feat: add support for OAuth2 resource parameter in JWT authentication (#269)

Author: Szik

README.md

@@ -51,6 +51,7 @@ operate:
     client-id:
     client-secret:
     scope: # optional
+    resource: # optional
 ```
 
 To adjust the (meaningful) default properties, you can also override them:
@@ -66,6 +67,7 @@ operate:
     client-id:
     client-secret:
     scope: # optional
+    resource: # optional
     client-assertion-keystore-path: # optional
     client-assertion-keystore-password: # optional
     client-assertion-keystore-key-alias: # optional
@@ -102,6 +104,14 @@ operate:
     client-secret:
 ```
 
+### Environment Variables
+
+All configuration properties can also be set via environment variables using Spring Boot's standard naming convention. For example:
+
+- `operate.client.resource` → `OPERATE_CLIENT_RESOURCE`
+- `operate.client.client-id` → `OPERATE_CLIENT_CLIENT_ID`
+- `operate.client.client-secret` → `OPERATE_CLIENT_CLIENT_SECRET`
+
 ### Plain Java
 
 Add the dependency to your project:
@@ -156,6 +166,8 @@ CamundaOperateClientConfiguration configuration =
 CamundaOperateClient client = new CamundaOperateClient(configuration);
 ```
 
+> **Note**: The `JwtCredential` constructor also supports an optional `resource` parameter. If you need to specify a resource in your OAuth2 token requests, you can use the extended constructor that includes the resource parameter.
+
 Build a Camunda Operate client for Saas:
 
 ```java

extension/java-client-operate/src/main/java/io/camunda/operate/auth/JwtAuthentication.java

@@ -93,6 +93,9 @@ private HttpPost buildRequest() throws Exception {
     if (jwtCredential.scope() != null && !jwtCredential.scope().isEmpty()) {
       formParams.add(new BasicNameValuePair("scope", jwtCredential.scope()));
     }
+    if (jwtCredential.resource() != null && !jwtCredential.resource().isEmpty()) {
+      formParams.add(new BasicNameValuePair("resource", jwtCredential.resource()));
+    }
     httpPost.setEntity(new UrlEncodedFormEntity(formParams));
     return httpPost;
   }

extension/java-client-operate/src/main/java/io/camunda/operate/auth/JwtCredential.java

@@ -9,13 +9,14 @@ public record JwtCredential(
     String audience,
     URL authUrl,
     String scope,
+    String resource,
     Path clientAssertionKeystorePath,
     String clientAssertionKeystorePassword,
     String clientAssertionKeystoreKeyAlias,
     String clientAssertionKeystoreKeyPassword) {
 
   public JwtCredential(
       String clientId, String clientSecret, String audience, URL authUrl, String scope) {
-    this(clientId, clientSecret, audience, authUrl, scope, null, null, null, null);
+    this(clientId, clientSecret, audience, authUrl, scope, null, null, null, null, null);
   }
 }

extension/java-client-operate/src/test/java/io/camunda/operate/auth/JwtAuthenticationTest.java

@@ -0,0 +1,165 @@
+package io.camunda.operate.auth;
+
+import static org.junit.jupiter.api.Assertions.*;
+
+import java.net.URI;
+import java.net.URL;
+import org.apache.hc.client5.http.classic.methods.HttpPost;
+import org.apache.hc.client5.http.entity.UrlEncodedFormEntity;
+import org.apache.hc.core5.http.io.entity.EntityUtils;
+import org.junit.jupiter.api.Test;
+
+public class JwtAuthenticationTest {
+
+  @Test
+  void shouldBuildBasicTokenRequest() throws Exception {
+    // Given
+    URL authUrl = URI.create("https://auth.example.com/token").toURL();
+    JwtCredential credential =
+        new JwtCredential(
+            "test-client-id",
+            "test-client-secret",
+            "test-audience",
+            authUrl,
+            "test-scope",
+            null, // no resource parameter - backward compatibility
+            null,
+            null,
+            null,
+            null);
+
+    JwtAuthentication authentication = new JwtAuthentication(credential);
+
+    // Use reflection to access private method for testing
+    java.lang.reflect.Method buildRequestMethod =
+        JwtAuthentication.class.getDeclaredMethod("buildRequest");
+    buildRequestMethod.setAccessible(true);
+
+    // When
+    HttpPost request = (HttpPost) buildRequestMethod.invoke(authentication);
+
+    // Then
+    UrlEncodedFormEntity entity = (UrlEncodedFormEntity) request.getEntity();
+    String entityContent = EntityUtils.toString(entity);
+
+    // Verify standard OAuth2 parameters are included
+    assertTrue(entityContent.contains("client_id=test-client-id"));
+    assertTrue(entityContent.contains("audience=test-audience"));
+    assertTrue(entityContent.contains("scope=test-scope"));
+    assertTrue(entityContent.contains("grant_type=client_credentials"));
+    // Verify resource parameter is not included when null
+    assertFalse(entityContent.contains("resource="));
+  }
+
+  @Test
+  void shouldIncludeResourceParameterInTokenRequest() throws Exception {
+    // Given
+    URL authUrl = URI.create("https://auth.example.com/token").toURL();
+    JwtCredential credential =
+        new JwtCredential(
+            "test-client-id",
+            "test-client-secret",
+            "test-audience",
+            authUrl,
+            "test-scope",
+            "test-resource",
+            null,
+            null,
+            null,
+            null);
+
+    JwtAuthentication authentication = new JwtAuthentication(credential);
+
+    // Use reflection to access private method for testing
+    java.lang.reflect.Method buildRequestMethod =
+        JwtAuthentication.class.getDeclaredMethod("buildRequest");
+    buildRequestMethod.setAccessible(true);
+
+    // When
+    HttpPost request = (HttpPost) buildRequestMethod.invoke(authentication);
+
+    // Then
+    UrlEncodedFormEntity entity = (UrlEncodedFormEntity) request.getEntity();
+    String entityContent = EntityUtils.toString(entity);
+
+    assertTrue(entityContent.contains("resource=test-resource"));
+    assertTrue(entityContent.contains("client_id=test-client-id"));
+    assertTrue(entityContent.contains("audience=test-audience"));
+    assertTrue(entityContent.contains("scope=test-scope"));
+    assertTrue(entityContent.contains("grant_type=client_credentials"));
+  }
+
+  @Test
+  void shouldNotIncludeResourceParameterWhenNull() throws Exception {
+    // Given
+    URL authUrl = URI.create("https://auth.example.com/token").toURL();
+    JwtCredential credential =
+        new JwtCredential(
+            "test-client-id",
+            "test-client-secret",
+            "test-audience",
+            authUrl,
+            "test-scope",
+            null, // resource is null
+            null,
+            null,
+            null,
+            null);
+
+    JwtAuthentication authentication = new JwtAuthentication(credential);
+
+    // Use reflection to access private method for testing
+    java.lang.reflect.Method buildRequestMethod =
+        JwtAuthentication.class.getDeclaredMethod("buildRequest");
+    buildRequestMethod.setAccessible(true);
+
+    // When
+    HttpPost request = (HttpPost) buildRequestMethod.invoke(authentication);
+
+    // Then
+    UrlEncodedFormEntity entity = (UrlEncodedFormEntity) request.getEntity();
+    String entityContent = EntityUtils.toString(entity);
+
+    assertFalse(entityContent.contains("resource="));
+    assertTrue(entityContent.contains("client_id=test-client-id"));
+    assertTrue(entityContent.contains("audience=test-audience"));
+    assertTrue(entityContent.contains("scope=test-scope"));
+  }
+
+  @Test
+  void shouldNotIncludeResourceParameterWhenEmpty() throws Exception {
+    // Given
+    URL authUrl = URI.create("https://auth.example.com/token").toURL();
+    JwtCredential credential =
+        new JwtCredential(
+            "test-client-id",
+            "test-client-secret",
+            "test-audience",
+            authUrl,
+            "test-scope",
+            "", // resource is empty
+            null,
+            null,
+            null,
+            null);
+
+    JwtAuthentication authentication = new JwtAuthentication(credential);
+
+    // Use reflection to access private method for testing
+    java.lang.reflect.Method buildRequestMethod =
+        JwtAuthentication.class.getDeclaredMethod("buildRequest");
+    buildRequestMethod.setAccessible(true);
+
+    // When
+    HttpPost request = (HttpPost) buildRequestMethod.invoke(authentication);
+
+    // Then
+    UrlEncodedFormEntity entity = (UrlEncodedFormEntity) request.getEntity();
+    String entityContent = EntityUtils.toString(entity);
+
+    assertFalse(entityContent.contains("resource="));
+    assertTrue(entityContent.contains("client_id=test-client-id"));
+    assertTrue(entityContent.contains("audience=test-audience"));
+    assertTrue(entityContent.contains("scope=test-scope"));
+  }
+}

extension/spring-boot-starter-camunda-operate/src/main/java/io/camunda/operate/spring/OperateClientConfiguration.java

@@ -82,6 +82,7 @@ public Authentication operateAuthentication() {
                 properties.audience(),
                 properties.authUrl(),
                 properties.scope(),
+                properties.resource(),
                 properties.clientAssertionKeystorePath(),
                 properties.clientAssertionKeystorePassword(),
                 properties.clientAssertionKeystoreKeyAlias(),

extension/spring-boot-starter-camunda-operate/src/main/java/io/camunda/operate/spring/OperateClientConfigurationProperties.java

@@ -21,6 +21,7 @@ public record OperateClientConfigurationProperties(
     URL authUrl,
     String audience,
     String scope,
+    String resource,
     Path clientAssertionKeystorePath,
     String clientAssertionKeystorePassword,
     String clientAssertionKeystoreKeyAlias,

extension/spring-boot-starter-camunda-operate/src/test/java/io/camunda/operate/spring/OperateClientConfigurationPropertiesProfileOidcTest.java

@@ -31,4 +31,52 @@ void shouldApplyProfiles() throws MalformedURLException {
                     "http://localhost:18080/auth/realms/camunda-platform/protocol/openid-connect/token")
                 .toURL());
   }
+
+  @SpringBootTest(
+      properties = {
+        "operate.client.profile=oidc",
+        "operate.client.client-id=test-client",
+        "operate.client.client-secret=test-secret",
+        "operate.client.resource=test-resource"
+      })
+  static class WithResourcePropertyTest {
+    @Autowired OperateClientConfigurationProperties properties;
+
+    @Test
+    void shouldApplyResourceProperty() throws MalformedURLException {
+      assertThat(properties.profile()).isEqualTo(oidc);
+      assertThat(properties.clientId()).isEqualTo("test-client");
+      assertThat(properties.clientSecret()).isEqualTo("test-secret");
+      assertThat(properties.resource()).isEqualTo("test-resource");
+      assertThat(properties.baseUrl()).isEqualTo(URI.create("http://localhost:8081").toURL());
+      assertThat(properties.enabled()).isEqualTo(true);
+      assertThat(properties.authUrl())
+          .isEqualTo(
+              URI.create(
+                      "http://localhost:18080/auth/realms/camunda-platform/protocol/openid-connect/token")
+                  .toURL());
+    }
+  }
+
+  @SpringBootTest(
+      properties = {
+        "operate.client.profile=oidc",
+        "operate.client.client-id=env-test-client",
+        "operate.client.client-secret=env-test-secret",
+        "operate.client.resource=env-test-resource",
+        "operate.client.scope=env-test-scope"
+      })
+  static class EnvironmentVariableTest {
+    @Autowired OperateClientConfigurationProperties properties;
+
+    @Test
+    void shouldSupportEnvironmentVariableMapping() {
+      // Verify that properties can be set via environment-style configuration
+      assertThat(properties.profile()).isEqualTo(oidc);
+      assertThat(properties.clientId()).isEqualTo("env-test-client");
+      assertThat(properties.clientSecret()).isEqualTo("env-test-secret");
+      assertThat(properties.resource()).isEqualTo("env-test-resource");
+      assertThat(properties.scope()).isEqualTo("env-test-scope");
+    }
+  }
 }