Fix getting SUCCESS_COMPLETED as flowStatus for some error scenarios in App Native Authentication #3006

Open

VihangaMunasinghe wants to merge 3 commits into wso2-extensions:master from VihangaMunasinghe:master

Conversation

@VihangaMunasinghe VihangaMunasinghe commented Dec 19, 2025

Problem

In certain error scenarios during App Native Authentication, the system incorrectly returns SUCCESS_COMPLETED as the flowStatus instead of a failure state.

Examples of affected scenarios:

  • Mandatory PKCE: The code_challenge or code_challenge_method is missing when PKCE is required.
  • Invalid Prompt Parameters: The prompt parameter in the request payload is invalid (e.g., using none with other values or providing unsupported strings).

Error Flow Screenshot

Root Cause

The authentication framework handles error redirections through two primary paths:

  1. Internal Redirection: Redirecting to the server’s internal error page.
  2. External Redirection: Redirecting back to the client’s redirect_url with error details appended as query parameters.

The current logic for building App Native (API-based) responses only checks if the flow is redirected to the server error page. If the flow redirects back to the client side, the system ignores the error parameters attached to the URL and defaults to a SUCCESS_COMPLETED status, failing to communicate the failure to the API caller.

Solution

The logic has been updated to inspect the redirection URL even when it points to the client side.

  • Error Detection: The system now checks the redirection URL for error-related query parameters.
  • Exception Handling: If errors are found, the function throws an AuthServiceClientException.
  • Standardized Response: The flow now correctly responds with an HTTP 400 Bad Request and the corresponding error description.

Solution Implementation

Testing

  • Added unit test scenarios to cover different redirection URL cases.

Before Merging

As the code changes the HTTP response for some App Native requests, a backward compatibility config should be included.

Related Issue
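The redirect inspection the description outlines, as an added example in Java that is not code from the PR or the project: both redirection paths are checked, and an OAuth error parameter on a client-side redirect is raised as a failure instead of falling through to SUCCESS_COMPLETED. The class, method and exception names, the error page path and the sample redirect URLs are constructed placeholders.

```java
import java.net.URI;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

// Added example, not code from the PR; names are hypothetical stand-ins.
public class RedirectErrorCheck {

    // Constructed stand-in for the server's internal error page path.
    static final String SERVER_ERROR_PAGE = "/oauth2_error.do";

    static final class FlowError extends Exception { FlowError(String m) { super(m); } }

    // Decode the query string into an ordered map (last value wins on repeats).
    static Map<String, String> queryParams(URI uri) {
        Map<String, String> params = new LinkedHashMap<>();
        String query = uri.getRawQuery();
        if (query == null) return params;
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            String k = eq < 0 ? pair : pair.substring(0, eq);
            String v = eq < 0 ? "" : pair.substring(eq + 1);
            params.put(URLDecoder.decode(k, StandardCharsets.UTF_8),
                       URLDecoder.decode(v, StandardCharsets.UTF_8));
        }
        return params;
    }

    // Path 1: redirect to the internal error page. Path 2: redirect back to the
    // client carrying an OAuth "error" parameter. Both must surface as a failure.
    static Map<String, String> inspectRedirect(String redirectUrl) throws FlowError {
        URI uri = URI.create(redirectUrl);
        if (uri.getPath() != null && uri.getPath().endsWith(SERVER_ERROR_PAGE)) {
            throw new FlowError("redirected to server error page");
        }
        Map<String, String> params = queryParams(uri);
        if (params.containsKey("error")) {
            throw new FlowError(params.getOrDefault("error_description", params.get("error")));
        }
        return params; // only a clean client redirect reaches SUCCESS_COMPLETED
    }

    public static void main(String[] args) throws FlowError {
        // Constructed sample redirects; the values are placeholders.
        try {
            inspectRedirect("https://client.example/cb?error=invalid_request"
                + "&error_description=PKCE+is+mandatory+for+this+application&state=abc");
        } catch (FlowError e) {
            System.out.println("400 Bad Request: " + e.getMessage());
        }
        System.out.println(inspectRedirect("https://client.example/cb?code=xyz&state=abc"));
    }
}
```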


CLAassistant commented Dec 19, 2025

CLA assistant check
All committers have signed the CLA.

Comment on lines +4837 to +4838

```java
private static void handleApiBasedAuthError(String errorMsg) throws AuthServiceClientException {
    if (StringUtils.isBlank(errorMsg)) {
```

Contributor

Log Improvement Suggestion No: 1

Suggested change:

```diff
-private static void handleApiBasedAuthError(String errorMsg) throws AuthServiceClientException {
-    if (StringUtils.isBlank(errorMsg)) {
+private static void handleApiBasedAuthError(String errorMsg) throws AuthServiceClientException {
+    log.error("API based authentication failed: {}", errorMsg);
+    if (StringUtils.isBlank(errorMsg)) {
```
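Review bot: the suggested log.error runs before the StringUtils.isBlank(errorMsg) guard, so a blank errorMsg is logged as "API based authentication failed: " with no detail; place the log line after the guard, or give the blank case its own message. Since the PR maps these failures (missing PKCE parameters, invalid prompt) to an HTTP 400 client error, warn is the more fitting level than error for a condition the client caused.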

Comment on lines +4899 to +4901

```java
String jsonPayload = new Gson().toJson(successCompleteAuthResponse);
oAuthMessage.getRequest().setAttribute(IS_API_BASED_AUTH_HANDLED, true);
return Response.status(HttpServletResponse.SC_OK).entity(jsonPayload).build();
```

Contributor

Log Improvement Suggestion No: 2

Suggested change:

```diff
-String jsonPayload = new Gson().toJson(successCompleteAuthResponse);
-oAuthMessage.getRequest().setAttribute(IS_API_BASED_AUTH_HANDLED, true);
-return Response.status(HttpServletResponse.SC_OK).entity(jsonPayload).build();
+String jsonPayload = new Gson().toJson(successCompleteAuthResponse);
+oAuthMessage.getRequest().setAttribute(IS_API_BASED_AUTH_HANDLED, true);
+log.info("API based authentication completed successfully");
+return Response.status(HttpServletResponse.SC_OK).entity(jsonPayload).build();
```
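Review bot: the suggested log.info carries no identifier that ties it to a particular request or flow, so on its own it only counts successful completions and gives little to troubleshoot with; include a flow or request identifier if one is in scope here, or keep the line at debug level, since it is emitted once per successful App Native authentication.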

Contributor

@wso2-engineering wso2-engineering bot left a comment
AI Agent Log Improvement Checklist

⚠️ Warning: AI-Generated Review Comments

  • The log-related comments and suggestions in this review were generated by an AI tool to assist with identifying potential improvements. The purpose of reviewing the code for log improvements is to improve the troubleshooting capabilities of our products.
  • Please make sure to manually review and validate all suggestions before applying any changes. Not every code suggestion would make sense or add value to our purpose. Therefore, you have the freedom to decide which of the suggestions are helpful.

✅ Before merging this pull request:

  • Review all AI-generated comments for accuracy and relevance.
  • Complete and verify the table below. We need your feedback to measure the accuracy of these suggestions and the value they add. If you are rejecting a certain code suggestion, please mention the reason briefly in the suggestion for us to capture it.

| Comment | Accepted (Y/N) | Reason |
| --- | --- | --- |
| Log Improvement Suggestion No: 1 | | |
| Log Improvement Suggestion No: 2 | | |

codecov bot commented Dec 19, 2025

Codecov Report

❌ Patch coverage is 71.42857% with 6 lines in your changes missing coverage. Please review.
✅ Project coverage is 56.53%. Comparing base (0fc0e24) to head (2fee8de).

| Files with missing lines | Patch % | Lines |
| --- | --- | --- |
| ...carbon/identity/oauth/endpoint/util/AuthzUtil.java | 71.42% | 4 Missing and 2 partials ⚠️ |

Additional details and impacted files

```text
@@             Coverage Diff              @@
##             master    #3006      +/-   ##
============================================
+ Coverage     56.50%   56.53%   +0.02%
+ Complexity    10413    10224     -189
============================================
  Files           677      677
  Lines         59374    59384      +10
  Branches      14166    13921     -245
============================================
+ Hits          33552    33573      +21
+ Misses        21171    21160      -11
  Partials       4651     4651
```

| Flag | Coverage Δ |
| --- | --- |
| unit | 41.96% <71.42%> (+0.11%) ⬆️ |


@VihangaMunasinghe VihangaMunasinghe marked this pull request as ready for review December 19, 2025 09:00
