Skip to content

Fix passkey credential resolution to use fully-qualified username#301

Merged
pamodaaw merged 1 commit into
wso2:masterfrom
pamodaaw:feature/user-credential-api-v2
Jun 18, 2026
Merged

Fix passkey credential resolution to use fully-qualified username#301
pamodaaw merged 1 commit into
wso2:masterfrom
pamodaaw:feature/user-credential-api-v2

Conversation

@pamodaaw

@pamodaaw pamodaaw commented Jun 18, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Added CredentialManagementService and fixed user ID validation
  • Changed resolveUsernameFromUserId in CredentialManagementUtils to return the full User object instead of a manually concatenated username string
  • Updated PasskeyCredentialHandler to call .toFullQualifiedUsername() at the call sites for get and delete passkey operations, ensuring the tenant domain is correctly included when invoking the WebAuthn service

@coderabbitai

coderabbitai Bot commented Jun 18, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Summary

This pull request addresses username resolution in passkey credential management by ensuring fully-qualified usernames (in the format user@tenant) are correctly passed to the WebAuthn service.

Changes

CredentialManagementUtils - The resolveUsernameFromUserId method signature was changed to return a User object instead of a String. The method now directly returns the result from UniqueIdToUser().apply() rather than manually concatenating username and tenant domain values. The Javadoc was updated accordingly.

PasskeyCredentialHandler - Updated to call .toFullQualifiedUsername() on the User object returned by CredentialManagementUtils.resolveUsernameFromUserId() before passing the username to WebAuthn service operations. This change was applied in both the getCredentials and deleteCredentialById methods, ensuring the WebAuthn service receives the fully-qualified username format.

CredentialManagementService - A new core service was added to handle credential management operations. It validates user IDs, resolves credential handlers based on credential type, and translates handler results to API response DTOs. The service provides methods for creating, deleting, and retrieving credentials by type or ID.

Walkthrough

CredentialManagementUtils.resolveUsernameFromUserId was refactored to return a User object instead of a concatenated userName@tenantDomain string. The previous logic that extracted username and tenant domain fields and joined them has been removed; the method now directly returns the result of UniqueIdToUser().apply(...). In PasskeyCredentialHandler, both getCredentials and deleteCredentialById were updated to call .toFullQualifiedUsername() on the returned User object before invoking webAuthnService.getFIDO2DeviceMetaData and webAuthnService.deregisterFIDO2Credential.

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name Status Explanation Resolution
Description check ⚠️ Warning The PR description is significantly incomplete compared to the required template. Missing critical sections: Purpose/related issues, Goals, Approach, User stories, Developer Checklist, Release notes, Documentation, Training, Certification, Marketing, Security checks, and Test environment details. Complete the PR description using the required template. At minimum, add Purpose/Goals/Approach sections, link related issues, include security checks acknowledgment, document test environment details, and confirm Developer Checklist completion.
Docstring Coverage ⚠️ Warning Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (3 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately summarizes the main change: fixing passkey credential resolution to use fully-qualified usernames, which directly aligns with the PR's primary objective.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
components/org.wso2.carbon.identity.api.user.credential/org.wso2.carbon.identity.api.user.credential.common/src/main/java/org/wso2/carbon/identity/api/user/credential/common/core/PasskeyCredentialHandler.java (1)

63-84: ⚠️ Potential issue | 🔴 Critical

Wrap username resolution to handle exceptions consistently.

The resolveUsernameFromUserId() call at line 64 can throw runtime exceptions (e.g., when the user ID cannot be resolved), which are not caught by the try-catch block that only handles FIDO2AuthenticatorServerException. This causes resolution failures to propagate as unhandled exceptions instead of being wrapped as CredentialMgtException for consistent error handling.

Wrap the username resolution call in a separate try-catch block or modify the existing catch block to handle exceptions from UniqueIdToUser.apply().

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@components/org.wso2.carbon.identity.api.user.credential/org.wso2.carbon.identity.api.user.credential.common/src/main/java/org/wso2/carbon/identity/api/user/credential/common/core/PasskeyCredentialHandler.java`
around lines 63 - 84, The username resolution call to
`CredentialManagementUtils.resolveUsernameFromUserId(userId)` at the beginning
of the try block can throw runtime exceptions that are not caught by the
existing catch block, which only handles `FIDO2AuthenticatorServerException`.
Wrap the `resolveUsernameFromUserId()` call and its `toFullQualifiedUsername()`
invocation in a separate try-catch block, or extend the existing catch block to
also catch exceptions from username resolution and wrap them using
`CredentialManagementUtils.handleServerException` with an appropriate error code
to ensure consistent error handling.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In
`@components/org.wso2.carbon.identity.api.user.credential/org.wso2.carbon.identity.api.user.credential.common/src/main/java/org/wso2/carbon/identity/api/user/credential/common/core/PasskeyCredentialHandler.java`:
- Around line 63-84: The username resolution call to
`CredentialManagementUtils.resolveUsernameFromUserId(userId)` at the beginning
of the try block can throw runtime exceptions that are not caught by the
existing catch block, which only handles `FIDO2AuthenticatorServerException`.
Wrap the `resolveUsernameFromUserId()` call and its `toFullQualifiedUsername()`
invocation in a separate try-catch block, or extend the existing catch block to
also catch exceptions from username resolution and wrap them using
`CredentialManagementUtils.handleServerException` with an appropriate error code
to ensure consistent error handling.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 40bcc98d-b4b7-490e-9bf2-49f85a4e064c

📥 Commits

Reviewing files that changed from the base of the PR and between 46396f8 and 82cf38c.

📒 Files selected for processing (2)
  • components/org.wso2.carbon.identity.api.user.credential/org.wso2.carbon.identity.api.user.credential.common/src/main/java/org/wso2/carbon/identity/api/user/credential/common/core/PasskeyCredentialHandler.java
  • components/org.wso2.carbon.identity.api.user.credential/org.wso2.carbon.identity.api.user.credential.common/src/main/java/org/wso2/carbon/identity/api/user/credential/common/utils/CredentialManagementUtils.java

@pamodaaw pamodaaw merged commit c3fd434 into wso2:master Jun 18, 2026
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants