Skip to content

feat: support setting clientAuthenticationMethod for OIDC#716

Open
dervoeti wants to merge 1 commit intomainfrom
feat/oidc-client-auth-method
Open

feat: support setting clientAuthenticationMethod for OIDC#716
dervoeti wants to merge 1 commit intomainfrom
feat/oidc-client-auth-method

Conversation

@dervoeti
Copy link
Member

@dervoeti dervoeti commented Mar 23, 2026

Description

Part of stackabletech/issues#838

The clientAuthenticationMethod field from the OIDC ClientAuthenticationOptions is currently deserialized but never used. This PR passes it through to the generated superset_config.py as token_endpoint_auth_method.

I tested it in a Kind cluster with our Keycloak setup from the OIDC integration test (by setting the client authentication method to private_key_jwt instead of client_secret_basic, then OIDC login failed, as expected).

Requires an operator-rs release with stackabletech/operator-rs#1178.

Definition of Done Checklist

  • Not all of these items are applicable to all PRs, the author should update this template to only leave the boxes in that are relevant
  • Please make sure all these things are done and tick the boxes

Author

  • Changes are OpenShift compatible
  • CRD changes approved
  • CRD documentation for all fields, following the style guide.
  • Helm chart can be installed and deployed operator works
  • Integration tests passed (for non trivial changes)
  • Changes need to be "offline" compatible
  • Links to generated (nightly) docs added
  • Release note snippet added

Reviewer

  • Code contains useful comments
  • Code contains useful logging statements
  • (Integration-)Test cases added
  • Documentation added or updated. Follows the style guide.
  • Changelog updated
  • Cargo.toml only contains references to git tags (not specific commits or branches)

Acceptance

  • Feature Tracker has been updated
  • Proper release label has been added
  • Links to generated (nightly) docs added
  • Release note snippet added
  • Add type/deprecation label & add to the deprecation schedule
  • Add type/experimental label & add to the experimental features tracker

@dervoeti dervoeti mentioned this pull request Mar 23, 2026
Open
20 tasks
NickLarsenNZ
NickLarsenNZ reviewed Mar 23, 2026
View reviewed changes
rust/operator-binary/src/crd/authentication.rs
client_auth_options: oidc::v1alpha1::ClientAuthenticationOptions {
client_credentials_secret_ref: "superset-oidc-client2".into(),
extra_scopes: Vec::new(),
client_authentication_method: Default::default(),
Copy link
Member

@NickLarsenNZ NickLarsenNZ Mar 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is the field a String? Just curious what the default value is here.

Copy link
Member Author

@dervoeti dervoeti Mar 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, defaults to client_secret_basic: https://github.com/stackabletech/operator-rs/blob/a000311568b65333e7f72399ce17031458785132/crates/stackable-operator/src/crd/authentication/oidc/mod.rs#L117-L118

@dervoeti dervoeti mentioned this pull request Mar 24, 2026
Open
5 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@NickLarsenNZ NickLarsenNZ NickLarsenNZ left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@dervoeti @NickLarsenNZ