
/userinfo endpoint returns all the roles assigned to user instead of the token obtained application related roles #23075

Open
AnuradhaSK opened this issue Feb 16, 2025 · 2 comments

Comments


AnuradhaSK commented Feb 16, 2025

Description

  1. Create two applications which consume app audience roles and org audience roles
  2. Create some roles in the system while having the same name for app audience role and org audience role too
  3. Create a user and assign all the roles to him
  (screenshot attached)
  4. In a created app enable password grant, request roles as required attribute (I used the app role consuming application)
  5. Get an access token and id token using password grant for the user mentioned in step 3
  6. Decode the id token, you can see the roles assigned to the user related to that application
  (screenshot attached)
  7. Invoke /userinfo endpoint with the obtained token. It returns all user assigned roles. If there are more roles with same name (in multiple audiences) it can't be distinguished as well
  (screenshot attached)

Steps to Reproduce

Refer to the description

Version

IS-7.1.0-beta2-SNAPSHOT

Environment Details (with versions)

No response
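As an added example (not part of this issue or of the WSO2 IS code base), a small offline check that mirrors the last two steps of the description above: decode the roles claim from the ID token and compare it with the /userinfo response, flagging roles the token did not carry and same-named roles that become indistinguishable once audience information is dropped. The token and the userinfo document are constructed sample data; swap in a real ID token and the JSON returned by /userinfo to run the same comparison against a deployment.

```python
"""Compare the roles claim of an ID token with the roles returned by /userinfo.
Added example; the token and userinfo document below are constructed samples."""
import base64
import json


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload segment of a compact JWT without verifying it.
    Sufficient for comparing claims; signature validation is out of scope here."""
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def compare_roles(id_token_claims: dict, userinfo: dict) -> dict:
    """Report roles /userinfo returns but the ID token does not (and vice versa),
    plus role names listed more than once, i.e. same-named roles from several
    audiences that a flat list of strings cannot tell apart."""
    token_roles = set(id_token_claims.get("roles", []))
    info_roles = list(userinfo.get("roles", []))
    duplicates = sorted({r for r in info_roles if info_roles.count(r) > 1})
    return {
        "extra_in_userinfo": sorted(set(info_roles) - token_roles),
        "missing_in_userinfo": sorted(token_roles - set(info_roles)),
        "ambiguous_names": duplicates,
        "consistent": set(info_roles) == token_roles and not duplicates,
    }


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def build_unsigned_token(claims: dict) -> str:
    """Build an unsigned JWT for offline testing only (constructed sample input)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


# Constructed sample: the ID token carries only the roles scoped to the application ...
SAMPLE_ID_TOKEN = build_unsigned_token(
    {"sub": "user1", "aud": "app-client-id", "roles": ["manager", "auditor"]})
# ... while the constructed /userinfo response lists every role the user holds,
# including a second "manager" role from another audience and an unrelated one.
SAMPLE_USERINFO = {"sub": "user1", "roles": ["manager", "manager", "auditor", "finance"]}

if __name__ == "__main__":
    report = compare_roles(decode_jwt_payload(SAMPLE_ID_TOKEN), SAMPLE_USERINFO)
    print(json.dumps(report, indent=2))
```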

@AnuradhaSK AnuradhaSK changed the title /user-info endpoint returns all the roles assigned to user instead of the token obtained application related roles /userinfo endpoint returns all the roles assigned to user instead of the token obtained application related roles Feb 16, 2025
@shashimalcse shashimalcse self-assigned this Feb 17, 2025
@shashimalcse

This issue is not reproducible with the code grant because attributes are retrieved from the cache. Still we need to fix the role claim resolver for other grants and when the cache attributes are not there. This PR will address the issue but we might have to keep the backward compatibility.


DMHP commented Feb 18, 2025

Due to the backward incompatibility issue, will take off from the IS 7.1 board.
