Allow sub organization applications to issue and consume tokens

components/org.wso2.carbon.identity.auth.service/src/main/java/org/wso2/carbon/identity/auth/service/handler/impl/OAuth2AccessTokenHandler.java

@@ -174,7 +174,8 @@ protected AuthenticationResult doAuthenticate(MessageContext messageContext) {
                 String serviceProviderName = null;
                 String serviceProviderUUID = null;
                 try {
-                    serviceProvider = OAuth2Util.getServiceProvider(oAuth2IntrospectionResponseDTO.getClientId());
+                    serviceProvider = OAuth2Util.getServiceProvider(oAuth2IntrospectionResponseDTO.getClientId(),
+                            oAuth2IntrospectionResponseDTO.getAuthorizedUser().getTenantDomain());
                     if (serviceProvider != null) {
                         serviceProviderName = serviceProvider.getApplicationName();
                         serviceProviderUUID = serviceProvider.getApplicationResourceId();
@@ -191,10 +192,31 @@ protected AuthenticationResult doAuthenticate(MessageContext messageContext) {
                     }
                 }
 
+                /*
+                 Set OAuthAppDO to the authentication context to be used when checking the user belongs to the
+                 requested tenant.
+                */
+                OAuthAppDO oAuthAppDO = null;
+                try {
+                    oAuthAppDO = OAuth2Util.getAppInformationByClientId(
+                            oAuth2IntrospectionResponseDTO.getClientId(),
+                            oAuth2IntrospectionResponseDTO.getAuthorizedUser().getTenantDomain());
+                } catch (IdentityOAuth2Exception | InvalidOAuthClientException e) {
+                    if (log.isDebugEnabled()) {
+                        log.debug("Error occurred while getting the OAuth App by Consumer key: "
+                                + oAuth2IntrospectionResponseDTO.getClientId() + " and tenant domain: " +
+                                oAuth2IntrospectionResponseDTO.getAuthorizedUser().getTenantDomain(), e);
+                    }
+                }
+                if (oAuthAppDO != null) {
+                    authenticationContext.addParameter(Constants.AUTH_CONTEXT_OAUTH_APP_PROPERTY, oAuthAppDO);
+                }
+
                 String serviceProviderTenantDomain = null;
                 try {
                     serviceProviderTenantDomain =
-                            OAuth2Util.getTenantDomainOfOauthApp(oAuth2IntrospectionResponseDTO.getClientId());
+                            OAuth2Util.getTenantDomainOfOauthApp(oAuth2IntrospectionResponseDTO.getClientId(),
+                                    oAuth2IntrospectionResponseDTO.getAuthorizedUser().getTenantDomain());
                 } catch (InvalidOAuthClientException | IdentityOAuth2Exception e) {
                     if (log.isDebugEnabled()) {
                         log.debug("Error occurred while getting the OAuth App tenantDomain by Consumer key: "

components/org.wso2.carbon.identity.authz.valve/src/main/java/org/wso2/carbon/identity/authz/valve/util/Utils.java

@@ -94,7 +94,14 @@ public static boolean isUserBelongsToRequestedTenant(AuthenticationContext authe
         // Check request with organization qualified URL is allowed to access.
         String organizationID = getOrganizationIdFromURLMapping(request);
         if (user != null) {
-            return StringUtils.equals(organizationID, ((AuthenticatedUser) user).getAccessingOrganization());
+            if (StringUtils.equals(organizationID, ((AuthenticatedUser) user).getAccessingOrganization())) {
+                return true;
+            } else {
+                OAuthAppDO oAuthAppDO = (OAuthAppDO) authenticationContext.getParameter(
+                        Constants.AUTH_CONTEXT_OAUTH_APP_PROPERTY);
+                tenantDomain = OAuth2Util.getTenantDomainOfOauthApp(oAuthAppDO);
+                return StringUtils.equals(((AuthenticatedUser) user).getAccessingOrganization(), tenantDomain);
+            }
         }
         return false;
     }