Application/* roles are getting removed upon federated users re-login to servers #4402

Closed
malinthaprasan opened this issue Mar 3, 2019 · 3 comments
Labels: 2.1.0, 2.2.0, 2.5.0, 2.6.0, Docs/No Impact, Type/Bug

@malinthaprasan
Contributor

Description:
In an SSO (federated) setup where user stores are not shared and provisioning is enabled, the Application/* roles are removed from users when they re-login. Due to this, the users are unable to delete/update OAuth applications created in the Store after re-login.

The reason for the issue is that the current DefaultProvisioningHandler.java doesn't consider skipping Application/* roles when updating the roles of a user (on re-login).

OS, DB, other environment details and versions:
SSO, Federated, JIT Provisioning

Steps to reproduce:

  1. Create an SSO setup enabling provisioning
  2. Log into Store using a user with SSO
  3. Create an application and generate keys

Now check from the carbon console for the particular user. The application role is assigned to the particular user.

  1. Log out from the Store.
  2. Log in to the Store again with the same user.

Now check from the carbon console for the particular user. The application role is not assigned to the particular user.

@malinthaprasan added the Type/Bug, 2.1.0, 2.2.0, 2.5.0 and 2.6.0 labels on Mar 3, 2019
praminda added a commit to praminda/carbon-identity-framework that referenced this issue Mar 6, 2019
Fixes wso2/product-apim#4402

Deleting internal roles such as Application/* causes issues in
APIM SSO setup.
@praminda
Contributor

Fixed with wso2/carbon-identity-framework#2084

@praminda added this to the 3.0.0-m32 milestone on Mar 26, 2019
@praminda added the Docs/No Impact label on Mar 26, 2019
@josecu08

I'm having this issue on APIM 4.0.0. I have configured WSO2 IS using the guide in the docs. However, when I create an application using devportal with api_user I cannot edit the application upon relogin. I've checked in management console that after a login the application/* role is not assigned anymore.

@praminda
Contributor

pls configure org.wso2.carbon.identity.application.authentication.framework.handler.provisioning.impl.SystemRolesRetainedProvisionHandler.java as the provisioning handler. It should resolve the issue.
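
The role reconciliation described in this issue, as an added example that is not part of the thread and is not WSO2's code: on re-login the provisioned account's local roles are diffed against the roles asserted by the IdP, and the second variant keeps `Application/` roles out of the delete set. The class name, method names and sample roles are hypothetical and constructed for illustration.

```java
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

// Added illustration; class, method and role names are hypothetical, not WSO2 code.
public class RoleSyncDemo {

    // Prefix of the locally managed roles named in the issue.
    static final String RETAINED_PREFIX = "Application/";

    // Behaviour described in the issue: every local role the IdP did not assert is dropped.
    static Set<String> rolesToDelete(Set<String> local, Set<String> asserted) {
        Set<String> delete = new LinkedHashSet<>(local);
        delete.removeAll(asserted);
        return delete;
    }

    // Same diff, but roles under the retained prefix are never scheduled for deletion.
    static Set<String> rolesToDeleteRetaining(Set<String> local, Set<String> asserted) {
        Set<String> delete = rolesToDelete(local, asserted);
        delete.removeIf(role -> role.startsWith(RETAINED_PREFIX));
        return delete;
    }

    // Roles the IdP asserted that the local account does not hold yet.
    static Set<String> rolesToAdd(Set<String> local, Set<String> asserted) {
        Set<String> add = new LinkedHashSet<>(asserted);
        add.removeAll(local);
        return add;
    }

    public static void main(String[] args) {
        // Constructed sample: local roles after the user created an application in the Store.
        Set<String> local = new LinkedHashSet<>(List.of(
                "engineering", "contractors", "Application/alice_DefaultApplication_PRODUCTION"));
        // Constructed sample: roles asserted by the federated IdP on re-login.
        Set<String> asserted = new LinkedHashSet<>(List.of("engineering", "api-publishers"));

        System.out.println("add:               " + rolesToAdd(local, asserted));
        System.out.println("delete (naive):    " + rolesToDelete(local, asserted));
        System.out.println("delete (retained): " + rolesToDeleteRetaining(local, asserted));
    }
}
```

Roles kept out of the delete set are no longer revoked by the IdP's assertions, so their lifecycle has to be handled locally, for example when the owning application is deleted.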
