feat: make clientAuthenticationMethod configurable in Druid 35.0.1

[dervoeti]

Description

The OIDC tests currently are failing for Druid 35.0.1, because it fails to negotiate the correct client authentication method with Keycloak. This patch allows explicitly setting a method, which our operator is going to do (PR up soon). I raised the same patch PR upstream: apache/druid#19020

I tested building Druid with the patch and then ran the OIDC test with druid.auth.pac4j.oidc.clientAuthenticationMethod set to client_secret_basic and it worked.

Definition of Done Checklist

Note

Not all of these items are applicable to all PRs, the author should update this template to only leave the boxes in that are relevant.

Please make sure all these things are done and tick the boxes

• Changes are OpenShift compatible
• All added packages (via microdnf or otherwise) have a comment on why they are added
• Things not downloaded from Red Hat repositories should be mirrored in the Stackable repository and downloaded from there
• All packages should have (if available) signatures/hashes verified
• Add an entry to the CHANGELOG.md file
• Integration tests ran successfully

TIP: Running integration tests with a new product image

The image can be built and uploaded to the kind cluster with the following commands:

boil build <IMAGE> --image-version <RELEASE_VERSION> --strip-architecture --load
kind load docker-image <MANIFEST_URI> --name=<name-of-your-test-cluster>

See the output of boil to retrieve the image manifest URI for <MANIFEST_URI>.

[maltesander]

The patch name is cut off in an unfortunate way: 0011-feat-add-configurable-clientAuthenticationMethod-to-.patch. And is it rather a "fix" than a "feature"?

[dervoeti]

The patch name is cut off in an unfortunate way: 0011-feat-add-configurable-clientAuthenticationMethod-to-.patch. And is it rather a "fix" than a "feature"?

Yeah that's the generated name by patchable, but I don't think it's important? Not sure. But the patch file itself contains the full message as Subject line.
And I think it's a feature, because it enables more configuration in Druid, even though it is probably often used to fix the problem. But it's also useful if you do not have that problem and want to change this OIDC parameter for some other reason, like you were fine with the default selection but now want something else. So it's not specifically a fix I'd say. A fix would be to make pac4j choose the default in a correct way maybe.

[maltesander]

LGTM!

[dervoeti]

No release note needed, this is not used currently, a future change in druid-operator will leverage this patch though (that one will have a release note).