Improve username claim validation to handle domain-prefixed usernames during JIT provisioning#4578

Open
Zeta201 wants to merge 2 commits into wso2:4.12.x from Zeta201:improve-add-user

Conversation

@Zeta201 Zeta201 commented Apr 10, 2026

Problem

Related to wso2/product-is#27494

Self registration of a user to a secondary userstore fails with:

WorkflowException: Username and the username claim value should be same.

This issue is caused by a flaw in the existing username claim validation logic in AbstractUserStoreManager:

String userNameWithoutDomain = UserCoreUtil.removeDomainFromName(userName);
if (claims != null && claims.containsKey(USERNAME_CLAIM_URI) &&
        !claims.get(USERNAME_CLAIM_URI).equals(userNameWithoutDomain)) {
    throw new UserStoreException("Username and the username claim value should be same.");
}

Root Cause

The current logic removes the domain prefix from userName (e.g., PRIMARY/user1 → user1) before comparison, but does not normalize the USERNAME_CLAIM_URI claim value.

This leads to incorrect mismatches in scenarios such as:

  • If the claim value has no domain (e.g., user1) and the username includes a domain (e.g., PRIMARY/user1), the comparison may incorrectly fail.

  • If both the username and claim value include a secondary user store domain (e.g., SECONDARY/John), removing the domain only from the username results in:

    John != SECONDARY/John

    causing a false mismatch.


Fix

Normalize both values by applying UserCoreUtil.removeDomainFromName() to the claim value as well:

!UserCoreUtil.removeDomainFromName(claims.get(USERNAME_CLAIM_URI))
        .equals(userNameWithoutDomain)

This ensures the comparison is always performed between domain-free usernames.


Behavior Comparison

| userName | Claim Value | Existing Logic Result | Fixed Logic Result |
|---|---|---|---|
| PRIMARY/user1 | user1 | ❌ user1 != user1 (false mismatch) | ✅ user1 == user1 |
| SECONDARY/John | SECONDARY/John | ❌ SECONDARY/John != John | ✅ John == John |
| user1 | user1 | ✅ user1 == user1 | ✅ user1 == user1 |

Scope of Fix

The fix is applied to both:

  • addUser

  • addUserWithID

methods in AbstractUserStoreManager.

coderabbitai bot commented Apr 10, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: 9016a230-162e-43dc-93d0-4fe05068f5c3

📥 Commits

Reviewing files that changed from the base of the PR and between 67ca166 and 939032e.

📒 Files selected for processing (1)
  • core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/common/AbstractUserStoreManager.java
🚧 Files skipped from review as they are similar to previous changes (1)
  • core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/common/AbstractUserStoreManager.java

📝 Walkthrough

Summary by CodeRabbit

  • Bug Fixes
    • Fixed username claim validation to properly handle values containing userstore domain prefixes by normalizing both values before comparison, preventing validation failures.

Walkthrough

Username-claim validation in user creation was changed to normalize both the stored username and the claim value by removing userstore domain prefixes (with a null-check on the claim) before comparison; a related comment was adjusted.

Changes

Cohort / File(s): Username claim validation normalization (core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/common/AbstractUserStoreManager.java)

Summary: In addUser and addUserWithID, null-check the username claim and compare UserCoreUtil.removeDomainFromName(usernameClaimValue) to userNameWithoutDomain; updated comment wording to reflect domain-normalization.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |
| Description check | ❓ Inconclusive | The PR description provides a well-structured explanation of the problem, root cause, fix, and behavior comparison. However, it does not follow the required template structure with sections like Purpose, Goals, Approach, etc., and is missing several required sections. | Reformat the description to match the repository template, including sections for Purpose, Goals, Approach, User stories, Release note, Documentation, Testing, and Security checks. |

✅ Passed checks (1 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The PR title clearly and specifically describes the main change: improving username claim validation to handle domain-prefixed usernames during JIT provisioning, which directly matches the fix in AbstractUserStoreManager. |

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ast-grep (0.42.1)
core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/common/AbstractUserStoreManager.java


@wso2-engineering wso2-engineering bot left a comment

AI Agent Log Improvement Checklist

⚠️ Warning: AI-Generated Review Comments

  • The log-related comments and suggestions in this review were generated by an AI tool to assist with identifying potential improvements. The purpose of reviewing the code for log improvements is to improve the troubleshooting capabilities of our products.
  • Please make sure to manually review and validate all suggestions before applying any changes. Not every code suggestion would make sense or add value to our purpose. Therefore, you have the freedom to decide which of the suggestions are helpful.

✅ Before merging this pull request:

  • Review all AI-generated comments for accuracy and relevance.
  • Complete and verify the table below. We need your feedback to measure the accuracy of these suggestions and the value they add. If you are rejecting a certain code suggestion, please mention the reason briefly in the suggestion for us to capture it.
| Comment | Accepted (Y/N) | Reason |
|---|---|---|
| Log Improvement Suggestion No: 1 | | |
| Log Improvement Suggestion No: 2 | | |


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:

In `@core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/common/AbstractUserStoreManager.java`:

- Around line 5096-5097: The null value for the username claim can cause a NullPointerException when calling UserCoreUtil.removeDomainFromName(claims.get(USERNAME_CLAIM_URI)); update the conditional in AbstractUserStoreManager to first retrieve the claim value into a local (e.g., String usernameClaim = claims.get(USERNAME_CLAIM_URI)), check for null, and if null throw a UserStoreException (or handle per existing error flow) instead of invoking removeDomainFromName; apply the identical null-guard and exception handling to the duplicated occurrence referenced at the second location so both spots use the safe local variable + null check before calling UserCoreUtil.removeDomainFromName.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: 7d74f544-6dde-4776-8657-169980454745

📥 Commits

Reviewing files that changed from the base of the PR and between 4d63763 and 67ca166.

📒 Files selected for processing (1)
  • core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/common/AbstractUserStoreManager.java
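As an added illustration (not the PR's or carbon-kernel's code) of the domain normalisation described in the PR description and of the null-claim case CodeRabbit raises above, the following demo runs the pre-fix and fixed checks side by side over the table's three inputs plus two extra ones. The class name, the claim URI constant and the local removeDomainFromName (a simplified stand-in for UserCoreUtil.removeDomainFromName that strips everything up to the first "/") are assumptions for the demo, not the real utility.

```java
import java.util.HashMap;
import java.util.Map;
// Added demo of the username-claim check discussed in this PR; not carbon-kernel code.
// removeDomainFromName is a simplified stand-in for UserCoreUtil.removeDomainFromName:
// it drops everything up to and including the first "/" (the real utility has extra cases).
public class UsernameClaimCheckDemo {
    static final String USERNAME_CLAIM_URI = "http://wso2.org/claims/username"; // assumed value

    static String removeDomainFromName(String name) {
        int idx = name.indexOf('/');
        return idx >= 0 ? name.substring(idx + 1) : name;
    }

    // Pre-fix logic: only userName is normalised; the claim value is compared as-is.
    static boolean existingLogicMatches(String userName, Map<String, String> claims) {
        String userNameWithoutDomain = removeDomainFromName(userName);
        return !(claims != null && claims.containsKey(USERNAME_CLAIM_URI)
                && !claims.get(USERNAME_CLAIM_URI).equals(userNameWithoutDomain));
    }

    // Fixed logic: both sides normalised, plus the null guard CodeRabbit flagged.
    static boolean fixedLogicMatches(String userName, Map<String, String> claims) {
        String userNameWithoutDomain = removeDomainFromName(userName);
        if (claims == null || !claims.containsKey(USERNAME_CLAIM_URI)) {
            return true; // no username claim supplied, nothing to cross-check
        }
        String usernameClaim = claims.get(USERNAME_CLAIM_URI);
        if (usernameClaim == null) {
            return false; // explicit null: report a mismatch instead of an NPE inside removeDomainFromName
        }
        return removeDomainFromName(usernameClaim).equals(userNameWithoutDomain);
    }

    public static void main(String[] args) {
        String[][] cases = { // {userName, username claim value}: constructed sample inputs
            {"PRIMARY/user1", "user1"}, {"SECONDARY/John", "SECONDARY/John"}, {"user1", "user1"},
            {"SECONDARY/John", "PRIMARY/John"}, // different store, same local name
            {"SECONDARY/John", null}};          // null claim value
        for (String[] c : cases) {
            Map<String, String> claims = new HashMap<>();
            claims.put(USERNAME_CLAIM_URI, c[1]);
            String existing;
            try { existing = String.valueOf(existingLogicMatches(c[0], claims)); }
            catch (NullPointerException e) { existing = "NPE"; }
            System.out.printf("%-15s %-15s existing=%-5s fixed=%b%n",
                    c[0], c[1], existing, fixedLogicMatches(c[0], claims));
        }
    }
}
```

The last two rows show the caveats a reviewer would want on record: an explicit null claim value is rejected instead of raising a NullPointerException, and because both sides are stripped, a claim carrying a different userstore domain than the username now passes this check, so the domain itself is no longer cross-checked at this point.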

@jenkins-is-staging

PR builder started
Link: https://github.com/wso2/product-is/actions/runs/24228862055

@jenkins-is-staging

PR builder completed
Link: https://github.com/wso2/product-is/actions/runs/24228862055
Status: success


@jenkins-is-staging jenkins-is-staging left a comment


Approving the pull request based on the successful pr build https://github.com/wso2/product-is/actions/runs/24228862055
