Skip to content

Introduce end user credential management admin API #1008

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
NipuniBhagya merged 25 commits into from
Jan 20, 2026
Merged

Introduce end user credential management admin API #1008

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
25 commits
Select commit Hold shift + click to select a range
f2e6dea
Add credential management admin API
NipuniBhagya Sep 23, 2025
a6fbfcb
Add credential handlers
NipuniBhagya Sep 23, 2025
40fe324
Add credential management service
NipuniBhagya Sep 23, 2025
8b07432
Add pom files
NipuniBhagya Sep 23, 2025
0647005
Improve exception handling in credential management API
NipuniBhagya Sep 24, 2025
758a299
Improve credential management API
NipuniBhagya Sep 25, 2025
bf0426b
Improve credential management API
NipuniBhagya Sep 25, 2025
bef86d0
Improve credential management API
NipuniBhagya Sep 28, 2025
d29080e
Fix formatting issues in the API
NipuniBhagya Sep 30, 2025
0700b39
Add unit tests for credential management service
NipuniBhagya Sep 30, 2025
270a78f
Add invalid user id validation
NipuniBhagya Oct 1, 2025
9fb1f58
Add logs for monitoring
NipuniBhagya Oct 1, 2025
d5957e5
Address PR comments (co-pilot)
NipuniBhagya Oct 1, 2025
ad8d73a
Update parent pom version
NipuniBhagya Oct 2, 2025
d964124
Refactor user credential management API
NipuniBhagya Oct 9, 2025
04b72a2
Refactor resolve username resolving by userid
NipuniBhagya Oct 13, 2025
e7fe9da
Refactor credential management API
NipuniBhagya Nov 25, 2025
6464f98
Add user credential API service impl
NipuniBhagya Nov 25, 2025
8427e0d
Bump version in credential management API
NipuniBhagya Nov 26, 2025
c8b68f4
Resolve minor issues
NipuniBhagya Jan 13, 2026
55c3c53
Resolve merge conflicts
NipuniBhagya Jan 14, 2026
7ec8883
Bump WebAuthn and Push device handler versions
NipuniBhagya Jan 15, 2026
b267572
Fx PR build failure
NipuniBhagya Jan 18, 2026
b705fa8
Resolve PR comments
NipuniBhagya Jan 18, 2026
1c0172f
Exclude lombok transitive dependency in FIDO
NipuniBhagya Jan 20, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
53 changes: 53 additions & 0 deletions ...ntial.management/org.wso2.carbon.identity.api.server.credential.management.common/pom.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,53 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
~ Copyright (c) 2025, WSO2 LLC. (http://www.wso2.com).
~
~ WSO2 LLC. licenses this file to you under the Apache License,
~ Version 2.0 (the "License"); you may not use this file except
~ in compliance with the License.
~ You may obtain a copy of the License at
~
~ http://www.apache.org/licenses/LICENSE-2.0
~
~ Unless required by applicable law or agreed to in writing,
~ software distributed under the License is distributed on an
~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
~ KIND, either express or implied. See the License for the
~ specific language governing permissions and limitations
~ under the License.
-->

<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>

<parent>
<groupId>org.wso2.carbon.identity.server.api</groupId>
<artifactId>org.wso2.carbon.identity.api.server.credential.management</artifactId>
<version>1.3.231-SNAPSHOT</version>
<relativePath>../pom.xml</relativePath>
</parent>

<artifactId>org.wso2.carbon.identity.api.server.credential.management.common</artifactId>
<packaging>jar</packaging>

<dependencies>
<dependency>
<groupId>org.wso2.carbon.identity.framework</groupId>
<artifactId>org.wso2.carbon.identity.core</artifactId>
</dependency>
<dependency>
<groupId>org.wso2.carbon.identity.local.auth.fido</groupId>
<artifactId>org.wso2.carbon.identity.application.authenticator.fido2</artifactId>
</dependency>
<dependency>
<groupId>org.wso2.carbon.identity.notification.push</groupId>
<artifactId>org.wso2.carbon.identity.notification.push.device.handler</artifactId>
</dependency>
<dependency>
<groupId>org.wso2.carbon.identity.server.api</groupId>
<artifactId>org.wso2.carbon.identity.api.server.common</artifactId>
</dependency>
</dependencies>
</project>
41 changes: 41 additions & 0 deletions ...a/org/wso2/carbon/identity/api/server/credential/management/common/CredentialHandler.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
/*
* Copyright (c) 2025, WSO2 LLC. (http://www.wso2.com).
*
* WSO2 LLC. licenses this file to you under the Apache License,
* Version 2.0 (the "License"); you may not use this file except
* in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/

package org.wso2.carbon.identity.api.server.credential.management.common;

import org.wso2.carbon.identity.api.server.credential.management.common.dto.CredentialDTO;
import org.wso2.carbon.identity.api.server.credential.management.common.dto.CredentialDeletionRequestDTO;
import org.wso2.carbon.identity.api.server.credential.management.common.exception.CredentialMgtException;

import java.util.List;

/**
* Credential Management Service interface.
*/
Comment on lines +27 to +29
Copy link

@coderabbitai coderabbitai bot Nov 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

Correct the interface javadoc.

The javadoc describes this as "Credential Management Service interface" but the interface is actually named CredentialHandler. The documentation should accurately reflect the interface name.

Apply this diff to fix the javadoc:

 /**
- * Credential Management Service interface.
+ * Interface for handling credential operations for a specific credential type.
  */
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
/**
* Credential Management Service interface.
*/
/**
* Interface for handling credential operations for a specific credential type.
*/
🤖 Prompt for AI Agents 
In
components/org.wso2.carbon.identity.api.server.credential.management/org.wso2.carbon.identity.api.server.credential.management.common/src/main/java/org/wso2/carbon/identity/api/server/credential/management/common/CredentialHandler.java
around lines 27 to 29, update the class-level Javadoc so it accurately names the
interface (replace "Credential Management Service interface." with a description
that references the interface name, e.g., "CredentialHandler interface." or
"Interface for handling credential management operations."). Ensure the first
sentence references CredentialHandler and keep the Javadoc concise and
grammatically correct.

public interface CredentialHandler {
/**
* Retrieves credentials for a given entity.
*/
List<CredentialDTO> getCredentials(String entityId) throws CredentialMgtException;

/**
* Deletes a credential for an entity.
*/
void deleteCredential(CredentialDeletionRequestDTO credentialDeletionRequest)
throws CredentialMgtException;
}
150 changes: 150 additions & 0 deletions ...arbon/identity/api/server/credential/management/common/CredentialManagementConstants.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,150 @@
/*
* Copyright (c) 2025, WSO2 LLC. (http://www.wso2.com).
*
* WSO2 LLC. licenses this file to you under the Apache License,
* Version 2.0 (the "License"); you may not use this file except
* in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/

package org.wso2.carbon.identity.api.server.credential.management.common;

import java.text.Collator;
import java.util.Arrays;
import java.util.Locale;

/**
* Credential Management related constants.
*/
public class CredentialManagementConstants {

private CredentialManagementConstants() {

}

/**
* Enum for supported credential types.
*/
public enum CredentialTypes {

PASSKEY("passkey"),
PUSH_AUTH("push-auth");

private final String apiValue;

CredentialTypes(String apiValue) {

this.apiValue = apiValue;
}

public String getApiValue() {

return apiValue;
}

/**
* Resolve the credential type for a given identifier. Accepts both API values and enum names.
*
* @param value Credential type provided by the caller.
* @return Matching credential type if available.
*/
public static CredentialTypes fromString(String value) {

if (value == null) {

return null;
}

String candidate = value.trim();
if (candidate.isEmpty()) {

return null;
}

Collator collator = Collator.getInstance(Locale.ROOT);
collator.setStrength(Collator.PRIMARY);

return Arrays.stream(values())
.filter(type -> collator.compare(type.name(), candidate) == 0
|| collator.compare(type.getApiValue(), candidate) == 0)
.findFirst()
.orElse(null);
}
}

/**
* Enum for error messages.
*/
public enum ErrorMessages {

// Server errors.
ERROR_CODE_GET_PASSKEYS("65001", "Error retrieving registered passkeys.",
"Unexpected server error while fetching registered passkeys for entity ID: %s."),
ERROR_CODE_DELETE_PASSKEYS("65002", "Error deleting registered passkey.",
"Unexpected server error while deleting registered passkey: %s for entity ID: %s."),
ERROR_CODE_GET_PUSH_AUTH_DEVICE("65003", "Error retrieving registered push auth devices.",
"Unexpected server error while fetching registered push auth device for entity ID: %s."),
ERROR_CODE_DELETE_PUSH_AUTH_DEVICE("65004", "Error deleting registered push auth devices.",
"Unexpected server error while deleting registered push auth device: %s for entity ID: %s."),

// Client errors.
ERROR_CODE_DELETE_PASSKEY_CREDENTIAL("60001", "Error deleting credential.",
"The request to delete the passkey credential: %s was invalid."),
ERROR_CODE_DELETE_PUSH_AUTH_CREDENTIAL("60002", "Error deleting credential.",
"The request to delete the push auth credential: %s was invalid."),
Comment on lines +100 to +103
Copy link

@coderabbitai coderabbitai bot Jan 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

Fix typos: double spaces in error descriptions.

Lines 101 and 103 contain double spaces before "was invalid".

✏️ Proposed fix 
     ERROR_CODE_DELETE_PASSKEY_CREDENTIAL("60001", "Error deleting credential.",
-            "The request to delete the passkey credential: %s  was invalid."),
+            "The request to delete the passkey credential: %s was invalid."),
     ERROR_CODE_DELETE_PUSH_AUTH_CREDENTIAL("60002", "Error deleting credential.",
-            "The request to delete the push auth credential: %s  was invalid."),
+            "The request to delete the push auth credential: %s was invalid."),
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
ERROR_CODE_DELETE_PASSKEY_CREDENTIAL("60001", "Error deleting credential.",
"The request to delete the passkey credential: %s was invalid."),
ERROR_CODE_DELETE_PUSH_AUTH_CREDENTIAL("60002", "Error deleting credential.",
"The request to delete the push auth credential: %s was invalid."),
ERROR_CODE_DELETE_PASSKEY_CREDENTIAL("60001", "Error deleting credential.",
"The request to delete the passkey credential: %s was invalid."),
ERROR_CODE_DELETE_PUSH_AUTH_CREDENTIAL("60002", "Error deleting credential.",
"The request to delete the push auth credential: %s was invalid."),
🤖 Prompt for AI Agents 
In
@components/org.wso2.carbon.identity.api.server.credential.management/org.wso2.carbon.identity.api.server.credential.management.common/src/main/java/org/wso2/carbon/identity/api/server/credential/management/common/CredentialManagementConstants.java
around lines 100 - 103, The enum constants ERROR_CODE_DELETE_PASSKEY_CREDENTIAL
and ERROR_CODE_DELETE_PUSH_AUTH_CREDENTIAL contain double spaces before "was
invalid"; remove the extra space in both message templates so each reads
"...credential: %s was invalid." ensuring the String values for these
identifiers are updated accordingly.

ERROR_CODE_GET_USERNAME_FROM_USERID("60003", "Error retrieving username from user ID.",
"The request to retrieve the username from the user ID: %s was invalid."),
ERROR_CODE_ENTITY_NOT_FOUND("60004", "Entity not found",
"Entity with ID %s not found in the tenant domain."),
ERROR_CODE_INVALID_CREDENTIAL_TYPE("60005",
"Invalid credential type.",
"The provided credential type is not supported."),
ERROR_CODE_INVALID_CREDENTIAL_ID("60006",
"Invalid credential ID.",
"The provided credential ID is invalid."),
;

private static final String ERROR_PREFIX = "CM";
public static final String ERROR_CODE_PUSH_AUTH_DEVICE_NOT_FOUND = "PDH-15010";
private final String code;
private final String message;
private final String description;

ErrorMessages(String code, String message, String description) {

this.code = ERROR_PREFIX + "-" + code;
this.message = message;
this.description = description;
}

public String getCode() {

return code;
}

public String getMessage() {

return message;
}

public String getDescription() {

return description;
}

@Override
public String toString() {

return code + ":" + message;
}
}
}
40 changes: 40 additions & 0 deletions .../carbon/identity/api/server/credential/management/common/CredentialManagementService.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
/*
* Copyright (c) 2025, WSO2 LLC. (http://www.wso2.com).
*
* WSO2 LLC. licenses this file to you under the Apache License,
* Version 2.0 (the "License"); you may not use this file except
* in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/

package org.wso2.carbon.identity.api.server.credential.management.common;

import org.wso2.carbon.identity.api.server.credential.management.common.dto.CredentialDTO;
import org.wso2.carbon.identity.api.server.credential.management.common.dto.CredentialDeletionRequestDTO;

import java.util.List;

/**
* Credential Management Service interface.
*/
public interface CredentialManagementService {

/**
* Retrieves credentials for a given entity.
*/
List<CredentialDTO> getCredentials(String entityId);

/**
* Deletes a credential of the specified type for an entity.
*/
void deleteCredential(CredentialDeletionRequestDTO credentialDeletionRequest);
}
81 changes: 81 additions & 0 deletions ...entity/api/server/credential/management/common/CredentialManagementServiceDataHolder.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,81 @@
/*
* Copyright (c) 2025, WSO2 LLC. (http://www.wso2.com).
*
* WSO2 LLC. licenses this file to you under the Apache License,
* Version 2.0 (the "License"); you may not use this file except
* in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/

package org.wso2.carbon.identity.api.server.credential.management.common;

import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.identity.application.authenticator.fido2.core.WebAuthnService;
import org.wso2.carbon.identity.notification.push.device.handler.DeviceHandlerService;
import org.wso2.carbon.user.core.service.RealmService;

/**
* Service holder class for credential management related services.
*/
public class CredentialManagementServiceDataHolder {

private CredentialManagementServiceDataHolder() {

}

private static class WebAuthnServiceHolder {

private static final WebAuthnService SERVICE = new WebAuthnService();
}
Comment on lines +35 to +38
Copy link

@coderabbitai coderabbitai bot Nov 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

Direct instantiation of OSGi service will fail.

Line 37 directly instantiates WebAuthnService with new WebAuthnService(), which is inconsistent with how PushDeviceHandlerHolder and RealmServiceHolder retrieve services from the OSGi context. OSGi services should be obtained via PrivilegedCarbonContext, not instantiated directly.

Apply this diff to retrieve the service from OSGi:

 private static class WebAuthnServiceHolder {
 
-    private static final WebAuthnService SERVICE = new WebAuthnService();
+    private static final WebAuthnService SERVICE = (WebAuthnService) PrivilegedCarbonContext
+            .getThreadLocalCarbonContext().getOSGiService(WebAuthnService.class, null);
 }
🤖 Prompt for AI Agents 
In
components/org.wso2.carbon.identity.api.server.credential.management/org.wso2.carbon.identity.api.server.credential.management.common/src/main/java/org/wso2/carbon/identity/api/server/credential/management/common/CredentialManagementServiceDataHolder.java
around lines 35 to 38, the WebAuthnService is being directly instantiated with
new WebAuthnService(), which will fail for OSGi-managed services; instead
retrieve the service from the OSGi context via PrivilegedCarbonContext (e.g.,
use
PrivilegedCarbonContext.getThreadLocalCarbonContext().getOSGiService(WebAuthnService.class,
null)), assign that result to the SERVICE field, and ensure you handle a
possible null return consistently with how PushDeviceHandlerHolder and
RealmServiceHolder do so.


private static class PushDeviceHandlerHolder {

private static final DeviceHandlerService SERVICE = (DeviceHandlerService) PrivilegedCarbonContext
.getThreadLocalCarbonContext().getOSGiService(DeviceHandlerService.class, null);
}

private static class RealmServiceHolder {

private static final RealmService SERVICE = (RealmService) PrivilegedCarbonContext
.getThreadLocalCarbonContext().getOSGiService(RealmService.class, null);
}

/**
* Get WebAuthnService OSGi service.
*
* @return WebAuthnService
*/
public static WebAuthnService getWebAuthnService() {

return WebAuthnServiceHolder.SERVICE;
}

/**
* Get Push DeviceHandler OSGi service.
*
* @return DeviceHandler
*/
public static DeviceHandlerService getPushDeviceHandler() {

return PushDeviceHandlerHolder.SERVICE;
}

/**
* Get RealmService OSGi service.
*
* @return RealmService
*/
public static RealmService getRealmService() {

return RealmServiceHolder.SERVICE;
}
}
Loading