serverlessworkflow · fjtirado · Dec 18, 2025 · Dec 18, 2025
@@ -13,16 +13,16 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package io.serverlessworkflow.impl.executors.http.auth.requestbuilder;
+package io.serverlessworkflow.impl.auth;
 
 import static io.serverlessworkflow.api.types.OAuth2AuthenticationDataClient.ClientAuthentication.CLIENT_SECRET_POST;
 import static io.serverlessworkflow.impl.WorkflowUtils.isValid;
-import static io.serverlessworkflow.impl.executors.http.SecretKeys.AUDIENCES;
-import static io.serverlessworkflow.impl.executors.http.SecretKeys.AUTHENTICATION;
-import static io.serverlessworkflow.impl.executors.http.SecretKeys.CLIENT;
-import static io.serverlessworkflow.impl.executors.http.SecretKeys.ENCODING;
-import static io.serverlessworkflow.impl.executors.http.SecretKeys.REQUEST;
-import static io.serverlessworkflow.impl.executors.http.SecretKeys.SCOPES;
+import static io.serverlessworkflow.impl.auth.AuthUtils.AUDIENCES;
+import static io.serverlessworkflow.impl.auth.AuthUtils.AUTHENTICATION;
+import static io.serverlessworkflow.impl.auth.AuthUtils.CLIENT;
+import static io.serverlessworkflow.impl.auth.AuthUtils.ENCODING;
+import static io.serverlessworkflow.impl.auth.AuthUtils.REQUEST;
+import static io.serverlessworkflow.impl.auth.AuthUtils.SCOPES;
 
 import io.serverlessworkflow.api.types.OAuth2AuthenticationData;
 import io.serverlessworkflow.api.types.OAuth2AuthenticationDataClient;

@@ -13,27 +13,12 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package io.serverlessworkflow.impl.executors.http;
+package io.serverlessworkflow.impl.auth;
 
-import io.serverlessworkflow.api.types.DigestAuthenticationPolicy;
-import io.serverlessworkflow.api.types.Workflow;
 import io.serverlessworkflow.impl.TaskContext;
-import io.serverlessworkflow.impl.WorkflowApplication;
 import io.serverlessworkflow.impl.WorkflowContext;
 import io.serverlessworkflow.impl.WorkflowModel;
-import jakarta.ws.rs.client.Invocation.Builder;
 
-public class DigestAuthProvider implements AuthProvider {
-
-  public DigestAuthProvider(
-      WorkflowApplication app, Workflow workflow, DigestAuthenticationPolicy authPolicy) {
-    throw new UnsupportedOperationException("Digest auth not supported yet");
-  }
-
-  @Override
-  public Builder build(
-      Builder builder, WorkflowContext workflow, TaskContext task, WorkflowModel model) {
-    // TODO Auto-generated method stub
-    return builder;
-  }
+public interface AccessTokenProvider {
+  JWT validateAndGet(WorkflowContext workflow, TaskContext context, WorkflowModel model);
 }
@@ -0,0 +1,24 @@
+/*
+ * Copyright 2020-Present The Serverless Workflow Specification Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.serverlessworkflow.impl.auth;
+
+import java.util.List;
+
+public interface AccessTokenProviderFactory {
+
+  AccessTokenProvider build(
+      HttpRequestInfo requestInfo, List<String> issuers, JWTConverter converter);
+}
@@ -13,14 +13,15 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package io.serverlessworkflow.impl.executors.http;
+package io.serverlessworkflow.impl.auth;
 
 import io.serverlessworkflow.impl.TaskContext;
 import io.serverlessworkflow.impl.WorkflowContext;
 import io.serverlessworkflow.impl.WorkflowModel;
-import jakarta.ws.rs.client.Invocation;
 
-interface AuthProvider {
-  Invocation.Builder build(
-      Invocation.Builder builder, WorkflowContext workflow, TaskContext task, WorkflowModel model);
+public interface AuthProvider {
+
+  String authScheme();
+
+  String authParameter(WorkflowContext workflow, TaskContext task, WorkflowModel model);
 }
@@ -13,20 +13,26 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package io.serverlessworkflow.impl.executors.http;
+package io.serverlessworkflow.impl.auth;
 
 import io.serverlessworkflow.api.types.AuthenticationPolicyUnion;
+import io.serverlessworkflow.api.types.EndpointConfiguration;
 import io.serverlessworkflow.api.types.ReferenceableAuthenticationPolicy;
 import io.serverlessworkflow.api.types.Workflow;
 import io.serverlessworkflow.impl.WorkflowApplication;
 import io.serverlessworkflow.impl.WorkflowDefinition;
 import java.util.Optional;
 
-class AuthProviderFactory {
+public class AuthProviderFactory {
 
   private AuthProviderFactory() {}
 
-  static final String AUTH_HEADER_NAME = "Authorization";
+  public static Optional<AuthProvider> getAuth(
+      WorkflowDefinition definition, EndpointConfiguration configuration) {
+    return configuration == null
+        ? Optional.empty()
+        : getAuth(definition, configuration.getAuthentication());
+  }
 
   public static Optional<AuthProvider> getAuth(
       WorkflowDefinition definition, ReferenceableAuthenticationPolicy auth) {
@@ -64,9 +70,8 @@ private static Optional<AuthProvider> buildFromPolicy(
           new BearerAuthProvider(
               app, workflow, authenticationPolicy.getBearerAuthenticationPolicy()));
     } else if (authenticationPolicy.getDigestAuthenticationPolicy() != null) {
-      return Optional.of(
-          new DigestAuthProvider(
-              app, workflow, authenticationPolicy.getDigestAuthenticationPolicy()));
+      // TODO implement digest authentication
+      return Optional.empty();
     } else if (authenticationPolicy.getOAuth2AuthenticationPolicy() != null) {
       return Optional.of(
           new OAuth2AuthProvider(

@@ -13,7 +13,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package io.serverlessworkflow.impl.executors.http.auth.requestbuilder;
+package io.serverlessworkflow.impl.auth;
 
 import io.serverlessworkflow.api.types.OAuth2AuthenticationData;
 import java.util.Map;

@@ -13,12 +13,13 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package io.serverlessworkflow.impl.executors.http;
+package io.serverlessworkflow.impl.auth;
 
-public class SecretKeys {
+public class AuthUtils {
 
-  private SecretKeys() {}
+  private AuthUtils() {}
 
+  public static final String AUTH_HEADER_NAME = "Authorization";
   public static final String GRANT = "grant";
   public static final String USER = "username";
   public static final String CLIENT = "client";
@@ -34,4 +35,10 @@ private SecretKeys() {}
   public static final String REQUEST = "request";
   public static final String ENCODING = "encoding";
   public static final String AUTHENTICATION = "authentication";
+
+  private static final String AUTH_HEADER_FORMAT = "%s %s";
+
+  public static String authHeaderValue(String scheme, String parameter) {
+    return String.format(AUTH_HEADER_FORMAT, scheme, parameter);
+  }
 }
@@ -13,12 +13,12 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package io.serverlessworkflow.impl.executors.http;
+package io.serverlessworkflow.impl.auth;
 
 import static io.serverlessworkflow.impl.WorkflowUtils.checkSecret;
 import static io.serverlessworkflow.impl.WorkflowUtils.secretProp;
-import static io.serverlessworkflow.impl.executors.http.SecretKeys.PASSWORD;
-import static io.serverlessworkflow.impl.executors.http.SecretKeys.USER;
+import static io.serverlessworkflow.impl.auth.AuthUtils.PASSWORD;
+import static io.serverlessworkflow.impl.auth.AuthUtils.USER;
 
 import io.serverlessworkflow.api.types.BasicAuthenticationPolicy;
 import io.serverlessworkflow.api.types.Workflow;
@@ -30,7 +30,7 @@
 import io.serverlessworkflow.impl.WorkflowValueResolver;
 import java.util.Base64;
 
-class BasicAuthProvider extends AbstractAuthProvider {
+class BasicAuthProvider implements AuthProvider {
 
   private static final String USER_PASSWORD = "%s:%s";
 
@@ -57,7 +57,7 @@ public BasicAuthProvider(
   }
 
   @Override
-  protected String authParameter(WorkflowContext workflow, TaskContext task, WorkflowModel model) {
+  public String authParameter(WorkflowContext workflow, TaskContext task, WorkflowModel model) {
     return new String(
         Base64.getEncoder()
             .encode(
@@ -69,7 +69,7 @@ protected String authParameter(WorkflowContext workflow, TaskContext task, Workf
   }
 
   @Override
-  protected String authScheme() {
+  public String authScheme() {
     return "Basic";
   }
 }
@@ -13,11 +13,11 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package io.serverlessworkflow.impl.executors.http;
+package io.serverlessworkflow.impl.auth;
 
 import static io.serverlessworkflow.impl.WorkflowUtils.checkSecret;
 import static io.serverlessworkflow.impl.WorkflowUtils.secretProp;
-import static io.serverlessworkflow.impl.executors.http.SecretKeys.TOKEN;
+import static io.serverlessworkflow.impl.auth.AuthUtils.TOKEN;
 
 import io.serverlessworkflow.api.types.BearerAuthenticationPolicy;
 import io.serverlessworkflow.api.types.BearerAuthenticationPolicyConfiguration;
@@ -29,7 +29,7 @@
 import io.serverlessworkflow.impl.WorkflowUtils;
 import io.serverlessworkflow.impl.WorkflowValueResolver;
 
-class BearerAuthProvider extends AbstractAuthProvider {
+class BearerAuthProvider implements AuthProvider {
 
   private WorkflowValueResolver<String> tokenFilter;
 
@@ -48,12 +48,12 @@ public BearerAuthProvider(
   }
 
   @Override
-  protected String authParameter(WorkflowContext workflow, TaskContext task, WorkflowModel model) {
+  public String authParameter(WorkflowContext workflow, TaskContext task, WorkflowModel model) {
     return tokenFilter.apply(workflow, task, model);
   }
 
   @Override
-  protected String authScheme() {
+  public String authScheme() {
     return "Bearer";
   }
 }
@@ -13,14 +13,14 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package io.serverlessworkflow.impl.executors.http.auth.requestbuilder;
+package io.serverlessworkflow.impl.auth;
 
-import static io.serverlessworkflow.impl.executors.http.SecretKeys.CLIENT;
-import static io.serverlessworkflow.impl.executors.http.SecretKeys.GRANT;
-import static io.serverlessworkflow.impl.executors.http.SecretKeys.ID;
-import static io.serverlessworkflow.impl.executors.http.SecretKeys.PASSWORD;
-import static io.serverlessworkflow.impl.executors.http.SecretKeys.SECRET;
-import static io.serverlessworkflow.impl.executors.http.SecretKeys.USER;
+import static io.serverlessworkflow.impl.auth.AuthUtils.CLIENT;
+import static io.serverlessworkflow.impl.auth.AuthUtils.GRANT;
+import static io.serverlessworkflow.impl.auth.AuthUtils.ID;
+import static io.serverlessworkflow.impl.auth.AuthUtils.PASSWORD;
+import static io.serverlessworkflow.impl.auth.AuthUtils.SECRET;
+import static io.serverlessworkflow.impl.auth.AuthUtils.USER;
 
 import io.serverlessworkflow.api.types.OAuth2AuthenticationData;
 import io.serverlessworkflow.impl.WorkflowApplication;

@@ -13,7 +13,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package io.serverlessworkflow.impl.executors.http.auth.requestbuilder;
+package io.serverlessworkflow.impl.auth;
 
 import static io.serverlessworkflow.api.types.OAuth2AuthenticationData.OAuth2AuthenticationDataGrant.CLIENT_CREDENTIALS;
 import static io.serverlessworkflow.api.types.OAuth2AuthenticationData.OAuth2AuthenticationDataGrant.PASSWORD;

@@ -13,14 +13,14 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package io.serverlessworkflow.impl.executors.http.auth.requestbuilder;
+package io.serverlessworkflow.impl.auth;
 
-import static io.serverlessworkflow.impl.executors.http.SecretKeys.CLIENT;
-import static io.serverlessworkflow.impl.executors.http.SecretKeys.GRANT;
-import static io.serverlessworkflow.impl.executors.http.SecretKeys.ID;
-import static io.serverlessworkflow.impl.executors.http.SecretKeys.PASSWORD;
-import static io.serverlessworkflow.impl.executors.http.SecretKeys.SECRET;
-import static io.serverlessworkflow.impl.executors.http.SecretKeys.USER;
+import static io.serverlessworkflow.impl.auth.AuthUtils.CLIENT;
+import static io.serverlessworkflow.impl.auth.AuthUtils.GRANT;
+import static io.serverlessworkflow.impl.auth.AuthUtils.ID;
+import static io.serverlessworkflow.impl.auth.AuthUtils.PASSWORD;
+import static io.serverlessworkflow.impl.auth.AuthUtils.SECRET;
+import static io.serverlessworkflow.impl.auth.AuthUtils.USER;
 
 import io.serverlessworkflow.api.types.OAuth2AuthenticationData;
 import io.serverlessworkflow.impl.WorkflowApplication;