Remove Internal domain in application roles when creating JWT access token

components/org.wso2.carbon.identity.oauth.common/src/main/java/org/wso2/carbon/identity/oauth/common/OAuthConstants.java

@@ -581,6 +581,7 @@ public static class OIDCClaims {
         public static final String EMAIL_VERIFIED = "email_verified";
         public static final String ADDRESS = "address";
         public static final String ROLES = "roles";
+        public static final String APP_ROLES = "application_roles";
         public static final String CUSTOM = "custom";
         public static final String AZP = "azp";
         public static final String AUTH_TIME = "auth_time";

components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/openidconnect/JWTAccessTokenOIDCClaimsHandler.java

@@ -643,7 +643,7 @@ private static Map<String, Object> getUserClaimsInOIDCDialectFromFederatedUserAt
                     String oidcClaimUri = oidcToLocalClaimMappings.entrySet().stream()
                             .filter(entry -> entry.getValue().equals(localClaimURI))
                             .map(Map.Entry::getKey).findFirst().orElse(null);
-                    if (oidcClaimUri != null) {
+                    if (oidcClaimUri != null && StringUtils.isNotBlank(claimValue)) {
                         userClaimsInOidcDialect.put(oidcClaimUri, claimValue);
                         if (log.isDebugEnabled() &&
                                 IdentityUtil.isTokenLoggable(IdentityConstants.IdentityTokens.USER_CLAIMS)) {

components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/openidconnect/OpenIDConnectClaimFilterImpl.java

@@ -61,6 +61,7 @@
 import static org.wso2.carbon.identity.oauth.common.OAuthConstants.LogConstants.ActionIDs.ISSUE_ACCESS_TOKEN;
 import static org.wso2.carbon.identity.oauth.common.OAuthConstants.LogConstants.OAUTH_INBOUND_SERVICE;
 import static org.wso2.carbon.identity.oauth.common.OAuthConstants.OIDCClaims.ADDRESS;
+import static org.wso2.carbon.identity.oauth.common.OAuthConstants.OIDCClaims.APP_ROLES;
 import static org.wso2.carbon.identity.oauth.common.OAuthConstants.OIDCClaims.EMAIL_VERIFIED;
 import static org.wso2.carbon.identity.oauth.common.OAuthConstants.OIDCClaims.PHONE_NUMBER_VERIFIED;
 import static org.wso2.carbon.identity.oauth.common.OAuthConstants.OIDCClaims.ROLES;
@@ -137,6 +138,7 @@ public Map<String, Object> getClaimsFilteredByOIDCScopes(Map<String, Object> use
             handleAddressClaim(claimsToBeReturned, addressScopeClaims);
         }
         handleRolesClaim(claimsToBeReturned);
+        handleApplicationRolesClaim(claimsToBeReturned);
         handleUpdateAtClaim(claimsToBeReturned);
         handlePhoneNumberVerifiedClaim(claimsToBeReturned);
         handleEmailVerifiedClaim(claimsToBeReturned);
@@ -501,6 +503,23 @@ private void handleRolesClaim(Map<String, Object> returnClaims) {
         }
     }
 
+    private void handleApplicationRolesClaim(Map<String, Object> returnClaims) {
+
+        if (returnClaims.containsKey(APP_ROLES) && IdentityUtil.isGroupsVsRolesSeparationImprovementsEnabled()
+                && returnClaims.get(APP_ROLES) instanceof String) {
+            String multiAttributeSeparator = FrameworkUtils.getMultiAttributeSeparator();
+            List<String> roles = Arrays.asList(returnClaims.get(APP_ROLES).toString().split(multiAttributeSeparator));
+
+            for (String role : roles) {
+                if (UserCoreConstants.INTERNAL_DOMAIN.equalsIgnoreCase(IdentityUtil.extractDomainFromName(role))) {
+                    String domainRemovedRole = UserCoreUtil.removeDomainFromName(role);
+                    roles.set(roles.indexOf(role), domainRemovedRole);
+                }
+            }
+            returnClaims.put(APP_ROLES, StringUtils.join(roles, multiAttributeSeparator));
+        }
+    }
+
     private void startTenantFlow(String tenantDomain, int tenantId) {
 
         PrivilegedCarbonContext.startTenantFlow();