wso2-extensions · ShanChathusanda93 · Sep 30, 2025 · wso2-engineering · Sep 30, 2025 · wso2-engineering
diff --git a/....carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/util/OAuth2Util.java b/....carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/util/OAuth2Util.java
@@ -615,6 +615,9 @@ public static boolean authenticateClient(String clientId, String clientSecretPro
     public static boolean authenticateClient(String clientId, String clientSecretProvided, String appTenant)
             throws IdentityOAuthAdminException, IdentityOAuth2Exception, InvalidOAuthClientException {
 
-    public static boolean authenticateClient(String clientId, String clientSecretProvided, String appTenant)
-            throws IdentityOAuthAdminException, IdentityOAuth2Exception, InvalidOAuthClientException {
+    public static boolean authenticateClient(String clientId, String clientSecretProvided, String appTenant)
+            throws IdentityOAuthAdminException, IdentityOAuth2Exception, InvalidOAuthClientException {
+
+        log.info("Authenticating OAuth client: " + clientId);
-    public static boolean authenticateClient(String clientId, String clientSecretProvided, String appTenant)
-            throws IdentityOAuthAdminException, IdentityOAuth2Exception, InvalidOAuthClientException {
+    public static boolean authenticateClient(String clientId, String clientSecretProvided, String appTenant)
+            throws IdentityOAuthAdminException, IdentityOAuth2Exception, InvalidOAuthClientException {
+
+        log.info("Authenticating OAuth client: " + clientId);
+        if (!isApplicationAccessible(clientId, appTenant)) {
+            throw new InvalidOAuthClientException("Application is disabled for the client_id: " + clientId);
-        if (!isApplicationAccessible(clientId, appTenant)) {
-            throw new InvalidOAuthClientException("Application is disabled for the client_id: " + clientId);
+        if (!isApplicationAccessible(clientId, appTenant)) {
+            log.warn("Application is disabled for client_id: " + clientId);
-        if (!isApplicationAccessible(clientId, appTenant)) {
-            throw new InvalidOAuthClientException("Application is disabled for the client_id: " + clientId);
+        if (!isApplicationAccessible(clientId, appTenant)) {
+            log.warn("Application is disabled for client_id: " + clientId);
+        }
         OAuthAppDO appDO = OAuth2Util.getAppInformationByClientId(clientId, appTenant);
         if (appDO == null) {
             if (log.isDebugEnabled()) {
@@ -660,6 +663,30 @@ public static boolean authenticateClient(String clientId, String clientSecretPro
         return true;
     }
 
+    private static boolean isApplicationAccessible(String clientId, String appTenant)
+            throws IdentityOAuth2Exception {
+
-    private static boolean isApplicationAccessible(String clientId, String appTenant)
-            throws IdentityOAuth2Exception {
+    private static boolean isApplicationAccessible(String clientId, String appTenant)
+            throws IdentityOAuth2Exception {
+
+        if (log.isDebugEnabled()) {
+            log.debug("Checking application accessibility for client_id: " + clientId);
+        }
-    private static boolean isApplicationAccessible(String clientId, String appTenant)
-            throws IdentityOAuth2Exception {
+    private static boolean isApplicationAccessible(String clientId, String appTenant)
+            throws IdentityOAuth2Exception {
+
+        if (log.isDebugEnabled()) {
+            log.debug("Checking application accessibility for client_id: " + clientId);
+        }
+        ServiceProvider serviceProvider = OAuth2Util.getServiceProvider(clientId, appTenant);
+        DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = null;
+        if (LoggerUtils.isDiagnosticLogsEnabled()) {
+            diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
+                    OAuthConstants.LogConstants.OAUTH_INBOUND_SERVICE,
+                    OAuthConstants.LogConstants.ActionIDs.VALIDATE_APPLICATION_ENABLED_STATUS);
+            diagnosticLogBuilder.inputParam(LogConstants.InputKeys.CLIENT_ID, clientId)
+                    .logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION);
+        }
+        if (!serviceProvider.isApplicationEnabled()) {
+            if (diagnosticLogBuilder != null) {
-        if (!serviceProvider.isApplicationEnabled()) {
-            if (diagnosticLogBuilder != null) {
+        if (!serviceProvider.isApplicationEnabled()) {
+            log.warn("Application is disabled for client_id: " + clientId);
-        if (!serviceProvider.isApplicationEnabled()) {
-            if (diagnosticLogBuilder != null) {
+        if (!serviceProvider.isApplicationEnabled()) {
+            log.warn("Application is disabled for client_id: " + clientId);
+                diagnosticLogBuilder
+                        .resultMessage("Application is disabled.")
+                        .resultStatus(DiagnosticLog.ResultStatus.FAILED);
+                LoggerUtils.triggerDiagnosticLogEvent(diagnosticLogBuilder);
+            }
+            return false;
+        }
-            return false;
-        }
+            return false;
+        }
+        if (log.isDebugEnabled()) {
+            log.debug("Application is enabled for client_id: " + clientId);
+        }
-            return false;
-        }
+            return false;
+        }
+        if (log.isDebugEnabled()) {
+            log.debug("Application is enabled for client_id: " + clientId);
+        }
+        return true;
+    }
+
     private static boolean isTenantActive(String tenantDomain) throws IdentityOAuth2Exception {
         try {
             TenantManager tenantManager = OAuthComponentServiceHolder.getInstance()

diff --git a/...bon.identity.oauth/src/test/java/org/wso2/carbon/identity/oauth2/util/OAuth2UtilTest.java b/...bon.identity.oauth/src/test/java/org/wso2/carbon/identity/oauth2/util/OAuth2UtilTest.java
@@ -497,6 +497,20 @@ public Object[][] authenticateClient() {
         };
     }
 
+    @DataProvider(name = "ApplicationStatusProvider")
+    public Object[][] applicationStatusProvider() {
+
+        ServiceProvider serviceProvider = new ServiceProvider();
+        serviceProvider.setApplicationEnabled(true);
+
+        ServiceProvider disabledServiceProvider = new ServiceProvider();
+        disabledServiceProvider.setApplicationEnabled(false);
+        return new Object[][]{
+                {serviceProvider, true},
+                {disabledServiceProvider, false}
+        };
+    }
+
     @Test(dataProvider = "AuthenticateClient")
     public void testAuthenticateClient(Object cacheResult, String clientSecretInDB, boolean expectedResult)
             throws Exception {
@@ -560,8 +574,9 @@ public void testAuthenticateClientWithHashPersistenceProcessor(Object cacheResul
         }
     }
 
-    @Test
-    public void testAuthenticateClientWithAppTenant() throws Exception {
+    @Test(dataProvider = "ApplicationStatusProvider")
+    public void testAuthenticateClientWithAppTenant(ServiceProvider serviceProvider, boolean isAppEnabled)
+            throws Exception {
 
         try (MockedStatic<AppInfoCache> appInfoCache = mockStatic(AppInfoCache.class)) {
             OAuthAppDO appDO = new OAuthAppDO();
@@ -581,16 +596,26 @@ public void testAuthenticateClientWithAppTenant() throws Exception {
                     (mock, context) -> {
                         when(mock.getAppInformation(eq(clientId), anyInt())).thenReturn(appDO);
                     })) {
+                ApplicationManagementService applicationManagementService = mock(ApplicationManagementService.class);
+                OAuth2ServiceComponentHolder.setApplicationMgtService(applicationManagementService);
+                when(applicationManagementService.getServiceProviderByClientId(anyString(), anyString(), anyString()))
+                        .thenReturn(serviceProvider);
                 identityTenantUtil.when(() -> IdentityTenantUtil.getTenantId(clientTenantDomain))
                         .thenReturn(clientTenantId);
 
                 // Mock realm and tenant manager.
-                when(oAuthComponentServiceHolderMock.getRealmService()).thenReturn(realmServiceMock);
-                when(realmServiceMock.getTenantManager()).thenReturn(tenantManagerMock);
-                when(tenantManagerMock.getTenantId(clientTenantDomain)).thenReturn(clientTenantId);
-                when(tenantManagerMock.isTenantActive(clientTenantId)).thenReturn(true);
+                lenient().when(oAuthComponentServiceHolderMock.getRealmService()).thenReturn(realmServiceMock);
+                lenient().when(realmServiceMock.getTenantManager()).thenReturn(tenantManagerMock);
+                lenient().when(tenantManagerMock.getTenantId(clientTenantDomain)).thenReturn(clientTenantId);
+                lenient().when(tenantManagerMock.isTenantActive(clientTenantId)).thenReturn(true);
 
-                assertTrue(OAuth2Util.authenticateClient(clientId, clientSecret, clientTenantDomain));
+                if (isAppEnabled) {
+                    assertTrue(OAuth2Util.authenticateClient(clientId, clientSecret, clientTenantDomain));
+                } else {
+                    assertThrows(InvalidOAuthClientException.class, () -> {
+                        OAuth2Util.authenticateClient(clientId, clientSecret, clientTenantDomain);
+                    });
+                }
             }
         }
     }