feat(oauth): add conditional loading of client key and cert for getti…

…ng a token (#161) Support mTLS for REST API clients with `CAMUNDA_CUSTOM_CERT_CHAIN_PATH` and `CAMUNDA_CUSTOM_PRIVATE_KEY_PATH`.
camunda · May 15, 2024 · f05aa8a · f05aa8a
1 parent 02558d0
commit f05aa8a
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/src/oauth/lib/OAuthProvider.ts b/src/oauth/lib/OAuthProvider.ts
@@ -30,6 +30,8 @@ export class OAuthProvider implements IOAuthProvider {
 	private static readonly defaultTokenCache = `${homedir}/.camunda`
 	private cacheDir: string
 	private authServerUrl: string
+	private mTLSPrivateKey: string | undefined
+	private mTLSCertChain: string | undefined
 	private clientId: string | undefined
 	private clientSecret: string | undefined
 	private useFileCache: boolean
@@ -61,6 +63,12 @@ export class OAuthProvider implements IOAuthProvider {
 
 		this.clientId = config.ZEEBE_CLIENT_ID
 		this.clientSecret = config.ZEEBE_CLIENT_SECRET
+		this.mTLSPrivateKey = config.CAMUNDA_CUSTOM_PRIVATE_KEY_PATH
+			? fs.readFileSync(config.CAMUNDA_CUSTOM_PRIVATE_KEY_PATH).toString()
+			: undefined
+		this.mTLSCertChain = config.CAMUNDA_CUSTOM_CERT_CHAIN_PATH
+			? fs.readFileSync(config.CAMUNDA_CUSTOM_CERT_CHAIN_PATH).toString()
+			: undefined
 
 		this.consoleClientId = config.CAMUNDA_CONSOLE_CLIENT_ID
 		this.consoleClientSecret = config.CAMUNDA_CONSOLE_CLIENT_SECRET
@@ -284,6 +292,8 @@ export class OAuthProvider implements IOAuthProvider {
 				'user-agent': this.userAgentString,
 				accept: '*/*',
 			},
+			key: this.mTLSPrivateKey,
+			cert: this.mTLSCertChain,
 		}
 
 		trace(`Making token request to the token endpoint: `)