feat: Add Connection ID support across all frameworks

[BrandtKruger]

• Add CONNECTION_ID constant to KindeRequestParameters and KindeConstants
• Implement getConnectionId() method in KindeToken interface and BaseToken
  • Supports direct connection_id claim
  • Supports nested ext_provider.connection_id structure
• Add connection_id parameter support to authorizationUrlWithParameters()
• Update J2EE filter and servlet to read connection_id from request parameters
  • Works with LOGIN, REGISTER, and CREATE_ORG actions
• Add comprehensive test coverage:
  • ConnectionIdTest: 5 tests for authorization URL generation
  • ConnectionIdTokenTest: 8 tests for token extraction
  • ConnectionIdFilterTest: J2EE filter integration tests
• Add JWT generator helpers for testing connection_id claims

This implementation enables:

• Passing connection_id when generating authorization URLs for social/enterprise login
• Extracting connection_id from tokens (both direct and nested structures)
• Automatic connection_id support in J2EE via request parameters
• Core support available for SpringBoot (requires Spring Security config)

All changes are backward compatible and optional.

Explain your changes

Suppose there is a related issue with enough detail for a reviewer to understand your changes fully. In that case, you can omit an explanation and instead include either “Fixes #XX” or “Updates #XX” where “XX” is the issue number.

Checklist

• I have read the “Pull requests” section in the contributing guidelines.
• I agree to the terms within the code of conduct.

🛟 If you need help, consider asking for advice over in the Kinde community.

Summary by CodeRabbit

• New Features

  • Authentication flows (login, registration, org creation) accept an optional connection_id and include related URL parameters (supports_reauth, prompt, org name) while preserving existing behavior when absent.
  • Tokens expose a connection_id accessor that reads direct or nested provider claims and returns null when not present.

• Tests

  • Added comprehensive tests validating connection_id propagation in authorization URLs and extraction from various token formats and edge cases.

• Bug Fixes

  • Improved validation and error messaging for unknown actions and missing authorization URLs.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds connection_id support across core and J2EE modules: new constants, token API and BaseToken implementation to extract connection_id (direct or nested), propagation of connection_id into authorization URL generation in filters/servlets, and corresponding unit tests and JWT test helpers.

Changes

Cohort / File(s)	Summary
Constants kinde-core/src/main/java/com/kinde/constants/KindeConstants.java, kinde-core/src/main/java/com/kinde/session/KindeRequestParameters.java	Added public static final CONNECTION_ID = "connection_id".
Token API & Impl kinde-core/src/main/java/com/kinde/token/KindeToken.java, kinde-core/src/main/java/com/kinde/token/BaseToken.java	Added getConnectionId() to KindeToken (default null) and implemented in BaseToken to return top-level connection_id or fallback to ext_provider.connection_id; returns null if absent or token invalid.
J2EE Filters & Servlets kinde-j2ee/src/main/java/com/kinde/filter/KindeAuthenticationFilter.java, kinde-j2ee/src/main/java/com/kinde/servlet/KindeAuthenticationServlet.java	Extract request parameters (including connection_id, org_code, lang), build a parameters map, and call authorizationUrlWithParameters for LOGIN/REGISTER/CREATE_ORG flows when params present; added unknown-action guard and null-URL validation.
Test JWT Helpers kinde-core/src/test/java/com/kinde/token/jwt/JwtGenerator.java	Added methods to generate signed ID tokens containing direct connection_id, nested ext_provider.connection_id, both variants, and ext_provider without connection_id for tests.
Token Tests kinde-core/src/test/java/com/kinde/token/ConnectionIdTokenTest.java	New tests covering extraction from direct claim, nested ext_provider, precedence of direct over nested, missing/null cases, invalid token handling, and AccessToken compatibility.
Session Tests kinde-core/src/test/java/com/kinde/session/ConnectionIdTest.java	New tests validating that authorization URLs include connection_id and related parameters across login/register/code-grant/create-org flows.
Filter Tests kinde-j2ee/src/test/java/com/kinde/filter/ConnectionIdFilterTest.java	New unit tests mocking HTTP flow to verify filter behavior with and without connection_id, ensuring parameter propagation and redirects.

Sequence Diagram

sequenceDiagram
    participant Client as HTTP Client
    participant Filter as KindeAuthenticationFilter / Servlet
    participant Session as KindeClientSession
    participant Auth as AuthorizationUrl Generator
    participant Token as KindeToken

    Client->>Filter: HTTP request (may include connection_id)
    Filter->>Filter: extract params map (connection_id, org_code, lang, etc.)
    alt params present
        Filter->>Session: authorizationUrlWithParameters(action, params)
    else no params
        Filter->>Session: login()/register()/createOrg() (legacy)
    end
    Session->>Auth: generate authorization URL (includes params if provided)
    Auth->>Filter: return authorization URL
    Filter->>Client: redirect to authorization URL
    Client->>Auth: completes auth, receives token (JWT)
    Client->>Token: parse JWT
    Token->>Token: getConnectionId() → check `connection_id` or `ext_provider.connection_id`

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐇
I hop through claims both near and wide,
A little key named connection_id,
I peek direct, then deeper probe,
From request to token I trace the lobe,
Hooray — one hop, one tidy guide! 🥕

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 3.23% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title accurately summarizes the main change: adding connection ID support across multiple frameworks and components in the SDK.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 5

🤖 Fix all issues with AI agents

In `@kinde-core/src/test/java/com/kinde/session/ConnectionIdTest.java`:
- Line 27: The test currently calls
KindeEnvironmentSingleton.init(KindeEnvironmentSingleton.State.ACTIVE); to set
environment state; change this to
KindeEnvironmentSingleton.init(KindeEnvironmentSingleton.State.TEST); to align
with other unit tests (KindClientBuilderTest, KindTokenFactoryImplTest,
KindClientImplTest) unless ACTIVE is intentionally required—if ACTIVE is
intentional, add a brief comment above the call explaining why ACTIVE-specific
behavior is needed for ConnectionIdTest to justify the deviation.

In `@kinde-core/src/test/java/com/kinde/token/ConnectionIdTokenTest.java`:
- Around line 52-67: Update the test testGetConnectionIdPreferDirectOverNested
to actually verify precedence by creating a token that contains both a top-level
connection_id and a nested ext_provider.connection_id with different values; add
a helper in JwtGenerator (e.g., generateIDTokenWithBothConnectionIds(String
direct, String nested)) that injects both claims, then call
IDToken.init(tokenString, true) and assert KindeToken.getConnectionId() equals
the directConnectionId, ensuring the direct claim is preferred over
ext_provider.connection_id.

In `@kinde-j2ee/src/main/java/com/kinde/filter/KindeAuthenticationFilter.java`:
- Line 88: In KindeAuthenticationFilter replace the typo in the thrown
ServletException message—change "Must proved org_name query parameter to create
an organisation." to use "provided" so the exception reads something like "Must
provide org_name query parameter to create an organisation."; update the string
in the throw statement inside KindeAuthenticationFilter to correct the wording.
- Around line 70-97: The REGISTER and CREATE_ORG branches build parameter maps
for authorizationUrlWithParameters but omit parameters that the dedicated
methods add; update the REGISTER branch to add
registerParams.put("supports_reauth", "true") alongside prompt=create (so it
matches register()), and update the CREATE_ORG branch to add
createOrgParams.put("is_create_org", "true") alongside prompt=create and
org_name (so it matches createOrg()); modify the blocks that construct
registerParams and createOrgParams in KindeAuthenticationFilter (the branches
handling KindeAuthenticationAction.REGISTER and
KindeAuthenticationAction.CREATE_ORG and the calls to
kindeClientSession.authorizationUrlWithParameters(...)) to include those keys.

In `@kinde-j2ee/src/test/java/com/kinde/filter/ConnectionIdFilterTest.java`:
- Around line 83-116: The tests fail because KindeSingleton.setInstance(...)
does not exist; either add a static test-only setter on KindeSingleton (e.g.,
public/static void setInstance(KindeSingleton instance)) and a reset method
(clearInstance or setInstance(null)) so ConnectionIdFilterTest can inject and
clean up the singleton, or update ConnectionIdFilterTest to avoid modifying
global state (use dependency injection or obtain the singleton via a
factory/mocking approach or use reflection to set the private static field).
Ensure the change exposes/uses the symbols referenced in the test
(KindeSingleton.setInstance, KindeSingleton) and add cleanup after each test to
reset the singleton.

🧹 Nitpick comments (3)

kinde-core/src/main/java/com/kinde/token/BaseToken.java (1)

93-118: Use shared constant for connection_id lookups.
Avoids drift between token claims and parameter keys.

♻️ Suggested refactor

+import com.kinde.constants.KindeConstants;
@@
-        Object connectionId = getClaim("connection_id");
+        Object connectionId = getClaim(KindeConstants.CONNECTION_ID);
@@
-            Object nestedConnectionId = extProviderMap.get("connection_id");
+            Object nestedConnectionId = extProviderMap.get(KindeConstants.CONNECTION_ID);

kinde-core/src/test/java/com/kinde/token/ConnectionIdTokenTest.java (1)

97-124: Tests 7 and 8 cover identical scenarios.

Both testGetConnectionIdWithNullExtProvider and testGetConnectionIdWithExtProviderButNoConnectionId use JwtGenerator.generateIDToken(), which produces a token without any ext_provider or connection_id claims. To test the described behavior in test 8 (ext_provider present but without connection_id), you'd need a token with an ext_provider object that has other properties but lacks connection_id.

💡 Suggested approach

Add a JwtGenerator method like generateIDTokenWithEmptyExtProvider() or generateIDTokenWithExtProviderOtherKeys() that creates an ext_provider object without connection_id, then use it in testGetConnectionIdWithExtProviderButNoConnectionId.

kinde-core/src/test/java/com/kinde/session/ConnectionIdTest.java (1)

23-32: Consider adding @AfterEach cleanup to prevent test pollution.

The @BeforeEach calls fin() then init() on the singletons, which works for sequential tests, but adding explicit cleanup improves test isolation and makes the intent clearer.

💡 Suggested addition

`@AfterEach`
public void tearDown() {
    KindeGuiceSingleton.fin();
    KindeEnvironmentSingleton.fin();
}

[codecov]

Codecov Report

❌ Patch coverage is 33.80282% with 47 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
.../com/kinde/servlet/KindeAuthenticationServlet.java	10.71%	22 Missing and 3 partials ⚠️
...va/com/kinde/filter/KindeAuthenticationFilter.java	31.03%	18 Missing and 2 partials ⚠️
...-core/src/main/java/com/kinde/token/BaseToken.java	92.30%	1 Missing ⚠️
...core/src/main/java/com/kinde/token/KindeToken.java	0.00%	1 Missing ⚠️

📢 Thoughts on this report? Let us know!

[coderabbitai]

Caution

Failed to replace (edit) comment. This is likely due to insufficient permissions or the comment being deleted.

Error details

{"name":"HttpError","status":401,"request":{"method":"PATCH","url":"https://api.github.com/repos/kinde-oss/kinde-java-sdk/issues/comments/3774102197","headers":{"accept":"application/vnd.github.v3+json","user-agent":"octokit.js/0.0.0-development octokit-core.js/7.0.6 Node.js/24","authorization":"token [REDACTED]","content-type":"application/json; charset=utf-8"},"body":{"body":"<!-- This is an auto-generated comment: summarize by coderabbit.ai -->\n<!-- This is an auto-generated comment: failure by coderabbit.ai -->\n\n> [!CAUTION]\n> ## Review failed\n> \n> An error occurred during the review process. Please try again later.\n\n<!-- end of auto-generated comment: failure by coderabbit.ai -->\n\n<!-- walkthrough_start -->\n\n<details>\n<summary>📝 Walkthrough</summary>\n\n## Walkthrough\n\nAdds connection_id support: new constants, token extraction API and implementation, authorization URL propagation in filters/servlets, and unit tests plus test JWT helpers to validate behavior.\n\n## Changes\n\n| Cohort / File(s) | Summary |\n|---|---|\n| **Constants** <br> `kinde-core/src/main/java/com/kinde/constants/KindeConstants.java`, `kinde-core/src/main/java/com/kinde/session/KindeRequestParameters.java` | Added public static final `CONNECTION_ID = \"connection_id\"` constant in both classes. |\n| **Token API & Impl** <br> `kinde-core/src/main/java/com/kinde/token/KindeToken.java`, `kinde-core/src/main/java/com/kinde/token/BaseToken.java` | Added `getConnectionId()` to the interface (default null) and implemented it in BaseToken. Method returns direct `connection_id` claim or `ext_provider.connection_id` if present; returns null when absent or token invalid. |\n| **J2EE Filters & Servlets** <br> `kinde-j2ee/src/main/java/com/kinde/filter/KindeAuthenticationFilter.java`, `kinde-j2ee/src/main/java/com/kinde/servlet/KindeAuthenticationServlet.java` | Propagates `connection_id` via a parameters map into authorization URL generation. Adds action-specific parameter augmentation (e.g., `supports_reauth=true` for LOGIN, `prompt=create` for REGISTER/CREATE_ORG), unknown-action guard, and null-URL validation. |\n| **Test JWT Helpers** <br> `kinde-core/src/test/java/com/kinde/token/jwt/JwtGenerator.java` | Added `generateIDTokenWithConnectionId(String)` and `generateIDTokenWithExtProviderConnectionId(String)` to produce tokens containing `connection_id` (direct or nested) for tests. |\n| **Token Tests** <br> `kinde-core/src/test/java/com/kinde/token/ConnectionIdTokenTest.java` | New suite testing extraction of `connection_id` across scenarios: direct claim, nested `ext_provider`, preference rules, null/missing cases, invalid token handling, and AccessToken compatibility. |\n| **Session Tests** <br> `kinde-core/src/test/java/com/kinde/session/ConnectionIdTest.java` | New tests validating generated authorization URLs include `connection_id` (and related params like `supports_reauth`, `prompt`, `org_code`, `lang`) across flows (login, register, code grant, create org). |\n| **Filter Tests** <br> `kinde-j2ee/src/test/java/com/kinde/filter/ConnectionIdFilterTest.java` | New tests mocking HTTP/request flow to verify filter behavior with and without `connection_id`, ensuring proper parameter propagation and redirects. |\n\n## Sequence Diagram\n\n```mermaid\nsequenceDiagram\n    participant Client as HTTP Client\n    participant Filter as KindeAuthenticationFilter / Servlet\n    participant Session as KindeClientSession\n    participant Auth as AuthorizationUrl Generator\n    participant Token as KindeToken\n\n    Client->>Filter: Request (may include connection_id)\n    Filter->>Filter: Extract connection_id, build params map\n    alt connection_id Present\n        Filter->>Session: authorizationUrlWithParameters(action, params)\n    else No connection_id\n        Filter->>Session: login(action)\n    end\n    Session->>Auth: Generate authorization URL (includes params)\n    Auth->>Filter: Return URL\n    Filter->>Client: Redirect to authorization URL\n    Client->>Auth: Complete auth, receive token\n    Client->>Token: Parse token\n    Token->>Token: getConnectionId() -> check claim or ext_provider.connection_id\n```\n\n## Estimated code review effort\n\n🎯 3 (Moderate) | ⏱️ ~25 minutes\n\n## Poem\n\n> 🐰 *twitches whiskers*  \n> A tiny id hops through the lane,  \n> From request to token, clear and plain,  \n> It nests, it jumps, it finds its way,  \n> One little claim that saves the day,  \n> Hooray for connection_id — hip, hop, hooray! 🥕\n\n</details>\n\n<!-- walkthrough_end -->\n\n<!-- pre_merge_checks_walkthrough_start -->\n\n<details>\n<summary>🚥 Pre-merge checks | ✅ 2 | ❌ 1</summary>\n\n<details>\n<summary>❌ Failed checks (1 warning)</summary>\n\n|     Check name     | Status     | Explanation                                                                          | Resolution                                                                         |\n| :----------------: | :--------- | :----------------------------------------------------------------------------------- | :--------------------------------------------------------------------------------- |\n| Docstring Coverage | ⚠️ Warning | Docstring coverage is 3.45% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |\n\n</details>\n<details>\n<summary>✅ Passed checks (2 passed)</summary>\n\n|     Check name    | Status   | Explanation                                                                                                                                                                  |\n| :---------------: | :------- | :--------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |\n| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.                                                                                                                  |\n|    Title check    | ✅ Passed | The title 'feat: Add Connection ID support across all frameworks' clearly and concisely summarizes the main change: adding connection ID support across multiple frameworks. |\n\n</details>\n\n<sub>✏️ Tip: You can configure your own custom pre-merge checks in the settings.</sub>\n\n</details>\n\n<!-- pre_merge_checks_walkthrough_end -->\n\n<!-- tips_start -->\n\n---\n\nThanks for using [CodeRabbit](https://coderabbit.ai?utm_source=oss&utm_medium=github&utm_campaign=kinde-oss/kinde-java-sdk&utm_content=212)! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.\n\n<details>\n<summary>❤️ Share</summary>\n\n- [X](https://twitter.com/intent/tweet?text=I%20just%20used%20%40coderabbitai%20for%20my%20code%20review%2C%20and%20it%27s%20fantastic%21%20It%27s%20free%20for%20OSS%20and%20offers%20a%20free%20trial%20for%20the%20proprietary%20code.%20Check%20it%20out%3A&url=https%3A//coderabbit.ai)\n- [Mastodon](https://mastodon.social/share?text=I%20just%20used%20%40coderabbitai%20for%20my%20code%20review%2C%20and%20it%27s%20fantastic%21%20It%27s%20free%20for%20OSS%20and%20offers%20a%20free%20trial%20for%20the%20proprietary%20code.%20Check%20it%20out%3A%20https%3A%2F%2Fcoderabbit.ai)\n- [Reddit](https://www.reddit.com/submit?title=Great%20tool%20for%20code%20review%20-%20CodeRabbit&text=I%20just%20used%20CodeRabbit%20for%20my%20code%20review%2C%20and%20it%27s%20fantastic%21%20It%27s%20free%20for%20OSS%20and%20offers%20a%20free%20trial%20for%20proprietary%20code.%20Check%20it%20out%3A%20https%3A//coderabbit.ai)\n- [LinkedIn](https://www.linkedin.com/sharing/share-offsite/?url=https%3A%2F%2Fcoderabbit.ai&mini=true&title=Great%20tool%20for%20code%20review%20-%20CodeRabbit&summary=I%20just%20used%20CodeRabbit%20for%20my%20code%20review%2C%20and%20it%27s%20fantastic%21%20It%27s%20free%20for%20OSS%20and%20offers%20a%20free%20trial%20for%20proprietary%20code)\n\n</details>\n\n<sub>Comment `@coderabbitai help` to get the list of available commands and usage tips.</sub>\n\n<!-- tips_end -->\n\n<!-- internal state start -->\n\n\n<!-- DwQgtGAEAqAWCWBnSTIEMB26CuAXA9mAOYCmGJATmriQCaQDG+Ats2bgFyQAOFk+AIwBWJBrngA3EsgEBPRvlqU0AgfFwA6NPEgQAfACgjoCEYDEZyAAUASpETZWaCrKPR1AGxJcAZiWpcAIK09ADC+BjkYvARkACSACL22Nzc+BS46AwU+IjIaB4ekD5UbADu6QDWyAAUtpBmAEwAjI0AlJCQBoF4sOlcAEJUGLS4ANIU2KR8XQDK+NgUDCSQAsMMsL7+uIskAPRMkaLiEWDwtGAOqemZgEmEMM6kmWuYG1zM2lhdoRTbdOicSCNAAMjQAbGBgc0wCDoM0AOwcRoATiRABYAFqdAwAVRsABkuLBcLhuIgOHs9kR1LBsAINExmHtKvARiQwLlEMzWUowEI0BI0JdaJU9txsIU9i1GtjZrhqNhyfxuGQ3AhkPU0CFkPhuCcMAUADSrNAMSplZwXRncajwAReZLXDLFdLoBRHaIRAD65yyOTykFwsBWswSY3QI0gAClGgBRWMoDA0IhUfWIDSQUKwTCkZCshgebBKDgGKAAORIZUzAHky2XY6FoHFa17Eu7EPKk4nIGMeSQbCQAI7YaS4KzONBsGgUfKR3ts8IYDuYXDp0s9vvQfCVMiJ6c+U0rTD0AZoRAkLc7rApWjUf5lGmQJ6LqL6uK0GptY1XNIZVlEVZ8CDN1aHgX4xHdV8YgwH16ALbRmAjeg0EgcgO3+EgAA9cC9Xh8Akc5KAZCIoO9X0O0mMRdg0dc0F6dJ4AAL1tCIcQoDwAHUaXHUoSGnRBP0gLCaDZegCCyZY9TdQ5SJg30bV46cXT4RB8AYeACj2dhKF4JAVg8fBqSwHwDLKNcoBjeNingDwlOPexKAkLxMhvO8xPwSBfi1SDjmg2DihyRDfmHUceAnKdKGQHxXXxasAHE4jLY0bFjBLZmgWMbGNezQhSwIMq9asbDirI0xoqBwmYXgSGDJdJBWGgO1nMTQuDDwVRnEtOgqkjfIid9oFCmoAFZA1HRAOmivg6KDBjmP1SA8XxJ8yGUfUDG6zNes9DABu3MhBo7SAagADjGprJtdAgryE7CqB2jbdC2j031oAAxGzp0OzIpujOMEx8T7KD3EgUxYjBHosjjoBW8hU1dNqOuQcTsj+QN9qXSAH2AmS+rkuCPAQxAjDLIDpC4cJfkdX9MlQAVtEJ+0Go82ZdIwIgBnwIDjuC7AwOkSBWYof9BdERZ1HkQ5AaIRZwbaDNAkKdAQnUaD8ip3V9QKJCTTNC0KFoZBrVtJmaIMCwttYdRIDYPI0FzZInBcIwoEBzCuBxbhbxoZ7ZPfD7bMob70cgRUVgAWTUlkCA0Zgo7lW0GGUjc2Vmf9nNiQAUAk8khuEJ5ZkAwU4sKQETMnPXA4iXTtlkExV7ZIbKPHgIhMex2BbtLkXGsyG0SUoJdjTdgXQlretG2bMtWySeAqpubLIy1Q2eByDqxucBJ8DKDBBJRgzz0gSOzToBPxAYM39GMcAoDIeh8B8HACGIVbU3+Rk2CTLheH4YRfKkGRJaKGUKodQWgdCXxMFAOAqA6ZYBmoQUgcM3IKFYOwLgVAqwOCdvIOQCglBUBAZobQugwCGCvqYAwLI2RgCYL8PYiAlh7A+KyPY/JBQHBYNyNkHDq4ri5POJQi5lxJnTGwtAJYABEUjzaWECHEZ+SCaD0CwR8Fw/AH4bBzNIF2kBgjLxQuQKs4p7TwCTocYRmRR51gbE2FsbYAC8kAJG4x2rBCRIcBEkCEZ2VcGZSb8CDMDTR7MBbiRLh2EW5ifE6j4AZakDAADcqEPICBqgKGIfBgm5jNuYWRgdUxqxDoEyASh4IFIiDqB+WEab/FdMY5uSd2Cq20euPRdAv50gafYeUZ9rIGiKHKYW7MazWInnYpIjjnHbX1G47s8EAwAANGQaCoUoYivCREaE8d4vhCzjqAwdAs1Z7JaH7AYQwJhnxWH0w4UyY5PCLH8L7DszZYiFltCMPiVkAssntMgAAamaHsSERhYwRI+EovBKxfgEUrEJHwU1AThzoPARwBgpESJdhQ45ND0hnMYcwjA1z2GMi4Uoeh0hEDQT2J4gcIUOw8UnHxSKGgxGSOkRbORCi1r/BUc4eQ99GDZhCcTVpIR/gGLhfU0x3TE59O1oMyJFSfEjPHrYqeDinEuJmecdx4laVDhHAy8KzKZx+I8kBYMmThUOzCZhLuwyol8P4LEwypickyN0fk8GyMPLFNKYTcpmNBXVJuLUvg0rGlJmaaKqAH0SAeGQuK2gXAFmRvlUUZcvTFXDKsWqye089mskYITRZBr6VjhNfxItxkbIrCOX2XFdDzmXJYWI25ZKzmUupeWo1lbFIsrecdQUhZvBaumX5XVHzPXh0wPAPwR0A4rECP02QjFKCfO+UbG1fzAXAuBKC8FyCmBKBzrCqsJAEU3C4Mi0CaKMVYrAEYHFpz6EEque20l9zrpkD2Kec8l4yCsvpuyzFnL5GIJ5coxwqiBUaJ3bG3RyaeCdJlVOPo9BnwTv6h+Do4l/0XgxhmaByB0OKGNGUWqjACheFoMaX4OwKCY2KdqydyjcBDIArgwGM5MgbFEFQgCKFQLgT44TWeqEmX0CmS9Nj7jjzGnnegAQ54kzGlwQZbcItfqSvQvQYSuEcgEXwd0yijGjyRgY8LEgBFhkGbwsZoirGyK0AzHETIDHFiYwwBKIoSnilUtbv8KM0MUCF18y6lAD8i7JHUCoB0I6RxhZdNgEYxHgw2z4hh5LmAi49P+AAAWrFICgwtT32QK7McgaBKiyDgDkMy5VD6sldLPG0EEwmlYRseZu7MuBYdkzhp891L2+fkJ5pj4WlasnQt5QVQYGsi0o7uGLP6sCungrPdWR5BQ2XiyQD1nLvVpiKRlgNE4TshswjUu+EbUNRvEOIFpUBkWzSTUoFNkAFk5oAgNv2uGa0lrPMgBZBHAMYEBwc+tL68VvouYS4laAO3foxn+s8hGrzAcFAs3Jh850LsyEu3Rq710UE3WhIVWjPv/MaPCYFzRD3iAhW/IBZ74BwsvYim9KL73SNLNixtr6W0I8/ZwlHV4aWbiI2y9FHLZEQZfsgvlajBW/MQ205CqE4VKAPBKTIZHMN8RfHjd8u8/UZc8eDkGFADzLHSysA3OdGOYxQj9nWDnCL5GKDRgQppKgoCql4D+PToKBmzB5viXmpseHt9GemtA1JA+FoDUJ4eUDl38EsYMvqbqbeYFFDb2H8aKYwAWIsIs0KQr7rAZAzcdy3Rwh7/B6zZKwXNQEq1mW3sxNWGkgiroyiUBWL82gSTwniGGQb5AvxCWh1LzuujOsYtxJle3Yt4+RZT6xmeG2ih53s9c0YHRr3stLz+QsnXdFbKCw4yLP7JuAdzNLSD5ZxyNBra2VLq8eyahQ64DD5td9NtG5L9PsPYNbSXNkcHLHNAadI7acH1U7FYc7INSpW6G7SLdNJpJ7RDE/RQZWD7VNS/PXG/TjFaXAY3HaU3NoQHVkfcQ8L7V/Psd/IjS3DGHHGdfHUKInFdAoNdDdAwL5CnEfLgQFIFEFAwMFJnY9VnGFdnC9K9DIbnO9ZgWXTFfnJ9ShQXWHFtHuRHZHMA88PIalSg16b6GA0DT1LlSDV+aDbBdRSnEVIwKuDjRQbAAuN0Qxc6cuPmH2Uw6CAaUKVLEzJgtkDQIwqlWIIMagW6SgdSIwnyVxX0YVWgXrACYtGaPoYWeaUPJafIbITkG2PXeAPOFYRAZYA0YWXIWPHuPMDAVWAoJiI8FOQRZudgHWCI6CdTPmRNMKAdPgD4MkY6fMQsUCXNMeGxAtNseyTWaCbWH8G4RAL0LyXoY0PCKqXAY0dIIgL0E9RuSAQmdmL8WGHlXReibI8GNiIoAiFCTIuaS49iLiIMRlCKGcBeZCPISgTIYpX4BwWyEWJad0eUGbMPFYapY4f4BSJlfiNzUvUYgWFCCuFILvbLcSVkBo5uddSAOKPmZYewdOPiCpHWHuFExQAvCgLgO4i4/UK4p42AfwnDY0FfDAOkhk3aRfX4akdCCgVkovd8Y0Zzdk3kpQOKYYTIGoXmfmI2IBL0ErffYGX6UeBIBMMGJMY4+yQU98Ok6sQJCgF401WoOUlPaUwbfGdAAyYZduF1HYvYnWQ4ogeWL1IoWo9AKmSNY0MOSAArYOK0pQco4WPUeqL0hIJAPONAWQMsJld4nODwAVLAQEiiJVJMT4YPdAT4v8CpHJeAtaQpcSf1UQQNRAq7DAupe7ISaNHAnRUIZ/Ag8/dNeZZANkwIjsQHBZXQ0cfQ0A7hToiIPYJs2gcwt5dcPA97OsssiQfAciPiT2T8QHBsr7fs76H/XLICZBK0hZArAYS9PFWMU0WAd5YcrLfAs/T7NNccyclqDsHoWaak6CWkmkfs2cp/YHBcvkgc0cZcyIVcyFdc70j840DckMxAMMiMplA8l7I80c089NCc30HufEN1Fkh8t8p84techZRcj846Fc/LegX8pcgCgrICkCyMtgcCw+SC2s6C88uC0cAcLk6cXk006gucmsjCt8pc7Cr83CrGR8Dcgir7Ii0MwmUCsij5CCt7Ki1NGCi87w/s4UkgUUlcVCrAdCzClsrivLNcviv8lswi4ikS0ikgcikcqSr7GS2ijseSmkHUq1fU/iFSoHRZdS3AT8rSn8nSgSwC4S8Moyg8wQrdRw0ganZoMEOnCQqQ2eGQ09OQjnRQpFHnVQh9DQ59bQwAi5PQ0XO5MAiAxcjGQckDNQqwhXRRXlGDflBwtXZwpMHIWgdwhErXKsEk+cvKq8YONClgFZZgtbXi4CYSMgKlKQbwhQErBuZOYSe6CfACQU/yEoFgdGK8dMGADLF0pgErEsKAEM0TRInVegaqVTTIHfFCAgbgMALwKQIoPPJrCsPTBvQzfCQiCgFvPGNvVpFTMgPE1XIvfyGocEiCHzQoeWdcKwX4PwX4UvFYQVETY4HatjfgErLXW6+zIzR6/gcgJrSqPuO0GyCWXqjuQIBgAuRAK3GoRAJlSAMHDGAPUo4POWJrAACR6xFkFVZBHTgoxlqD+tpgwDZuQkjABsuu+vOCBqgEZpGDSIWoGrxtQgi2RoepMxqDBmWB8AlBlqVl+L1xFsgDFtSJFjlscwjV+PaIEDwDxoWD4yFvoEVpGxVqKAFpzj+NwCBskL3OGqiTMxzylpuOjDKFwDikVwID4ERkihLwxKaM9sxm9sSGgPRPFNdAJqJpjvqJ+iugywTspStwYHR3VPTNXElqwF5olmjOBy+ORgyy5v+HvyoNw34DwEZBWCtILEz0yztmySPysOO1zPN2QILIu0KWLLDVuxQxMQexjR0QrCMTLIbNTVaoOiwuLXa0qDGqWU6rfzWx/z/y+wAPxQyo7Kys7XANR1nowAKux3EsgAnuHq6RJK32LXYuYoHPyo/K6iegWR7n9ooLfK2uOGrIQlnMhi+3fqNzfLekCljGwhBvlsoH/s2jftHA/vktqlJjHCNqTBgdfqAc/ofpBsvUoG/rEGK0oBuqUXQagDgY7AQbfLpPTryHB1IcAfgeAYfrpKrl5roZoIAfIb9qYf+zpLLF83AZQagYoHoa4coeYZpEEcgYNoGDwFJkfI4Zdo2FJPoFgXcvvEfF0sOsjCEuAsMqjJ1jDmQEjXoRDyThLozKwCnzNgtlnXqIJ0gB4JJwEKEJ+QX1ENaGGn3UZyishVtNioUK5wopUKKpSq0OoSF0YUypALFxytRyEF9r2CjF9v9sUXSAsKKvA25VsMdlg0qoQx0Q10DAqEaqvplSzTQ0gt9R9u4bSYpIAZsLvGjoxiYv+xqDd01NoDaC4FRjvC90C3IHoDbB6qtJQhmt9CuoaYDpIGaavDpKkZRvwUfI6bfO6cYC8kajdAGf+GGaptGawH1tRsEBEAgkOGBPqMdUtqa05mAlvuTo0kxOaK8JsFmECEgB3FkG/BbiwGKRGcfBecaGGjBGjJGKLDKM7FvANiBy2x4ELDLrKJVHUhTzgiLzAF+EJkhW9jQHt3kGYDAhyD4ACw43cPMwcI32GR6saYWin2yhVmGV+MRfECGrzzXCPwktP2TWkrLIqaTjdypZmYSHB1aYf3adv0uYfpoOfMWRqdSbWnSFbO3rh3AL3pieyu4QgISdwCSZSYDvSaHPZePM5fMu5bMdILv2mdmbIHmYgcWcoGWbFemtWdYpfL2WSdqblYoAVbSp3uVY7E7NifVficSbddlfhieqHNx0VgQJOzzLO17tQLJeu0HswLLOwPZ1wMopPK5ZHtlWzQdZONfktaQqDHtbIM6clbQrYpDd1c9e7AbQiZ0KiZVZJQDfJQ1eDZ1bqZgJxwNaguza6R5bNeGX5aLetaEYNtLaTP+wrdUqrc7Y9a9YbfSt9a1f3vF1/U1e1fdbDe7fJzcap1EPhC8YiqPT8dkJs3kPhSCdvVRSSr5wgE0JxSEEaBIB9ZF1VYPoOWnEgKUGvNqjPnBgDmnAyYfSyf5bsLydVwKfXBcNqvquQAWOdF+jwhtCIFtGGTGctr6OhOBgWwWCIA7mKUyKaSzoWhMi3lWBwR6LGKE2w9eNIzQG4B1lBZo/T27CI/OKYnBkWgJCxio32vYCaz0WQBSIlvEjoiIFTOZPo1BlLkoGjN6ZoC9G2MfiyK44WjyOlqXlVgiG1hCjUShPo5fqgFigSjLEpO1GpkWOWP8F6HsWJYbqo3GdUeMdQc0AAZSjSgyhsAs+XnWL1HsUU8c93Gc+SwE6TBok2lyljHyljEKmKl89c5YAC6C51m2K9ANDYD45C6w9QHC/c6gGE88LhVS0qCLm3jAFNAWhlktDDxiLw7MjdFmEcmcnAckjI9dFS3AkMnqPXXoE8T/ZI/BgJoWkS2kCawADVGjvZU8YjMBVP7iNPeO8u4Plg+axJYAGs8wH5rYZ9Pho8mtYO3CPCvC2tFjjpGbEBYBZ1uBjQbvjRe1Rx7LIoOh7IjG3RDODSbZGOQ4s7StAFTT/J7J0XkExvzJIABw45/4Pu5CFg8xA9TFrYBaaFgwzQwpgJfow49Shl1IbQ/MfmMtAZ+khIPAD4Xh58ZOwz1JhlrZRmk951ZAlVUEuxgeE1GfhlYgygqBUhu4MteZQpltrxzxsf8wSjtYVvpBBPcdI3O6iTY2e6ykiyqkk2Mhw0ynR7Kz1x/ETHQ1VflFvmFQqY1cSlmUxA6AzZXHt0D2AU0RgRgUwQfHmcUWYqL24rr3ErQmH3UrqFn3X2lX32W21XyVhenI+If2SBBvo1SPoJmuKBQ/NAZdQP5dsmldyqVd4MtFEMju6qPDEOU6+BZjdPBbAf5Iq1IpKPVhqORYUJPv+JvumO5rEIfjDVQoFNsusB8vsophg9eejxOOcjYhASqXQ9RmVYtYiha+WV1w3oYp4pEpkpUo4h0pMpozovYv4uSoqu1YBSENQTihTJ0ZjPFoD5ilyWAIqVA8Vhq92/kk6OvvnAr/bXD9NocQD4qT1O7zHjuIy+ZxpaznhJLgiLffI0jug75Bed/OvuPhfqbRTOiUXzlZwyBLEViQYezpMBICPRNonnJft53gH+dcAgXDZugM6BRc8oBUIqHFFwGBQUuhAtLhQB2KZcVgjfHOBWjFT6Inw2AWrrGwawRghIXWPgEpnm6ldyucCXoENwWhb9YgqAD6gsCTBD5D8hXSzihBq5QsuBFHAQf3weJFBb4yAZEvbTQA+AlIk/IOkzXZhNZZ0dBfbp3AiTDJUk2YfvHwHAExZQuqAH8G0UPxH5syCbeXib0V6XZleJZO7DmzTbPYL6EQdAQFWELuMAUAAZmRDApohjvaKtCld6BNr02tFuLAE94C4feL7H1tE0D6fsgYFAPsiAyKGn1xEmTZPuB1yYVUoOmfIwEV0lRVhUs1sZqjWX7JAcg4oUX6J4gQpGROhfAWwekn6DDko4yAemtAGgBWBmBfaPYAywqT7EeyGAB7n2DTjswM4ywlol4jaJJhZGNkfBCsIXA7DNiWw6suziTDNdjCEQaMn+0W6f8Y864CuJ7ETBh110pGMYSXhOZ50UIccY+P11WEEkCABdDSLmzQxRx/wCnCINLF2DIBiC1+fnn6yWG947BGSJrD3AGHCtq6aZYXnnWiKZBwBmHEvntR/5hcn+xoYpF+2Bgm19hs4BbreUH68dvaxSbZMcMuGREsAVpFjLlzhJgt1uboX4NDQgh5dKAU0NgPIO8IYiaQ5tfstiNLp1d8RVGJwblyS6OZF8FIoodRkKC15EKgkKIhbmeSsju0sQVnoKN8Trgswlg34dUGTieI1hRADYboD0CnDjhewxNMDFITOjzhmQD0SyK9FsiuiOsI0umwgHAxwueJGoCxxFh5pJi4yDoikBphIDbOQYV7pZhRTbUhh9gmxnkmjZd09+KBJXugWTalkghFZdNlWRrJZtjWObFqqUPyScVi0UOLeo2l955Dm2SOLsuSkpHFCOhZQ0cLuwiH7sQkIVYaOIQPSSFT2LOF3ueivZpCb2vOdQpfAMCQJyyd8B+PAhT5ntmegIDBDULUS4I9iBCNQEQnASkIlx18FBHixwjnBEx56OgF6GXDOhFxy4+EMCGiEMBmgAgZEMNBIDwhohJ0YELQGiFohohJAE6M0AYAnQ0QAgQmvCAEAnR/AaAYaD4FoCNAfAJ0WgAIBISGBnxtOYaAwFt5ghTQjQNEPCBOjIhQJ0Q78dEJUAhAAJnOACbQHwlAtGg0ErCeQigDvx1AsEG8fITvG3w2Jy46qF6DYB0CSAuxVHtUHvHyhHxp4gwAAG9HoEiJALYAGAGQ/hlUYPFYFyBKIJEvgAoOeENCKSruCwRNKpKji2BdJ3uUno3EUlIBCGpWc4EoAwCWSDw1kwyZ0AkSgRaANgVLJvAYA/ZEAWYATJZIc7uSnEXknySfU8BeIJJIUtAWFM8nnBIpCQaQNkBKL6ggpZoFyfpJskeTesO4WgHEDyBGpBklkqRAlNLQUEJJA4R2ogEskABtDAZAAUnEDiBziCSUZTKkpT/S6U0PJlMqASIwprUiRFmkVBxSRwQ0tqdUkOLgwyp/U+wCyFSD/AeoSgGwCoCPGABMAhE4ZCzqNmBNLuPkBSCDQTMVzINKakeS44SgMqfrAuZEAzprUjyQxCMgFB+pnUrgJ5NSkBl9QmKVqQAF9JpLUh6e1IExvSnE7gXAA6H4xZTJpHk0aXVK4ChTzpTiaaZgFmnvS4ADUaKZAAADkfgAIEhjCBF54gSQPPn6EKI0YAoTKCoBQGqDYyS0meWMjrEODxE2eu48Onv1ny/JfOU7PGMTIQGHUCiAYZgMUVKKUzygVQdMPdKBm/F8AhYb6VwAFowynEl0kgNdOcC3SpZw07rhgGhG/BspbkpGRIiemsgXpHUplGVMexeAfpxA/6U1MBnDSoZlQUGRIj8mJlc0+EZQKQE1ltS4Z+sgyYbJRkGh5ZTiV2fmzWqeyVgqAaIRoDRDDQAApHx1MQdwYES4bAAikR6CdlqyQ4cPzA26/E+gvRVAP+I0DAhgQccjQN7I8kyy5Z0EMqRxGFg+wE8DAN2UQHJJ78VapeE7Hi2MIUtgwTfDyGTXECIAfA8gLkaNVIBh585ss06UrIkQqy1ZTGf8JXKcTGz+kr082e9Kbkty6pTU36Y9AAC6FUs8GOBsDdS0pgZCIGVN9zRDmgaIZoNELBBggQJtAMECOPhAQSSAaIeCcNEQngSTow0ciciDBBoSfAyINED4EfnQTmgJ0FoLQGBCpJQQsE5oAiAEDAgtQf4qWRIkqm2BwZVs96SdB8Dvy/xhEtEGCF9zvzgQv4x+VBOGjoSfAQLYaLEPQnIhbcDAYicgtoBogGA8IDCc0GBAQSgFYIEIMiDQDIg4J0E4aJgq3kOtwg48mZrIKYwFBT4qsrgPbKcSKt2yfrNdoYSNFEoXKMBSyWoo8kEB5QHgN6Klh2jwzIAwLQ2R3MsV0lQ5nGKxQej+mTSJEGiptloo/brs9FHFJ+h2AMWqLDZJigoOYs7lqxLJJ0WeXYrTAOK1I28yyS4ptluKPF8OD9N4riYS42CmOMRIYuCWrkzFFitMJZOiHRKilasOJc3IdZWKGcripqe4ubG5D/e6Sgofci7Hh9I+AHfUAMMCXNT8lpisJZYssnNAyl4SipJUoSVcAklnQW2cNNSWtoiU2iwNhLkpo5L6YeSh6U4hCWFKxlS4EpaMvsU0hHF/4ZxbvJSWNK/ewuFpe2NbZdo4+zkDpaIKj7gxY+8fXpUYq2UFLBlxSrgCMtsXlLxlRy+JdUsSVnL6lT7JpZotXYZLuE7SnsXWL7G5KglmyiRNsu+URKuAaIA5bEqBVVKnFoKupXMu9ZKt8hNyoPvsHbZatq2XbJFX0pRVoqAVeyrgKUv+W7LEAEykFVMt3mPQ95e8s8RABXhiSRJpAcSQJiWL8T9AQAA -->\n\n<!-- internal state end -->"},"request":{"retryCount":1}},"response":{"url":"https://api.github.com/repos/kinde-oss/kinde-java-sdk/issues/comments/3774102197","status":401,"headers":{"access-control-allow-origin":"*","access-control-expose-headers":"ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset","connection":"close","content-security-policy":"default-src 'none'","content-type":"application/json; charset=utf-8","date":"Wed, 28 Jan 2026 16:27:35 GMT","referrer-policy":"origin-when-cross-origin, strict-origin-when-cross-origin","server":"github.com","strict-transport-security":"max-age=31536000; includeSubdomains; preload","vary":"Accept-Encoding, Accept, X-Requested-With","x-content-type-options":"nosniff","x-frame-options":"deny","x-github-media-type":"github.v3; format=json","x-github-request-id":"300B:32A183:10666BE:49987F1:697A38F7","x-xss-protection":"0"},"data":{"message":"Bad credentials","documentation_url":"https://docs.github.com/rest","status":"401"}}}

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@kinde-core/src/test/java/com/kinde/token/ConnectionIdTokenTest.java`:
- Around line 111-124: The test method
testGetConnectionIdWithExtProviderButNoConnectionId is mislabeled because
JwtGenerator.generateIDToken() produces a token without ext_provider; either
update the `@DisplayName` to reflect "ext_provider is null" or change the token
generation to exercise the intended case: add a new JwtGenerator method (e.g.,
generateIDTokenWithExtProviderNoConnectionId) that builds a token containing an
ext_provider object without a connection_id, call that new generator in
testGetConnectionIdWithExtProviderButNoConnectionId, and keep the existing
assertions against KindeToken (IDToken.init and getConnectionId()) to verify
null is returned.

🧹 Nitpick comments (1)

kinde-j2ee/src/main/java/com/kinde/servlet/KindeAuthenticationServlet.java (1)

68-100: Consider extracting shared authorization URL building logic.

The parameter building and action handling logic (lines 68-100) is nearly identical to KindeAuthenticationFilter (lines 70-102). Consider extracting this to a shared utility class to reduce duplication and ensure consistent behavior.