Fix missing isk claim in ID token for Device Code App Native Auth flow

[HasiniSama]

Proposed changes in this pull request

$subject

Issues: wso2/product-is#27473

The isk claim was absent from ID tokens issued via the Device Code grant when App Native Authentication was enabled.

Root cause: The session context identifier was never propagated through the Device Code flow's cache pipeline.

1. DeviceAuthorizationGrantCacheEntry had no sessionContextIdentifier field, so it was dropped when user attributes were cached after device authorization.
2. AccessTokenIssuer.getAuthzGrantCacheEntryFromDeviceCode() did not copy sessionContextIdentifier when converting DeviceAuthorizationGrantCacheEntry to AuthorizationGrantCacheEntry.
3. The SESSION_IDENTIFIER property was never set on OAuthTokenReqMessageContext before ID token building, so DefaultIDTokenBuilder's fallback lookup also returned null on the first token request.

Summary by CodeRabbit

• Bug Fixes
  • Enhanced session context tracking during device authorization processes to ensure consistent session management across token operations.

[coderabbitai]

📝 Walkthrough

Walkthrough

Session context identifier propagation is added to the device authorization flow. A new field is introduced to store the identifier in the cache entry, then propagated from the session cache entry during device authorization and carried forward when issuing device-code tokens.

Changes

Cohort / File(s)

Summary

Device Authorization Session Context components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/device/cache/DeviceAuthorizationGrantCacheEntry.java, components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/util/AuthzUtil.java, components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/AccessTokenIssuer.java

Added sessionContextIdentifier field to cache entry with accessor methods. Propagates identifier from session cache entry to device authorization cache entry during device authorization flow. Uses identifier when issuing device-code tokens via OAuthTokenReqMessageContext. Copyright years updated to include 2026.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

• ashanthamara
• SujanSanjula96

Poem

🐰 Hop through the device flows with glee,
Session context now travels so free,
From cache to cache, it bounces along,
Making authorization flow swift and strong! ✨

🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 14.29% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Description check	⚠️ Warning	The pull request description lacks required sections from the template including Goals, Approach, Release note, Documentation, Training, Certification, Marketing, Automation tests, Security checks, and other standard sections.	Add the missing sections from the description template: Goals, Approach, Release note, Documentation, Training, Certification, Marketing, Automation tests (unit and integration), Security checks, and other required fields.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Title check	✅ Passed	The pull request title clearly summarizes the main fix: addressing the missing isk claim in ID tokens for the Device Code App Native Auth flow, which aligns with the core changes shown in the code.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[wso2-engineering]

AI Agent Log Improvement Checklist

⚠️ Warning: AI-Generated Review Comments

• The log-related comments and suggestions in this review were generated by an AI tool to assist with identifying potential improvements. Purpose of reviewing the code for log improvements is to improve the troubleshooting capabilities of our products.
• Please make sure to manually review and validate all suggestions before applying any changes. Not every code suggestion would make sense or add value to our purpose. Therefore, you have the freedom to decide which of the suggestions are helpful.

✅ Before merging this pull request:

• Review all AI-generated comments for accuracy and relevance.
• Complete and verify the table below. We need your feedback to measure the accuracy of these suggestions and the value they add. If you are rejecting a certain code suggestion, please mention the reason briefly in the suggestion for us to capture it.

Comment	Accepted (Y/N)	Reason
#### Log Improvement Suggestion No: 1	N	This is redundant.
#### Log Improvement Suggestion No: 2	N	This is redundant to add to getters/setters.
#### Log Improvement Suggestion No: 3	N	This is redundant.
#### Log Improvement Suggestion No: 4	N	This is redundant.

[codecov]

Codecov Report

❌ Patch coverage is 0% with 10 lines in your changes missing coverage. Please review.
✅ Project coverage is 59.70%. Comparing base (e484b6c) to head (9ef1a2d).
⚠️ Report is 53 commits behind head on master.

Files with missing lines	Patch %	Lines
...arbon/identity/oauth2/token/AccessTokenIssuer.java	0.00%	6 Missing ⚠️
...vice/cache/DeviceAuthorizationGrantCacheEntry.java	0.00%	3 Missing ⚠️
...carbon/identity/oauth/endpoint/util/AuthzUtil.java	0.00%	1 Missing ⚠️

❌ Your patch check has failed because the patch coverage (0.00%) is below the target coverage (80.00%). You can increase the patch coverage or adjust the target coverage.

Additional details and impacted files

@@             Coverage Diff              @@
##             master    #3184      +/-   ##
============================================
+ Coverage     58.77%   59.70%   +0.93%     
+ Complexity    10595    10271     -324     
============================================
  Files           711      711              
  Lines         59050    55919    -3131     
  Branches      14307    13800     -507     
============================================
- Hits          34705    33385    -1320     
+ Misses        19752    18148    -1604     
+ Partials       4593     4386     -207     

Flag	Coverage Δ
unit	42.76% <0.00%> (-0.02%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[DilshanSenarath]

I think this could lead to session deserialization issues. Could you take a look? @SujanSanjula96 may have more context.