Introduce POST_TOKEN_ISSUANCE event and fire it after access token issuance.

Author: RushanNanayakkara

components/org.wso2.carbon.identity.oauth.stub/src/main/resources/OAuth2TokenValidationService.wsdl

@@ -102,7 +102,7 @@
                 <xs:sequence>
                     <xs:element minOccurs="0" name="identifier" nillable="true" type="xs:string"/>
                     <xs:element minOccurs="0" name="issuer" nillable="true" type="xs:string"/>
-                    <xs:element minOccurs="0" name="tokenType" nillable="true" type="xs:string"/>
+                    <xs:element minOccurs="0" name="tokenCategory" nillable="true" type="xs:string"/>
                 </xs:sequence>
             </xs:complexType>
             <xs:complexType name="OAuth2TokenValidationRequestDTO_TokenValidationContextParam">
@@ -131,7 +131,7 @@
             <xs:complexType name="OAuth2TokenValidationResponseDTO_AuthorizationContextToken">
                 <xs:sequence>
                     <xs:element minOccurs="0" name="tokenString" nillable="true" type="xs:string"/>
-                    <xs:element minOccurs="0" name="tokenType" nillable="true" type="xs:string"/>
+                    <xs:element minOccurs="0" name="tokenCategory" nillable="true" type="xs:string"/>
                 </xs:sequence>
             </xs:complexType>
             <xs:complexType name="OAuth2IntrospectionResponseDTO">
@@ -152,7 +152,7 @@
                     <xs:element maxOccurs="unbounded" minOccurs="0" name="properties" nillable="true" type="xs:string"/>
                     <xs:element minOccurs="0" name="scope" nillable="true" type="xs:string"/>
                     <xs:element minOccurs="0" name="sub" nillable="true" type="xs:string"/>
-                    <xs:element minOccurs="0" name="tokenType" nillable="true" type="xs:string"/>
+                    <xs:element minOccurs="0" name="tokenCategory" nillable="true" type="xs:string"/>
                     <xs:element minOccurs="0" name="userContext" nillable="true" type="xs:string"/>
                     <xs:element minOccurs="0" name="username" nillable="true" type="xs:string"/>
                 </xs:sequence>

components/org.wso2.carbon.identity.oauth.stub/src/main/resources/OAuthAdminService.wsdl

@@ -437,7 +437,7 @@
                     <xs:element minOccurs="0" name="tokenEndpointAuthMethod" nillable="true" type="xs:string"/>
                     <xs:element minOccurs="0" name="tokenEndpointAuthSignatureAlgorithm" nillable="true" type="xs:string"/>
                     <xs:element minOccurs="0" name="tokenRevocationWithIDPSessionTerminationEnabled" type="xs:boolean"/>
-                    <xs:element minOccurs="0" name="tokenType" nillable="true" type="xs:string"/>
+                    <xs:element minOccurs="0" name="tokenCategory" nillable="true" type="xs:string"/>
                     <xs:element minOccurs="0" name="userAccessTokenExpiryTime" type="xs:long"/>
                     <xs:element minOccurs="0" name="username" nillable="true" type="xs:string"/>
                 </xs:sequence>

components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/model/TokenIssuanceDO.java

@@ -0,0 +1,169 @@
+/*
+ *  Copyright (c) 2025, WSO2 LLC. (http://www.wso2.com).
+ *
+ *  WSO2 LLC. licenses this file to you under the Apache License,
+ *  Version 2.0 (the "License"); you may not use this file except
+ *  in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License.
+ */
+package org.wso2.carbon.identity.oauth2.model;
+
+import org.wso2.carbon.identity.openidconnect.OIDCConstants;
+
+/**
+ * Data object to contain information related to token issuance.
+ */
+public class TokenIssuanceDO {
+
+    private final String tokenId;
+    private final String tokenType;
+    private final String tenantDomain;
+    private final String clientId;
+    private final String grantType;
+    private final OIDCConstants.TokenBillingCategory tokenBillingCategory;
+    private final int appResidentTenantId;
+    private final String issuedTime;
+    private final String authorizedOrganizationId;
+
+    private TokenIssuanceDO(Builder builder) {
+
+        this.tokenId = builder.tokenId;
+        this.tokenType = builder.tokenType;
+        this.tenantDomain = builder.tenantDomain;
+        this.clientId = builder.clientId;
+        this.grantType = builder.grantType;
+        this.tokenBillingCategory = builder.tokenBillingCategory;
+        this.appResidentTenantId = builder.appResidentTenantId;
+        this.issuedTime = builder.issuedTime;
+        this.authorizedOrganizationId = builder.authorizedOrganizationId;
+    }
+
+    public String getTokenId() {
+
+        return tokenId;
+    }
+
+    public String getTokenType() {
+
+        return tokenType;
+    }
+
+    public String getTenantDomain() {
+
+        return tenantDomain;
+    }
+
+    public String getClientId() {
+
+        return clientId;
+    }
+
+    public String getGrantType() {
+
+        return grantType;
+    }
+
+    public OIDCConstants.TokenBillingCategory getTokenBillingCategory() {
+
+        return tokenBillingCategory;
+    }
+
+    public int getAppResidentTenantId() {
+
+        return appResidentTenantId;
+    }
+
+    public String getIssuedTime() {
+
+        return issuedTime;
+    }
+
+    public String getAuthorizedOrganizationId() {
+
+        return authorizedOrganizationId;
+    }
+
+    /**
+     * Builder class for TokenIssuanceDO.
+     */
+    public static class Builder {
+
+        private String tokenId;
+        private String tokenType;
+        private String tenantDomain;
+        private String clientId;
+        private String grantType;
+        private OIDCConstants.TokenBillingCategory tokenBillingCategory;
+        private int appResidentTenantId;
+        private String issuedTime;
+        private String authorizedOrganizationId;
+
+        public Builder tokenId(String tokenId) {
+
+            this.tokenId = tokenId;
+            return this;
+        }
+
+        public Builder tokenType(String tokenType) {
+
+            this.tokenType = tokenType;
+            return this;
+        }
+
+        public Builder tenantDomain(String tenantDomain) {
+
+            this.tenantDomain = tenantDomain;
+            return this;
+        }
+
+        public Builder clientId(String clientId) {
+
+            this.clientId = clientId;
+            return this;
+        }
+
+        public Builder grantType(String grantType) {
+
+            this.grantType = grantType;
+            return this;
+        }
+
+        public Builder tokenBillingCategory(OIDCConstants.TokenBillingCategory tokenCategory) {
+
+            this.tokenBillingCategory = tokenCategory;
+            return this;
+        }
+
+        public Builder appResidentTenantId(int appResidentTenantId) {
+
+            this.appResidentTenantId = appResidentTenantId;
+            return this;
+        }
+
+        public Builder issuedTime(String issuedTime) {
+
+            this.issuedTime = issuedTime;
+            return this;
+        }
+
+        public Builder authorizedOrganizationId(String authorizedOrganizationId) {
+
+            this.authorizedOrganizationId = authorizedOrganizationId;
+            return this;
+        }
+
+        public TokenIssuanceDO build() {
+
+            return new TokenIssuanceDO(this);
+        }
+    }
+}

components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/AccessTokenIssuer.java

@@ -49,6 +49,8 @@
 import org.wso2.carbon.identity.oauth.cache.AuthorizationGrantCache;
 import org.wso2.carbon.identity.oauth.cache.AuthorizationGrantCacheEntry;
 import org.wso2.carbon.identity.oauth.cache.AuthorizationGrantCacheKey;
+import org.wso2.carbon.identity.oauth.cache.OAuthCache;
+import org.wso2.carbon.identity.oauth.cache.OAuthCacheKey;
 import org.wso2.carbon.identity.oauth.common.OAuth2ErrorCodes;
 import org.wso2.carbon.identity.oauth.common.OAuthConstants;
 import org.wso2.carbon.identity.oauth.common.exception.InvalidOAuthClientException;
@@ -62,6 +64,7 @@
 import org.wso2.carbon.identity.oauth2.IDTokenValidationFailureException;
 import org.wso2.carbon.identity.oauth2.IdentityOAuth2ClientException;
 import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
+import org.wso2.carbon.identity.oauth2.IdentityOAuth2ServerException;
 import org.wso2.carbon.identity.oauth2.OAuth2Constants;
 import org.wso2.carbon.identity.oauth2.ResponseHeader;
 import org.wso2.carbon.identity.oauth2.bean.OAuthClientAuthnContext;
@@ -75,7 +78,9 @@
 import org.wso2.carbon.identity.oauth2.impersonation.services.ImpersonationNotificationMgtService;
 import org.wso2.carbon.identity.oauth2.impersonation.services.ImpersonationNotificationMgtServiceImpl;
 import org.wso2.carbon.identity.oauth2.internal.OAuth2ServiceComponentHolder;
+import org.wso2.carbon.identity.oauth2.model.AccessTokenDO;
 import org.wso2.carbon.identity.oauth2.model.RequestParameter;
+import org.wso2.carbon.identity.oauth2.model.TokenIssuanceDO;
 import org.wso2.carbon.identity.oauth2.rar.util.AuthorizationDetailsUtils;
 import org.wso2.carbon.identity.oauth2.rar.validator.AuthorizationDetailsValidator;
 import org.wso2.carbon.identity.oauth2.rar.validator.DefaultAuthorizationDetailsValidator;
@@ -84,12 +89,14 @@
 import org.wso2.carbon.identity.oauth2.token.handlers.grant.AuthorizationGrantHandler;
 import org.wso2.carbon.identity.oauth2.token.handlers.response.AccessTokenResponseHandler;
 import org.wso2.carbon.identity.oauth2.util.AuthzUtil;
+import org.wso2.carbon.identity.oauth2.util.JWTUtils;
 import org.wso2.carbon.identity.oauth2.util.OAuth2TokenUtil;
 import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
 import org.wso2.carbon.identity.oauth2.validators.DefaultOAuth2ScopeValidator;
 import org.wso2.carbon.identity.oauth2.validators.JDBCPermissionBasedInternalScopeValidator;
 import org.wso2.carbon.identity.oauth2.validators.RoleBasedInternalScopeValidator;
 import org.wso2.carbon.identity.openidconnect.IDTokenBuilder;
+import org.wso2.carbon.identity.openidconnect.OIDCConstants;
 import org.wso2.carbon.identity.organization.management.service.exception.OrganizationManagementException;
 import org.wso2.carbon.user.api.UserStoreException;
 import org.wso2.carbon.user.core.common.AbstractUserStoreManager;
@@ -98,6 +105,7 @@
 import org.wso2.carbon.utils.CarbonUtils;
 import org.wso2.carbon.utils.DiagnosticLog;
 
+import java.text.ParseException;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collections;
@@ -127,7 +135,7 @@
 import static org.wso2.carbon.identity.oauth2.device.constants.Constants.DEVICE_FLOW_GRANT_TYPE;
 import static org.wso2.carbon.identity.oauth2.util.OAuth2Util.EXTENDED_REFRESH_TOKEN_DEFAULT_TIME;
 import static org.wso2.carbon.identity.oauth2.util.OAuth2Util.INTERNAL_LOGIN_SCOPE;
-import static org.wso2.carbon.identity.oauth2.util.OAuth2Util.validateRequestTenantDomain;
+import static org.wso2.carbon.identity.openidconnect.OIDCConstants.EXISTING_TOKEN_USED;
 import static org.wso2.carbon.identity.openidconnect.OIDCConstants.ID_TOKEN_USER_CLAIMS_PROP_KEY;
 
 /**
@@ -328,7 +336,7 @@ public OAuth2AccessTokenRespDTO issue(OAuth2AccessTokenReqDTO tokenReqDTO)
         // Indirectly we can say that the tenantDomain of the SP is the tenantDomain of the user who created SP.
         // This is done to avoid having to send the tenantDomain as a query param to the token endpoint
         String tenantDomainOfApp = OAuth2Util.getTenantDomainOfOauthApp(oAuthAppDO);
-        validateRequestTenantDomain(tenantDomainOfApp, tokenReqDTO);
+        OAuth2Util.validateRequestTenantDomain(tenantDomainOfApp, tokenReqDTO);
 
         tokenReqDTO.setTenantDomain(tenantDomainOfApp);
 
@@ -1364,6 +1372,11 @@ private void triggerPostListeners(OAuth2AccessTokenReqDTO tokenReqDTO,
 
         OAuthEventInterceptor oAuthEventInterceptorProxy = OAuthComponentServiceHolder.getInstance()
                 .getOAuthEventInterceptorProxy();
+        try {
+            triggerPostIssueTokenEvent(tokenReqDTO, tokenRespDTO, tokReqMsgCtx);
+        } catch (IdentityOAuth2Exception e) {
+            log.error("Error while triggering post issue token event.", e);
+        }
 
         if (isRefresh) {
             if (oAuthEventInterceptorProxy != null && oAuthEventInterceptorProxy.isEnabled()) {
@@ -1394,6 +1407,64 @@ private void triggerPostListeners(OAuth2AccessTokenReqDTO tokenReqDTO,
         }
     }
 
+    private static void triggerPostIssueTokenEvent(OAuth2AccessTokenReqDTO tokenReqDTO,
+                                                   OAuth2AccessTokenRespDTO tokenRespDTO,
+                                                   OAuthTokenReqMessageContext tokReqMsgCtx)
+            throws IdentityOAuth2Exception {
+
+        String cacheKey;
+        if (JWTUtils.isJWT(tokenRespDTO.getAccessToken())) {
+            Optional<JWTClaimsSet> jwtClaimSet;
+            try {
+                jwtClaimSet = JWTUtils.getJWTClaimSet(
+                        JWTUtils.parseJWT(tokenRespDTO.getAccessToken()));
+            } catch (ParseException e) {
+                throw new IdentityOAuth2ServerException("Error while parsing the JWT access token.", e);
+            }
+            jwtClaimSet.orElseThrow(() -> new IdentityOAuth2ServerException("Empty JWT claims set found."));
+            cacheKey = jwtClaimSet.get().getJWTID();
+        } else {
+            cacheKey = tokenRespDTO.getAccessToken();
+        }
+        if (StringUtils.isBlank(cacheKey)) {
+            throw new IdentityOAuth2ServerException("Token cache key not found.");
+        }
+        AccessTokenDO accessTokenDO = (AccessTokenDO) OAuthCache.getInstance().getValueFromCache(
+                new OAuthCacheKey(cacheKey));
+        if (accessTokenDO == null) {
+            throw new IdentityOAuth2ServerException("Access token not found in the cache");
+        }
+        String tokenType = accessTokenDO.getTokenType();
+        int appResidentTenantId = accessTokenDO.getAppResidentTenantId();
+        String issuedTime = accessTokenDO.getIssuedTime() != null ?
+                accessTokenDO.getIssuedTime().toString() : StringUtils.EMPTY;
+        String authorizedOrganizationId = accessTokenDO.getAuthorizedOrganizationId();
+        if (!existingTokenUsed(tokReqMsgCtx)) {
+            OAuth2TokenUtil.postIssueToken(new TokenIssuanceDO.Builder().
+                    tokenId(tokenRespDTO.getTokenId()).
+                    tokenType(tokenType).
+                    tenantDomain(tokReqMsgCtx.getOauth2AccessTokenReqDTO().getTenantDomain()).
+                    tokenType(accessTokenDO.getTokenType()).
+                    clientId(tokReqMsgCtx.getOauth2AccessTokenReqDTO().getClientId()).
+                    grantType(tokenReqDTO.getGrantType()).
+                    tokenBillingCategory(OIDCConstants.TokenBillingCategory.M2M_ACCESS_TOKEN).
+                    appResidentTenantId(appResidentTenantId).
+                    issuedTime(issuedTime).
+                    authorizedOrganizationId(authorizedOrganizationId).
+                    build()
+            );
+        }
+    }
+
+    private static Boolean existingTokenUsed(OAuthTokenReqMessageContext tokReqMsgCtx) {
+
+        Boolean existingTokenUsed = (Boolean) tokReqMsgCtx.getProperty(EXISTING_TOKEN_USED);
+        if (existingTokenUsed == null) {
+            existingTokenUsed = false;
+        }
+        return existingTokenUsed;
+    }
+
     /**
      * Copies the cache entry against the authorization code/device code and adds an entry against the access token.
      * This is done to reuse the calculated user claims for subsequent usages such as user info calls.