Skip to content

Add integration test to ensure isk claim is present in the ID token#27779

Open
HasiniSama wants to merge 1 commit into
wso2:masterfrom
HasiniSama:isk-claim
Open

Add integration test to ensure isk claim is present in the ID token#27779
HasiniSama wants to merge 1 commit into
wso2:masterfrom
HasiniSama:isk-claim

Conversation

@HasiniSama

Copy link
Copy Markdown
Contributor

@coderabbitai

coderabbitai Bot commented May 12, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

📝 Walkthrough

Summary

This PR adds integration test coverage to verify that the isk (IDP Session Key) claim is present in ID tokens during the native authentication device flow.

Changes

The ApplicationNativeAuthenticationDeviceFlowTestCase.java test has been enhanced with JWT token validation capabilities:

  • ID token validation: Adds JWT parsing and claim extraction during the token request phase to verify the presence of the isk claim
  • Scope standardization: Updates the device flow to use the standard OIDC scope constant instead of a hardcoded device identifier
  • OIDC configuration: Configures the application to issue OIDC access tokens as JWT format with a token expiry time of 3600 seconds

Lines changed: +18/-1

Related work

This change complements related updates in the identity-inbound-auth-oauth extension (PR #3221) to support the isk claim in ID tokens as described in issue #27473.

Walkthrough

This pull request enhances a device flow test case for native authentication by integrating JWT token validation into the test execution. The test now configures OIDC to issue JWT-formatted access tokens, requests an OPENID scope during device authorization, and validates that the resulting ID token contains the expected IDP session key claim. The changes add JWT parsing logic using Nimbus libraries and introduce static constants for claim verification.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately describes the main change: adding an integration test to verify the presence of the 'isk' claim in the ID token, which matches the file changes.
Description check ✅ Passed The description is related to the changeset, referencing relevant issue and pull request links that provide context for the integration test addition.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@sonarqubecloud

Copy link
Copy Markdown

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@modules/integration/tests-integration/tests-backend/src/test/java/org/wso2/identity/integration/test/applicationNativeAuthentication/ApplicationNativeAuthenticationDeviceFlowTestCase.java`:
- Around line 243-244: The test currently calls toString() directly on
obj.get(OAuth2Constant.ID_TOKEN) which can throw before the Assert.assertNotNull
runs; in ApplicationNativeAuthenticationDeviceFlowTestCase locate the lines
assigning idToken (using obj.get(OAuth2Constant.ID_TOKEN)) and change the flow
to first retrieve the raw Object (e.g., tokenObj), call
Assert.assertNotNull(tokenObj, "ID token is null"), then convert it to String
(tokenObj.toString()) and assign idToken so the assertion fails clearly if the
token is missing.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: e7013082-33a2-4640-ad34-71820f98e6da

📥 Commits

Reviewing files that changed from the base of the PR and between 420bbab and e472e42.

📒 Files selected for processing (1)
  • modules/integration/tests-integration/tests-backend/src/test/java/org/wso2/identity/integration/test/applicationNativeAuthentication/ApplicationNativeAuthenticationDeviceFlowTestCase.java

Comment on lines +243 to +244
String idToken = obj.get(OAuth2Constant.ID_TOKEN).toString();
Assert.assertNotNull(idToken, "ID token is null");

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Avoid toString() before null assertion for id_token.

At Line 243, toString() can throw before the test reaches the assertion. Cast first, then assert non-null for a clearer failure.

Proposed fix
-        String idToken = obj.get(OAuth2Constant.ID_TOKEN).toString();
-        Assert.assertNotNull(idToken, "ID token is null");
+        String idToken = (String) obj.get(OAuth2Constant.ID_TOKEN);
+        Assert.assertNotNull(idToken, "ID token is null");
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
String idToken = obj.get(OAuth2Constant.ID_TOKEN).toString();
Assert.assertNotNull(idToken, "ID token is null");
String idToken = (String) obj.get(OAuth2Constant.ID_TOKEN);
Assert.assertNotNull(idToken, "ID token is null");
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@modules/integration/tests-integration/tests-backend/src/test/java/org/wso2/identity/integration/test/applicationNativeAuthentication/ApplicationNativeAuthenticationDeviceFlowTestCase.java`
around lines 243 - 244, The test currently calls toString() directly on
obj.get(OAuth2Constant.ID_TOKEN) which can throw before the Assert.assertNotNull
runs; in ApplicationNativeAuthenticationDeviceFlowTestCase locate the lines
assigning idToken (using obj.get(OAuth2Constant.ID_TOKEN)) and change the flow
to first retrieve the raw Object (e.g., tokenObj), call
Assert.assertNotNull(tokenObj, "ID token is null"), then convert it to String
(tokenObj.toString()) and assign idToken so the assertion fails clearly if the
token is missing.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant