@RushanNanayakkara RushanNanayakkara commented Jun 12, 2025

Purpose

  • Introduce POST_TOKEN_ISSUANCE event and fire it after access token issuance.

PR Description

This pull request introduces a new feature for publishing token issuance events in the OAuth2 component, along with associated refactoring and test enhancements. The changes include the addition of a post-issue token event mechanism, updates to constants, and the introduction of unit tests to ensure the new functionality works as expected.

New Feature: Token Issuance Event Publishing

  • Added a new method postIssueToken in OAuth2TokenUtil to publish token issuance details as events. This includes creating and handling an event with properties like token ID, client ID, grant type, and issued time.
  • Introduced a new private method triggerPostIssueTokenEvent in AccessTokenIssuer to handle the logic for triggering the post-issue token event. This method validates input and skips the event if certain conditions are not met.
  • Added a new constant POST_ISSUE_TOKEN in OIDCConstants.Event to represent the event name for token issuance.

Refactoring and Code Enhancements

  • Introduced new constants in OIDCConstants.Event for additional token properties such as GRANT_TYPE, CLIENT_ID, TENANT_DOMAIN, and ISSUED_TIME.
  • Created a helper method existingTokenUsed in AccessTokenIssuer to determine whether an existing token was reused.

Unit Test Additions

  • Added a new test class OAuth2TokenUtilTest to validate the behavior of the postIssueToken method. This includes tests for successful event handling and scenarios where exceptions are thrown.
  • Updated testng.xml to include the AccessTokenIssuerTest class for execution.

Minor Changes

  • Updated pom.xml to exclude the DeprecatedAccessTokenIssuerTest instead of AccessTokenIssuerTest during Checkstyle checks.
  • Added new imports and static imports for utility classes and constants in AccessTokenIssuer.

@Copilot Copilot AI left a comment

Pull Request Overview

This PR introduces a new POST_ISSUE_TOKEN event in the OAuth2 flow, encapsulating token issuance details in a structured TokenIssuanceDO object, and fires this event after access token issuance.

  • Added constants to OIDCConstants for new event attributes and token billing categories.
  • Introduced TokenIssuanceDO and OAuth2TokenUtil.postIssueToken(...) to build and publish issuance events.
  • Updated AccessTokenIssuer to invoke the new event on token issue and adjusted related imports and WSDL definitions.

Reviewed Changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| components/.../OIDCConstants.java | Added constants and new TokenBillingCategory enum |
| components/.../OAuth2TokenUtil.java | New postIssueToken method and helper event builder |
| components/.../AccessTokenIssuer.java | Hooked in new event in triggerPostListeners |
| components/.../TokenIssuanceDO.java | New data object and builder for token issuance data |
| components/.../OAuthAdminService.wsdl | Renamed <tokenType> element to <tokenCategory> |
| components/.../OAuth2TokenValidationService.wsdl | Renamed <tokenType> to <tokenCategory> in three places |

Comments suppressed due to low confidence (5)

components/org.wso2.carbon.identity.oauth.stub/src/main/resources/OAuthAdminService.wsdl:440

  • Renaming the <tokenType> element to <tokenCategory> is a breaking change in the WSDL API. Ensure all downstream consumers are updated or provide a migration path.
                    <xs:element minOccurs="0" name="tokenCategory" nillable="true" type="xs:string"/>

components/org.wso2.carbon.identity.oauth.stub/src/main/resources/OAuth2TokenValidationService.wsdl:105

  • This change renames the <tokenType> element to <tokenCategory>, which breaks the existing validation service contract. Confirm clients are updated accordingly.
                    <xs:element minOccurs="0" name="tokenCategory" nillable="true" type="xs:string"/>

components/org.wso2.carbon.identity.oauth.stub/src/main/resources/OAuth2TokenValidationService.wsdl:134

  • Similarly, <tokenType> was replaced with <tokenCategory> in this element; ensure compatibility with existing clients.
                    <xs:element minOccurs="0" name="tokenCategory" nillable="true" type="xs:string"/>

components/org.wso2.carbon.identity.oauth.stub/src/main/resources/OAuth2TokenValidationService.wsdl:155

  • The <tokenType> element has been renamed to <tokenCategory> here as well, which impacts the introspection response schema; verify client updates.
                    <xs:element minOccurs="0" name="tokenCategory" nillable="true" type="xs:string"/>

components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/util/OAuth2TokenUtil.java:116

  • The code references OIDCConstants.Event.TOKEN_ID but no TOKEN_ID constant is declared in OIDCConstants.Event. Add this constant or correct the reference.
        tokenIssuanceData.put(OIDCConstants.Event.TOKEN_ID, tokenIssuanceDO.getTokenId());

codecov bot commented Jun 25, 2025

Codecov Report

Attention: Patch coverage is 42.59259% with 31 lines in your changes missing coverage. Please review.

Project coverage is 55.80%. Comparing base (da89d9b) to head (4e0802c).
Report is 10 commits behind head on master.

| Files with missing lines | Patch % | Lines |
| --- | --- | --- |
| ...arbon/identity/oauth2/token/AccessTokenIssuer.java | 56.09% | 12 Missing and 6 partials ⚠️ |
| ...2/carbon/identity/oauth2/util/OAuth2TokenUtil.java | 0.00% | 13 Missing ⚠️ |

Additional details and impacted files
@@             Coverage Diff              @@
##             master    #2815      +/-   ##
============================================
- Coverage     57.39%   55.80%   -1.60%     
+ Complexity     9757     9098     -659     
============================================
  Files           664      664              
  Lines         52656    53757    +1101     
  Branches      11618    12323     +705     
============================================
- Hits          30223    30000     -223     
- Misses        18220    19436    +1216     
- Partials       4213     4321     +108     

| Flag | Coverage Δ |
| --- | --- |
| unit | 40.71% <42.59%> (+0.43%) ⬆️ |


@RushanNanayakkara RushanNanayakkara force-pushed the master branch 2 times, most recently from 568ad0c to 04badc2 Compare July 1, 2025 00:37
@jenkins-is-staging

PR builder started
Link: https://github.com/wso2/product-is/actions/runs/16199001652

@jenkins-is-staging

PR builder completed
Link: https://github.com/wso2/product-is/actions/runs/16199001652
Status: failure

@jenkins-is-staging

PR builder started
Link: https://github.com/wso2/product-is/actions/runs/16201997704

@jenkins-is-staging

PR builder completed
Link: https://github.com/wso2/product-is/actions/runs/16201997704
Status: success

@jenkins-is-staging jenkins-is-staging left a comment

Approving the pull request based on the successful pr build https://github.com/wso2/product-is/actions/runs/16201997704

tenantDomain = tokReqMsgCtx.getOauth2AccessTokenReqDTO().getTenantDomain();
}
if (tokReqMsgCtx.getOauth2AccessTokenReqDTO().getClientId() != null) {
clientId = tokReqMsgCtx.getOauth2AccessTokenReqDTO().getClientId();
Contributor

Do we need to handle null checks for userType, tenantDomain, clientId, tokenId and grantType? Because these are mandatory items in a token issuance flow.

Also, we can simplify this resolving logic for B2B cases:

    if (StringUtils.isNotEmpty(tenantDomain)) {
        organizationId = OAuthComponentServiceHolder.getInstance()
                .getOrganizationManager()
                .resolveOrganizationId(tenantDomain);
    }

    String accessingOrganizationId = user != null ? user.getAccessingOrganization() : StringUtils.EMPTY;

Contributor Author

The null checks are removed with 4e0802c

However, the checks for accessingOrganizationId need to be kept since user.getAccessingOrganization can also return null. If we go with the above approach, it'll result in an empty string when user is null, and null when user.getAccessingOrganization returns null.
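
The difference discussed in this thread, as an added example that is not part of the PR or of either comment: the one-line ternary yields two different "absent" values, which a consumer of the issuance event would then have to tell apart. The `User` class, the `normalised` helper and the sample inputs are hypothetical stand-ins constructed for illustration; only `getAccessingOrganization` is a name taken from the thread.

```java
import java.util.Optional;

public class AccessingOrgResolution {

    // Hypothetical stand-in for the user object in the thread; only the getter matters here.
    static final class User {
        private final String accessingOrganization;

        User(String accessingOrganization) {
            this.accessingOrganization = accessingOrganization;
        }

        String getAccessingOrganization() {
            return accessingOrganization;
        }
    }

    // The one-line form from the review suggestion ("" is the value of StringUtils.EMPTY):
    // a null user gives "", but a user whose getter returns null gives null.
    static String ternary(User user) {
        return user != null ? user.getAccessingOrganization() : "";
    }

    // One possible normalised form (an assumption, not the PR's code): a null user,
    // a null getter result and a blank value all collapse to the empty string.
    static String normalised(User user) {
        return Optional.ofNullable(user)
                .map(User::getAccessingOrganization)
                .filter(s -> !s.trim().isEmpty())
                .orElse("");
    }

    static String show(String s) {
        return s == null ? "null" : "\"" + s + "\"";
    }

    public static void main(String[] args) {
        // Constructed inputs: no user, user without an accessing organization,
        // user with a blank value, user with a sample organization id.
        User[] cases = {null, new User(null), new User("  "), new User("org-1234")};
        for (User u : cases) {
            System.out.printf("ternary=%-12s normalised=%s%n", show(ternary(u)), show(normalised(u)));
        }
    }
}
```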

}
return;
}
if (existingTokenUsed(tokReqMsgCtx)) {
Contributor

Why do we need to skip in here? This is a token issuance event, and it should be aware of the token issuance flow. The consumer can check this and handle the scenarios as per their use cases.

Contributor Author

Agree. Changed with 4e0802c

* Unit test cases for {@link AccessTokenIssuer}
*/

public class DeprecatedAccessTokenIssuerTest {
Contributor

What does this test class do? Why did we introduce a new test class instead of AccessTokenIssuerTest?

Contributor Author

The AccessTokenIssuerTest already existed. It was commented out by @madurangasiriwardena since it was not functional and needed extra effort. Therefore, it was renamed and kept as deprecated for future reference, and a new test class was introduced to cover the changes being introduced by the PR.

@RushanNanayakkara RushanNanayakkara changed the title Introduce POST_TOKEN_ISSUANCE event Introduce POST_ISSUE_ACCESS_TOKEN_V2 event Aug 11, 2025