Add Support nested act claim with azp and multi-audience in token request

components/org.wso2.carbon.identity.oauth.common/src/main/java/org/wso2/carbon/identity/oauth/common/OAuthConstants.java

@@ -134,6 +134,13 @@ public final class OAuthConstants {
             ".EnableHybridFlowAppLevelValidation";
     public static final String RESTRICT_FRAGMENT_COMPONENTS = "OAuth.Callback.RestrictFragmentComponents";
 
+    // Token Exchange delegation property key
+    public static final String ACTOR_AZP = "ACTOR_AZP";
+    public static final String IS_DELEGATION_REQUEST = "IS_DELEGATION_REQUEST";
+    public static final String IS_SELF_DELEGATION_WITH_ACT = "IS_SELF_DELEGATION_WITH_ACT";
+    public static final String ACTOR_SUBJECT = "ACTOR_SUBJECT";
+    public static final String EXISTING_ACT_CLAIM = "EXISTING_ACT_CLAIM";
+
     /**
      * Enum for OIDC supported subject types.
      */

components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/JWTTokenIssuer.java

@@ -76,6 +76,11 @@
 import static org.wso2.carbon.identity.oauth.common.OAuthConstants.REQUEST_BINDING_TYPE;
 import static org.wso2.carbon.identity.oauth2.util.OAuth2Util.JWT_X5T_ENABLED;
 import static org.wso2.carbon.identity.oauth2.util.OAuth2Util.getPrivateKey;
+import static org.wso2.carbon.identity.oauth.common.OAuthConstants.IS_DELEGATION_REQUEST;
+import static org.wso2.carbon.identity.oauth.common.OAuthConstants.IS_SELF_DELEGATION_WITH_ACT;
+import static org.wso2.carbon.identity.oauth.common.OAuthConstants.ACTOR_SUBJECT;
+import static org.wso2.carbon.identity.oauth.common.OAuthConstants.ACTOR_AZP;
+import static org.wso2.carbon.identity.oauth.common.OAuthConstants.EXISTING_ACT_CLAIM;
 
 /**
  * Self contained access token builder.
@@ -724,6 +729,77 @@ protected JWTClaimsSet createJWTClaimSet(OAuthAuthzReqMessageContext authAuthzRe
         jwtClaimsSetBuilder.audience(tokenReqMessageContext != null && tokenReqMessageContext.getAudiences() != null ?
                 tokenReqMessageContext.getAudiences() : OAuth2Util.getOIDCAudience(consumerKey, oAuthAppDO));
 
+        // Handle act claim for both delegation and self-delegation with existing act
+        if (tokenReqMessageContext != null) {
+            Object isDelegationRequest = tokenReqMessageContext.getProperty(IS_DELEGATION_REQUEST);
+            Object isSelfDelegationWithAct = tokenReqMessageContext.getProperty(IS_SELF_DELEGATION_WITH_ACT);
+
+            // Case 1: Regular delegation - create new act claim with nesting
+            if (Boolean.TRUE.equals(isDelegationRequest)) {
+                Object actorSubject = tokenReqMessageContext.getProperty(ACTOR_SUBJECT);
+                Object actorAzp = tokenReqMessageContext.getProperty(ACTOR_AZP);
+
+                if (actorSubject != null) {
+                    Object existingActClaim = tokenReqMessageContext.getProperty(EXISTING_ACT_CLAIM);
+
+                    // Build the act claim structure
+                    Map<String, Object> actClaim = new HashMap<>();
+                    actClaim.put("sub", actorSubject.toString());
+
+                    //Include azp in act claim
+                    if (actorAzp != null) {
+                        actClaim.put("azp", actorAzp.toString());
+                    }
+
+                    // Support nested act claims for chained delegation
+                    if (existingActClaim != null) {
+                        if (existingActClaim instanceof Map) {
+                            actClaim.put("act", existingActClaim);
+                            if (log.isDebugEnabled()) {
+                                log.debug("Delegation: Nesting existing act claim. New actor: " + actorSubject +
+                                        ", AZP: " + actorAzp);
+                            }
+                        } else {
+                            if (log.isDebugEnabled()) {
+                                log.debug("Delegation: Existing act claim is not in expected Map format. " +
+                                        "Type: " + existingActClaim.getClass().getName());
+                            }
+                        }
+                    }
+
+                    jwtClaimsSetBuilder.claim("act", actClaim);
+
+                    if (log.isDebugEnabled()) {
+                        log.debug("Added act claim for delegation. Actor: " + actorSubject +
+                                ", AZP: " + actorAzp + ", Has nested act: " + (existingActClaim != null));
+                    }
+                }
+            }
+            // Case 2: Self-delegation with existing act claim - preserve it
+            else if (Boolean.TRUE.equals(isSelfDelegationWithAct)) {
+                Object existingActClaim = tokenReqMessageContext.getProperty(EXISTING_ACT_CLAIM);
+
+                if (existingActClaim != null) {
+                    if (existingActClaim instanceof Map) {
+                        // Preserve the entire act claim chain as-is
+                        jwtClaimsSetBuilder.claim("act", existingActClaim);
+
+                        if (log.isDebugEnabled()) {
+                            log.debug("Self-delegation: Preserved existing act claim chain with azp");
+                        }
+                    } else {
+                        if (log.isDebugEnabled()) {
+                            log.debug("Self-delegation: Existing act claim is not in expected format. " +
+                                    "Type: " + existingActClaim.getClass().getName());
+                        }
+                    }
+                }
+            }
+
+            // Note: Regular self-delegation (without existing act claim) does NOT add any act claim
+            // Note: Impersonation uses "may_act" claim in subject token, not "act" in issued token
+        }
+
         JWTClaimsSet jwtClaimsSet;
 
         // Handle custom claims

components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/handlers/claims/AgentAccessTokenClaimProvider.java

@@ -11,6 +11,8 @@
 import java.util.HashMap;
 import java.util.Map;
 
+import static org.wso2.carbon.identity.oauth.common.OAuthConstants.ACTOR_AZP;
+
 /**
  * A class that provides additional claims for JWT access tokens when the AI agent is used.
  */
@@ -20,6 +22,7 @@ public class AgentAccessTokenClaimProvider implements JWTAccessTokenClaimProvide
     private static final String SUB = "sub";
     private static final String AGENT = "AGENT";
     private static final String AUT = "aut";
+    private static final String AZP = "azp";
 
     @Override
     public Map<String, Object> getAdditionalClaims(OAuthAuthzReqMessageContext context) throws IdentityOAuth2Exception {
@@ -38,8 +41,23 @@ public Map<String, Object> getAdditionalClaims(OAuthTokenReqMessageContext conte
             return agentMap;
         } else if (GrantType.AUTHORIZATION_CODE.toString().equals(context.getOauth2AccessTokenReqDTO().getGrantType())
             && context.getRequestedActor() != null) {
+
+            Map<String, Object> actClaimMap = new HashMap<>();
+            actClaimMap.put(SUB, context.getRequestedActor());
+            // Include azp in act claim from context property
+            Object actorAzp = context.getProperty(ACTOR_AZP);
+            if (actorAzp != null) {
+                actClaimMap.put(AZP, actorAzp.toString());
+            } else {
+                // Fallback: use the client_id of the requesting application
+                String clientId = context.getOauth2AccessTokenReqDTO().getClientId();
+                if (StringUtils.isNotEmpty(clientId)) {
+                    actClaimMap.put(AZP, clientId);
+                }
+            }
+
             Map<String, Object> agentMap = new HashMap<>();
-            agentMap.put(ACT, Collections.singletonMap(SUB, context.getRequestedActor()));
+            agentMap.put(ACT, actClaimMap);
             return agentMap;
         }
         return null;

components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/handlers/grant/AuthorizationCodeGrantHandler.java

@@ -774,6 +774,32 @@ private void validateActorToken(OAuthTokenReqMessageContext tokReqMsgCtx, String
         if (!StringUtils.equals(actorTokenSubject, requestedActor)) {
             throw new IdentityOAuth2Exception("Actor token subject does not match the requested actor");
         }
+
+        Object actorAzpClaim = claimsSet.getClaim("azp");
+        if (actorAzpClaim == null) {
+            // Fallback to client_id if azp not present
+            actorAzpClaim = claimsSet.getClaim("client_id");
+        }
+        // Check for existing act claim in actor token for delegation chain
+        Object existingActClaim = claimsSet.getClaim("act");
+        // Set delegation properties in context
+        tokReqMsgCtx.setImpersonationRequest(false);
+        tokReqMsgCtx.addProperty("IS_DELEGATION_REQUEST", true);
+        tokReqMsgCtx.addProperty("ACTOR_SUBJECT", actorTokenSubject);
+        if (actorAzpClaim != null) {
+            tokReqMsgCtx.addProperty("ACTOR_AZP", actorAzpClaim.toString());
+            if (log.isDebugEnabled()) {
+                log.debug("Actor AZP extracted from actor token: " + actorAzpClaim.toString());
+            }
+        }
+        // Preserve existing act claim for delegation chain nesting
+        if (existingActClaim != null) {
+            tokReqMsgCtx.addProperty("EXISTING_ACT_CLAIM", existingActClaim);
+            if (log.isDebugEnabled()) {
+                log.debug("Found existing act claim in actor token - will nest in delegation chain");
+            }
+        }
+
         // Validate mandatory claims
         JWTUtils.validateMandatoryClaims(claimsSet);
         String jwtIssuer = claimsSet.getIssuer();