Conversation

@AfraHussaindeen (Contributor) commented Sep 25, 2025

Proposed changes in this pull request

This pull request introduces validation logic to ensure that access tokens bound to an SSO session are invalidated when the session expires.

  • Problem addressed

    • Previously, when an access token bound to an SSO session was introspected, the endpoint would incorrectly return a response with "active": true, even after the SSO session had expired (e.g., due to an idle timeout).
  • Solution

    • With this change, the introspection logic now properly checks the validity of the associated SSO session. If the session is expired or invalid, the endpoint correctly returns "active": false for the access token.

codecov bot commented Sep 25, 2025

Codecov Report

❌ Patch coverage is 50.00000% with 10 lines in your changes missing coverage. Please review.
✅ Project coverage is 57.97%. Comparing base (34cf007) to head (64ca6cf).
⚠️ Report is 13 commits behind head on master.

Files with missing lines                                 Patch %   Lines
...tity/oauth2/validators/TokenValidationHandler.java    50.00%    6 Missing and 4 partials ⚠️
Additional details and impacted files
@@             Coverage Diff              @@
##             master    #2933      +/-   ##
============================================
+ Coverage     56.08%   57.97%   +1.88%     
+ Complexity     9354     9042     -312     
============================================
  Files           669      669              
  Lines         53762    50342    -3420     
  Branches      11860    11039     -821     
============================================
- Hits          30155    29188     -967     
+ Misses        19378    17100    -2278     
+ Partials       4229     4054     -175     
Flag   Coverage   Δ
unit   40.55%     <50.00%> (+0.24%) ⬆️


Copilot AI left a comment

Pull Request Overview

This PR adds validation logic to invalidate OAuth2 access tokens that are bound to invalid SSO sessions. The implementation introduces a new validation method that can check token bindings directly from access token data without requiring request context.

Key changes:

  • Adds token binding validation during access token introspection that marks tokens as inactive if their bound SSO sessions are invalid
  • Implements SSO session validation by checking session context existence in the cache
  • Introduces a new validation method in the TokenBinder interface for direct access token validation

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File Description
TokenValidationHandler.java Adds token binding validation during introspection and implements the validation logic
SSOSessionBasedTokenBinder.java Implements SSO session validation and refactors existing validation logic
TokenBinder.java Adds new interface method for direct access token validation

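The behaviour described in the PR description above (an introspection response that says "active": true for a token whose SSO session has already idled out) and summarised in Copilot's review (mark the token inactive when its bound session no longer exists in the session cache) can be modelled end to end. The following is an added, constructed example and not code from the WSO2 project: the `SsoSession`, `AccessToken` and `SessionStore` types, the binding type name `sso-session`, the `validate_binding` switch used to contrast the before and after behaviour, and the timings in `demo()` are all assumptions made for illustration. Per RFC 7662 the inactive response carries only `{"active": false}`, so a caller holding a token for a dead session learns nothing else about it.

```python
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed binding type name for this example; not the project's own constant.
SSO_SESSION_BINDING = "sso-session"


@dataclass
class SsoSession:
    """One SSO session as a record in the session store, bounded by an idle timeout."""
    session_id: str
    last_accessed: float      # epoch seconds of the last request on this session
    idle_timeout: float       # seconds of inactivity after which the session expires
    terminated: bool = False  # set on explicit logout

    def is_valid(self, now: float) -> bool:
        return not self.terminated and (now - self.last_accessed) < self.idle_timeout


@dataclass
class AccessToken:
    value: str
    subject: str
    client_id: str
    issued_at: float
    lifetime: float                      # seconds
    binding_type: Optional[str] = None   # e.g. SSO_SESSION_BINDING
    binding_ref: Optional[str] = None    # id of the bound SSO session

    def is_expired(self, now: float) -> bool:
        return now >= self.issued_at + self.lifetime


class SessionStore:
    """Stands in for the SSO session context cache: lookup by session id."""

    def __init__(self) -> None:
        self._sessions: Dict[str, SsoSession] = {}

    def put(self, session: SsoSession) -> None:
        self._sessions[session.session_id] = session

    def get(self, session_id: Optional[str]) -> Optional[SsoSession]:
        return self._sessions.get(session_id) if session_id else None

    def evict(self, session_id: str) -> None:
        self._sessions.pop(session_id, None)


def introspect(token: Optional[AccessToken], sessions: SessionStore,
               now: Optional[float] = None, validate_binding: bool = True) -> dict:
    """Introspection response for `token`.

    validate_binding=False models the pre-fix behaviour (the bound SSO session is
    never consulted); validate_binding=True reports a token bound to a missing,
    terminated or idle-expired session as inactive. Inactive tokens get the bare
    {"active": False} response so nothing about the token is disclosed.
    """
    now = time.time() if now is None else now
    if token is None or token.is_expired(now):
        return {"active": False}
    if validate_binding and token.binding_type == SSO_SESSION_BINDING:
        session = sessions.get(token.binding_ref)
        if session is None or not session.is_valid(now):
            return {"active": False}
    return {
        "active": True,
        "sub": token.subject,
        "client_id": token.client_id,
        "exp": int(token.issued_at + token.lifetime),
        "token_binding": token.binding_type,
    }


def demo() -> Dict[str, dict]:
    """Constructed scenario: the SSO session idles out long before the token's own expiry."""
    t0 = 1_000_000.0
    sessions = SessionStore()
    sessions.put(SsoSession("sess-1", last_accessed=t0, idle_timeout=15 * 60))
    bound = AccessToken("tok-1", "alice", "app-1", issued_at=t0, lifetime=60 * 60,
                        binding_type=SSO_SESSION_BINDING, binding_ref="sess-1")
    unbound = AccessToken("tok-2", "bob", "app-1", issued_at=t0, lifetime=60 * 60)

    # 10 minutes in: session still live, token active under either behaviour.
    live = introspect(bound, sessions, now=t0 + 10 * 60)
    # 20 minutes in: session idled out at 15 min, token still inside its 60 min lifetime.
    before_fix = introspect(bound, sessions, now=t0 + 20 * 60, validate_binding=False)
    after_fix = introspect(bound, sessions, now=t0 + 20 * 60)
    # Explicit logout removes the session context from the cache entirely.
    sessions.evict("sess-1")
    after_logout = introspect(bound, sessions, now=t0 + 11 * 60)
    # A token with no binding is unaffected by session state.
    unbound_result = introspect(unbound, sessions, now=t0 + 20 * 60)
    return {"live_session": live, "before_fix": before_fix, "after_fix": after_fix,
            "after_logout": after_logout, "unbound": unbound_result}
```

The `before_fix` result is the bug the PR fixes: the token is well within its own lifetime, so a check on the token alone says active even though the session it is bound to has expired. The `after_logout` case shows why checking for the session's presence in the cache (not only its timestamps) matters: a terminated session that has been evicted must fail the lookup rather than fall through to active.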

@Thumimku (Contributor) previously approved these changes Sep 25, 2025 and left a comment

PR looks good, but this includes a behavioral change in the introspection endpoint. So discuss with the leads and confirm the decision.

Let's also run integration tests before merging, and consider Asgardeo as well.

@AfraHussaindeen force-pushed the master_sso-token-binding-validation-fix branch from 0f621db to 6ec64ed (September 25, 2025 10:18)
@AfraHussaindeen force-pushed the master_sso-token-binding-validation-fix branch from e1b5da6 to da0d012 (September 25, 2025 11:33)
@jenkins-is-staging commented

PR builder started
Link: https://github.com/wso2/product-is/actions/runs/17998449547

@AfraHussaindeen force-pushed the master_sso-token-binding-validation-fix branch from da0d012 to 64ca6cf (September 25, 2025 14:28)
@jenkins-is-staging commented

PR builder completed
Link: https://github.com/wso2/product-is/actions/runs/17998449547
Status: success

@jenkins-is-staging left a comment

Approving the pull request based on the successful pr build https://github.com/wso2/product-is/actions/runs/17998449547

@AfraHussaindeen AfraHussaindeen merged commit c99b681 into wso2-extensions:master Sep 25, 2025
4 checks passed