From ef232aa9f375ad67d3c00d7ae23485308475ed18 Mon Sep 17 00:00:00 2001
From: dervoeti <lukas.krug@stackable.tech>
Date: Mon, 23 Mar 2026 19:07:22 +0100
Subject: [PATCH] feat: support setting clientAuthenticationMethod for OIDC

---
 rust/operator-binary/src/config.rs             | 11 +++++++++++
 rust/operator-binary/src/crd/authentication.rs |  2 ++
 2 files changed, 13 insertions(+)

diff --git a/rust/operator-binary/src/config.rs b/rust/operator-binary/src/config.rs
index 9dc32c2f..54fa56c0 100644
--- a/rust/operator-binary/src/config.rs
+++ b/rust/operator-binary/src/config.rs
@@ -244,6 +244,14 @@ fn append_oidc_config(
                 let well_known_config_url = oidc
                     .well_known_config_url()
                     .context(InvalidWellKnownConfigUrlSnafu)?;
+                let client_auth_method = serde_json::to_value(
+                    client_options.client_authentication_method,
+                )
+                .expect("ClientAuthenticationMethod should serialize to JSON");
+                let client_auth_method = client_auth_method
+                    .as_str()
+                    .expect("ClientAuthenticationMethod should serialize to a string");
+
                 formatdoc!(
                     "
                       {{ 'name': 'keycloak',
@@ -257,6 +265,7 @@ fn append_oidc_config(
                           }},
                           'api_base_url': '{api_base_url}',
                           'server_metadata_url': '{well_known_config_url}',
+                          'token_endpoint_auth_method': '{client_auth_method}',
                         }},
                       }}",
                     scopes = scopes.join(" "),
@@ -340,6 +349,7 @@ mod tests {
         let oidc = oidc::v1alpha1::ClientAuthenticationOptions {
             client_credentials_secret_ref: "nifi-keycloak-client".to_owned(),
             extra_scopes: vec![],
+            client_authentication_method: Default::default(),
             product_specific_fields: (),
         };
 
@@ -357,6 +367,7 @@ mod tests {
         assert!(oauth_providers.contains("client_id': os.environ.get("));
         assert!(oauth_providers.contains("client_secret': os.environ.get("));
         assert!(oauth_providers.contains("'scope': 'openid'"));
+        assert!(oauth_providers.contains("'token_endpoint_auth_method': 'client_secret_basic'"));
         assert!(oauth_providers.contains(&format!("'api_base_url': '{expected_api_base_url}'")));
         assert!(oauth_providers.contains(&format!(
             "'server_metadata_url': '{expected_server_metadata_url}'"
diff --git a/rust/operator-binary/src/crd/authentication.rs b/rust/operator-binary/src/crd/authentication.rs
index 5fda6398..905c98e1 100644
--- a/rust/operator-binary/src/crd/authentication.rs
+++ b/rust/operator-binary/src/crd/authentication.rs
@@ -486,6 +486,7 @@ mod tests {
                         client_auth_options: oidc::v1alpha1::ClientAuthenticationOptions {
                             client_credentials_secret_ref: "superset-oidc-client1".into(),
                             extra_scopes: vec!["groups".into()],
+                            client_authentication_method: Default::default(),
                             product_specific_fields: ()
                         }
                     },
@@ -502,6 +503,7 @@ mod tests {
                         client_auth_options: oidc::v1alpha1::ClientAuthenticationOptions {
                             client_credentials_secret_ref: "superset-oidc-client2".into(),
                             extra_scopes: Vec::new(),
+                            client_authentication_method: Default::default(),
                             product_specific_fields: ()
                         }
                     }