chio chuan ooi created CAMEL-23974:
--------------------------------------

             Summary: camel-zeebe: OAuth clientId/clientSecret/oAuthAPI 
configured on ZeebeComponent are never passed to ZeebeService, so no 
authentication occurs
                 Key: CAMEL-23974
                 URL: https://issues.apache.org/jira/browse/CAMEL-23974
             Project: Camel
          Issue Type: Bug
    Affects Versions: 4.18.3
            Reporter: chio chuan ooi


camel-zeebe's OAuth configuration (clientId, clientSecret, oAuthAPI) is 
silently ignored. These properties are correctly exposed and bound on 
ZeebeComponent (e.g. via camel.component.zeebe.client-id, 
camel.component.zeebe.client-secret, camel.component.zeebe.o-auth-a-p-i in 
Spring Boot), but they are never propagated to the internal ZeebeService, which 
is the class that actually builds the ZeebeClient used for startProcess and 
job-worker registration.

As a result, no OAuth token request is ever made and no bearer token is ever 
attached to gRPC calls, regardless of configuration — the client always falls 
back to usePlaintext()/no-credentials, with no error or warning surfaced to the 
user. This is a silent failure: a user can configure full OAuth credentials, 
deploy to production, and never know authentication isn't happening.

issue: 

{{ZeebeComponent.doStart()}} constructs {{ZeebeService}} using only:
 
{code:java}
zeebeService = new ZeebeService(gatewayHost, gatewayPort); 

//but clientId is a private field on ZeebeService that is never assigned, so it 
is always null at runtime and this branch is unreachable in practice.

if (clientId != null) {
    // builds OAuthCredentialsProvider and passes to ZeebeClient
} else {
    // usePlaintext(), no credentials
}

{code}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to