[OB3] Restrict token scopes based on scopes allowed for application #880

imesh94 · 2026-01-09T05:15:51Z

[OB3] Restrict token scopes based on scopes allowed for application

This PR adds required changes to restrict token scopes based on scopes allowed when creating the application.
Following configuration changes should be applied in IS deployment.toml to enable the feature.

[open_banking.identity.application_scope_restriction]
enabled = true
grant_types = ["client_credentials"]

Issue link: #872

Doc Issue: Optional, link issue from documentation repository

Applicable Labels: Spec, product, version, type (specify requested labels)

Development Checklist

Built complete solution with pull request in place.
Ran checkstyle plugin with pull request in place.
Ran Findbugs plugin with pull request in place.
Formatted code according to WSO2 code style.
Migration scripts written (if applicable).

Secure Development Checklist

Ran FindSecurityBugs plugin and verified report.
Ran Dependency-check plugin and verified report for new dependencies added.
Ran Dependency-check plugin and verified report for dependency version changes.
Have you verify the PR does't commit any keys, passwords, tokens, usernames, or other secrets?
Have you followed secure coding standards in WSO2 Secure Engineering Guidelines?

Testing Checklist

Written unit tests.
Documented test scenarios(link available in guides).
Written automation tests (link available in guides).
Verified tests in multiple database environments (if applicable).
Verified tests in multiple deployed specifications (if applicable).
Tested with OBBI enabled (if applicable).
Tested with specification regulatory conformance suites (if applicable).

Automation Test Details

Test Suite	Test Script IDs
Integration Suite	TCXXXXX, TCXXXX

Conformance Tests Details

Test Suite Name	Test Suite Version	Scenarios	Result
Security Suite	VX.X	Foo, Bar	Passed

Resources

Knowledge Base: https://sites.google.com/wso2.com/open-banking/

Guides: https://sites.google.com/wso2.com/open-banking/developer-guides

coderabbitai · 2026-01-09T05:15:57Z

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

...o2/openbanking/accelerator/identity/grant/type/handlers/OBAuthorizationCodeGrantHandler.java

...o2/openbanking/accelerator/identity/grant/type/handlers/OBClientCredentialsGrantHandler.java

...va/com/wso2/openbanking/accelerator/identity/grant/type/handlers/OBPasswordGrantHandler.java

...ava/com/wso2/openbanking/accelerator/identity/grant/type/handlers/OBRefreshGrantHandler.java

...in/java/com/wso2/openbanking/accelerator/identity/internal/IdentityExtensionsDataHolder.java

...dentity/src/main/java/com/wso2/openbanking/accelerator/identity/util/IdentityCommonUtil.java

wso2-engineering

AI Agent Log Improvement Checklist

⚠️ Warning: AI-Generated Review Comments

The log-related comments and suggestions in this review were generated by an AI tool to assist with identifying potential improvements. Purpose of reviewing the code for log improvements is to improve the troubleshooting capabilities of our products.
Please make sure to manually review and validate all suggestions before applying any changes. Not every code suggestion would make sense or add value to our purpose. Therefore, you have the freedom to decide which of the suggestions are helpful.

✅ Before merging this pull request:

Review all AI-generated comments for accuracy and relevance.
Complete and verify the table below. We need your feedback to measure the accuracy of these suggestions and the value they add. If you are rejecting a certain code suggestion, please mention the reason briefly in the suggestion for us to capture it.

Comment	Accepted (Y/N)	Reason
#### Log Improvement Suggestion No: 1
#### Log Improvement Suggestion No: 2
#### Log Improvement Suggestion No: 3
#### Log Improvement Suggestion No: 4
#### Log Improvement Suggestion No: 5
#### Log Improvement Suggestion No: 6
#### Log Improvement Suggestion No: 7
#### Log Improvement Suggestion No: 8
#### Log Improvement Suggestion No: 9
#### Log Improvement Suggestion No: 10
#### Log Improvement Suggestion No: 11
#### Log Improvement Suggestion No: 12

amjadhifthikar · 2026-01-09T12:14:21Z

Shall we make this as follows to align more with other configs we have?

[open_banking.identity.application.scope_restriction]
enabled = true
grant_types = ["client_credentials", "authorization_code"]

imesh94 · 2026-01-12T03:41:54Z

Shall we make this as follows to align more with other configs we have?
[open_banking.identity.application.scope_restriction]
enabled = true
grant_types = ["client_credentials", "authorization_code"]

Fixed by 5d9e981

imesh94 added 2 commits January 9, 2026 10:44

Restrict token scopes based on scopes allowed for application

2da2eab

Reformat

bf48d32