Add support for rich authorization requests

[VimukthiRajapaksha]

Proposed changes in this pull request

This PR introduces several enhancements and features related to managing authorization_details:

• Adds CRUD operations for managing authorization details types.
• Enables accepting the authorization_details field in the authorization request.
• Integrates custom implementations of AuthorizationDetailsProcessor via OSGI for greater flexibility.
• Add enhancements to display detailed, rich authorization details to users.
• Enables the authorization_details field to be processed in token requests.
• Adds RAR support for hybrid authorization flows.
• Includes the authorization_details_types_supported parameter in the /.well-known response.
• Introduces schema validation for authorization details using Vert.x library.
• Adds unit tests to ensure the reliability of new features.

Related Issues

• https://github.com/wso2-enterprise/asgardeo-product/issues/22821

When should this PR be merged

[Please describe any preconditions that need to be addressed before we
can merge this pull request.]

Follow up actions

[List any possible follow-up actions here; for instance, testing data
migrations, software that we need to install on staging and production
environments.]

Checklist (for reviewing)

General

• Is this PR explained thoroughly? All code changes must be accounted for in the PR description.
• Is the PR labeled correctly?

Functionality

• Are all requirements met? Compare implemented functionality with the requirements specification.
• Does the UI work as expected? There should be no Javascript errors in the console; all resources should load. There should be no unexpected errors. Deliberately try to break the feature to find out if there are corner cases that are not handled.

Code

• Do you fully understand the introduced changes to the code? If not ask for clarification, it might uncover ways to solve a problem in a more elegant and efficient way.
• Does the PR introduce any inefficient database requests? Use the debug server to check for duplicate requests.
• Are all necessary strings marked for translation? All strings that are exposed to users via the UI must be marked for translation.

Tests

• Are there sufficient test cases? Ensure that all components are tested individually; models, forms, and serializers should be tested in isolation even if a test for a view covers these components.
• If this is a bug fix, are tests for the issue in place? There must be a test case for the bug to ensure the issue won’t regress. Make sure that the tests break without the new code to fix the issue.
• If this is a new feature or a significant change to an existing feature? has the manual testing spreadsheet been updated with instructions for manual testing?

Security

• Confirm this PR doesn't commit any keys, passwords, tokens, usernames, or other secrets.
• Are all UI and API inputs run through forms or serializers?
• Are all external inputs validated and sanitized appropriately?
• Does all branching logic have a default case?
• Does this solution handle outliers and edge cases gracefully?
• Are all external communications secured and restricted to SSL?

Documentation

• Are changes to the UI documented in the platform docs? If this PR introduces new platform site functionality or changes existing ones, the changes should be documented.
• Are changes to the API documented in the API docs? If this PR introduces new API functionality or changes existing ones, the changes must be documented.
• Are reusable components documented? If this PR introduces components that are relevant to other developers (for instance a mixin for a view or a generic form) they should be documented in the Wiki.

[CLAassistant]

All committers have signed the CLA.

[shashimalcse]

Why not apply a transaction here?

[shashimalcse]

please check the other places

[shashimalcse]

Please clearly specify the following:

• What types of validations are performed (e.g., tenant-level, app-level, policy)?
• Where are these validations applied (e.g., during grant types, code flow, token flow)?
• What types of decisions are made based on these validations (e.g., coarse-grained, fine-grained)?

[Thumimku]

Hi @VimukthiRajapaksha,

⚠️ Notice: This PR has been open for a while. To keep the repository clean and up-to-date, this PR will be closed within the next two weeks if there is no further activity.

Please take one of the following actions:

• Merge the PR if it is ready.
• Close the PR if it is no longer relevant.
• Leave a comment explaining why it should remain open and provide an update on its progress.

Your prompt attention to this matter is greatly appreciated. Thank you for your understanding and collaboration! 🙏

[codecov]

Codecov Report

Attention: Patch coverage is 55.97610% with 442 lines in your changes missing coverage. Please review.

Project coverage is 55.67%. Comparing base (32cb723) to head (0c03aa3).

Files with missing lines	Patch %	Lines
...alidator/DefaultAuthorizationDetailsValidator.java	5.29%	141 Missing and 2 partials ⚠️
...entity/oauth2/rar/AuthorizationDetailsService.java	67.81%	55 Missing and 20 partials ⚠️
...ity/oauth2/rar/util/AuthorizationDetailsUtils.java	28.39%	55 Missing and 3 partials ⚠️
.../oauth2/rar/model/AuthorizationDetailsContext.java	0.00%	26 Missing ⚠️
...rar/core/AuthorizationDetailsProcessorFactory.java	25.00%	22 Missing and 2 partials ⚠️
...arbon/identity/oauth2/token/AccessTokenIssuer.java	0.00%	21 Missing ⚠️
...tity/oauth/endpoint/authz/OAuth2AuthzEndpoint.java	71.42%	18 Missing and 2 partials ⚠️
...oauth2/rar/token/IntrospectionRARDataProvider.java	69.76%	10 Missing and 3 partials ⚠️
.../handlers/grant/AuthorizationCodeGrantHandler.java	0.00%	12 Missing ⚠️
...tity/oauth/endpoint/token/OAuth2TokenEndpoint.java	0.00%	7 Missing and 1 partial ⚠️
... and 13 more

Additional details and impacted files

@@             Coverage Diff              @@
##             master    #2511      +/-   ##
============================================
+ Coverage     55.66%   55.67%   +0.01%     
- Complexity     8435     8484      +49     
============================================
  Files           632      643      +11     
  Lines         48587    49589    +1002     
  Branches       9300     9395      +95     
============================================
+ Hits          27048    27611     +563     
- Misses        17670    18054     +384     
- Partials       3869     3924      +55     

Flag	Coverage Δ
unit	39.35% <55.97%> (+0.37%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[jenkins-is-staging]

PR builder started
Link: https://github.com/wso2/product-is/actions/runs/12827348409

[jenkins-is-staging]

PR builder completed
Link: https://github.com/wso2/product-is/actions/runs/12827348409
Status: failure

[jenkins-is-staging]

PR builder started
Link: https://github.com/wso2/product-is/actions/runs/12827348409

[jenkins-is-staging]

PR builder completed
Link: https://github.com/wso2/product-is/actions/runs/12827348409
Status: failure

[jenkins-is-staging]

PR builder started
Link: https://github.com/wso2/product-is/actions/runs/12827966649

[jenkins-is-staging]

PR builder completed
Link: https://github.com/wso2/product-is/actions/runs/12827966649
Status: failure

[jenkins-is-staging]

PR builder started
Link: https://github.com/wso2/product-is/actions/runs/12846332113

[jenkins-is-staging]

PR builder completed
Link: https://github.com/wso2/product-is/actions/runs/12846332113
Status: failure

[Thumimku]

SInce this is needed for the osig serveice, ideal practise is to ship the required jar as orbit and use orbit bundles. Let's go on that path.

[VimukthiRajapaksha]

I'm using the vert.x dependency to validate JSON schemas against JSON payloads. Currently, there's no built-in library for this in the product, so I’ve opted for this third-party dependency, which is under the Apache 2 license. This dependency is being used in the new org.wso2.carbon.identity.oauth.rar module. Since this module is a regular JAR and not an OSGi bundle (due to plans to phase out OSGi), via the product-is PR, I’m adding vert.x to the /lib directory, similar to gson, guava, and jackson. I believe we don’t need an orbit dependency for this, but please let me know if you think otherwise