
Fix validation logic for ID token and update Key Manager configuration#413

Merged: hanzjk merged 1 commit into wso2:main from rasika2012:fix-minor-issues on Feb 20, 2026

Conversation


@rasika2012 rasika2012 commented Feb 20, 2026

Purpose

This pull request updates the authentication and token validation configuration to ensure stricter compliance with OIDC standards and to align with the actual deployment environment. The most important changes are grouped below:

Authentication and Token Validation:

  • Fixed the logic for enabling ID token validation in config.template.js by ensuring validateIDToken is set to true only when the VALIDATE_ID_TOKEN environment variable is 'true', making the validation behavior correct and predictable.

Agent Manager Key Manager Configuration:

  • Updated the keyManager configuration in values.yaml to use the correct issuer ("thunder"), audience ("amp-console-client"), and provided the appropriate jwksUrl for JWT validation, aligning the Helm chart configuration with the actual authentication provider setup.


Summary by CodeRabbit

Release Notes

  • Bug Fixes

    • Fixed ID token validation logic to enable validation only when explicitly configured.
  • Chores

    • Updated identity provider endpoint configuration and settings for improved service integration.

coderabbitai Bot commented Feb 20, 2026


Walkthrough

Two configuration updates affecting ID token validation logic and OAuth2/OpenID endpoint configuration. The ID token validation flag logic is inverted to enable only when explicitly set to 'true', and keyManager OAuth2 endpoints are updated to point to Thunder platform with new issuer, audience, and JWKS URL values.

Changes

Cohort / File(s) and Summary

  • ID Token Validation Logic: console/apps/webapp/public/config.template.js
    Inverted boolean condition: ID token validation is now enabled only when $VALIDATE_ID_TOKEN equals 'true'; previously it was enabled when the value was not equal to 'true'.
  • OAuth2/OpenID Configuration: deployments/helm-charts/wso2-agent-manager/values.yaml
    Updated keyManager configuration: issuer changed to "thunder", audience changed to "amp-console-client", and jwksUrl updated to Thunder's OAuth2 JWKS endpoint at http://thunder.amp.localhost:8080/oauth2/jwks.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 A flip of the flag, a Thunder so bright,
Validation now true when the settings align just right,
OAuth endpoints redirected with care,
Configuration whispers float through the air! ⚡

🚥 Pre-merge checks: ✅ 2 passed | ❌ 1 failed

❌ Failed checks (1 warning)

  • Description check ⚠️ Warning: The PR description has only the Purpose section filled with relevant details; most required sections (Goals, Approach, User stories, Release note, Documentation, Training, Certification, Marketing, tests, Security checks, Samples, Related PRs, Migrations, Test environment, Learning) remain incomplete. Resolution: Complete the remaining template sections with specific information about goals, approach, test coverage, security verification, documentation impact, and test environment details.

✅ Passed checks (2 passed)

  • Title check ✅ Passed: The title accurately summarizes the two main changes: fixing ID token validation logic and updating Key Manager configuration.
  • Docstring Coverage ✅ Passed: No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@hanzjk hanzjk merged commit ea486a2 into wso2:main Feb 20, 2026
9 of 10 checks passed
@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@deployments/helm-charts/wso2-agent-manager/values.yaml`:
- Around line 112-114: The jwksUrl is using a localhost-based hostname which
won’t resolve in-cluster; update the jwksUrl value to use the cluster DNS name
consistent with values-cp.yaml/values-op.yaml and the oidc.tokenUrl pattern in
this file (so it points at the Thunder service FQDN reachable from pods), e.g.,
replace "http://thunder.amp.localhost:8080/oauth2/jwks" with the in-cluster URL
following the same host/port/path convention used by oidc.tokenUrl; ensure the
key name jwksUrl remains unchanged.

Comment on lines +112 to +114
issuer: "thunder"
audience: "amp-console-client"
jwksUrl: "http://thunder.amp.localhost:8080/oauth2/jwks"
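Review bot: `issuer: "thunder"` is a bare name rather than the issuer URL a token's `iss` claim normally carries; validators compare the configured issuer byte-for-byte with `iss`, so confirm Thunder really issues tokens with `iss: "thunder"`, otherwise every signature-valid token will still be rejected on the issuer check. Separately, `jwksUrl` uses plain `http://`: the key set that anchors every signature check is fetched without transport protection, so whoever can spoof or intercept that host can substitute their own keys. If the endpoint cannot be served over https in this environment, keep it reachable only from inside the cluster and say so in a comment next to the value.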
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# Search for Thunder-related service definitions in YAML files
rg -n "thunder" --type yaml -i -A 5 -B 2

Repository: wso2/agent-manager

Length of output: 50374


🏁 Script executed:

# Check if there's CoreDNS or DNS-related configuration
rg -n "dns|coredns|localhost" --type yaml | head -50

Repository: wso2/agent-manager

Length of output: 3940


🏁 Script executed:

# Look for any documentation or comments about local development setup
rg -n "localhost|local.*dev|development" --type yaml -A 2 -B 2 | grep -i "thunder\|jwks\|issuer" -A 5 -B 5

Repository: wso2/agent-manager

Length of output: 8064


🏁 Script executed:

# Check the full context of the values.yaml file around the changed lines
wc -l deployments/helm-charts/wso2-agent-manager/values.yaml

Repository: wso2/agent-manager

Length of output: 120


jwksUrl must use in-cluster Kubernetes DNS, not a localhost-based URL

The agent-manager pod resolves DNS through CoreDNS, where thunder.amp.localhost will not resolve to the Thunder service. This will cause JWKS fetch failures and break JWT validation.

Correct this to match the pattern already used in values-cp.yaml and values-op.yaml, and align with oidc.tokenUrl in the same file (line 122):

-      jwksUrl: "http://thunder.amp.localhost:8080/oauth2/jwks"
+      jwksUrl: "http://amp-thunder-extension-service.amp-thunder.svc.cluster.local:8090/oauth2/jwks"
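Review bot: the replacement changes the port as well as the host (8080 to 8090); if that follows the oidc.tokenUrl convention cited above, check it against the Thunder service definition before committing, since a wrong port fails the JWKS fetch just as surely as an unresolvable host. The scheme is still `http://`, so moving to the cluster DNS name fixes resolution but adds no transport protection to the key fetch.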
