From c0811e59add0f52d1c6b70797354968211f3c352 Mon Sep 17 00:00:00 2001 From: Nick Larsen Date: Tue, 10 Mar 2026 15:10:54 +0100 Subject: [PATCH 1/3] Revert "feat: add support for specifying a clientAuthenticationMethod for OIDC (#1158)" This reverts commit 53748afd4c80a7a1e4a345ab5d5e65add47a265b. --- .../stackable-operator/crds/DummyCluster.yaml | 10 ---- .../src/crd/authentication/oidc/mod.rs | 59 ------------------- 2 files changed, 69 deletions(-) diff --git a/crates/stackable-operator/crds/DummyCluster.yaml b/crates/stackable-operator/crds/DummyCluster.yaml index 7f2e06039..e630b8b0e 100644 --- a/crates/stackable-operator/crds/DummyCluster.yaml +++ b/crates/stackable-operator/crds/DummyCluster.yaml @@ -30,16 +30,6 @@ spec: description: This field contains OIDC-specific configuration. It is only required in case OIDC is used. nullable: true properties: - clientAuthenticationMethod: - default: client_secret_basic - description: 'The client authentication method used when communicating with the token endpoint. Defaults to `client_secret_basic`. The required contents of `clientCredentialsSecret` depend on the chosen method: secret-based methods (`client_secret_basic`, `client_secret_post`, `client_secret_jwt`) expect a client secret, while `private_key_jwt` expects a private key.' - enum: - - client_secret_basic - - client_secret_post - - client_secret_jwt - - private_key_jwt - - none - type: string clientCredentialsSecret: description: |- A reference to the OIDC client credentials secret. The secret contains diff --git a/crates/stackable-operator/src/crd/authentication/oidc/mod.rs b/crates/stackable-operator/src/crd/authentication/oidc/mod.rs index c818d77b4..dd7aa35aa 100644 --- a/crates/stackable-operator/src/crd/authentication/oidc/mod.rs +++ b/crates/stackable-operator/src/crd/authentication/oidc/mod.rs 
@@ -90,46 +90,6 @@ pub mod versioned {
 Keycloak,
 }

- /// OAuth2 client authentication methods as defined in the OpenID Connect Core spec.
- ///
- /// These methods are used by clients to authenticate to the authorization server
- /// when using the token endpoint.
- ///
- /// See for details.
- #[derive(
- Clone,
- Copy,
- Debug,
- Default,
- Deserialize,
- Eq,
- Hash,
- JsonSchema,
- Ord,
- PartialEq,
- PartialOrd,
- Serialize,
- )]
- #[serde(rename_all = "snake_case")]
- pub enum ClientAuthenticationMethod {
- /// Authenticate using HTTP Basic authentication with client_id and client_secret.
- /// This is the default method according to the OIDC spec.
- #[default]
- ClientSecretBasic,
-
- /// Send client_id and client_secret in the request body.
- ClientSecretPost,
-
- /// Authenticate using a JWT signed with an HMAC SHA algorithm using the client_secret.
- ClientSecretJwt,
-
- /// Authenticate using a JWT signed with the client's private key.
- PrivateKeyJwt,
-
- /// No client authentication (for public clients or implicit flow).
- None,
- }
-
 /// OIDC specific config options. These are set on the product config level.
 #[derive(
 Clone, Debug, Deserialize, Eq, Hash, JsonSchema, Ord, PartialEq, PartialOrd, Serialize,
@@ -151,25 +111,6 @@ pub mod versioned {
 #[serde(default)]
 pub extra_scopes: Vec,

- /// The OAuth2 client authentication method to use for token endpoint requests.
- /// Defaults to [`ClientAuthenticationMethod::ClientSecretBasic`].
- ///
- /// The contents and format of the `clientCredentialsSecret` depend on the selected
- /// method. For example, [`ClientAuthenticationMethod::ClientSecretBasic`] and
- /// [`ClientAuthenticationMethod::ClientSecretPost`] require a client secret string, whereas
- /// [`ClientAuthenticationMethod::PrivateKeyJwt`] requires a private key.
- ///
- /// See [`ClientAuthenticationMethod`] for available options.
- #[schemars(
- description = "The client authentication method used when communicating with the token \
- endpoint. Defaults to `client_secret_basic`. The required contents of \
- `clientCredentialsSecret` depend on the chosen method: secret-based methods \
- (`client_secret_basic`, `client_secret_post`, `client_secret_jwt`) expect a client \
- secret, while `private_key_jwt` expects a private key."
- )]
- #[serde(default)]
- pub client_authentication_method: ClientAuthenticationMethod,
-
 // If desired, operators can add custom fields that are only needed for this specific product.
 // They need to create a struct holding them and pass that as `T`.
 #[serde(flatten)]
From 6bba43a35d9553eb687006e8de1bca1b43f15b4b Mon Sep 17 00:00:00 2001
From: Nick Larsen
Date: Tue, 10 Mar 2026 15:19:59 +0100
Subject: [PATCH 2/3] chore: Update changelog

---
 crates/stackable-operator/CHANGELOG.md | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/crates/stackable-operator/CHANGELOG.md b/crates/stackable-operator/CHANGELOG.md
index 94110ca9c..40e9613e3 100644
--- a/crates/stackable-operator/CHANGELOG.md
+++ b/crates/stackable-operator/CHANGELOG.md
@@ -4,6 +4,13 @@ All notable changes to this project will be documented in this file.

 ## [Unreleased]

+### Removed
+
+- Reverted support for specifying a `clientAuthenticationMethod` for OIDC ([#1170]).
+ It can be added back afer the SDP release.
+
+[#1170]: https://github.com/stackabletech/operator-rs/pull/1170
+
 ## [0.107.1] - 2026-03-10

 ### Added
From a9e343f6e2e9a5f965f082e3b60f32c4698be891 Mon Sep 17 00:00:00 2001
From: Nick <10092581+NickLarsenNZ@users.noreply.github.com>
Date: Tue, 10 Mar 2026 15:28:50 +0100
Subject: [PATCH 3/3] Update crates/stackable-operator/CHANGELOG.md

Co-authored-by: Techassi
---
 crates/stackable-operator/CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crates/stackable-operator/CHANGELOG.md b/crates/stackable-operator/CHANGELOG.md
index 40e9613e3..cfcafb958 100644
--- a/crates/stackable-operator/CHANGELOG.md
+++ b/crates/stackable-operator/CHANGELOG.md
@@ -7,7 +7,7 @@ All notable changes to this project will be documented in this file.
 ### Removed

 - Reverted support for specifying a `clientAuthenticationMethod` for OIDC ([#1170]).
- It can be added back afer the SDP release.
+ It can be added back afer the SDP 26.3.0 release.

 [#1170]: https://github.com/stackabletech/operator-rs/pull/1170