Add DecodeRedirectUrisInResponse config knob for DCR redirect_uris response

[BimsaraBodaragama]

Root cause and fix

• When an application is registered with multiple redirect URIs, the DCR response incorrectly returned the internal regexp=(uri1|uri2|...) encoding as a single-element redirect_uris array instead of the original URI list.
• This PR adds the Jinja2 template entry and default config value for the DecodeRedirectUrisInResponse knob that gates the decode fix in identity-inbound-auth-oauth.
• The {% if oauth.dcrm.decode_redirect_uris_in_response is defined %} guard ensures no change to the generated identity.xml unless the property is set.

Related PR

wso2-extensions/identity-inbound-auth-oauth#3262

Linked issue

wso2/product-is#27851

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: f8718a22-1fb9-47ca-8763-035462d232d1

📥 Commits

Reviewing files that changed from the base of the PR and between e59e9c2 and 9b63522.

📒 Files selected for processing (1)

• features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/identity.xml.j2

💤 Files with no reviewable changes (1)

• features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/identity.xml.j2

---

📝 Walkthrough

Walkthrough

Adds a new OAuth DCRM configuration property oauth.dcrm.decode_redirect_uris_in_response with a default value of false in the server feature defaults JSON, and adds a template element in identity.xml.j2 that emits <DecodeRedirectUrisInResponse> inside the <DCRM> section when the property is defined.

Changes

DCRM Redirect URI Decoding Configuration

Layer / File(s)	Summary
Default value and template rendering for DecodeRedirectUrisInResponse features/identity-core/.../org.wso2.carbon.identity.core.server.feature.default.json, features/identity-core/.../identity.xml.j2	Introduces oauth.dcrm.decode_redirect_uris_in_response defaulting to false in the JSON defaults file, and adds a <DecodeRedirectUrisInResponse> element in the <DCRM> section of the Jinja2 template that is populated from the configured property value.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The description provides root cause, implementation details, and links to related PR and issue, but lacks several template sections required by the repository standards.	Add missing sections: Purpose/Goals, Approach, User stories, Release note, Documentation, Training, Certification, Marketing, Automation tests, Security checks, Samples, Test environment, and Learning to meet the repository's PR description template requirements.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately and specifically describes the main change: adding a configuration knob for decoding redirect URIs in DCR responses.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/identity.xml.j2`:
- Around line 1301-1303: The `is defined` check in the
DecodeRedirectUrisInResponse template block is ineffective because the default
configuration already defines oauth.dcrm.decode_redirect_uris_in_response with a
value of false, making the condition always evaluate to true. To fix this,
either remove the default declaration of
oauth.dcrm.decode_redirect_uris_in_response from the defaults configuration file
so the key is only defined when explicitly set by users, or introduce a separate
explicit-enable flag (like oauth.dcrm.explicitly_set_decode_redirect_uris) that
can be checked in the template instead of relying on the is defined guard.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: d3b97cdf-3a4c-4ec1-9836-0f0611d6d0cc

📥 Commits

Reviewing files that changed from the base of the PR and between 93e0996 and e59e9c2.

📒 Files selected for processing (2)

• features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/identity.xml.j2
• features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/org.wso2.carbon.identity.core.server.feature.default.json

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

is defined guard is ineffective if the default file always defines this key.

Given this PR stack also introduces oauth.dcrm.decode_redirect_uris_in_response=false in defaults, this condition will always pass and <DecodeRedirectUrisInResponse> will always be emitted. That breaks the stated “only when explicitly set” behavior. Consider either removing the default-key declaration or introducing a separate explicit-enable marker for template emission.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/identity.xml.j2`
around lines 1301 - 1303, The `is defined` check in the
DecodeRedirectUrisInResponse template block is ineffective because the default
configuration already defines oauth.dcrm.decode_redirect_uris_in_response with a
value of false, making the condition always evaluate to true. To fix this,
either remove the default declaration of
oauth.dcrm.decode_redirect_uris_in_response from the defaults configuration file
so the key is only defined when explicitly set by users, or introduce a separate
explicit-enable flag (like oauth.dcrm.explicitly_set_decode_redirect_uris) that
can be checked in the template instead of relying on the is defined guard.

[BimsaraBodaragama]

The PR was closed. Hence, ignoring this.

[coderabbitai]

@BimsaraBodaragama, understood — since the PR is closed, no action is needed here. Thanks for the update.

---

🧠 Learnings used

Learnt from: Thumimku
Repo: wso2/carbon-identity-framework PR: 7730
File: features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/identity.xml.j2:1192-1208
Timestamp: 2026-03-11T07:46:22.960Z
Learning: In features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/identity.xml.j2, the OAuth TokenPersistence config elements (PersistAccessToken, PersistRefreshToken, KeepRevokedAccessTokens) are parsed by the upstream identity-inbound-auth-oauth module (OAuthServerConfiguration.parseTokenPersistenceConfiguration) and not by this repository's Java code. Do not rely on or modify local Java parsing for these tokens. Treat identity.xml.j2 as a template that may be consumed by upstream configuration, and avoid introducing changes that assume local parsing of TokenPersistence settings. If changes are needed, coordinate with upstream module behavior and document the dependency in comments or release notes.

[BimsaraBodaragama]

Closing — wrong target. IS 7.3 fix goes to wso2-support branch, not public master.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 52.81%. Comparing base (93e0996) to head (9b63522).

Additional details and impacted files

@@             Coverage Diff              @@
##             master    #8174      +/-   ##
============================================
+ Coverage     52.77%   52.81%   +0.03%     
+ Complexity    21216    21178      -38     
============================================
  Files          2197     2197              
  Lines        130819   130615     -204     
  Branches      19654    19622      -32     
============================================
- Hits          69040    68978      -62     
+ Misses        53364    53241     -123     
+ Partials       8415     8396      -19     

Flag	Coverage Δ
unit	38.23% <ø> (+0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[BimsaraBodaragama]

The effort will be tracked via the below PR

• [Master] Add DecodeRedirectUrisInResponse config key for DCR response #8175