From 9b4ca8e95c64b440cb0545daef06ca9e71fc7e37 Mon Sep 17 00:00:00 2001
From: dervoeti
Date: Mon, 23 Mar 2026 19:14:20 +0100
Subject: [PATCH] feat: support setting clientAuthenticationMethod for OIDC
---
 rust/operator-binary/src/config.rs | 13 +++++++++++++
 rust/operator-binary/src/crd/authentication.rs | 2 ++
 2 files changed, 15 insertions(+)
diff --git a/rust/operator-binary/src/config.rs b/rust/operator-binary/src/config.rs
index 7d5382e3..8ffa9655 100644
--- a/rust/operator-binary/src/config.rs
+++ b/rust/operator-binary/src/config.rs
@@ -235,6 +235,14 @@ fn append_oidc_config(
 .well_known_config_url()
 .context(InvalidWellKnownConfigUrlSnafu)?;
+ let client_auth_method = serde_json::to_value(
+ client_options.client_authentication_method,
+ )
+ .expect("ClientAuthenticationMethod should serialize to JSON");
+ let client_auth_method = client_auth_method
+ .as_str()
+ .expect("ClientAuthenticationMethod should serialize to a string");
+
 formatdoc!(
 "
 {{ 'name': 'keycloak',
@@ -248,6 +256,7 @@ fn append_oidc_config(
 }},
 'api_base_url': '{api_base_url}',
 'server_metadata_url': '{well_known_config_url}',
+ 'token_endpoint_auth_method': '{client_auth_method}',
 }},
 }}",
 scopes = scopes.join(" "),
@@ -460,6 +469,7 @@ mod tests {
 oidc: oidc::v1alpha1::ClientAuthenticationOptions {
 client_credentials_secret_ref: "test-client-secret1".to_string(),
 extra_scopes: vec!["roles".to_string()],
+ client_authentication_method: Default::default(),
 product_specific_fields: (),
 },
 },
@@ -468,6 +478,7 @@ mod tests {
 oidc: oidc::v1alpha1::ClientAuthenticationOptions {
 client_credentials_secret_ref: "test-client-secret2".to_string(),
 extra_scopes: vec![],
+ client_authentication_method: Default::default(),
 product_specific_fields: (),
 },
 },
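Review bot: The two `.expect()` calls added in the `@@ -235,6 +235,14 @@` hunk of config.rs make config generation panic instead of returning an error if `ClientAuthenticationMethod` ever serialises to anything other than a JSON string, for example after a data-carrying variant is added upstream. The line just above already propagates failure with `.context(InvalidWellKnownConfigUrlSnafu)?`, so a dedicated snafu variant with `?` would keep the function's error handling uniform. If the type offers a direct string conversion such as `Display` or `AsRef<str>` (not visible in this diff), using it would also remove the `serde_json::to_value` round trip. `append_oidc_config` starts and ends outside the hunk.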
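Review bot: In the `@@ -248,6 +256,7 @@` hunk of config.rs, `'{client_auth_method}'` is written into a single-quoted Python literal of the generated config without escaping, so its safety rests entirely on the value being the serialised name of a closed enum. That assumption should be recorded next to the binding above `formatdoc!(`, for example `// Embedded unescaped below: this is the serde name of a closed enum, never free-form user text.` It is also worth confirming that every variant the CRD accepts is a `token_endpoint_auth_method` the consuming OAuth client supports; the variants are not visible in this diff, and an unsupported value would presumably only surface when a user tries to log in. The template and `append_oidc_config` both continue outside the hunk.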
@@ -509,6 +520,7 @@ mod tests {
 }},
 'api_base_url': 'https://my.keycloak1.server:12345/realms/sdp/protocol/',
 'server_metadata_url': 'https://my.keycloak1.server:12345/realms/sdp/.well-known/openid-configuration',
+ 'token_endpoint_auth_method': 'client_secret_basic',
 }},
 }},
 {{ 'name': 'keycloak',
@@ -522,6 +534,7 @@ mod tests {
 }},
 'api_base_url': 'http://my.keycloak2.server/protocol/',
 'server_metadata_url': 'http://my.keycloak2.server/.well-known/openid-configuration',
+ 'token_endpoint_auth_method': 'client_secret_basic',
 }},
 }}
 ]
diff --git a/rust/operator-binary/src/crd/authentication.rs b/rust/operator-binary/src/crd/authentication.rs
index 6f9a6d53..30168aaa 100644
--- a/rust/operator-binary/src/crd/authentication.rs
+++ b/rust/operator-binary/src/crd/authentication.rs
@@ -472,6 +472,7 @@ mod tests {
 oidc: oidc::v1alpha1::ClientAuthenticationOptions {
 client_credentials_secret_ref: "airflow-oidc-client1".into(),
 extra_scopes: vec!["groups".into()],
+ client_authentication_method: Default::default(),
 product_specific_fields: ()
 }
 },
@@ -488,6 +489,7 @@ mod tests {
 oidc: oidc::v1alpha1::ClientAuthenticationOptions {
 client_credentials_secret_ref: "airflow-oidc-client2".into(),
 extra_scopes: Vec::new(),
+ client_authentication_method: Default::default(),
 product_specific_fields: ()
 }
 }
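Review bot: The expected output in the config.rs test hunks (`@@ -509,6 +520,7 @@` and `@@ -522,6 +534,7 @@`) only ever asserts `'token_endpoint_auth_method': 'client_secret_basic'`, because every fixture in this patch sets `client_authentication_method: Default::default()`. The new serialise-and-interpolate path is therefore never exercised with a non-default method, so a wrong serde rename on another variant would go unnoticed. Giving the second provider fixture (the `test-client-secret2` entry) a non-default variant and asserting its serialised name in the second expected block would cover it. `mod tests` starts and ends outside these hunks.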