[APIM 4.2.0] Issue with Subject Claim Returning UserID Instead of Username in Authorization Code Grant Flow

[Hamool-Nizar]

Description

We are trying set the subject claim as the username in the authorization code grant flow. However, we are receiving a user ID instead, despite applying the following configuration as outlined in Update No: 10538 from our U2 update summary:

“Use the following config under deployment.toml to change sub claim value to username. Note that by default the sub claim value will be the userID.
[service_provider]
use_username_as_sub_claim = true”

We also confirmed that the above configuration works for client credentials grant type.

Given that the fix was initially provided for the client credentials grant type, could you please confirm if it should also apply to the authorization code grant type? Is this behavior expected for the authorization code grant flow?

Steps to Reproduce

1. Add Configuration: Insert the following configuration into the deployment.toml file.

   [service_provider]
   use_username_as_sub_claim = true”
   

2. Create Application: Log in to the APIM Developer Portal and create a new application.
3. Generate Keys: Generate the keys using the authorization code grant type.
4. Enable Debug Logs: Enable debug logging for org.wso2.carbon.apimgt.gateway.handlers and synapse-wire.
5. Invoke API: Invoke an API and retrieve the backend token.

Affected Component

APIM

Version

4.2.0

Environment Details (with versions)

No response

Relevant Log Output

[2024-08-23 19:31:28,456] DEBUG - JWTValidator Scope validation successful for the resource: /menu, user: 0a75d458-9237-4b59-9774-ed027322c6da

Related Issues

No response

Suggested Labels

No response