feat(rover): implement PatchAuthentication to map clientAuthMethod values

api/api/v1/security_types.go

@@ -4,6 +4,15 @@
 
 package v1
 
+// TokenRequestMethod defines the token endpoint authentication method (RFC 7591).
+// +kubebuilder:validation:Enum=client_secret_basic;client_secret_post
+type TokenRequestMethod string
+
+const (
+	TokenRequestClientSecretBasic TokenRequestMethod = "client_secret_basic"
+	TokenRequestClientSecretPost  TokenRequestMethod = "client_secret_post"
+)
+
 // Security defines the security configuration for the Rover
 // Security is optional, but if provided, exactly one of m2m or h2m must be set
 type Security struct {
@@ -64,10 +73,9 @@ type ExternalIdentityProvider struct {
 	// +kubebuilder:validation:Format=uri
 	TokenEndpoint string `json:"tokenEndpoint"`
 
-	// TokenRequest is the type of token request, "body" or "header"
+	// TokenRequest configures the token endpoint authentication method (RFC 7591)
 	// +kubebuilder:validation:Optional
-	// +kubebuilder:validation:Enum=body;header
-	TokenRequest string `json:"tokenRequest,omitempty"`
+	TokenRequest TokenRequestMethod `json:"tokenRequest,omitempty"`
 
 	// GrantType defines the OAuth2 grant type to use for the token request
 	// +kubebuilder:validation:Optional

api/config/crd/bases/api.cp.ei.telekom.de_apiexposures.yaml

@@ -154,11 +154,11 @@ spec:
                             format: uri
                             type: string
                           tokenRequest:
-                            description: TokenRequest is the type of token request,
-                              "body" or "header"
+                            description: TokenRequest configures the token endpoint
+                              authentication method (RFC 7591)
                             enum:
-                            - body
-                            - header
+                            - client_secret_basic
+                            - client_secret_post
                             type: string
                         required:
                         - tokenEndpoint

api/internal/controller/apiexposure_controller_test.go

@@ -6,7 +6,8 @@
 
 import (
 	"fmt"
+
 	"github.com/telekom/controlplane/api/internal/handler/util"
 	applicationapi "github.com/telekom/controlplane/application/api/v1"
 
 	adminapi "github.com/telekom/controlplane/admin/api/v1"
@@ -156,7 +157,7 @@
 				M2M: &apiapi.Machine2MachineAuthentication{
 					ExternalIDP: &apiapi.ExternalIdentityProvider{
 						TokenEndpoint: "https://example.com/token",
-						TokenRequest:  "header",
+						TokenRequest:  apiapi.TokenRequestClientSecretBasic,
 						GrantType:     "client_credentials",
 						Client: &apiapi.OAuth2ClientCredentials{
 							ClientId:  "client-id",
@@ -392,14 +393,14 @@
 			By("Creating the second APIExposure resource")
 			thirdApiExposure.Spec.Security.M2M = &apiv1.Machine2MachineAuthentication{
 				ExternalIDP: &apiv1.ExternalIdentityProvider{
-					TokenRequest: "sky",
+					TokenRequest: apiv1.TokenRequestMethod("sky"),
 				},
 				Scopes: []string{"team:scope", "api:scope"},
 			}
 			err := k8sClient.Create(ctx, thirdApiExposure)
 			Expect(err).To(HaveOccurred())
 			Expect(apierrors.IsInvalid(err)).To(BeTrue())
-			Expect(err.Error()).To(ContainSubstring("Unsupported value: \"sky\": supported values: \"body\", \"header\""))
+			Expect(err.Error()).To(ContainSubstring("Unsupported value: \"sky\": supported values: \"client_secret_basic\", \"client_secret_post\""))
 
 			thirdApiExposure.Spec.Security.M2M.ExternalIDP.GrantType = "not_a_valid_grant_type"
 			err = k8sClient.Create(ctx, thirdApiExposure)
@@ -413,7 +414,7 @@
 			thirdApiExposure.Spec.Security.M2M = &apiv1.Machine2MachineAuthentication{
 				ExternalIDP: &apiv1.ExternalIdentityProvider{
 					TokenEndpoint: "https://example.com/token",
-					TokenRequest:  "header",
+					TokenRequest:  apiv1.TokenRequestClientSecretBasic,
 					GrantType:     "client_credentials",
 					Client: &apiv1.OAuth2ClientCredentials{
 						ClientId:     "team",
@@ -439,7 +440,7 @@
 				g.Expect(route.Spec.Security.M2M.Scopes).To(Equal([]string{"team:scope", "api:scope"}))
 
 				g.Expect(route.Spec.Security.M2M.ExternalIDP.TokenEndpoint).To(Equal("https://example.com/token"))
-				g.Expect(route.Spec.Security.M2M.ExternalIDP.TokenRequest).To(Equal("header"))
+				g.Expect(route.Spec.Security.M2M.ExternalIDP.TokenRequest).To(Equal(gatewayapi.TokenRequestClientSecretBasic))
 				g.Expect(route.Spec.Security.M2M.ExternalIDP.GrantType).To(Equal("client_credentials"))
 			}, timeout, interval).Should(Succeed())
 		})

api/internal/controller/apisubscription_controller_ratelimiting_test.go

@@ -5,7 +5,7 @@
 package controller
 
 import (
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 	adminapi "github.com/telekom/controlplane/admin/api/v1"
 	apiapi "github.com/telekom/controlplane/api/api/v1"
@@ -83,7 +83,7 @@
 				M2M: &apiapi.Machine2MachineAuthentication{
 					ExternalIDP: &apiapi.ExternalIdentityProvider{
 						TokenEndpoint: "https://example.com/token",
-						TokenRequest:  "header",
+						TokenRequest:  apiapi.TokenRequestClientSecretBasic,
 						GrantType:     "client_credentials",
 						Client: &apiapi.OAuth2ClientCredentials{
 							ClientId:  "client-id",

api/internal/handler/util/route_util.go

@@ -520,7 +520,7 @@ func mapSecurity(apiSecurity *apiapi.Security) *gatewayapi.Security {
 		if apiSecurity.M2M.ExternalIDP != nil {
 			security.M2M.ExternalIDP = &gatewayapi.ExternalIdentityProvider{
 				TokenEndpoint: apiSecurity.M2M.ExternalIDP.TokenEndpoint,
-				TokenRequest:  apiSecurity.M2M.ExternalIDP.TokenRequest,
+				TokenRequest:  gatewayapi.TokenRequestMethod(apiSecurity.M2M.ExternalIDP.TokenRequest),
 				GrantType:     apiSecurity.M2M.ExternalIDP.GrantType,
 			}
 			if apiSecurity.M2M.ExternalIDP.Basic != nil {

discovery-server/internal/mapper/apiexposure/out.go

@@ -13,6 +13,18 @@ import (
 	"github.com/telekom/controlplane/discovery-server/internal/mapper/status"
 )
 
+// tokenRequestCRDToAPI converts CRD tokenRequest values to discovery-server API enum values.
+func tokenRequestCRDToAPI(value apiv1.TokenRequestMethod) api.OAuth2TokenRequest {
+	switch value {
+	case apiv1.TokenRequestClientSecretBasic:
+		return api.Header
+	case apiv1.TokenRequestClientSecretPost:
+		return api.Body
+	default:
+		return api.OAuth2TokenRequest(value)
+	}
+}
+
 // MapResponse maps an ApiExposure CRD to an ApiExposureResponse.
 func MapResponse(in *apiv1.ApiExposure) api.ApiExposureResponse {
 	resp := api.ApiExposureResponse{
@@ -81,7 +93,7 @@ func mapSecurity(in *apiv1.ApiExposure, out *api.ApiExposureResponse) {
 	if m2m.ExternalIDP != nil {
 		oauth2 := api.OAuth2{
 			TokenEndpoint: m2m.ExternalIDP.TokenEndpoint,
-			TokenRequest:  api.OAuth2TokenRequest(m2m.ExternalIDP.TokenRequest),
+			TokenRequest:  tokenRequestCRDToAPI(m2m.ExternalIDP.TokenRequest),
 			GrantType:     m2m.ExternalIDP.GrantType,
 		}
 

discovery-server/internal/mapper/apiexposure/out_test.go

@@ -141,7 +141,7 @@ func TestMapSecurity(t *testing.T) {
 		{
 			name: "external idp oauth2",
 			setup: func(in *apiv1.ApiExposure) {
-				in.Spec.Security = &apiv1.Security{M2M: &apiv1.Machine2MachineAuthentication{ExternalIDP: &apiv1.ExternalIdentityProvider{TokenEndpoint: "https://idp/token", TokenRequest: "body", GrantType: "client_credentials", Client: &apiv1.OAuth2ClientCredentials{ClientId: "cid", ClientSecret: "sec"}}, Scopes: []string{"s1"}}}
+				in.Spec.Security = &apiv1.Security{M2M: &apiv1.Machine2MachineAuthentication{ExternalIDP: &apiv1.ExternalIdentityProvider{TokenEndpoint: "https://idp/token", TokenRequest: apiv1.TokenRequestClientSecretPost, GrantType: "client_credentials", Client: &apiv1.OAuth2ClientCredentials{ClientId: "cid", ClientSecret: "sec"}}, Scopes: []string{"s1"}}}
 			},
 			assert: func(t *testing.T, out api.ApiExposureResponse) {
 				t.Helper()
@@ -157,7 +157,7 @@ func TestMapSecurity(t *testing.T) {
 		{
 			name: "external idp oauth2 with basic credentials",
 			setup: func(in *apiv1.ApiExposure) {
-				in.Spec.Security = &apiv1.Security{M2M: &apiv1.Machine2MachineAuthentication{ExternalIDP: &apiv1.ExternalIdentityProvider{TokenEndpoint: "https://idp/token", TokenRequest: "header", GrantType: "password", Basic: &apiv1.BasicAuthCredentials{Username: "bu", Password: "bp"}}}}
+				in.Spec.Security = &apiv1.Security{M2M: &apiv1.Machine2MachineAuthentication{ExternalIDP: &apiv1.ExternalIdentityProvider{TokenEndpoint: "https://idp/token", TokenRequest: apiv1.TokenRequestClientSecretBasic, GrantType: "password", Basic: &apiv1.BasicAuthCredentials{Username: "bu", Password: "bp"}}}}
 			},
 			assert: func(t *testing.T, out api.ApiExposureResponse) {
 				t.Helper()

gateway/api/v1/security_types.go

@@ -4,6 +4,15 @@
 
 package v1
 
+// TokenRequestMethod defines the token endpoint authentication method (RFC 7591).
+// +kubebuilder:validation:Enum=client_secret_basic;client_secret_post
+type TokenRequestMethod string
+
+const (
+	TokenRequestClientSecretBasic TokenRequestMethod = "client_secret_basic"
+	TokenRequestClientSecretPost  TokenRequestMethod = "client_secret_post"
+)
+
 type Security struct {
 	// DisableAccessControl disable the ACL mechanism for this route
 	// +kubebuilder:validation:Optional
@@ -112,10 +121,9 @@ type ExternalIdentityProvider struct {
 	// +kubebuilder:validation:Format=uri
 	TokenEndpoint string `json:"tokenEndpoint"`
 
-	// TokenRequest is the type of token request, "body" or "header"
+	// TokenRequest configures the token endpoint authentication method (RFC 7591)
 	// +kubebuilder:validation:Optional
-	// +kubebuilder:validation:Enum=body;header
-	TokenRequest string `json:"tokenRequest,omitempty"`
+	TokenRequest TokenRequestMethod `json:"tokenRequest,omitempty"`
 	// GrantType is the grant type for the external IDP authentication
 	// +kubebuilder:validation:Optional
 	// +kubebuilder:validation:Enum=client_credentials;authorization_code;password

gateway/config/crd/bases/gateway.cp.ei.telekom.de_routes.yaml

@@ -197,11 +197,11 @@ spec:
                             format: uri
                             type: string
                           tokenRequest:
-                            description: TokenRequest is the type of token request,
-                              "body" or "header"
+                            description: TokenRequest configures the token endpoint
+                              authentication method (RFC 7591)
                             enum:
-                            - body
-                            - header
+                            - client_secret_basic
+                            - client_secret_post
                             type: string
                         required:
                         - tokenEndpoint
@@ -354,11 +354,11 @@ spec:
                                     format: uri
                                     type: string
                                   tokenRequest:
-                                    description: TokenRequest is the type of token
-                                      request, "body" or "header"
+                                    description: TokenRequest configures the token
+                                      endpoint authentication method (RFC 7591)
                                     enum:
-                                    - body
-                                    - header
+                                    - client_secret_basic
+                                    - client_secret_post
                                     type: string
                                 required:
                                 - tokenEndpoint

gateway/internal/controller/route_controller_test.go

@@ -5,7 +5,7 @@
 package controller
 
 import (
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 	"github.com/telekom/controlplane/common/pkg/condition"
 	"github.com/telekom/controlplane/common/pkg/config"
@@ -144,11 +144,11 @@
 			})
 			It("should not accept a Route with TokenRequest=\"sky\"", func() {
 				By("Creating the Route with TokenRequest=\"sky\"")
-				route.Spec.Security.M2M.ExternalIDP.TokenRequest = "sky"
+				route.Spec.Security.M2M.ExternalIDP.TokenRequest = gatewayv1.TokenRequestMethod("sky")
 				err := k8sClient.Create(ctx, route)
 				Expect(err).To(HaveOccurred())
 				Expect(apierrors.IsInvalid(err)).To(BeTrue())
-				Expect(err.Error()).To(ContainSubstring("spec.security.m2m.externalIDP.tokenRequest: Unsupported value: \"sky\": supported values: \"body\", \"header\""))
+				Expect(err.Error()).To(ContainSubstring("spec.security.m2m.externalIDP.tokenRequest: Unsupported value: \"sky\": supported values: \"client_secret_basic\", \"client_secret_post\""))
 			})
 
 			It("should not accept a Route with GrantType=\"not_required\"", func() {

gateway/internal/features/builder_external_idp_test.go

@@ -215,7 +215,7 @@ func externalIDPProviderRouteOAuth() *gatewayv1.Route {
 		M2M: &gatewayv1.Machine2MachineAuthentication{
 			ExternalIDP: &gatewayv1.ExternalIdentityProvider{
 				TokenEndpoint: "https://example.com/tokenEndpoint",
-				TokenRequest:  "header",
+				TokenRequest:  gatewayv1.TokenRequestClientSecretBasic,
 				GrantType:     "client_credentials",
 				Client: &gatewayv1.OAuth2ClientCredentials{
 					ClientId:     "gateway",
@@ -243,7 +243,7 @@ func externalIDPProviderRouteBasic() *gatewayv1.Route {
 		M2M: &gatewayv1.Machine2MachineAuthentication{
 			ExternalIDP: &gatewayv1.ExternalIdentityProvider{
 				TokenEndpoint: "https://example.com/tokenEndpoint",
-				TokenRequest:  "header",
+				TokenRequest:  gatewayv1.TokenRequestClientSecretBasic,
 				GrantType:     "password",
 				Basic: &gatewayv1.BasicAuthCredentials{
 					Username: "user",
@@ -271,7 +271,7 @@ func externalIDPProviderRouteOAuthJwt() *gatewayv1.Route {
 		M2M: &gatewayv1.Machine2MachineAuthentication{
 			ExternalIDP: &gatewayv1.ExternalIdentityProvider{
 				TokenEndpoint: "https://example.com/tokenEndpoint",
-				TokenRequest:  "header",
+				TokenRequest:  gatewayv1.TokenRequestClientSecretBasic,
 				GrantType:     "client_credentials",
 				Client: &gatewayv1.OAuth2ClientCredentials{
 					ClientId:     "ClientId",

gateway/internal/features/feature/external_idp.go

@@ -6,6 +6,7 @@ package feature
 
 import (
 	"context"
+	"fmt"
 	"strings"
 
 	"github.com/pkg/errors"
@@ -146,7 +147,11 @@ func extendOauth(ctx context.Context, in plugin.OauthCredentials, providerSettin
 		in.Scopes = strings.Join(scopes, " ")
 	}
 
-	in.TokenRequest = providerSettings.TokenRequest
+	tokenRequest, err := tokenRequestToJumper(providerSettings.TokenRequest)
+	if err != nil {
+		return in, err
+	}
+	in.TokenRequest = tokenRequest
 	in.GrantType = providerSettings.GrantType
 
 	return in, nil
@@ -182,3 +187,15 @@ func extendBasic(ctx context.Context, in plugin.OauthCredentials, providerSettin
 
 	return in, nil
 }
+
+// tokenRequestToJumper converts CRD tokenRequest values to the values expected by the Jumper plugin.
+func tokenRequestToJumper(value gatewayv1.TokenRequestMethod) (string, error) {
+	switch value {
+	case gatewayv1.TokenRequestClientSecretBasic:
+		return "header", nil
+	case gatewayv1.TokenRequestClientSecretPost:
+		return "body", nil
+	default:
+		return "", fmt.Errorf("unsupported tokenRequest value %q", value)
+	}
+}

rover-ctl/pkg/handlers/v0/rover.go

@@ -7,6 +7,7 @@ package v0
 import (
 	"context"
 	"maps"
+	"strings"
 
 	"github.com/pkg/errors"
 	"github.com/telekom/controlplane/rover-ctl/pkg/handlers/common"
@@ -65,10 +66,66 @@ func PatchRoverRequest(ctx context.Context, obj types.Object) error {
 		}
 	}
 
+	PatchAuthentication(spec)
+
 	obj.SetContent(spec)
 	return nil
 }
 
+// PatchAuthentication restructures spec.authentication.m2m.clientAuthMethod
+// into spec.authentication.clientAuthMethod for the rover-server API format.
+// It also normalizes "BODY"/"body" to "POST" since the server schema only accepts
+// NONE, POST, BASIC.
+func PatchAuthentication(spec map[string]any) {
+	auth, exists := spec["authentication"]
+	if !exists {
+		return
+	}
+	authMap, ok := auth.(map[string]any)
+	if !ok {
+		return
+	}
+
+	m2m, exists := authMap["m2m"]
+	if !exists {
+		return
+	}
+	m2mMap, ok := m2m.(map[string]any)
+	if !ok {
+		return
+	}
+
+	clientAuthMethod, exists := m2mMap["clientAuthMethod"]
+	if !exists {
+		return
+	}
+
+	spec["authentication"] = map[string]any{
+		"clientAuthMethod": normalizeClientAuthMethod(clientAuthMethod),
+	}
+}
+
+// normalizeClientAuthMethod maps user-friendly aliases to the API enum values.
+// "BODY"/"body" is treated as "POST" per RFC 6749.
+func normalizeClientAuthMethod(value any) any {
+	s, ok := value.(string)
+	if !ok {
+		return value
+	}
+	switch strings.ToUpper(s) {
+	case "BODY":
+		return "POST"
+	case "BASIC":
+		return "BASIC"
+	case "NONE":
+		return "NONE"
+	case "POST":
+		return "POST"
+	default:
+		return value
+	}
+}
+
 func PatchExposures(exposures []any) []map[string]any {
 	if len(exposures) == 0 {
 		return nil