Enable request object signature validation config

[hwupathum]

This pull request enables the request object signature validation configuration by default in the admin applications UI and refactors the related form logic to improve how the configuration is displayed. The main focus is on making the signature validation option visible and manageable by default, with some code cleanup and conditional rendering improvements.

Configuration changes:

• The showRequestObjectSignatureValidation flag in the applicationConfig object is now set to true by default, enabling the request object signature validation configuration for all relevant applications.
• A changeset was added to mark this update as a patch for the relevant packages.

UI and form rendering improvements:

• The conditional logic in InboundOIDCForm was updated so that the request object signature validation option is now shown by default where appropriate, and its checkbox is rendered within the main request object section instead of as a separate section. [1] [2] [3] [4]
• The previous separate rendering block for the request object signature validation option was removed, consolidating the UI and avoiding duplicate or confusing form sections.

Related Issues

• N/A

Related PRs

• N/A

Checklist

• e2e cypress tests locally verified. (for internal contributers)
• Manual test round performed and verified.
• UX/UI review done on the final implementation.
• Documentation provided. (Add links if there are any)
• Relevant backend changes deployed and verified
• Unit tests provided. (Add links if there are any)
• Integration tests provided. (Add links if there are any)

Security checks

• Followed secure coding standards in http://wso2.com/technical-reports/wso2-secure-engineering-guidelines
• Ran FindSecurityBugs plugin and verified report
• Confirmed that this PR doesn't commit any keys, passwords, tokens, usernames, or other secrets

Developer Checklist (Mandatory)

• Complete the Developer Checklist in the related product-is issue to track any behavioral change or migration impact.

Summary by CodeRabbit

• New Features

  • Request object signature validation is enabled by default for inbound OIDC configurations.

• UI

  • Request Object settings are consolidated: signing, encryption, and signature-validation controls and contextual hints now appear together in a single Request Object section.
  • Clarified tooltip/help text for signature validation.

• Chores

  • Patch bumps recorded for related packages.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

Enable request object signature validation by default, consolidate Request Object UI so signature-validation control and signing/encryption fields render together, add a changeset bumping related packages, and update the translation string describing signature validation.

Changes

Cohort / File(s)	Summary
Config toggle features/admin.extensions.v1/configs/application.tsx	Set applicationConfig.inboundOIDCForm.showRequestObjectSignatureValidation from false to true.
Inbound OIDC form UI features/admin.applications.v1/components/forms/inbound-oidc-form.tsx	Combined gating: Request Object block now renders when showRequestObjectConfigurations OR showRequestObjectSignatureValidation is true; moved signing/encryption fields into the unified block; added enableRequestObjectSignatureValidation checkbox inside that block; removed separate Request Object Signature section.
Translations modules/i18n/src/translations/en-US/portals/applications.ts	Updated description text for enabling signature validation to reference accepting only signed request objects in the authorization request.
Changeset / version bumps .changeset/wet-moles-marry.md	Added patch changeset for @wso2is/admin.applications.v1, @wso2is/admin.extensions.v1, @wso2is/i18n, and @wso2is/console with note about enabling request object signature validation by default.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐇 I nudged a toggle, soft and bright,
Request objects now sleep well at night.
Fields gathered close, signatures in view,
One cozy block where options grew.
A tiny hop — the settings right.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and accurately summarizes the main change: enabling request object signature validation configuration by default.
Description check	✅ Passed	The description covers the main changes, objectives, and includes a screenshot, but many checklist items remain incomplete and the Developer Checklist is unchecked.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

features/admin.applications.v1/components/forms/inbound-oidc-form.tsx (1)

2724-2892: Guard requestObject updates when configuration fields are hidden.

When showRequestObjectConfigurations is false but showRequestObjectSignatureValidation is true, the Request Object section renders but the signing and encryption fields are not mounted. However, updateConfiguration unconditionally builds requestObject from form values, resulting in undefined values being sent to the API and potentially clearing existing request-object settings. Add a guard to delete requestObject when the configuration is hidden, matching the existing pattern for validateRequestObjectSignature:

!applicationConfig.inboundOIDCForm.showRequestObjectSignatureValidation
    && delete inboundConfigFormValues.validateRequestObjectSignature;
+!applicationConfig.inboundOIDCForm.showRequestObjectConfigurations
+    && delete inboundConfigFormValues.requestObject;

🤖 Fix all issues with AI agents

In `@features/admin.applications.v1/components/forms/inbound-oidc-form.tsx`:
- Around line 2739-2876: The four Field components (refs
requestObjectSigningAlg, requestObjectEncryptionAlgorithm,
requestObjectEncryptionMethod, and enableRequestObjectSignatureValidation) are
passing options via a children prop which triggers Biome's noChildrenProp rule;
change each to use standard JSX children instead (i.e., remove the children=...
prop and place the array or JSX elements between the <Field>...</Field> tags),
keeping all other props (name, label, default, placeholder, readOnly,
data-componentId/testid) intact and preserving the exact option arrays/JSX (for
checkbox entries keep the array of { label, value } objects as the inner
children).

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 55.88%. Comparing base (a3fcf72) to head (a232045).
⚠️ Report is 23 commits behind head on master.

Additional details and impacted files

@@           Coverage Diff           @@
##           master    #9570   +/-   ##
=======================================
  Coverage   55.88%   55.88%           
=======================================
  Files          42       42           
  Lines        1020     1020           
  Branches      231      246   +15     
=======================================
  Hits          570      570           
+ Misses        450      416   -34     
- Partials        0       34   +34     

Flag	Coverage Δ
@wso2is/core	55.88% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.
see 10 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@features/admin.applications.v1/components/forms/inbound-oidc-form.tsx`:
- Around line 2724-2726: The new OR condition can render the signature
validation checkbox while the request object signing/encryption fields are
hidden, causing updateConfiguration to serialize a potentially undefined
requestObject and overwrite existing settings; modify updateConfiguration to
check the visibility flags
(applicationConfig.inboundOIDCForm.showRequestObjectConfigurations and
showRequestObjectSignatureValidation) and, if the full requestObject fields are
hidden, either preserve initialValues.requestObject or omit requestObject from
the payload so hidden/undefined form fields do not overwrite stored
requestObject settings when saving.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Prevent clearing request object settings when only signature validation is shown.

With the new OR-gate (Line 2724), the signature validation checkbox (Line 2856) can render while the request object signing/encryption fields remain hidden. updateConfiguration still serializes requestObject from form values, so hidden fields will likely be undefined and can overwrite existing request object settings on save. Consider preserving initialValues.requestObject or omitting requestObject when configs are hidden.

🛠️ Suggested guard in updateConfiguration

-            inboundConfigFormValues = {
-                ...inboundConfigFormValues,
-                pushAuthorizationRequest: {
-                    requirePushAuthorizationRequest: values.get("requirePushAuthorizationRequest")?.length > 0
-                },
-                requestObject: {
-                    encryption: {
-                        algorithm: values.get("requestObjectEncryptionAlgorithm"),
-                        method: values.get("requestObjectEncryptionMethod")
-                    },
-                    requestObjectSigningAlg: values.get("requestObjectSigningAlg")
-                },
-                subject: {
-                    sectorIdentifierUri: initialValues?.subject?.sectorIdentifierUri,
-                    subjectType: initialValues?.subject?.subjectType
-                }
-            };
+            const requestObjectConfig = applicationConfig.inboundOIDCForm.showRequestObjectConfigurations
+                ? {
+                    encryption: {
+                        algorithm: values.get("requestObjectEncryptionAlgorithm"),
+                        method: values.get("requestObjectEncryptionMethod")
+                    },
+                    requestObjectSigningAlg: values.get("requestObjectSigningAlg")
+                }
+                : initialValues?.requestObject;
+
+            inboundConfigFormValues = {
+                ...inboundConfigFormValues,
+                pushAuthorizationRequest: {
+                    requirePushAuthorizationRequest: values.get("requirePushAuthorizationRequest")?.length > 0
+                },
+                ...(requestObjectConfig ? { requestObject: requestObjectConfig } : {}),
+                subject: {
+                    sectorIdentifierUri: initialValues?.subject?.sectorIdentifierUri,
+                    subjectType: initialValues?.subject?.subjectType
+                }
+            };

Also applies to: 2856-2896

🤖 Prompt for AI Agents

In `@features/admin.applications.v1/components/forms/inbound-oidc-form.tsx` around
lines 2724 - 2726, The new OR condition can render the signature validation
checkbox while the request object signing/encryption fields are hidden, causing
updateConfiguration to serialize a potentially undefined requestObject and
overwrite existing settings; modify updateConfiguration to check the visibility
flags (applicationConfig.inboundOIDCForm.showRequestObjectConfigurations and
showRequestObjectSignatureValidation) and, if the full requestObject fields are
hidden, either preserve initialValues.requestObject or omit requestObject from
the payload so hidden/undefined form fields do not overwrite stored
requestObject settings when saving.