Fix Bug in Agent Token obtain when email as username feature enabled #8118

Open
ranuka-laksika wants to merge 1 commit into wso2:master from ranuka-laksika:bug-fixing-updated

@ranuka-laksika

When the email-as-username feature is enabled, trying to get an agent token fails at the authn endpoint because it fails in the validateUsername section. The reason is that the agent username is not an email but a randomly generated UUID, hence it throws an error saying the username is not a valid email.

As a fix for that, inside the validateUsername function, check whether the context has the aget_identity param with agent as the value; if yes, that means this is an agent. For agents we don't validate the username; instead we return from that function.

Related Issue:- wso2/product-is#27856

Comment on lines 4286 to +4291
if (IdentityUtil.isEmailUsernameEnabled()) {
if (context != null && context.getProperties() != null
&& context.getProperties().containsKey(AUTH_ENTITY)
&& AUTH_ENTITY_AGENT.equals(context.getProperty(AUTH_ENTITY))) {
return;
}
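
Review bot: the early `return` in `validateUsername` relies on the `AUTH_ENTITY` context property alone to decide that the caller is an agent, and nothing in this hunk shows where that property is set. If it is populated from a request parameter (the description calls it a param), any login request could carry it and skip the email-format check for an ordinary user, so please confirm it is set server-side only for agent flows. Since the description says agent usernames are generated UUIDs, consider validating that shape here instead of skipping validation entirely. Two smaller points: `context.getProperties().containsKey(AUTH_ENTITY)` looks redundant, because the constant-first `AUTH_ENTITY_AGENT.equals(context.getProperty(AUTH_ENTITY))` is already false for a missing key, and the new branch needs a unit test (Codecov reports 0% patch coverage on these 4 lines).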

Log Improvement Suggestion No: 1

Suggested change
if (IdentityUtil.isEmailUsernameEnabled()) {
if (context != null && context.getProperties() != null
&& context.getProperties().containsKey(AUTH_ENTITY)
&& AUTH_ENTITY_AGENT.equals(context.getProperty(AUTH_ENTITY))) {
return;
}
if (IdentityUtil.isEmailUsernameEnabled()) {
if (log.isDebugEnabled()) {
log.debug("Email username validation enabled. Checking username format.");
}
if (context != null && context.getProperties() != null
&& context.getProperties().containsKey(AUTH_ENTITY)
&& AUTH_ENTITY_AGENT.equals(context.getProperty(AUTH_ENTITY))) {
if (log.isDebugEnabled()) {
log.debug("Skipping email username validation for agent authentication entity.");
}
return;
}

Comment on lines 4293 to 4294
if (StringUtils.countMatches(tenantAwareUsername, "@") < 1) {
context.setProperty(CONTEXT_PROP_INVALID_EMAIL_USERNAME, true);

Log Improvement Suggestion No: 2

Suggested change
if (StringUtils.countMatches(tenantAwareUsername, "@") < 1) {
context.setProperty(CONTEXT_PROP_INVALID_EMAIL_USERNAME, true);
if (StringUtils.countMatches(tenantAwareUsername, "@") < 1) {
log.warn("Invalid email username format detected. Username does not contain '@' symbol.");
context.setProperty(CONTEXT_PROP_INVALID_EMAIL_USERNAME, true);
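
Review bot: the `log.warn(...)` placed before `context.setProperty(CONTEXT_PROP_INVALID_EMAIL_USERNAME, true)` runs for every submitted username that has no '@', so at WARN level mistyped or automated login attempts can fill production logs. A debug-level message guarded by `log.isDebugEnabled()`, as in suggestion 1, would be more proportionate. Keeping the username itself out of the message is right and should stay that way.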

@wso2-engineering wso2-engineering Bot left a comment

AI Agent Log Improvement Checklist

⚠️ Warning: AI-Generated Review Comments

  • The log-related comments and suggestions in this review were generated by an AI tool to assist with identifying potential improvements. The purpose of reviewing the code for log improvements is to improve the troubleshooting capabilities of our products.
  • Please make sure to manually review and validate all suggestions before applying any changes. Not every code suggestion would make sense or add value to our purpose. Therefore, you have the freedom to decide which of the suggestions are helpful.

✅ Before merging this pull request:

  • Review all AI-generated comments for accuracy and relevance.
  • Complete and verify the table below. We need your feedback to measure the accuracy of these suggestions and the value they add. If you are rejecting a certain code suggestion, please mention the reason briefly in the suggestion for us to capture it.

Comment | Accepted (Y/N) | Reason
Log Improvement Suggestion No: 1 | |
Log Improvement Suggestion No: 2 | |

@coderabbitai

coderabbitai Bot commented May 27, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 077656a and 3f9149a.

📒 Files selected for processing (1)
  • components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/util/FrameworkUtils.java

Walkthrough

This PR adds a conditional bypass to username validation in FrameworkUtils. When authentication context properties indicate the request originates from an agent entity (AUTH_ENTITY_AGENT), the validateUsername() method skips email-format validation. Two new static constant imports support this logic.

Changes

Agent-initiated authentication bypass

Layer / File(s) | Summary
Username validation bypass for agent-initiated requests (components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/util/FrameworkUtils.java) | Static imports for AUTH_ENTITY and AUTH_ENTITY_AGENT constants are added. The validateUsername() method is updated with an early-return condition that skips email-format validation when the authentication context properties contain AUTH_ENTITY matching AUTH_ENTITY_AGENT.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name | Status | Explanation | Resolution
Description check | ⚠️ Warning | The description explains the problem, proposed fix, and related issue, but is missing most required template sections (Goals, Approach, User stories, Release note, Documentation, Testing, Security, etc.). | Complete the PR description using the repository template, including Goals, Approach, Release note, Documentation impact, Automation tests, Security checks, and Test environment sections.

✅ Passed checks (4 passed)

Check name | Status | Explanation
Title check | ✅ Passed | The title directly summarizes the main fix: preventing agent token acquisition failures when email-as-username validation is enabled.
Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.

@codecov

codecov Bot commented May 27, 2026

Codecov Report

❌ Patch coverage is 0% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 53.10%. Comparing base (efaa6ec) to head (3f9149a).
⚠️ Report is 40 commits behind head on master.

Files with missing lines Patch % Lines
.../authentication/framework/util/FrameworkUtils.java 0.00% 4 Missing ⚠️

❌ Your patch check has failed because the patch coverage (0.00%) is below the target coverage (80.00%). You can increase the patch coverage or adjust the target coverage.

Additional details and impacted files
@@             Coverage Diff              @@
##             master    #8118      +/-   ##
============================================
+ Coverage     53.02%   53.10%   +0.07%     
+ Complexity    21214    20728     -486     
============================================
  Files          2151     2151              
  Lines        130121   127313    -2808     
  Branches      18991    18753     -238     
============================================
- Hits          69003    67604    -1399     
+ Misses        52711    51442    -1269     
+ Partials       8407     8267     -140     
Flag Coverage Δ
unit 37.85% <0.00%> (-0.02%) ⬇️
