Extend Agent Authorization Protocol to organizations #3228

Open
HasiniSama wants to merge 1 commit into wso2-extensions:master from HasiniSama:shared-agent-support

@HasiniSama
Contributor

Proposed changes in this pull request

$subject

Contributor

@wso2-engineering wso2-engineering Bot left a comment

AI Agent Log Improvement Checklist

⚠️ Warning: AI-Generated Review Comments

  • The log-related comments and suggestions in this review were generated by an AI tool to assist with identifying potential improvements. The purpose of reviewing the code for log improvements is to improve the troubleshooting capabilities of our products.
  • Please make sure to manually review and validate all suggestions before applying any changes. Not every code suggestion would make sense or add value to our purpose. Therefore, you have the freedom to decide which of the suggestions are helpful.

✅ Before merging this pull request:

  • Review all AI-generated comments for accuracy and relevance.
  • Complete and verify the table below. We need your feedback to measure the accuracy of these suggestions and the value they add. If you are rejecting a certain code suggestion, please mention the reason briefly in the suggestion for us to capture it.

| Comment | Accepted (Y/N) | Reason |
| --- | --- | --- |
| Log Improvement Suggestion No: 1 | | |
| Log Improvement Suggestion No: 2 | | |

@coderabbitai
coderabbitai Bot commented May 4, 2026

📝 Walkthrough


This PR extends the OAuth module to support agent identity resolution in the authorization utility. It declares a new dependency on the organization agent sharing library, updates the organization management version, and implements agent-specific associated-user-id lookup logic in the AuthzUtil class.

Changes

Agent Identity Support in OAuth

| Layer / File(s) | Summary |
| --- | --- |
| Dependency Version Update: `pom.xml` | Root carbon.identity.organization.management.version property updated from 2.4.4 to 2.4.18; new dependency management entry added for org.wso2.carbon.identity.organization.management.organization.agent.sharing. |
| Module Dependencies & OSGi Configuration: `components/org.wso2.carbon.identity.oauth/pom.xml` | New Maven dependency declared for org.wso2.carbon.identity.organization.management.organization.agent.sharing; OSGi Import-Package list extended to include org.wso2.carbon.identity.organization.management.organization.agent.sharing.util. |
| Agent Identity Lookup Logic: `components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/util/AuthzUtil.java` | getUserIdOfAssociatedUser adds an early agent-specific branch that resolves shared agent ID via OrganizationSharedAgentUtil when agent identity is enabled and userstore domain matches; fallback to existing user-id resolution for non-agent paths; imports updated to include IdentityUtil and OrganizationSharedAgentUtil. |

Suggested reviewers

  • SujanSanjula96

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Description check | ⚠️ Warning | The pull request description is largely incomplete, providing only a placeholder '$subject' instead of the required template sections like Purpose, Goals, Approach, Testing, Documentation, and Security checks. | Complete the description using the required template, including Purpose, Goals, Approach, test coverage details, documentation links, security verification, and other mandatory sections. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title 'Extend Agent Authorization Protocol to organizations' clearly and specifically describes the main change: adding agent authorization support to organizations. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (1)
components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/util/AuthzUtil.java (1)

210-225: ⚡ Quick win

Add focused tests for the new agent branch.

Please add coverage for: agent-store success, agent-store not-associated (client exception), and non-agent-store fallback path. This is an auth-critical branch and worth locking down with tests.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In
`@components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/util/AuthzUtil.java`
around lines 210 - 225, Add unit tests covering the new agent-specific branch in
AuthzUtil: create tests that (1) simulate IdentityUtil.isAgentIdentityEnabled()
true and IdentityUtil.getAgentIdentityUserstoreName() matching
authenticatedUser.getUserStoreDomain() and assert
OrganizationSharedAgentUtil.getAgentIdOfAssociatedAgentByOrgId(associatedUserId,
authenticatedUser.getAccessingOrganization()) returns an agent id (success
path); (2) simulate the same agent-store match but have
OrganizationSharedAgentUtil.getAgentIdOfAssociatedAgentByOrgId(...) return empty
and assert AuthzUtil throws IdentityOAuth2ClientException (not-associated path);
and (3) simulate either isAgentIdentityEnabled false or agent-store name not
matching authenticatedUser.getUserStoreDomain() and assert the method falls back
to the existing non-agent sharing logic (fallback path). Use mocking for
IdentityUtil and OrganizationSharedAgentUtil and reference methods:
IdentityUtil.isAgentIdentityEnabled(),
IdentityUtil.getAgentIdentityUserstoreName(),
authenticatedUser.getUserStoreDomain(),
OrganizationSharedAgentUtil.getAgentIdOfAssociatedAgentByOrgId(...), and verify
thrown types and returned values accordingly.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: 5c8311d7-bb38-4247-8cf4-cf81dd287eeb

📥 Commits

Reviewing files that changed from the base of the PR and between 0b31ed2 and 640440a.

📒 Files selected for processing (3)
  • components/org.wso2.carbon.identity.oauth/pom.xml
  • components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/util/AuthzUtil.java
  • pom.xml

throw new IdentityOAuth2Exception("Error while resolving shared agent ID", e);
}
}
}
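
Review bot: The message on the `throw new IdentityOAuth2Exception("Error while resolving shared agent ID", e);` line is a fixed string, so when this fails there is nothing in it to say which lookup was being resolved. Consider adding the accessing organization's ID to the message while still passing `e` as the cause, so the failure can be traced to a specific organization during troubleshooting.
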
Contributor Author

This should be combined with the below user sharing logic
