64

diff --git a/pom.xml b/pom.xml
@@ -604,7 +604,7 @@
         <identity.workflow.impl.bps.version>5.2.0</identity.workflow.impl.bps.version>
         <maven.checkstyleplugin.excludes>**/gen/**/*</maven.checkstyleplugin.excludes>
         <identity.event.handler.version>1.4.4</identity.event.handler.version>
-        <identity.inbound.oauth2.version>6.11.51</identity.inbound.oauth2.version>
+        <identity.inbound.oauth2.version>6.11.90</identity.inbound.oauth2.version>
         <identity.inbound.saml2.version>5.11.16</identity.inbound.saml2.version>
         <commons.beanutils.version>1.9.4</commons.beanutils.version>
         <mavan.findbugsplugin.exclude.file>findbugs-exclude-filter.xml</mavan.findbugsplugin.exclude.file>