Skip to content

[Master] Add DecodeRedirectUrisInResponse config key for DCR response#8175

Open
BimsaraBodaragama wants to merge 5 commits into
wso2:masterfrom
BimsaraBodaragama:fix-7314-master
Open

[Master] Add DecodeRedirectUrisInResponse config key for DCR response#8175
BimsaraBodaragama wants to merge 5 commits into
wso2:masterfrom
BimsaraBodaragama:fix-7314-master

Conversation

@BimsaraBodaragama

@BimsaraBodaragama BimsaraBodaragama commented Jun 22, 2026
edited
Loading

Copy link
Copy Markdown
Member

Root Cause and Fix

  • DCR GET/PUT /register endpoints return redirect_uris as a single regexp=(...) string for apps with multiple redirect URIs. The config key oauth.dcrm.decode_redirect_uris_in_response was missing from the CIF template and defaults.
  • Added <DecodeRedirectUrisInResponse> to identity.xml.j2 unconditionally (matching the pattern of the neighbouring <ReturnNullFieldsInResponse> element).
  • Added "oauth.dcrm.decode_redirect_uris_in_response": true to default.json so correct URI-array behaviour is the default on fresh installs.
  • Added "IS_7.3.0" block to infer.json with "oauth.dcrm.decode_redirect_uris_in_response": false so deployments upgrading from IS 7.3.0 preserve the previous (legacy) response format rather than silently switching to the new default.

Tracking

Fixes wso2/product-is#27851

Related PRs

  • identity-inbound-auth-oauth: Java fix (see linked PR)

@coderabbitai

coderabbitai Bot commented Jun 22, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Review Change Stack

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: 0c1f9aa7-dafe-4e74-9e3c-9e9416266912

📥 Commits

Reviewing files that changed from the base of the PR and between 515523e and 3c8c402.

📒 Files selected for processing (2)
  • features/compatibility-settings-mgt/org.wso2.carbon.identity.compatibility.settings.management.server.feature/resources/identity/compatibilitysettings/compatibility-settings-metadata.json.j2
  • features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/org.wso2.carbon.identity.core.server.feature.infer.json
🚧 Files skipped from review as they are similar to previous changes (1)
  • features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/org.wso2.carbon.identity.core.server.feature.infer.json
📝 Walkthrough

Walkthrough

Three configuration files are updated to introduce a new OAuth DCRM flag controlling redirect URI decoding in DCR responses. The feature defaults JSON adds oauth.dcrm.decode_redirect_uris_in_response set to true, the Jinja2 identity template emits a corresponding <DecodeRedirectUrisInResponse> element inside the existing <DCRM> block, version-specific behavior preservation configuration pins the flag to false for IS 7.2.0 and IS 7.3.0, and the compatibility settings metadata registers the feature with timestamp reference for version targeting.

Changes

DCRM Redirect URI Decode Configuration

Layer / File(s) Summary
Default value and template binding for DecodeRedirectUrisInResponse
features/identity-core/.../org.wso2.carbon.identity.core.server.feature.default.json, features/identity-core/.../identity.xml.j2		 Adds oauth.dcrm.decode_redirect_uris_in_response: true to the feature defaults and wires it into the <DCRM> block in the identity XML template as <DecodeRedirectUrisInResponse>.
Backward compatibility configuration for IS 7.2.0 and IS 7.3.0
features/identity-core/.../org.wso2.carbon.identity.core.server.feature.infer.json		 Extends the preserve_previous_product_behaviour.version map with version-specific entries for IS 7.2.0 and IS 7.3.0, setting oauth.dcrm.decode_redirect_uris_in_response to false to maintain legacy behavior.
Compatibility settings metadata registration
features/compatibility-settings-mgt/.../compatibility-settings-metadata.json.j2		 Registers the new decodeRedirectUrisInResponse setting under a top-level dcr configuration group with Jinja-parameterized timestampReference (2026-07-01T00:00:00Z), targetValue (false), and defaultValue (true) for version-scoped feature targeting.

Possibly related issues

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name Status Explanation Resolution
Description check ❓ Inconclusive The PR description provides root cause, fix details, tracking issue, and related PRs, but lacks several required template sections like Goals, Approach, Release notes, Documentation, Testing, and Security checks. Complete the PR description with Goals, Approach, Release notes, Documentation impact, test coverage details, and security verification confirmations as specified in the repository template.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly and concisely summarizes the main change: adding the DecodeRedirectUrisInResponse configuration key for DCR response handling.
Linked Issues check ✅ Passed The PR addresses the configuration layer requirements from issue #27851 by adding the DecodeRedirectUrisInResponse config key to templates and defaults with proper backward compatibility.
Out of Scope Changes check ✅ Passed All changes are directly related to adding the DecodeRedirectUrisInResponse configuration: updates to identity.xml.j2, default.json, infer.json, and compatibility-settings-metadata.json.j2 are all within scope.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@codecov

codecov Bot commented Jun 22, 2026
edited
Loading

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 52.81%. Comparing base (93e0996) to head (3c8c402).
⚠️ Report is 17 commits behind head on master.

Additional details and impacted files 
@@             Coverage Diff              @@
##             master    #8175      +/-   ##
============================================
+ Coverage     52.77%   52.81%   +0.03%     
+ Complexity    21216    21178      -38     
============================================
  Files          2197     2197              
  Lines        130819   130615     -204     
  Branches      19654    19622      -32     
============================================
- Hits          69040    68978      -62     
+ Misses        53364    53241     -123     
+ Partials       8415     8396      -19
Flag Coverage Δ
unit 38.23% <ø> (+0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@BimsaraBodaragama BimsaraBodaragama mentioned this pull request Jun 22, 2026
Closed
@jenkins-is-staging

jenkins-is-staging commented Jun 22, 2026

Copy link
Copy Markdown

PR builder started
Link: https://github.com/wso2/product-is/actions/runs/27969688389

@jenkins-is-staging

jenkins-is-staging commented Jun 22, 2026

Copy link
Copy Markdown

PR builder completed
Link: https://github.com/wso2/product-is/actions/runs/27969688389
Status: failure

@jenkins-is-staging

jenkins-is-staging commented Jun 22, 2026

Copy link
Copy Markdown

PR builder started
Link: https://github.com/wso2/product-is/actions/runs/27983247778

@jenkins-is-staging

jenkins-is-staging commented Jun 22, 2026

Copy link
Copy Markdown

PR builder completed
Link: https://github.com/wso2/product-is/actions/runs/27983247778
Status: failure

@BimsaraBodaragama BimsaraBodaragama changed the title Add DecodeRedirectUrisInResponse config key for DCR response [Master] Add DecodeRedirectUrisInResponse config key for DCR response Jun 23, 2026
@sonarqubecloud

sonarqubecloud Bot commented Jun 23, 2026

Copy link
Copy Markdown

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@BimsaraBodaragama BimsaraBodaragama mentioned this pull request Jun 23, 2026
Open
9 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Invalid response for redirect_uris in DCR endpoint when multiple urls are provided

2 participants

@BimsaraBodaragama @jenkins-is-staging