
fix for post jwt #3194

Open
Thumimku wants to merge 1 commit into wso2-extensions:master from Thumimku:formPost-jwt-fix

Conversation

@Thumimku
Contributor

@Thumimku Thumimku commented Apr 10, 2026

Proposed changes in this pull request

Fixes wso2/product-is#27528

This pull request improves the handling of OAuth2 response modes, specifically ensuring that the form_post.jwt response mode does not trigger forwarding to the JSP page, even when the JSP is available, because the JSP page only handles form_post; here it is form_post.jwt, so we have to skip the JSP and give the response to the response mode provider. Additionally, new unit tests are added to verify the correct behavior for both form_post.jwt and standard form_post response modes.

Tested cases

  • JWT Form Post with consent
  • JWT Form Post with consent
  • Form Post with consent
  • Form Post with consent

Summary by CodeRabbit

  • Bug Fixes

    • Corrected authorization response handling for FORM_POST_JWT response mode to properly route responses through the intended flow instead of JSP forwarding.
  • Tests

    • Added unit tests to verify correct behavior of FORM_POST_JWT and FORM_POST response modes.

Comment on lines +1052 to 1055
if (OAuthServerConfiguration.getInstance().isOAuthResponseJspPageAvailable()
&& !OAuthConstants.ResponseModes.FORM_POST_JWT.equals(oauth2Params.getResponseMode())) {
String params = buildParams(authorizationResponseDTO.getSuccessResponseDTO().getFormPostBody(),
authenticatedIdPs, sessionStateValue);
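Review bot: the condition couples two unrelated decisions (JSP availability and response mode) in a single `if`, which makes the branch that actually handles form_post.jwt implicit; consider pulling the mode test into a named boolean such as `boolean isFormPostJwt = OAuthConstants.ResponseModes.FORM_POST_JWT.equals(oauth2Params.getResponseMode());` so the else branch that hands form_post.jwt to the response mode provider reads explicitly. The constant-first `equals` keeps a null `response_mode` on the JSP path exactly as before the fix; a test with the JSP available and `response_mode` unset would pin that down alongside the two tests added here.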

Log Improvement Suggestion No: 1

Suggested change
if (OAuthServerConfiguration.getInstance().isOAuthResponseJspPageAvailable()
&& !OAuthConstants.ResponseModes.FORM_POST_JWT.equals(oauth2Params.getResponseMode())) {
String params = buildParams(authorizationResponseDTO.getSuccessResponseDTO().getFormPostBody(),
authenticatedIdPs, sessionStateValue);
if (OAuthServerConfiguration.getInstance().isOAuthResponseJspPageAvailable()
&& !OAuthConstants.ResponseModes.FORM_POST_JWT.equals(oauth2Params.getResponseMode())) {
log.debug("OAuth response JSP page is available and response mode is not FORM_POST_JWT, building params for JSP response.");
String params = buildParams(authorizationResponseDTO.getSuccessResponseDTO().getFormPostBody(),
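Review bot: the suggested `log.debug` records only the branch that was taken, so it says nothing about the case the fix was written for; for troubleshooting, log the actual value of `oauth2Params.getResponseMode()` in the message and emit a corresponding debug line in the branch that is skipped for FORM_POST_JWT (not visible in this hunk), and if this file guards debug logging with an `isDebugEnabled()` check, wrap the new call the same way.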


@wso2-engineering wso2-engineering bot left a comment


AI Agent Log Improvement Checklist

⚠️ Warning: AI-Generated Review Comments

  • The log-related comments and suggestions in this review were generated by an AI tool to assist with identifying potential improvements. Purpose of reviewing the code for log improvements is to improve the troubleshooting capabilities of our products.
  • Please make sure to manually review and validate all suggestions before applying any changes. Not every code suggestion would make sense or add value to our purpose. Therefore, you have the freedom to decide which of the suggestions are helpful.

✅ Before merging this pull request:

  • Review all AI-generated comments for accuracy and relevance.
  • Complete and verify the table below. We need your feedback to measure the accuracy of these suggestions and the value they add. If you are rejecting a certain code suggestion, please mention the reason briefly in the suggestion for us to capture it.
Comment | Accepted (Y/N) | Reason
Log Improvement Suggestion No: 1 | |

@coderabbitai

coderabbitai bot commented Apr 10, 2026

📝 Walkthrough

The pull request fixes JARM Form Post JWT functionality by modifying AuthzUtil.handleFormPostResponseMode() to suppress JSP forwarding when the response mode is FORM_POST_JWT. Previously, JSP forwarding was controlled only by JSP availability; now it also requires a non-FORM_POST_JWT response mode. Two test cases were added to validate this behavior.

Changes

  • OAuth Response Mode Handling (components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/.../AuthzUtil.java): Added a conditional check to suppress JSP forwarding when response_mode equals FORM_POST_JWT, maintaining the existing non-JSP branch behavior for this response mode.
  • Unit Tests (components/org.wso2.carbon.identity.oauth.endpoint/src/test/java/.../AuthzUtilTest.java): Added two new TestNG tests: one verifying that JSP forwarding is skipped for FORM_POST_JWT with authenticatedIDPs populated, another verifying that JSP forwarding is used for regular FORM_POST when the JSP is available.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • JARM-wrap error response #3165: Adds JARM/form_post.jwt-aware error handling and helper utilities in AuthzUtil alongside this PR's control flow modification for the same response mode.

Suggested reviewers

  • piraveena
  • jenkins-is-staging

Poem

🐰 A hop, a skip, the form post flies,
No JSP walls block JARM's prize,
JWT mode claims its rightful way,
The rabbit fixed it—hip hooray! 🎉

🚥 Pre-merge checks | ✅ 2 | ❌ 3

❌ Failed checks (2 warnings, 1 inconclusive)

  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.
  • Description check: ⚠️ Warning. The PR description lacks required template sections including Purpose (with issue link), Goals, Approach, User stories, Release notes, Documentation, Training, Certification, Marketing, detailed Automation tests, Security checks, Samples, Related PRs, Migrations, Test environment, and Learning. Resolution: complete the PR description using the repository template. At minimum, add Purpose with issue links, Goals, Approach, Release notes, Documentation, a comprehensive Automation tests section, and Security checks verification.
  • Title check: ❓ Inconclusive. The title 'fix for post jwt' is extremely vague and does not clearly communicate the actual change; it lacks specificity about what the fix addresses. Resolution: revise the title to be more descriptive, such as 'Skip JSP forwarding for form_post.jwt response mode' or 'Fix JARM form_post.jwt response handling'.

✅ Passed checks (2 passed)

  • Linked Issues check: ✅ Passed. The code changes correctly address issue #27528 by preventing JSP forwarding for the form_post.jwt response mode and delegating to the response mode provider, with tests verifying both form_post.jwt and form_post behaviors.
  • Out of Scope Changes check: ✅ Passed. All changes are directly scoped to fixing the form_post.jwt response mode handling; modifications to AuthzUtil and the corresponding unit tests are focused and on-topic.



@coderabbitai coderabbitai bot left a comment


🧹 Nitpick comments (1)
components/org.wso2.carbon.identity.oauth.endpoint/src/test/java/org/wso2/carbon/identity/oauth/endpoint/util/AuthzUtilTest.java (1)

2855-2929: Optional: extract shared setup to a helper for these two tests.

Both tests repeat the same reflection and common OAuth2/session DTO arrangement. Pulling shared setup into a private helper would reduce duplication and future edit risk.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In
`@components/org.wso2.carbon.identity.oauth.endpoint/src/test/java/org/wso2/carbon/identity/oauth/endpoint/util/AuthzUtilTest.java`
around lines 2855 - 2929, Extract the repeated reflection and DTO/mock setup
used in testHandleFormPostResponseModeDoesNotUseJSPForFormPostJwt and
testHandleFormPostResponseModeUsesJSPForFormPost into a private helper method
(e.g., prepareHandleFormPostTest) that performs the
AuthzUtil.class.getDeclaredMethod(... "handleFormPostResponseMode"), sets it
accessible, constructs and returns the OAuth2Parameters (responseMode,
redirectURI, scopes), SessionDataCacheEntry mock (with getoAuth2Parameters and
getAuthenticatedIdPs), AuthorizationResponseDTO with formPostBody set,
OIDCSessionState, and any common OAuthServerConfiguration static mocking stubs;
update both tests to call this helper and use its returned objects before
invoking handleFormPostResponseMode so duplication is removed while preserving
per-test-specific mocks like servlet request/dispatcher behavior.


📥 Commits

Reviewing files that changed from the base of the PR and between 3ecff83 and b0b114d.

📒 Files selected for processing (2)
  • components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/util/AuthzUtil.java
  • components/org.wso2.carbon.identity.oauth.endpoint/src/test/java/org/wso2/carbon/identity/oauth/endpoint/util/AuthzUtilTest.java

@codecov

codecov bot commented Apr 10, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 59.26%. Comparing base (16f0517) to head (b0b114d).
⚠️ Report is 26 commits behind head on master.

Additional details and impacted files
@@             Coverage Diff              @@
##             master    #3194      +/-   ##
============================================
+ Coverage     57.27%   59.26%   +1.99%     
- Complexity    10310    10338      +28     
============================================
  Files           710      711       +1     
  Lines         59205    56715    -2490     
  Branches      14156    13740     -416     
============================================
- Hits          33911    33614     -297     
+ Misses        20787    18625    -2162     
+ Partials       4507     4476      -31     
Flag Coverage Δ
unit 42.79% <100.00%> (+0.09%) ⬆️


Contributor

@hwupathum hwupathum left a comment


Did we check negative cases as well?

@Thumimku
Contributor Author

Did we check negative cases as well?

I checked all 4 cases.
Tested cases

  • JWT Form Post with consent
  • JWT Form Post with consent
  • Form Post with consent
  • Form Post with consent

Is there anything else I have to check as negative cases?

@jenkins-is-staging

PR builder completed
Link: https://github.com/wso2/product-is/actions/runs/24228699255
Status: success


@jenkins-is-staging jenkins-is-staging left a comment


Approving the pull request based on the successful pr build https://github.com/wso2/product-is/actions/runs/24228699255

@hwupathum
Contributor

Did we check negative cases as well?

I checked all 4 cases. Tested cases

  • JWT Form Post with consent
  • JWT Form Post with consent
  • Form Post with consent
  • Form Post with consent

Is there anything else I have to check as negative cases?

  • Request object not found
  • Request object format not valid
  • Signature verification failed
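The routing rule this PR introduces (the PR description above) and the negative cases raised in this comment can be seen together in one small model. The following is an added example, not code from this repository or from WSO2: it mirrors the fixed condition (JSP available and response_mode is not form_post.jwt), renders what each branch ends up emitting for a success response and for a request-object error, and shows why form_post.jwt cannot go through the plain form_post JSP (its parameters travel inside a single JWT named `response`). The class and method names, the redirect URI, client id, issuer and error code are assumptions, and the JWT is a constructed, unsigned placeholder so the example runs offline.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;

// Added example (not code from wso2-extensions): models the JSP-vs-provider routing
// decision for form_post and form_post.jwt and what each branch renders.
public class FormPostRouting {

    static final String FORM_POST = "form_post";
    static final String FORM_POST_JWT = "form_post.jwt";

    // Same shape as the fixed condition: JSP available AND mode is not form_post.jwt.
    // Constant-first equals() keeps a null response_mode on the JSP path, as before the fix.
    static boolean forwardToJsp(boolean jspAvailable, String responseMode) {
        return jspAvailable && !FORM_POST_JWT.equals(responseMode);
    }

    // Escape every value before it lands in an HTML attribute of the auto-submit form.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': sb.append("&amp;"); break;
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '"': sb.append("&quot;"); break;
                case '\'': sb.append("&#39;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }

    // Plain form_post: each authorization parameter becomes its own hidden field.
    static String formPostBody(String redirectUri, Map<String, String> params) {
        StringBuilder sb = new StringBuilder();
        sb.append("<form method=\"post\" action=\"").append(escapeHtml(redirectUri)).append("\">\n");
        for (Map.Entry<String, String> e : params.entrySet()) {
            sb.append("  <input type=\"hidden\" name=\"").append(escapeHtml(e.getKey()))
              .append("\" value=\"").append(escapeHtml(e.getValue())).append("\"/>\n");
        }
        return sb.append("</form>").toString();
    }

    // form_post.jwt (JARM): the same parameters travel inside one JWT in a field named "response".
    static String formPostJwtBody(String redirectUri, String responseJwt) {
        Map<String, String> single = new LinkedHashMap<>();
        single.put("response", responseJwt);
        return formPostBody(redirectUri, single);
    }

    // Constructed placeholder: JWT-shaped and base64url-encoded but NOT signed. A real JARM
    // response is signed with the authorization server's key and verified by the client.
    static String placeholderJwt(Map<String, String> claims) {
        StringBuilder json = new StringBuilder("{");
        for (Map.Entry<String, String> e : claims.entrySet()) {
            if (json.length() > 1) json.append(',');
            json.append('"').append(e.getKey()).append("\":\"")
                .append(e.getValue().replace("\"", "\\\"")).append('"');
        }
        json.append('}');
        Base64.Encoder b64 = Base64.getUrlEncoder().withoutPadding();
        String header = b64.encodeToString("{\"alg\":\"RS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String payload = b64.encodeToString(json.toString().getBytes(StandardCharsets.UTF_8));
        return header + "." + payload + ".SIGNATURE_PLACEHOLDER";
    }

    // Renders whichever branch applies; in the real code the non-JSP branch is the response mode provider.
    static String render(boolean jspAvailable, String responseMode, String redirectUri, Map<String, String> params) {
        if (forwardToJsp(jspAvailable, responseMode)) {
            return "[JSP] " + formPostBody(redirectUri, params);
        }
        if (FORM_POST_JWT.equals(responseMode)) {
            Map<String, String> claims = new LinkedHashMap<>();
            claims.put("iss", "https://as.example/oauth2/token"); // constructed issuer
            claims.put("aud", "client-123");                       // constructed client_id
            claims.putAll(params);
            return "[provider] " + formPostJwtBody(redirectUri, placeholderJwt(claims));
        }
        return "[provider] " + formPostBody(redirectUri, params);
    }

    public static void main(String[] args) {
        String redirectUri = "https://client.example/cb"; // constructed
        Map<String, String> success = new LinkedHashMap<>();
        success.put("code", "SplxlOBeZQQYbYS6WxSbIA");
        success.put("state", "af0ifjsldkj");
        // Error shape for the negative cases raised in review. The error code is an
        // assumption for illustration; the description is the reviewer's wording.
        Map<String, String> error = new LinkedHashMap<>();
        error.put("error", "invalid_request_object");
        error.put("error_description", "Signature verification failed");
        error.put("state", "af0ifjsldkj");

        for (String mode : new String[] {FORM_POST, FORM_POST_JWT}) {
            System.out.println("== " + mode + " / success ==\n" + render(true, mode, redirectUri, success));
            System.out.println("== " + mode + " / error ==\n" + render(true, mode, redirectUri, error));
        }
    }
}
```

Running `main` shows that with the JSP available, form_post still takes the JSP branch for both the success and the error case, while form_post.jwt is routed to the provider branch in both cases and comes back as a single `response` field; that second property is what the three negative cases listed above need to preserve, since a request-object error in form_post.jwt mode must also arrive as a JWT rather than as loose form fields.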


Development

Successfully merging this pull request may close these issues.

[Bug] JARM Form Post JWT is not working

3 participants