Current Limitation
In the SAML2 Bearer Grant type, there is a recipient validation at [1] where we check whether the recipient list in the SAML assertion contains the token endpoint alias of the IS. This behaviour has been implemented to align with the specification [2], which states:
The authorization server MUST verify that the value of the Recipient attribute matches the token endpoint URL (or an acceptable alias) to which the Assertion was delivered.
However, there have been requirements where the SAML bearer grant needs to be used to exchange a SAML assertion issued by a third-party IdP that does not support adding multiple recipients. In such cases, the ACS URL will be the recipient of the assertion, and if the ACS is in a trusted domain, the above recipient validation can be improved to accept such trusted recipients instead of checking only for the token endpoint of the IS.
[1] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/v7.0.195/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/handlers/grant/saml/SAML2BearerGrantHandler.java#L506
[2] https://datatracker.ietf.org/doc/html/draft-ietf-oauth-saml2-bearer
Suggested Improvement
Improve the recipient validation logic in the SAML2BearerGrantHandler so that multiple token endpoint aliases, or multiple optional values that can be expected as recipients in the SAML assertion, can be configured. Then, if a third-party IdP can send only one recipient in the SAML assertion and that recipient is a trusted party, it can be accepted during the recipient validation at [1] instead of looking only for the token endpoint alias.
[1] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/v7.0.195/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/handlers/grant/saml/SAML2BearerGrantHandler.java#L509
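As an added illustration of the validation described above (example code written for this issue, not WSO2's own SAML2BearerGrantHandler and not using its APIs), the following class compares the current single-alias check with the suggested configurable allow-list of accepted recipients. All URLs, the class name and the method names are constructed for the example. One design choice worth noting: the issue speaks of an ACS "in a trusted domain", but the example deliberately requires an exact (normalised) match against explicitly configured URLs rather than a domain-suffix or prefix match, so that a look-alike host cannot satisfy the check.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;

// Added example (not WSO2 code): recipient validation for a SAML2 bearer assertion,
// comparing the single-alias check with a configurable allow-list of accepted recipients.
public final class RecipientValidationExample {

    // Normalise a URL so that equivalent spellings compare equal, while still
    // requiring an exact match (no prefix, suffix or substring matching).
    static String normalise(String url) {
        try {
            URI uri = new URI(url.trim());
            String scheme = uri.getScheme() == null ? "" : uri.getScheme().toLowerCase(Locale.ROOT);
            String host = uri.getHost() == null ? "" : uri.getHost().toLowerCase(Locale.ROOT);
            int port = uri.getPort();
            boolean defaultPort = port == -1
                    || ("https".equals(scheme) && port == 443)
                    || ("http".equals(scheme) && port == 80);
            String path = (uri.getRawPath() == null || uri.getRawPath().isEmpty()) ? "/" : uri.getRawPath();
            if (path.length() > 1 && path.endsWith("/")) {
                path = path.substring(0, path.length() - 1);
            }
            return scheme + "://" + host + (defaultPort ? "" : ":" + port) + path;
        } catch (URISyntaxException e) {
            return null; // an unparsable recipient never matches anything
        }
    }

    // Current behaviour as described in the issue: the assertion is accepted only if
    // one of its Recipient values equals the single token endpoint alias.
    static boolean validateAgainstTokenEndpoint(List<String> recipients, String tokenEndpointAlias) {
        return validateAgainstAccepted(recipients, new LinkedHashSet<>(Arrays.asList(tokenEndpointAlias)));
    }

    // Suggested improvement: accept any recipient that appears in a configured allow-list
    // (the token endpoint alias plus explicitly trusted ACS URLs).
    static boolean validateAgainstAccepted(List<String> recipients, Set<String> acceptedRecipients) {
        if (recipients == null || recipients.isEmpty()) {
            return false; // an assertion with no Recipient cannot be bound to this endpoint
        }
        Set<String> accepted = new LinkedHashSet<>();
        for (String a : acceptedRecipients) {
            String n = normalise(a);
            if (n != null) {
                accepted.add(n);
            }
        }
        for (String r : recipients) {
            String n = normalise(r);
            if (n != null && accepted.contains(n)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed values: the IS token endpoint and one explicitly trusted ACS URL.
        String tokenEndpoint = "https://is.example.com/oauth2/token";
        Set<String> accepted = new LinkedHashSet<>(Arrays.asList(
                tokenEndpoint,
                "https://app.example.com/commonauth"));

        // A third-party IdP that can only set one Recipient: the ACS URL.
        List<String> singleRecipient = Arrays.asList("https://app.example.com/commonauth");
        System.out.println("token endpoint only: " + validateAgainstTokenEndpoint(singleRecipient, tokenEndpoint));
        System.out.println("configured allow-list: " + validateAgainstAccepted(singleRecipient, accepted));

        // An equivalent spelling of the token endpoint still matches after normalisation.
        List<String> equivalentSpelling = Arrays.asList("HTTPS://IS.example.com:443/oauth2/token/");
        System.out.println("equivalent spelling: " + validateAgainstAccepted(equivalentSpelling, accepted));

        // A host that merely shares a prefix with the trusted one does not match.
        List<String> lookAlikeHost = Arrays.asList("https://is.example.com.other.test/oauth2/token");
        System.out.println("look-alike host: " + validateAgainstAccepted(lookAlikeHost, accepted));
    }
}
```

Run with `javac RecipientValidationExample.java && java RecipientValidationExample`. The first check fails for the single-recipient assertion because only the token endpoint alias is accepted, while the allow-list check passes once the ACS URL is configured; the normalised comparison accepts the differently spelled token endpoint and rejects the look-alike host.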
Version
No response