Expand Up @@ -4999,17 +4999,26 @@ public static String getIdTokenIssuer(String tenantDomain) throws IdentityOAuth2

public static String getIdTokenIssuer(String tenantDomain, boolean isMtlsRequest) throws IdentityOAuth2Exception {

/*
If the useEntityIDAsIssuerEnabled config is enabled, then the issuer will be the resident IdP entity id.
Regardless of the request type (mtls or non-mtls), if the resident IdP entity id is available,
it will be used as the issuer.
*/
if (OAuthServerConfiguration.getInstance().getIsUseEntityIDAsIssuerEnabled()) {

String residentIdp = getResidentIdpEntityId(tenantDomain);
if (StringUtils.isNotBlank(residentIdp)) {
return residentIdp;
}
}
Comment on lines +5007 to +5013

Log Improvement Suggestion No: 1

Suggested change
if (OAuthServerConfiguration.getInstance().getIsUseEntityIDAsIssuerEnabled()) {
String residentIdp = getResidentIdpEntityId(tenantDomain);
if (StringUtils.isNotBlank(residentIdp)) {
return residentIdp;
}
}
if (OAuthServerConfiguration.getInstance().getIsUseEntityIDAsIssuerEnabled()) {
log.debug("useEntityIDAsIssuerEnabled is true. Attempting to use resident IdP entity ID as issuer.");
String residentIdp = getResidentIdpEntityId(tenantDomain);
if (StringUtils.isNotBlank(residentIdp)) {
if (log.isDebugEnabled()) {
log.debug("Using resident IdP entity ID as issuer for tenant: " + tenantDomain);
}
return residentIdp;
}
log.warn("Resident IdP entity ID is blank for tenant: " + tenantDomain + ". Falling back to default issuer.");
}


if (IdentityTenantUtil.shouldUseTenantQualifiedURLs() && StringUtils.isEmpty(PrivilegedCarbonContext.
getThreadLocalCarbonContext().getApplicationResidentOrganizationId())) {
try {
if (isMtlsRequest) {
return OAuthURL.getOAuth2MTLSTokenEPUrl();
}

if (OAuthServerConfiguration.getInstance().getIsUseEntityIDAsIssuerEnabled()) {
return getResidentIdpEntityId(tenantDomain);
}

return ServiceURLBuilder.create()
.addPath(OAUTH2_TOKEN_EP_URL)
.build()
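Review bot: The fall-back described by the new comment block at new lines 5003–5013 does not happen on the non-mTLS, tenant-qualified path: when `getIsUseEntityIDAsIssuerEnabled()` is true but `getResidentIdpEntityId(tenantDomain)` is blank, the new early return is skipped and the retained branch `if (OAuthServerConfiguration.getInstance().getIsUseEntityIDAsIssuerEnabled()) { return getResidentIdpEntityId(tenantDomain); }` inside the `shouldUseTenantQualifiedURLs()` block returns that same blank value as the issuer, with no `isNotBlank` check. An empty or null `iss` in an ID token would be expected to fail issuer validation at relying parties, and it contradicts the new comment's statement that the entity id is used only when available. Since the new block already covers the enabled-and-present case for both request types, those three lines are now redundant and should be deleted so execution continues to the `ServiceURLBuilder` token-endpoint URL, which also removes the second `getResidentIdpEntityId` lookup. The same early-return pattern is added to the `clientId` overload in the next hunk, whose body continues outside the view; if it retains a similar unguarded branch it needs the same cleanup, and this method's body also continues past the collapsed region after `.build()`.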
Expand All @@ -5028,6 +5037,20 @@ public static String getIdTokenIssuer(String tenantDomain, boolean isMtlsRequest
public static String getIdTokenIssuer(String tenantDomain, String clientId, boolean isMtlsRequest)
throws IdentityOAuth2Exception {

/*
If the useEntityIDAsIssuerEnabled config is enabled, then the issuer will be the resident IdP entity id.
Regardless of the request type (mtls or non-mtls), if the resident IdP entity id is available,
it will be used as the issuer. When resident idp is used as the issuer, application level config to select
issuer to be root or sub-org will not be applied as well.
*/
if (OAuthServerConfiguration.getInstance().getIsUseEntityIDAsIssuerEnabled()) {

String residentIdp = getResidentIdpEntityId(tenantDomain);
if (StringUtils.isNotBlank(residentIdp)) {
return residentIdp;
}
}
Comment on lines +5046 to +5052

Log Improvement Suggestion No: 2

Suggested change
if (OAuthServerConfiguration.getInstance().getIsUseEntityIDAsIssuerEnabled()) {
String residentIdp = getResidentIdpEntityId(tenantDomain);
if (StringUtils.isNotBlank(residentIdp)) {
return residentIdp;
}
}
if (OAuthServerConfiguration.getInstance().getIsUseEntityIDAsIssuerEnabled()) {
log.debug("useEntityIDAsIssuerEnabled is true. Attempting to use resident IdP entity ID as issuer.");
String residentIdp = getResidentIdpEntityId(tenantDomain);
if (StringUtils.isNotBlank(residentIdp)) {
if (log.isDebugEnabled()) {
log.debug("Using resident IdP entity ID as issuer for tenant: " + tenantDomain + ", clientId: " + clientId);
}
return residentIdp;
}
log.warn("Resident IdP entity ID is blank for tenant: " + tenantDomain + ". Falling back to default issuer.");
}


String accessingOrgId = PrivilegedCarbonContext.getThreadLocalCarbonContext()
.getApplicationResidentOrganizationId();
/*