Fix NPE when validating the issuer of the sub organization application

[ShanChathusanda93]

Proposed changes in this pull request

• $subject

Summary by CodeRabbit

• Bug Fixes
  • Strengthened JWT issuer validation in OAuth authentication flows. The system now validates JWT issuers against expected configuration and provides clear error messages when validation fails, improving troubleshooting of authentication issues.

[wso2-engineering]

AI Agent Log Improvement Checklist

⚠️ Warning: AI-Generated Review Comments

• The log-related comments and suggestions in this review were generated by an AI tool to assist with identifying potential improvements. Purpose of reviewing the code for log improvements is to improve the troubleshooting capabilities of our products.
• Please make sure to manually review and validate all suggestions before applying any changes. Not every code suggestion would make sense or add value to our purpose. Therefore, you have the freedom to decide which of the suggestions are helpful.

✅ Before merging this pull request:

• Review all AI-generated comments for accuracy and relevance.
• Complete and verify the table below. We need your feedback to measure the accuracy of these suggestions and the value they add. If you are rejecting a certain code suggestion, please mention the reason briefly in the suggestion for us to capture it.

Comment	Accepted (Y/N)	Reason
#### Log Improvement Suggestion No: 1

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: ce3c3013-878d-4939-98e9-1694e63619db

📥 Commits

Reviewing files that changed from the base of the PR and between 3ecff83 and b92f329.

📒 Files selected for processing (1)

• components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/util/JWTUtils.java

---

📝 Walkthrough

Walkthrough

This change adds validation to the JWT issuer resolution logic in JWTUtils. When a JWT issuer does not match the expected issuer derived from the OAuth application's tenant domain within an organization context, an IdentityOAuth2ClientException is now thrown instead of continuing execution.

Changes

Cohort / File(s)	Summary
JWT Issuer Validation components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/util/JWTUtils.java	Added exception throwing for mismatched JWT issuer names when resolving resident IDP issuer in organization contexts. Ensures stricter validation of token issuers against expected application issuers.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

• AnuradhaSK
• SujanSanjula96
• shashimalcse

Poem

🐰 A tiny fix, two lines so true,
JWT issuers now checked through and through,
No mismatched claims shall slip on by,
Security stands tall, reaching for the sky! 🔐

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The PR description is nearly empty with only a placeholder ('$subject') instead of providing required information such as purpose, goals, approach, test details, or security checks.	Expand the description to include Purpose, Goals, Approach, Automation tests, Security checks, and Test environment sections as specified in the template.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title directly relates to the main change: fixing an NPE when validating sub-organization application issuers, which matches the code modification in JWTUtils.java.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

❌ Patch coverage is 0% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 59.20%. Comparing base (05c4167) to head (b92f329).
⚠️ Report is 2 commits behind head on master.

Files with missing lines	Patch %	Lines
...org/wso2/carbon/identity/oauth2/util/JWTUtils.java	0.00%	1 Missing ⚠️

❌ Your patch check has failed because the patch coverage (0.00%) is below the target coverage (80.00%). You can increase the patch coverage or adjust the target coverage.

Additional details and impacted files

@@            Coverage Diff            @@
##             master    #3190   +/-   ##
=========================================
  Coverage     59.20%   59.20%           
- Complexity    10284    10285    +1     
=========================================
  Files           711      711           
  Lines         56712    56715    +3     
  Branches      13659    13625   -34     
=========================================
+ Hits          33575    33578    +3     
+ Misses        18678    18661   -17     
- Partials       4459     4476   +17     

Flag	Coverage Δ
unit	42.77% <0.00%> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.