Add configuration for SaaS app role return in ID token

[SujanSanjula96]

Proposed changes in this pull request

Add configuration for the change #8167

[coderabbitai]

📝 Walkthrough

Walkthrough

A new server configuration flag ReturnRolesInSaaSAppsInIDToken (defaulting to false) is added across identity.xml, identity.xml.j2, and the default JSON. A matching FrameworkConstants string constant is defined and used in DefaultClaimHandler.getAppAssociatedRolesOfLocalUser to return an empty role list early when the authenticated user's tenant differs from the service provider's tenant and the flag is disabled.

Changes

SaaS App Roles in ID Token Gate

Layer / File(s)	Summary
Configuration constant and server defaults ...framework/util/FrameworkConstants.java, features/identity-core/.../identity.xml, features/identity-core/.../identity.xml.j2, features/identity-core/.../org.wso2.carbon.identity.core.server.feature.default.json	Adds RETURN_ROLES_IN_SAAS_APPS_IN_ID_TOKEN constant, registers the default value false in the feature JSON, and adds the <ReturnRolesInSaaSAppsInIDToken> element to both the static config file and its Jinja2 template.
Early-return guard in DefaultClaimHandler ...handler/claims/impl/DefaultClaimHandler.java	Imports the new constant and inserts a cross-tenant early-return in getAppAssociatedRolesOfLocalUser: returns an empty list when the user tenant differs from the SP tenant and RETURN_ROLES_IN_SAAS_APPS_IN_ID_TOKEN is disabled.

Suggested reviewers

• Yasasr1

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The PR description only states the change and a link, but it misses the required template sections and key details.	Fill in Purpose, Goals, Approach, User stories, Release note, Documentation, tests, security checks, and any applicable sections per the repository template.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly matches the main change: adding a configuration for returning SaaS app roles in the ID token.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[coderabbitai]

🧹 Nitpick comments (1)

components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/handler/claims/impl/DefaultClaimHandler.java (1)

433-438: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Add a guarded DEBUG log for the cross-tenant role-skip branch.

This new branch makes a meaningful business decision silently; a guarded debug log will improve troubleshooting without adding noise.

♻️ Proposed change

         if (!StringUtils.equals(serviceProvider.getTenantDomain(), authenticatedUser.getTenantDomain()) &&
                 !Boolean.parseBoolean(IdentityUtil.getProperty(RETURN_ROLES_IN_SAAS_APPS_IN_ID_TOKEN))) {
+            if (log.isDebugEnabled()) {
+                log.debug("Skipping app-associated role resolution for cross-tenant user since " +
+                        RETURN_ROLES_IN_SAAS_APPS_IN_ID_TOKEN + " is disabled.");
+            }
             return new ArrayList<>();
         }

As per path instructions, add logs around key decision points and guard DEBUG logs with if (log.isDebugEnabled()).

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/handler/claims/impl/DefaultClaimHandler.java`
around lines 433 - 438, The cross-tenant role-skip branch in DefaultClaimHandler
currently returns an empty role list without any trace, so add a guarded DEBUG
log before the return that explains the application and authenticated user
tenant domains and that role claims are being skipped because
ReturnRolesInSaaSAppsInIDToken is disabled. Use the existing log pattern in
DefaultClaimHandler and wrap the message with if (log.isDebugEnabled()) so the
new decision point is observable without adding runtime noise.

Source: Path instructions

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In
`@components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/handler/claims/impl/DefaultClaimHandler.java`:
- Around line 433-438: The cross-tenant role-skip branch in DefaultClaimHandler
currently returns an empty role list without any trace, so add a guarded DEBUG
log before the return that explains the application and authenticated user
tenant domains and that role claims are being skipped because
ReturnRolesInSaaSAppsInIDToken is disabled. Use the existing log pattern in
DefaultClaimHandler and wrap the message with if (log.isDebugEnabled()) so the
new decision point is observable without adding runtime noise.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: 8902f18a-af6e-45a1-a57c-3217e30cd823

📥 Commits

Reviewing files that changed from the base of the PR and between c97c4ea and a0b1a3a.

📒 Files selected for processing (5)

• components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/handler/claims/impl/DefaultClaimHandler.java
• components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/util/FrameworkConstants.java
• features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/identity.xml
• features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/identity.xml.j2
• features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/org.wso2.carbon.identity.core.server.feature.default.json

[codecov]

Codecov Report

❌ Patch coverage is 0% with 3 lines in your changes missing coverage. Please review.
✅ Project coverage is 52.97%. Comparing base (3de9766) to head (a0b1a3a).
⚠️ Report is 34 commits behind head on master.

Files with missing lines	Patch %	Lines
...ework/handler/claims/impl/DefaultClaimHandler.java	0.00%	2 Missing and 1 partial ⚠️

❌ Your patch check has failed because the patch coverage (0.00%) is below the target coverage (80.00%). You can increase the patch coverage or adjust the target coverage.

Additional details and impacted files

@@             Coverage Diff              @@
##             master    #8181      +/-   ##
============================================
+ Coverage     52.93%   52.97%   +0.03%     
- Complexity    20987    20994       +7     
============================================
  Files          2197     2197              
  Lines        129206   129323     +117     
  Branches      19237    19265      +28     
============================================
+ Hits          68398    68504     +106     
- Misses        52469    52473       +4     
- Partials       8339     8346       +7     

Flag	Coverage Δ
unit	38.23% <0.00%> (+0.02%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[SujanSanjula96]

Integration test run - https://github.com/SujanSanjula96/product-is/actions/runs/28081082974

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud