@imesh94 imesh94 commented Jan 21, 2026

Add FSJWTAccessTokenClaimProvider to put consent-id as an access token claim

We are using an OIDCClaimsCallbackHandler to add consent-id as a claim to the JWT access token. This overrides the IS default behavior, disabling the capability to set user claims on the access token from the IS Console UI. This PR adds a claim provider to set the consent-id as an access token claim instead of using OIDCClaimsCallbackHandler.

Issue link: #887

Doc Issue: Optional, link issue from documentation repository

Applicable Labels: Spec, product, version, type (specify requested labels)


Development Checklist

  1. Built complete solution with pull request in place.
  2. Ran checkstyle plugin with pull request in place.
  3. Ran Findbugs plugin with pull request in place.
  4. Formatted code according to WSO2 code style.
  5. Migration scripts written (if applicable).

Secure Development Checklist

  1. Ran FindSecurityBugs plugin and verified report.
  2. Ran Dependency-check plugin and verified report for new dependencies added.
  3. Ran Dependency-check plugin and verified report for dependency version changes.
  4. Have you verified the PR doesn't commit any keys, passwords, tokens, usernames, or other secrets?
  5. Have you followed secure coding standards in WSO2 Secure Engineering Guidelines?

Testing Checklist

  1. Written unit tests.
  2. Documented test scenarios (link available in guides).
  3. Written automation tests (link available in guides).
  4. Verified tests in multiple database environments (if applicable).
  5. Verified tests in multiple deployed specifications (if applicable).
  6. Tested with OBBI enabled (if applicable).
  7. Tested with specification regulatory conformance suites (if applicable).

Automation Test Details

| Test Suite | Test Script IDs |
| --- | --- |
| Integration Suite | TCXXXXX, TCXXXX |

Conformance Tests Details

| Test Suite Name | Test Suite Version | Scenarios | Result |
| --- | --- | --- | --- |
| Security Suite | VX.X | Foo, Bar | Passed |

Summary by CodeRabbit

  • New Features

    • Access tokens now include financial-services-specific claims (such as consent identifiers) to support regulatory compliance and downstream processing.
  • Improvements

    • OAuth/OIDC deployment defaults updated to no longer explicitly disable claims separation for access tokens, simplifying configuration and aligning with default behavior.


@imesh94 imesh94 changed the title [OB4] Add FSJWTAccessTokenClaimProvider to put consent-id as an access token claim [Accelerator 4] Access token attributes cannot be added from IS console UI Jan 21, 2026

@wso2-engineering wso2-engineering bot left a comment


AI Agent Log Improvement Checklist

⚠️ Warning: AI-Generated Review Comments

  • The log-related comments and suggestions in this review were generated by an AI tool to assist with identifying potential improvements. The purpose of reviewing the code for log improvements is to improve the troubleshooting capabilities of our products.
  • Please make sure to manually review and validate all suggestions before applying any changes. Not every code suggestion would make sense or add value to our purpose. Therefore, you have the freedom to decide which of the suggestions are helpful.

✅ Before merging this pull request:

  • Review all AI-generated comments for accuracy and relevance.
  • Complete and verify the table below. We need your feedback to measure the accuracy of these suggestions and the value they add. If you are rejecting a certain code suggestion, please mention the reason briefly in the suggestion for us to capture it.
| Comment | Accepted (Y/N) | Reason |
| --- | --- | --- |
| Log Improvement Suggestion No: 1 | | |
| Log Improvement Suggestion No: 2 | | |
| Log Improvement Suggestion No: 4 | | |

coderabbitai bot commented Jan 21, 2026

Walkthrough

This PR removes explicit claims-separation flags from three WSO2 IS deployment.toml files and adds a new FSJWTAccessTokenClaimProvider registered as a JWTAccessTokenClaimProvider to inject consent ID claims and filter scopes during access token issuance.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Configuration updates: `financial-services-accelerator/accelerators/fs-is/repository/resources/wso2is-7.0.0-deployment.toml`, `financial-services-accelerator/accelerators/fs-is/repository/resources/wso2is-7.1.0-deployment.toml`, `financial-services-accelerator/accelerators/fs-is/repository/resources/wso2is-7.2.0-deployment.toml` | Removed the single line `enable_claims_separation_for_access_tokens = false` from the `[oauth.oidc]` section in each deployment.toml (deletion only). |
| JWT claims provider implementation: `financial-services-accelerator/components/org.wso2.financial.services.accelerator.identity.extensions/src/main/java/org/wso2/financial/services/accelerator/identity/extensions/claims/FSJWTAccessTokenClaimProvider.java` | Added FSJWTAccessTokenClaimProvider implementing JWTAccessTokenClaimProvider; extracts consent ID from scopes, adds a consent ID claim when present, removes internal/consent-related scopes from the token scope claim, and wraps errors in IdentityOAuth2Exception. |
| Service registration: `financial-services-accelerator/components/org.wso2.financial.services.accelerator.identity.extensions/src/main/java/org/wso2/financial/services/accelerator/identity/extensions/internal/IdentityExtensionsServiceComponent.java` | Registered FSJWTAccessTokenClaimProvider as an OSGi service implementing JWTAccessTokenClaimProvider. |

Sequence Diagram(s)

```mermaid
sequenceDiagram
    participant Client
    participant OAuth as OAuth Token Endpoint
    participant Provider as FSJWTAccessTokenClaimProvider
    participant ScopeUtil as Scope/Claims Processor
    participant Token as JWT Access Token

    Client->>OAuth: Token request (with scopes)
    OAuth->>Provider: getAdditionalClaims(TokenReqContext)
    Provider->>ScopeUtil: extractConsentIdFromScopes(scopes)
    ScopeUtil-->>Provider: consentId (optional)
    Provider->>ScopeUtil: removeConsentIdScope(scopes)
    ScopeUtil-->>Provider: filteredScopes
    Provider->>Provider: build claims map (add consentId if present)
    Provider-->>OAuth: additional claims + filteredScopes
    OAuth->>Token: issue JWT with claims and filtered scopes
    Token-->>Client: JWT Access Token
```

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

Poem

🐰 I nibble scopes and chase the clue,

Consent IDs hop into view,
Tokens trimmed with nimble care,
Claims tucked tidy, light as air,
A joyful hop — the change is new!

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description check | ✅ Passed | The description includes the required purpose section explaining the motivation for the changes and links to the GitHub issue, but several checklist items remain unchecked including secure development, testing, unit tests, and automation tests. |
| Title check | ✅ Passed | The PR title accurately and concisely describes the main change: adding FSJWTAccessTokenClaimProvider to set consent-id as an access token claim, which is the primary objective reflected in both the raw summary and PR objectives. |



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

In `@financial-services-accelerator/components/org.wso2.financial.services.accelerator.identity.extensions/src/main/java/org/wso2/financial/services/accelerator/identity/extensions/claims/FSJWTAccessTokenClaimProvider.java`:
- Around line 80-92: In addConsentIDClaim, change scope matching to use
startsWith instead of contains to avoid accidental matches: when finding the
FS_PREFIX use Arrays.stream(scopes).filter(scope ->
scope.startsWith(IdentityCommonConstants.FS_PREFIX)) and when finding
consentIdClaimName use .filter(scope -> scope.startsWith(consentIdClaimName));
keep the subsequent replace/remove logic (replace FS_PREFIX or
consentIdClaimName with StringUtils.EMPTY) and the existing fallback behavior
for empty values so the claim extraction remains unchanged except for stricter
prefix matching.
- Around line 56-65: The null-check order can cause NPEs when evaluating
context.getOauth2AccessTokenReqDTO().getClientId(); update the conditional in
FSJWTAccessTokenClaimProvider to first verify context != null, then
context.getOauth2AccessTokenReqDTO() != null, then optionally clientId != null,
and finally context.getScope() != null before calling
IdentityCommonUtils.isRegulatoryApp(...) and using context.getScope(); ensure
all uses of context.getScope() (including the log.debug call and calls to
addConsentIDClaim/removeConsentIdScope) are only executed after these null
guards.
🧹 Nitpick comments (1)
financial-services-accelerator/components/org.wso2.financial.services.accelerator.identity.extensions/src/main/java/org/wso2/financial/services/accelerator/identity/extensions/claims/FSJWTAccessTokenClaimProvider.java (1)

44-44: Static initialization of consentIdClaimName may cause issues.

If the configuration is not yet loaded when this class is initialized, or if getConfiguredConsentIdClaimName() returns null, subsequent usages at lines 87, 89, 95, and 98 will throw NullPointerException. Additionally, any runtime configuration changes won't be reflected.

Consider fetching the claim name dynamically within methods or adding a null guard:

Suggested approach
-    private static final String consentIdClaimName = IdentityCommonUtils.getConfiguredConsentIdClaimName();
+    private static String getConsentIdClaimName() {
+        String claimName = IdentityCommonUtils.getConfiguredConsentIdClaimName();
+        return claimName != null ? claimName : "consent_id";
+    }
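Review bot: The hard-coded fallback to "consent_id" in getConsentIdClaimName() silently masks a missing or unloaded configuration: when getConfiguredConsentIdClaimName() returns null, tokens would be issued with a claim name the deployment never configured, and nothing would record that this happened. Consider logging at warn level when the fallback is taken, or failing the request with IdentityOAuth2Exception (which the provider already uses for its other errors), so a misconfiguration surfaces at the first token issuance rather than in downstream consumers that look for the configured claim.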

Then replace usages of consentIdClaimName with getConsentIdClaimName().
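The two actionable comments above (strict prefix matching of the consent scope, and the null-guard order before touching the request context) are easier to reason about with concrete input. The following is an added example written for this page, not code from the PR or the project. The prefix value, the claim name, and the `TokenReqContext` / `AccessTokenReqDTO` stand-ins are assumptions; the real `IdentityCommonConstants.FS_PREFIX` and configured claim name are not visible here.

```java
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Optional;

/**
 * Added example, not code from the PR: shows why the review prefers startsWith()
 * over contains() when pulling a consent id out of the scope list, and the
 * null-guard order it asks for. All names and values below are assumptions.
 */
public final class ConsentClaimExample {

    // Assumed placeholders: the real IdentityCommonConstants.FS_PREFIX and the
    // configured consent-id claim name are not visible on the PR page.
    static final String FS_PREFIX = "FS_";
    static final String CONSENT_ID_CLAIM_NAME = "consent_id";

    /** Hypothetical stand-in for the OAuth2 access token request DTO. */
    static final class AccessTokenReqDTO {
        private final String clientId;
        AccessTokenReqDTO(String clientId) { this.clientId = clientId; }
        String getClientId() { return clientId; }
    }

    /** Hypothetical stand-in for the token request context handed to the provider. */
    static final class TokenReqContext {
        private final AccessTokenReqDTO reqDTO;
        private final String[] scope;
        TokenReqContext(AccessTokenReqDTO reqDTO, String[] scope) {
            this.reqDTO = reqDTO;
            this.scope = scope;
        }
        AccessTokenReqDTO getOauth2AccessTokenReqDTO() { return reqDTO; }
        String[] getScope() { return scope; }
    }

    /** Loose form flagged in review: any scope that merely contains the marker is taken as the consent scope. */
    static Optional<String> extractLoose(String[] scopes, String marker) {
        return Arrays.stream(scopes)
                .filter(s -> s.contains(marker))
                .map(s -> s.replace(marker, ""))
                .filter(v -> !v.isEmpty())
                .findFirst();
    }

    /** Strict form: the scope must begin with the marker; the remainder is the consent id. */
    static Optional<String> extractStrict(String[] scopes, String marker) {
        return Arrays.stream(scopes)
                .filter(s -> s.startsWith(marker))
                .map(s -> s.substring(marker.length()))
                .filter(v -> !v.isEmpty())
                .findFirst();
    }

    /** Consent id from either the FS prefix or the claim-name marker, strict matching only. */
    static Optional<String> extractConsentId(String[] scopes) {
        Optional<String> fromPrefix = extractStrict(scopes, FS_PREFIX);
        return fromPrefix.isPresent() ? fromPrefix : extractStrict(scopes, CONSENT_ID_CLAIM_NAME);
    }

    /** Drops the internal consent scopes so they do not appear in the token's scope claim. */
    static String[] removeConsentScopes(String[] scopes) {
        return Arrays.stream(scopes)
                .filter(s -> !s.startsWith(FS_PREFIX) && !s.startsWith(CONSENT_ID_CLAIM_NAME))
                .toArray(String[]::new);
    }

    /**
     * Null guards in the order the review asks for: context, request DTO, client id,
     * then scope. Short-circuiting || means no getter is ever called on a null reference.
     */
    static Map<String, Object> additionalClaims(TokenReqContext context) {
        Map<String, Object> claims = new LinkedHashMap<>();
        if (context == null
                || context.getOauth2AccessTokenReqDTO() == null
                || context.getOauth2AccessTokenReqDTO().getClientId() == null
                || context.getScope() == null) {
            return claims;
        }
        extractConsentId(context.getScope()).ifPresent(id -> claims.put(CONSENT_ID_CLAIM_NAME, id));
        return claims;
    }

    public static void main(String[] args) {
        // Constructed sample: an unrelated scope that happens to contain the marker
        // sits before the real consent scope in the request.
        String[] scopes = {"openid", "accounts", "read_consent_id_list", CONSENT_ID_CLAIM_NAME + "abc-123"};

        System.out.println("loose  -> " + extractLoose(scopes, CONSENT_ID_CLAIM_NAME));
        System.out.println("strict -> " + extractStrict(scopes, CONSENT_ID_CLAIM_NAME));
        System.out.println("scopes -> " + Arrays.toString(removeConsentScopes(scopes)));
        System.out.println("claims (null ctx) -> " + additionalClaims(null));
        System.out.println("claims -> "
                + additionalClaims(new TokenReqContext(new AccessTokenReqDTO("client-1"), scopes)));
    }
}
```

With the constructed scope list, the loose form matches `read_consent_id_list` first and, after stripping the marker, returns the garbage value `read__list` as the consent id; the strict form skips it and returns `abc-123`. That is the "accidental match" the review describes: a token would be minted with a consent claim that does not identify any consent, and `removeConsentScopes` would still leave the unrelated scope in place because it is matched by prefix, which is the intended behaviour.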

@imesh94 imesh94 changed the title [Accelerator 4] Access token attributes cannot be added from IS console UI [Accelerator 4] Add FSJWTAccessTokenClaimProvider to set consent-id as an access token claim Jan 21, 2026