Construct commonauth URL with tenant qualified organization path in the sub organization connection creation

[ShanChathusanda93]

Purpose

• $subject

Related Issues

• N/A

Related PRs

• N/A

Checklist

• e2e cypress tests locally verified. (for internal contributers)
• Manual test round performed and verified.
• UX/UI review done on the final implementation.
• Documentation provided. (Add links if there are any)
• Relevant backend changes deployed and verified
• Unit tests provided. (Add links if there are any)
• Integration tests provided. (Add links if there are any)

Security checks

• Followed secure coding standards in http://wso2.com/technical-reports/wso2-secure-engineering-guidelines
• Ran FindSecurityBugs plugin and verified report
• Confirmed that this PR doesn't commit any keys, passwords, tokens, usernames, or other secrets

Developer Checklist (Mandatory)

• Complete the Developer Checklist in the related product-is issue to track any behavioral change or migration impact.

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds a new organizations deployment config (with connections.useTenantQualifiedOrgPatternCommonauth), exposes it at runtime, extends config types, and updates OIDC/SAML connection flows to conditionally construct tenant-qualified commonauth callback/redirect URLs for sub-organizations when the flag is enabled.

Changes

Cohort / File(s)	Summary
Config models modules/core/src/models/config.ts	Added OrganizationsConfigInterface and optional organizations?: OrganizationsConfigInterface to CommonDeploymentConfigInterface.
Deployment config templates & public apps/console/java/.../deployment.config.json.j2, apps/console/src/public/deployment.config.json	Added top-level organizations JSON block with connections.useTenantQualifiedOrgPatternCommonauth (rendered from template, defaults to false).
Config exposure apps/console/src/init/app-utils.ts, features/admin.core.v1/configs/app.ts	Included organizations in AppUtils.getConfig() return and exposed it via Config.getDeploymentConfig().
Connection create/edit flows features/admin.connections.v1/components/create/enterprise-connection-create-wizard.tsx, features/admin.connections.v1/components/edit/forms/authenticators/saml-authenticator-form.tsx	Make OIDC/SAML callback/redirect URL generation organization-aware: when current context is a sub-organization and the new flag is enabled, build a tenant-qualified commonauth URL; otherwise use existing customServerHost + "/commonauth".
Release notes .changeset/large-toys-whisper.md	Added changeset scheduling patch releases and noting tenant-qualified commonauth URL behavior for sub-organization connection creation.

🚥 Pre-merge checks | ✅ 3 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The PR description is largely incomplete, with the Purpose section containing only a placeholder ('- $subject') and all checklist items unchecked, indicating no testing or verification was performed.	Replace the placeholder in Purpose with a detailed description of the change, and complete the checklist items to document testing, security checks, and verification performed.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The PR title accurately and specifically describes the main change: constructing the commonauth URL with a tenant-qualified organization path for sub-organization connections.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Changeset Required	✅ Passed	The pull request includes a properly formatted changeset file (.changeset/large-toys-whisper.md) listing all affected packages with appropriate patch version updates.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (2)

apps/console/src/init/app-utils.ts (1)

269-269: Add a defensive default for organizations in the exported config.

This field can be undefined on older/custom deployment configs. Defaulting it here avoids downstream null-access risk in consumers of deployment.organizations.connections.

♻️ Suggested patch

-                organizations: _config.organizations,
+                organizations: _config.organizations ?? {
+                    connections: {
+                        useTenantQualifiedOrgPatternCommonauth: false
+                    }
+                },

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@apps/console/src/init/app-utils.ts` at line 269, Exported config's
organizations can be undefined on older deployments; change the assignment for
organizations in the exported config (the line currently "organizations:
_config.organizations") to provide a defensive default (e.g., use nullish
coalescing to default to an empty object) so downstream access like
deployment.organizations.connections won't throw.

features/admin.connections.v1/components/create/enterprise-connection-create-wizard.tsx (1)

303-310: Consider extracting common URL construction to a shared utility.

The tenant-qualified commonauth URL construction logic is duplicated between this wizard and the SAML authenticator form (saml-authenticator-form.tsx:250-254). Consider extracting this to a shared utility function in connection-utils.ts to maintain consistency and reduce duplication.

// Example utility function signature
export const getCommonAuthUrl = (
    config: ConfigReducerStateInterface,
    currentOrganizationId: string,
    isSubOrg: boolean
): string => {
    return isSubOrg && config?.deployment?.organizations?.connections?.useTenantQualifiedOrgPatternCommonauth
        ? `${config?.deployment?.serverOrigin}/t/${config?.deployment?.tenant}/${config?.deployment?.organizationPrefix}/${currentOrganizationId}/commonauth`
        : `${config?.deployment?.customServerHost}/commonauth`;
};

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@features/admin.connections.v1/components/create/enterprise-connection-create-wizard.tsx`
around lines 303 - 310, The callbackUrl construction is duplicated (in
enterprise-connection-create-wizard.tsx and saml-authenticator-form.tsx);
extract the logic into a shared utility (e.g., add getCommonAuthUrl in
connection-utils.ts) that accepts (config, currentOrganizationId, isSubOrg) and
returns the tenant-qualified or customServerHost commonauth URL, then replace
the inline ternary in enterpriseConnectionCreateWizard (and the SAML form) to
call getCommonAuthUrl to remove duplication and ensure consistent URL formation.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@apps/console/src/init/app-utils.ts`:
- Line 269: Exported config's organizations can be undefined on older
deployments; change the assignment for organizations in the exported config (the
line currently "organizations: _config.organizations") to provide a defensive
default (e.g., use nullish coalescing to default to an empty object) so
downstream access like deployment.organizations.connections won't throw.

In
`@features/admin.connections.v1/components/create/enterprise-connection-create-wizard.tsx`:
- Around line 303-310: The callbackUrl construction is duplicated (in
enterprise-connection-create-wizard.tsx and saml-authenticator-form.tsx);
extract the logic into a shared utility (e.g., add getCommonAuthUrl in
connection-utils.ts) that accepts (config, currentOrganizationId, isSubOrg) and
returns the tenant-qualified or customServerHost commonauth URL, then replace
the inline ternary in enterpriseConnectionCreateWizard (and the SAML form) to
call getCommonAuthUrl to remove duplication and ensure consistent URL formation.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: b1a906c9-25a2-417a-8024-2ede8b3e68f8

📥 Commits

Reviewing files that changed from the base of the PR and between 49e3b4f and 99e6827.

📒 Files selected for processing (7)

• apps/console/java/org.wso2.identity.apps.console.server.feature/resources/deployment.config.json.j2
• apps/console/src/init/app-utils.ts
• apps/console/src/public/deployment.config.json
• features/admin.connections.v1/components/create/enterprise-connection-create-wizard.tsx
• features/admin.connections.v1/components/edit/forms/authenticators/saml-authenticator-form.tsx
• features/admin.core.v1/configs/app.ts
• modules/core/src/models/config.ts

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.changeset/large-toys-whisper.md:
- Line 7: Update the release-note sentence that currently reads "Construct
commonauth URL with tenant qualified organization path in the sub organization
connection creation" to use hyphenated compounds for clarity: change it to
"Construct commonauth URL with tenant-qualified organization path in the
sub-organization connection creation" so both "tenant-qualified" and
"sub-organization" are hyphenated; edit the phrase in
.changeset/large-toys-whisper.md accordingly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: 4e4da61e-cb4c-44cf-9e44-c68b3f4dc424

📥 Commits

Reviewing files that changed from the base of the PR and between 99e6827 and 69c52f2.

📒 Files selected for processing (8)

• .changeset/large-toys-whisper.md
• apps/console/java/org.wso2.identity.apps.console.server.feature/resources/deployment.config.json.j2
• apps/console/src/init/app-utils.ts
• apps/console/src/public/deployment.config.json
• features/admin.connections.v1/components/create/enterprise-connection-create-wizard.tsx
• features/admin.connections.v1/components/edit/forms/authenticators/saml-authenticator-form.tsx
• features/admin.core.v1/configs/app.ts
• modules/core/src/models/config.ts

✅ Files skipped from review due to trivial changes (1)

• apps/console/src/public/deployment.config.json

🚧 Files skipped from review as they are similar to previous changes (5)

• apps/console/src/init/app-utils.ts
• apps/console/java/org.wso2.identity.apps.console.server.feature/resources/deployment.config.json.j2
• modules/core/src/models/config.ts
• features/admin.connections.v1/components/edit/forms/authenticators/saml-authenticator-form.tsx
• features/admin.connections.v1/components/create/enterprise-connection-create-wizard.tsx

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Polish release-note wording with hyphenation.

Line 7 should use hyphenated compounds for readability: tenant-qualified and sub-organization.

✍️ Suggested text tweak

-Construct commonauth URL with tenant qualified organization path in the sub organization connection creation
+Construct commonauth URL with tenant-qualified organization path in the sub-organization connection creation

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	Construct commonauth URL with tenant qualified organization path in the sub organization connection creation
	Construct commonauth URL with tenant-qualified organization path in the sub-organization connection creation

🧰 Tools

🪛 LanguageTool

[grammar] ~7-~7: Use a hyphen to join words.
Context: ...t qualified organization path in the sub organization connection creation

(QB_NEW_EN_HYPHEN)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.changeset/large-toys-whisper.md at line 7, Update the release-note sentence
that currently reads "Construct commonauth URL with tenant qualified
organization path in the sub organization connection creation" to use hyphenated
compounds for clarity: change it to "Construct commonauth URL with
tenant-qualified organization path in the sub-organization connection creation"
so both "tenant-qualified" and "sub-organization" are hyphenated; edit the
phrase in .changeset/large-toys-whisper.md accordingly.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 56.05%. Comparing base (7fb5759) to head (18633df).
⚠️ Report is 22 commits behind head on master.

Additional details and impacted files

@@           Coverage Diff           @@
##           master   #10094   +/-   ##
=======================================
  Coverage   56.05%   56.05%           
=======================================
  Files          42       42           
  Lines        1024     1024           
  Branches      254      247    -7     
=======================================
  Hits          574      574           
+ Misses        450      416   -34     
- Partials        0       34   +34     

Flag	Coverage Δ
@wso2is/core	56.05% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.
see 10 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[pavinduLakshan]

Let's add this under organizations feature config as properties.

[pavinduLakshan]

when config is enabled:

when config is disabled:

[coderabbitai]

♻️ Duplicate comments (1)

.changeset/large-toys-whisper.md (1)

7-7: ⚠️ Potential issue | 🟡 Minor

Hyphenate compound terms in the release note.

Please use tenant-qualified and sub-organization for readability and consistency.

✍️ Suggested edit

-Construct commonauth URL with tenant qualified organization path in the sub organization connection creation
+Construct commonauth URL with tenant-qualified organization path in the sub-organization connection creation

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.changeset/large-toys-whisper.md at line 7, Update the release note sentence
that starts with "Construct commonauth URL with tenant qualified organization
path in the sub organization connection creation" to hyphenate compound terms
for consistency: change "tenant qualified" to "tenant-qualified" and "sub
organization" to "sub-organization" so the text reads "Construct commonauth URL
with tenant-qualified organization path in the sub-organization connection
creation".

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In @.changeset/large-toys-whisper.md:
- Line 7: Update the release note sentence that starts with "Construct
commonauth URL with tenant qualified organization path in the sub organization
connection creation" to hyphenate compound terms for consistency: change "tenant
qualified" to "tenant-qualified" and "sub organization" to "sub-organization" so
the text reads "Construct commonauth URL with tenant-qualified organization path
in the sub-organization connection creation".

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: 48c18487-8c1f-4520-bc69-39495a3ced2b

📥 Commits

Reviewing files that changed from the base of the PR and between 69c52f2 and 18633df.

📒 Files selected for processing (7)

• .changeset/large-toys-whisper.md
• apps/console/java/org.wso2.identity.apps.console.server.feature/resources/deployment.config.json.j2
• apps/console/src/init/app-utils.ts
• apps/console/src/public/deployment.config.json
• features/admin.connections.v1/components/create/enterprise-connection-create-wizard.tsx
• features/admin.connections.v1/components/edit/forms/authenticators/saml-authenticator-form.tsx
• features/admin.core.v1/configs/app.ts

✅ Files skipped from review due to trivial changes (3)

• apps/console/java/org.wso2.identity.apps.console.server.feature/resources/deployment.config.json.j2
• apps/console/src/public/deployment.config.json
• features/admin.connections.v1/components/create/enterprise-connection-create-wizard.tsx

🚧 Files skipped from review as they are similar to previous changes (2)

• apps/console/src/init/app-utils.ts
• features/admin.connections.v1/components/edit/forms/authenticators/saml-authenticator-form.tsx