
1276 | add configurable userinfo response_type (JSON/JWS/JWE)#1362

Open
nandhu-kumar wants to merge 1 commit into asgardeo:main from nandhu-kumar:main-local-1276

Conversation

@nandhu-kumar nandhu-kumar commented Feb 11, 2026

Purpose

Currently, OAuth UserInfo response is always returned as plain JSON. However, as per the specification, the server should support returning signed (JWS) or encrypted (JWE) UserInfo responses.

This PR introduces support in the Thunder Application management endpoint to configure the userinfo.response_type flag per application.

Allowed values:

  • JSON (default fallback)
  • JWS
  • JWE

The configured value is persisted in the database (OAuth config JSON) and returned via the Application APIs.


No Breaking Changes

This change is backward compatible.
If response_type is not provided or is invalid, it defaults to JSON.


Approach

  • Added response_type field inside UserInfoConfig.
  • Added constants for supported response types.
  • Updated DTOs and processed models to support user_info.response_type.
  • Added validation to allow only JSON, JWS, and JWE values.
  • Implemented default fallback to JSON when the flag is not provided or invalid.
  • Updated store layer:
    • Persisted response_type inside oauth_config_json.
    • Updated marshalling and unmarshalling logic.
  • Ensured value is properly stored and returned in:
    • Create Application
    • Update Application
    • Get Application
  • Added integration test coverage for:
    • JWS
    • JWE
    • Invalid value fallback

Note:
This PR only introduces configuration and persistence support. Actual signing/encryption logic in the UserInfo endpoint will be handled separately (#1220).


Related Issues

Related PRs

  • N/A

Checklist

  • Followed the contribution guidelines.
  • Manual test round performed and verified.
  • Documentation provided. (Add links if there are any)
  • Tests provided. (Add links if there are any)
    • Unit Tests
    • Integration Tests
  • Breaking changes. (Fill if applicable)
    • Breaking changes section filled.
    • breaking change label added.

Security checks

  • Followed secure coding standards in WSO2 Secure Coding Guidelines
  • Confirmed that this PR doesn't commit any keys, passwords, tokens, usernames, or other secrets.

Summary by CodeRabbit

  • New Features

    • Added configurable UserInfo response formats: JSON, JWS, and JWE, with JSON as the default.
    • UserInfo configuration now includes and preserves an explicit response type.
  • Bug Fixes

    • Preserves provided UserInfo attributes and falls back to ID token attributes when absent.
    • Invalid or unspecified response-format values now default to JSON.
  • Tests

    • Added integration tests for JWS, JWE, and invalid-response-type fallback.
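The normalize-on-write and restore-on-read path the Approach describes, as an added example that is not code from this PR or from Thunder: the enum, struct and field names are assumed from the PR description, and the example also re-applies the JSON default when rebuilding the config from stored JSON, so a row saved before response_type existed does not read back empty.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// UserInfoResponseType mirrors the enum the PR adds (assumed shape).
type UserInfoResponseType string
const (
	UserInfoResponseTypeJSON UserInfoResponseType = "JSON"
	UserInfoResponseTypeJWS  UserInfoResponseType = "JWS"
	UserInfoResponseTypeJWE  UserInfoResponseType = "JWE"
)

// UserInfoConfig is the user_info block inside oauth_config_json (assumed field names).
type UserInfoConfig struct {
	ResponseType   UserInfoResponseType `json:"response_type,omitempty"`
	UserAttributes []string             `json:"user_attributes,omitempty"`
}

// NormalizeResponseType trims, uppercases and accepts only JSON/JWS/JWE; empty or unknown input falls back to JSON.
func NormalizeResponseType(raw string) UserInfoResponseType {
	v := UserInfoResponseType(strings.ToUpper(strings.TrimSpace(raw)))
	if v == UserInfoResponseTypeJWS || v == UserInfoResponseTypeJWE {
		return v
	}
	return UserInfoResponseTypeJSON
}

// Persist normalizes on write and returns the JSON the store would keep.
func Persist(cfg UserInfoConfig) ([]byte, error) {
	cfg.ResponseType = NormalizeResponseType(string(cfg.ResponseType))
	return json.Marshal(cfg)
}

// Restore rebuilds the config from stored JSON and re-applies the default, so
// rows written before response_type existed read back as JSON rather than "".
func Restore(stored []byte) (UserInfoConfig, error) {
	var cfg UserInfoConfig
	if err := json.Unmarshal(stored, &cfg); err != nil {
		return UserInfoConfig{}, err
	}
	cfg.ResponseType = NormalizeResponseType(string(cfg.ResponseType))
	return cfg, nil
}

func main() { // constructed inputs: a "jwe" request and a legacy row without the key
	b, _ := Persist(UserInfoConfig{ResponseType: "jwe", UserAttributes: []string{"email"}})
	legacy, _ := Restore([]byte(`{"user_attributes":["sub","email"]}`))
	fmt.Println(string(b), legacy.ResponseType)
}
```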


coderabbitai bot commented Feb 11, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Walkthrough

Added a UserInfo response type enum and field, propagated response_type through service and store layers, service normalizes/validates/uppercases to JSON|JWS|JWE with default JSON, and added integration tests for JWS, JWE, and invalid-value fallback.

Changes

Cohort / File(s) / Summary

  • Constants: response types
    backend/internal/application/model/constants.go
    Add type UserInfoResponseType string and constants UserInfoResponseTypeJSON, UserInfoResponseTypeJWS, UserInfoResponseTypeJWE.
  • Model: public UserInfo config
    backend/internal/application/model/oauth_app.go, tests/integration/application/model.go
    Add exported ResponseType field to UserInfoConfig (json:"response_type,omitempty").
  • Store: persist/restore response_type
    backend/internal/application/store.go
    Add ResponseType model.UserInfoResponseType to internal userInfoConfig; propagate user_info.response_type during marshal/unmarshal and inbound config reconstruction.
  • Service: normalize and default
    backend/internal/application/service.go
    Import strings; processUserInfoConfiguration copies UserAttributes, uppercases and validates ResponseType to JSON/JWS/JWE, defaults empty/invalid to JSON, and keeps UserAttributes fallback to id token config.
  • Tests: integration coverage
    tests/integration/application/application_api_test.go
    Add three tests verifying stored UserInfo.ResponseType for JWS, JWE, and invalid value (fallback to JSON).

Sequence Diagram(s)

```mermaid
sequenceDiagram
    rect rgba(200,230,201,0.5)
        participant Client
    end
    rect rgba(187,222,251,0.5)
        participant API
    end
    rect rgba(255,224,178,0.5)
        participant Service
    end
    rect rgba(255,204,204,0.5)
        participant Store
    end
    rect rgba(224,224,224,0.5)
        participant DB
    end
    Client->>API: Create/Update Application (includes user_info.response_type)
    API->>Service: processUserInfoConfiguration(payload)
    Service->>Service: uppercase & validate response_type -> {JSON,JWS,JWE} (default JSON)
    Service->>Store: persist OAuth config (includes user_info.response_type)
    Store->>DB: write stored config
    DB-->>Store: read stored config
    Store-->>API: return reconstructed config
    API-->>Client: return application with oauth.user_info.response_type
```

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

  • jeradrutnam

Poem

🐰 I hopped through fields of code with care,
Response types tidy in the breezy air.
JSON, JWS, JWE — I sort and mend,
Default to safe, then hop to the end. 🥕

🚥 Pre-merge checks | ✅ 4 passed

  • Title check: ✅ Passed. The title clearly and concisely describes the main change: adding configurable userinfo response_type support for JSON/JWS/JWE formats.
  • Description check: ✅ Passed. The PR description covers all critical sections: Purpose explains the feature and allowed values, Approach details implementation, Breaking Changes section confirms backward compatibility, and Integration Tests are provided and documented.
  • Docstring Coverage: ✅ Passed. Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
  • Merge Conflict Detection: ✅ Passed. No merge conflicts detected when merging into main.



codecov bot commented Feb 11, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 89.68%. Comparing base (422d4b1) to head (c35ae32).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #1362   +/-   ##
=======================================
  Coverage   89.67%   89.68%           
=======================================
  Files         649      649           
  Lines       42534    42546   +12     
  Branches     2454     2454           
=======================================
+ Hits        38144    38156   +12     
  Misses       2375     2375           
  Partials     2015     2015           
Flag | Coverage | Δ

  • backend-integration-postgres | 53.11% <100.00%> | (+0.01%) ⬆️
  • backend-integration-sqlite | 53.08% <100.00%> | (+0.01%) ⬆️
  • backend-unit | 82.24% <61.53%> | (-0.01%) ⬇️
  • frontend-apps-develop-unit | 90.45% <ø> | (ø)
  • frontend-apps-gate-unit | 84.88% <ø> | (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.


@nandhu-kumar nandhu-kumar force-pushed the main-local-1276 branch 2 times, most recently from 3c8147f to 5ad6f0f Compare February 12, 2026 09:04

thiva-k commented Feb 12, 2026

We should add the response_type to the userInfoConfig model in the store layer too and add it to relevant store functions as well. Seems like currently it is being returned from the application cache, which stores the application struct during the create request at the service layer.


thiva-k commented Feb 12, 2026

Shall we also squash the commits?


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
backend/internal/application/store.go (1)

276-286: ⚠️ Potential issue | 🟠 Major

Populate UserInfo.ResponseType in GetOAuthApplication.
Right now the stored response_type is dropped when rebuilding UserInfoConfig, so the OAuth-app fetch endpoint returns it empty even if configured.

🔧 Suggested fix
-		userInfoConfig = &model.UserInfoConfig{
-			UserAttributes: userAttributes,
-		}
+		userInfoConfig = &model.UserInfoConfig{
+			ResponseType:   oAuthConfig.UserInfo.ResponseType,
+			UserAttributes: userAttributes,
+		}
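Review bot: the populated value is copied straight from the stored row, so an application persisted before this field existed returns ResponseType as the empty string from GetOAuthApplication rather than the JSON default the description promises for an unset value. Apply the same JSON fallback when reconstructing the config here (or normalize once on read), and have the invalid-value integration test also assert that a Get on such a record returns "JSON".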
🤖 Fix all issues with AI agents
In `@tests/integration/application/model.go`:
- Around line 82-84: The equality logic for the UserInfo struct omits the
ResponseType field, so update the UserInfo equality comparisons (e.g.,
UserInfo.Equal or compareUserInfo helpers used in tests) to include ResponseType
alongside existing checks like UserAttributes, ensuring both equality
methods/compare helpers compare the ResponseType string; make the same change in
the other test equality helper referenced around the second location (lines
266-274) so response_type regressions are detected.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@backend/internal/application/store.go`:
- Around line 70-71: GetOAuthApplication currently constructs the UserInfoConfig
without setting the ResponseType, which causes configured JWS/JWE values to be
lost; update the UserInfo block in GetOAuthApplication to populate the
ResponseType field (using the model.UserInfoResponseType type) from the stored
application record (same source used for UserAttributes) so the returned
UserInfoConfig includes ResponseType along with UserAttributes.
🧹 Nitpick comments (2)
backend/internal/application/model/constants.go (1)

31-43: Type the UserInfoResponseType constants to the enum type for stronger typing.

This avoids accidental mixing with other string‑typed response types and improves compile‑time checks.

♻️ Suggested change
 const (
 	// UserInfoResponseTypeJSON represents the JSON userinfo response type.
-	UserInfoResponseTypeJSON = "JSON"
+	UserInfoResponseTypeJSON UserInfoResponseType = "JSON"

 	// UserInfoResponseTypeJWS represents the JWS userinfo response type.
-	UserInfoResponseTypeJWS = "JWS"
+	UserInfoResponseTypeJWS UserInfoResponseType = "JWS"

 	// UserInfoResponseTypeJWE represents the JWE userinfo response type.
-	UserInfoResponseTypeJWE = "JWE"
+	UserInfoResponseTypeJWE UserInfoResponseType = "JWE"
 )
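Review bot: once these constants carry the UserInfoResponseType type, the uppercase-and-validate step in processUserInfoConfiguration has to convert before comparing, e.g. `model.UserInfoResponseType(strings.ToUpper(raw)) == model.UserInfoResponseTypeJWS`, since a plain string no longer compares to the typed constant; the store field is already declared as model.UserInfoResponseType, so the conversion is only needed on the service side.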
backend/internal/application/model/oauth_app.go (1)

50-51: Add a jsonschema description for user_info.response_type to keep schema docs consistent.

♻️ Suggested change
-	ResponseType   UserInfoResponseType `json:"response_type,omitempty" yaml:"response_type,omitempty"`
+	ResponseType   UserInfoResponseType `json:"response_type,omitempty" yaml:"response_type,omitempty" jsonschema:"UserInfo response type. Allowed values: JSON, JWS, JWE."`
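Review bot: the description should also state the fallback and the case handling (omitted or unrecognized values are stored as JSON, and values are uppercased before validation), because the schema is the only place an API consumer would learn that "jws" is accepted and that an unsupported value silently becomes JSON rather than being rejected.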

 - Added response_type to userInfoConfig
 - Added validation logic (JSON/JWS/JWE)
 - Added persistence support in store layer
 - Added integration test coverage
 - Fixed lint issues
 - Persist userinfo response_type in store layer and refactor to typed constant

Signed-off-by: Nandhukumar <nandhukumare@gmail.com>
3 participants