Add changes required for FAPI 2.0 compliance

[imesh94]

Add changes required for FAPI 2.0 compliance

This PR contains the changes required to make WSO2 IS-7.1 FAPI 2.0 conformant.

Related Issues: wso2/product-is#25863

Changes Introduced

• authorization_response_iss_parameter_supported parameter is added to open-id configuration when FAPI 2.0 is enabled.
• 'iss' parameter is sent in the authorization response as a query parameter when FAPI 2.0 is enabled.
• 'state' parameter sent in the par request object is prioritized over the 'state' parameter sent in the authorization request.
• Change error codes for FAPI 2.0 compliant apps
• Add support for callback urls with query parameters
• Use custom url as the issuer (IDTokenIssuerID should be configured to https://<is_host>/oauth2/oidcdiscovery/)
• Support using ResidentIDPEntityId as the issuer

New Configurations

identity.xml

• OAuth.OpenIDConnect.FAPI.FAPIVersion : Determines the FAPI Version supported by the server. Accepts "1" or "2" as values
• OAuth.OpenIDConnect.UseEntityIdAsIssuer : Enable using ResidentIDPEntityId as the issuer. Boolean

[wso2-engineering]

Log Improvement Suggestion No: 1

Suggested change

	public void setAuthorizationResponseIssParameterSupported(Boolean authorizationResponseIssParameterSupported) {
	log.debug("Setting authorizationResponseIssParameterSupported to: " + authorizationResponseIssParameterSupported);

[wso2-engineering]

Log Improvement Suggestion No: 2

Suggested change

	this.authorizationResponseIssParameterSupported);
	this.authorizationResponseIssParameterSupported);
	if (log.isDebugEnabled()) {
	log.debug("Configuration map created with " + configMap.size() + " entries");
	}

[wso2-engineering]

Log Improvement Suggestion No: 3

Suggested change

	providerConfig
	.setAuthorizationDetailsTypesSupported(authorizationDetailTypes.stream().toArray(String[]::new));
	providerConfig
	.setAuthorizationDetailsTypesSupported(authorizationDetailTypes.stream().toArray(String[]::new));
	if (log.isDebugEnabled()) {
	log.debug("Setting authorization details types supported: " + authorizationDetailTypes.size() + " types");
	}

[wso2-engineering]

Log Improvement Suggestion No: 4

Suggested change

	if (OAuth2Util.isFapi2Enabled()) {
	providerConfig.setAuthorizationResponseIssParameterSupported(Boolean.TRUE);
	}
	if (OAuth2Util.isFapi2Enabled()) {
	providerConfig.setAuthorizationResponseIssParameterSupported(Boolean.TRUE);
	log.info("FAPI 2.0 enabled: Setting authorization response ISS parameter support to true");
	}

[wso2-engineering]

Log Improvement Suggestion No: 5

Suggested change

	if (isFapiConformant(oAuthAuthzRequest.getClientId()) && OAuth2Util.isFapi1Enabled()) {
	EndpointUtil.validateFAPIAllowedResponseTypeAndMode(oauthParams.get(RESPONSE_TYPE),
	if (isFapiConformant(oAuthAuthzRequest.getClientId()) && OAuth2Util.isFapi1Enabled()) {
	log.info("Processing FAPI 1.0 conformant authorization request for client: " + oAuthAuthzRequest.getClientId());
	EndpointUtil.validateFAPIAllowedResponseTypeAndMode(oauthParams.get(RESPONSE_TYPE),

[wso2-engineering]

Log Improvement Suggestion No: 6

Suggested change

	} else if (isFapiConformant(oAuthAuthzRequest.getClientId()) && OAuth2Util.isFapi1Enabled()) {
	/* Mandate request object for FAPI 1.0 Advanced requests
	} else if (isFapiConformant(oAuthAuthzRequest.getClientId()) && OAuth2Util.isFapi1Enabled()) {
	log.warn("Request object is missing for FAPI 1.0 Advanced client: " + oAuthAuthzRequest.getClientId());
	/* Mandate request object for FAPI 1.0 Advanced requests

[wso2-engineering]

Log Improvement Suggestion No: 7

Suggested change

	if (isFapiConformant(params.getClientId())) {
	if (isFapiConformant(params.getClientId()) && OAuth2Util.isFapi1Enabled()) {
	EndpointUtil.validateFAPIAllowedResponseTypeAndMode(params.getResponseType(), params.getResponseMode());
	}
	if (isFapiConformant(params.getClientId()) && OAuth2Util.isFapi1Enabled()) {
	log.debug("FAPI 1.0 validation enabled for client: " + params.getClientId());
	EndpointUtil.validateFAPIAllowedResponseTypeAndMode(params.getResponseType(), params.getResponseMode());
	}

[wso2-engineering]

Log Improvement Suggestion No: 8

Suggested change

	if (isFapiConformant(oAuthMessage.getClientId()) && OAuth2Util.isFapi2Enabled()) {
	/* For FAPI 2.0 compliance, state parameter sent in the par request should be returned in the
	authorization response */
	Object parState = oAuthMessage.getRequest().getAttribute(ParConstants.PAR_STATE);
	if (parState != null) {
	params.setState(parState.toString());
	}
	} else {
	params.setState(oauthRequest.getState());
	}
	if (isFapiConformant(oAuthMessage.getClientId()) && OAuth2Util.isFapi2Enabled()) {
	log.debug("FAPI 2.0 compliance check for client: " + oAuthMessage.getClientId());
	/* For FAPI 2.0 compliance, state parameter sent in the par request should be returned in the
	authorization response */
	Object parState = oAuthMessage.getRequest().getAttribute(ParConstants.PAR_STATE);
	if (parState != null) {
	log.debug("Using PAR state parameter for FAPI 2.0 compliant client");
	params.setState(parState.toString());
	}
	} else {
	params.setState(oauthRequest.getState());
	}

[wso2-engineering]

Log Improvement Suggestion No: 9

Suggested change

	@Test
	public void testParseJsonTokenRequest() throws Exception {
	@Test
	public void testParseJsonTokenRequest() throws Exception {
	log.info("Testing parseJsonTokenRequest method");

[wso2-engineering]

Log Improvement Suggestion No: 10

Suggested change

	Assert.fail("Expected TokenEndpointBadRequestException was not thrown");
	} catch (TokenEndpointBadRequestException e) {
	} catch (TokenEndpointBadRequestException e) {
	log.debug("Expected exception caught for malformed JSON: " + e.getMessage());
	assertTrue(e.getMessage().contains("Malformed or unsupported request payload"));

[wso2-engineering]

Log Improvement Suggestion No: 11

Suggested change

	params = ParAuthServiceComponentDataHolder.getInstance().getParAuthService()
	.retrieveParams(uuid, request.getParameter(OAuthConstants.OAuth20Params.CLIENT_ID));
	params = ParAuthServiceComponentDataHolder.getInstance().getParAuthService()
	.retrieveParams(uuid, request.getParameter(OAuthConstants.OAuth20Params.CLIENT_ID));
	if (log.isDebugEnabled()) {
	log.debug("Successfully retrieved PAR parameters for request UUID: " + uuid);
	}

[wso2-engineering]

Log Improvement Suggestion No: 12

Suggested change

	} catch (ParClientException e) {
	throw new ParAuthFailureException(e.getErrorCode(), e.getMessage(), e);
	} catch (ParClientException e) {
	log.error("PAR client error occurred while retrieving parameters: " + e.getMessage());
	throw new ParAuthFailureException(e.getErrorCode(), e.getMessage(), e);

[wso2-engineering]

Log Improvement Suggestion No: 13

Suggested change

	useEntityIDAsIssuer = Boolean.parseBoolean(openIDConnectConfigElem.getFirstChildWithName(
	getQNameWithIdentityNS(ConfigElements.OPENID_CONNECT_USE_ENTITY_ID_AS_ISSUER)).
	getText().trim());
	}
	useEntityIDAsIssuer = Boolean.parseBoolean(openIDConnectConfigElem.getFirstChildWithName(
	getQNameWithIdentityNS(ConfigElements.OPENID_CONNECT_USE_ENTITY_ID_AS_ISSUER)).
	getText().trim());
	log.info("UseEntityIdAsIssuer configuration loaded: " + useEntityIDAsIssuer);
	}

[wso2-engineering]

Log Improvement Suggestion No: 14

Suggested change

	if (fapiElem.getFirstChildWithName(getQNameWithIdentityNS(ConfigElements.FAPI_VERSION)) != null) {
	fapiVersion = fapiElem.getFirstChildWithName(getQNameWithIdentityNS(
	ConfigElements.FAPI_VERSION)).getText().trim();
	}
	if (fapiElem.getFirstChildWithName(getQNameWithIdentityNS(ConfigElements.FAPI_VERSION)) != null) {
	fapiVersion = fapiElem.getFirstChildWithName(getQNameWithIdentityNS(
	ConfigElements.FAPI_VERSION)).getText().trim();
	log.info("FAPI version configured: " + fapiVersion);
	}

[wso2-engineering]

Log Improvement Suggestion No: 15

Suggested change

	boolean isAuthorizedClient = authzHandler.isAuthorizedClient(authzReqMsgCtx);
	if (!isAuthorizedClient) {
	boolean isAuthorizedClient = authzHandler.isAuthorizedClient(authzReqMsgCtx);
	if (!isAuthorizedClient) {
	if (log.isDebugEnabled()) {
	log.debug("Client is not authorized to use the requested authorization grant type. ClientId: " + authzReqDTO.getConsumerKey());
	}

[wso2-engineering]

Log Improvement Suggestion No: 16

Suggested change

	} catch (InvalidOAuthClientException e) {
	throw new IdentityOAuth2Exception("Error occurred while retrieving the fapi conformance of the " +
	} catch (InvalidOAuthClientException e) {
	log.error("Error occurred while retrieving the FAPI conformance status for client: " + authzReqDTO.getConsumerKey(), e.getMessage());
	throw new IdentityOAuth2Exception("Error occurred while retrieving the fapi conformance of the " +

[wso2-engineering]

Log Improvement Suggestion No: 17

Suggested change

	try {
	if (OAuth2Util.isFapiConformantApp(authorizationResponseDTO.getClientId()) &&
	OAuth2Util.isFapi2Enabled()) {
	try {
	if (log.isDebugEnabled()) {
	log.debug("Checking FAPI conformance for client: " + authorizationResponseDTO.getClientId());
	}
	if (OAuth2Util.isFapiConformantApp(authorizationResponseDTO.getClientId()) &&

[wso2-engineering]

Log Improvement Suggestion No: 18

Suggested change

	} catch (IdentityOAuth2Exception | InvalidOAuthClientException e) {
	throw new OAuthRuntimeException("Error occurred while retrieving application details. ", e);
	}
	} catch (IdentityOAuth2Exception | InvalidOAuthClientException e) {
	log.error("Error occurred while retrieving application details for client: " + authorizationResponseDTO.getClientId());
	throw new OAuthRuntimeException("Error occurred while retrieving application details. ", e);

[wso2-engineering]

Log Improvement Suggestion No: 19

Suggested change

	if (OAuthServerConfiguration.getInstance().getIsUseEntityIDAsIssuerEnabled() || isFapi2Enabled()) {
	return getResidentIdpEntityId(tenantDomain);
	}
	if (OAuthServerConfiguration.getInstance().getIsUseEntityIDAsIssuerEnabled() || isFapi2Enabled()) {
	String entityId = getResidentIdpEntityId(tenantDomain);
	if (log.isDebugEnabled()) {
	log.debug("Using entity ID as issuer for tenant domain: " + tenantDomain + ", entity ID: " + entityId);
	}
	return entityId;
	}

[wso2-engineering]

Log Improvement Suggestion No: 20

Suggested change

	*/
	public static boolean isFapi2Enabled() {
	return OAuthConstants.FAPIVersions.FAPI2.equals(OAuthServerConfiguration.getInstance().getFapiVersion());
	}
	public static boolean isFapi2Enabled() {
	boolean isFapi2 = OAuthConstants.FAPIVersions.FAPI2.equals(OAuthServerConfiguration.getInstance().getFapiVersion());
	if (log.isDebugEnabled()) {
	log.debug("FAPI 2.0 enabled status: " + isFapi2);
	}
	return isFapi2;
	}

[wso2-engineering]

AI Agent Log Improvement Checklist

⚠️ Warning: AI-Generated Review Comments

• The log-related comments and suggestions in this review were generated by an AI tool to assist with identifying potential improvements. Purpose of reviewing the code for log improvements is to improve the troubleshooting capabilities of our products.
• Please make sure to manually review and validate all suggestions before applying any changes. Not every code suggestion would make sense or add value to our purpose. Therefore, you have the freedom to decide which of the suggestions are helpful.

✅ Before merging this pull request:

• Review all AI-generated comments for accuracy and relevance.
• Complete and verify the table below. We need your feedback to measure the accuracy of these suggestions and the value they add. If you are rejecting a certain code suggestion, please mention the reason briefly in the suggestion for us to capture it.

Comment	Accepted (Y/N)	Reason
#### Log Improvement Suggestion No: 1
#### Log Improvement Suggestion No: 2
#### Log Improvement Suggestion No: 3
#### Log Improvement Suggestion No: 4
#### Log Improvement Suggestion No: 5
#### Log Improvement Suggestion No: 6
#### Log Improvement Suggestion No: 7
#### Log Improvement Suggestion No: 8
#### Log Improvement Suggestion No: 9
#### Log Improvement Suggestion No: 10
#### Log Improvement Suggestion No: 11
#### Log Improvement Suggestion No: 12
#### Log Improvement Suggestion No: 13
#### Log Improvement Suggestion No: 14
#### Log Improvement Suggestion No: 15
#### Log Improvement Suggestion No: 16
#### Log Improvement Suggestion No: 17
#### Log Improvement Suggestion No: 18
#### Log Improvement Suggestion No: 19
#### Log Improvement Suggestion No: 20

[Copilot]

Pull Request Overview

This PR implements changes required for FAPI 2.0 compliance in WSO2 IS-7.1, adding support for FAPI version configuration and related functionality.

Key changes include:

• Added FAPI version configuration support with new helper methods to distinguish between FAPI 1.0 and 2.0
• Implemented FAPI 2.0 specific behaviors including issuer parameter in authorization responses and state parameter prioritization from PAR requests
• Updated test cases to accommodate the new FAPI version configurations

Reviewed Changes

Copilot reviewed 19 out of 19 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
OAuth2Util.java	Added FAPI version check methods and updated issuer logic to support entity ID usage
QueryResponseModeProvider.java	Added issuer parameter to authorization responses for FAPI 2.0 compliance
AuthorizationHandlerManager.java	Updated error codes for FAPI 2.0 compliant applications
OAuthServerConfiguration.java	Added FAPI version and entity ID issuer configuration support
ParRequestBuilder.java	Added state parameter extraction from PAR requests
AuthzUtil.java	Updated FAPI checks to be version-specific and prioritized PAR state parameter
OAuth2ParEndpoint.java	Made FAPI request object validation specific to FAPI 1.0
ProviderConfigBuilder.java	Added authorization response issuer parameter support for FAPI 2.0
OIDProviderConfigResponse.java	Added property for authorization response issuer parameter
DiscoveryConstants.java	Added constant for authorization response issuer parameter
Various test files	Updated test configurations and mocks to support new FAPI version settings

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[Copilot]

[nitpick] The else block only contains a single statement. Consider moving this outside the conditional block and only setting the PAR state when the condition is met, to improve code readability.

Suggested change

	} else {
	}
	if (params.getState() == null) {

[Copilot]

The FAPI 2.0 check is placed inside the authorization details types condition. This means the authorization response issuer parameter will only be set if authorization detail types are configured. Consider moving this check outside the authorization details condition to ensure it's always evaluated for FAPI 2.0.

Suggested change

	// `authorization_response_iss` should be true for FAPI 2.0 compliance.
	if (OAuth2Util.isFapi2Enabled()) {
	providerConfig.setAuthorizationResponseIssParameterSupported(Boolean.TRUE);
	}
	}
	}
	// `authorization_response_iss` should be true for FAPI 2.0 compliance.
	if (OAuth2Util.isFapi2Enabled()) {
	providerConfig.setAuthorizationResponseIssParameterSupported(Boolean.TRUE);
	}

[codecov]

Codecov Report

❌ Patch coverage is 23.21429% with 43 lines in your changes missing coverage. Please review.
✅ Project coverage is 58.38%. Comparing base (de7b217) to head (1bb9dac).
⚠️ Report is 15 commits behind head on master.

Files with missing lines	Patch %	Lines
...dentity/oauth/config/OAuthServerConfiguration.java	25.00%	8 Missing and 1 partial ⚠️
...emode/provider/impl/QueryResponseModeProvider.java	11.11%	7 Missing and 1 partial ⚠️
...g/wso2/carbon/identity/oauth2/util/OAuth2Util.java	20.00%	5 Missing and 3 partials ⚠️
...carbon/identity/oauth/endpoint/util/AuthzUtil.java	37.50%	1 Missing and 4 partials ⚠️
...tity/oauth2/authz/AuthorizationHandlerManager.java	42.85%	3 Missing and 1 partial ⚠️
.../identity/discovery/OIDProviderConfigResponse.java	25.00%	3 Missing ⚠️
...tity/discovery/builders/ProviderConfigBuilder.java	0.00%	1 Missing and 1 partial ⚠️
...identity/oauth/endpoint/par/OAuth2ParEndpoint.java	0.00%	0 Missing and 2 partials ⚠️
...bon/identity/oauth/par/core/ParRequestBuilder.java	0.00%	1 Missing and 1 partial ⚠️

❌ Your patch check has failed because the patch coverage (23.21%) is below the target coverage (80.00%). You can increase the patch coverage or adjust the target coverage.

Additional details and impacted files

@@             Coverage Diff              @@
##             master    #2963      +/-   ##
============================================
- Coverage     58.54%   58.38%   -0.16%     
+ Complexity     9349     9244     -105     
============================================
  Files           669      669              
  Lines         52226    51627     -599     
  Branches      11835    11734     -101     
============================================
- Hits          30577    30145     -432     
+ Misses        17495    17350     -145     
+ Partials       4154     4132      -22     

Flag	Coverage Δ
unit	41.15% <23.21%> (+0.27%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.