From 70773ab8db3ab90052fbeeb22eb4f776e572cde2 Mon Sep 17 00:00:00 2001
From: Srikanth Padakanti <srikanth_padakanti@apple.com>
Date: Tue, 12 May 2026 01:50:19 -0500
Subject: [PATCH 1/4] Change bearer_token from String to PluginConfigVariable
 for secrets manager integration

Signed-off-by: Srikanth Padakanti <srikanth_padakanti@apple.com>
---
 .../configuration/AuthenticationConfig.java   |  9 +++++---
 .../auth/AtlassianBearerTokenAuthConfig.java  | 22 ++++++++++++-------
 .../rest/auth/AtlassianAuthFactoryTest.java   |  6 +++--
 .../AtlassianBearerTokenAuthConfigTest.java   | 21 ++++++++++++------
 .../utils/ConfluenceConfigHelper.java         |  6 +++--
 .../ConfluenceConfigHelperTest.java           | 10 +++++++--
 6 files changed, 50 insertions(+), 24 deletions(-)

diff --git a/data-prepper-plugins/saas-source-plugins/atlassian-commons/src/main/java/org/opensearch/dataprepper/plugins/source/atlassian/configuration/AuthenticationConfig.java b/data-prepper-plugins/saas-source-plugins/atlassian-commons/src/main/java/org/opensearch/dataprepper/plugins/source/atlassian/configuration/AuthenticationConfig.java
index 595c739ea9..b1c109ae89 100644
--- a/data-prepper-plugins/saas-source-plugins/atlassian-commons/src/main/java/org/opensearch/dataprepper/plugins/source/atlassian/configuration/AuthenticationConfig.java
+++ b/data-prepper-plugins/saas-source-plugins/atlassian-commons/src/main/java/org/opensearch/dataprepper/plugins/source/atlassian/configuration/AuthenticationConfig.java
@@ -14,6 +14,7 @@
 import jakarta.validation.Valid;
 import jakarta.validation.constraints.AssertTrue;
 import lombok.Getter;
+import org.opensearch.dataprepper.model.plugin.PluginConfigVariable;
 
 import static org.opensearch.dataprepper.plugins.source.atlassian.utils.Constants.BASIC;
 import static org.opensearch.dataprepper.plugins.source.atlassian.utils.Constants.BEARER_TOKEN;
@@ -31,13 +32,14 @@ public class AuthenticationConfig {
     private Oauth2Config oauth2Config;
 
     @JsonProperty("bearer_token")
-    private String bearerToken;
+    private PluginConfigVariable bearerToken;
 
     @AssertTrue(message = "Authentication config should have exactly one of basic, oauth2, or bearer_token")
     private boolean isValidAuthenticationConfig() {
         boolean hasBasic = basicConfig != null;
         boolean hasOauth = oauth2Config != null;
-        boolean hasBearer = bearerToken != null && !bearerToken.isEmpty();
+        boolean hasBearer = bearerToken != null && bearerToken.getValue() != null
+                && !((String) bearerToken.getValue()).isEmpty();
         int count = (hasBasic ? 1 : 0) + (hasOauth ? 1 : 0) + (hasBearer ? 1 : 0);
         return count == 1;
     }
@@ -45,7 +47,8 @@ private boolean isValidAuthenticationConfig() {
     public String getAuthType() {
         if (basicConfig != null) {
             return BASIC;
-        } else if (bearerToken != null && !bearerToken.isEmpty()) {
+        } else if (bearerToken != null && bearerToken.getValue() != null
+                && !((String) bearerToken.getValue()).isEmpty()) {
             return BEARER_TOKEN;
         } else {
             return OAUTH2;
diff --git a/data-prepper-plugins/saas-source-plugins/atlassian-commons/src/main/java/org/opensearch/dataprepper/plugins/source/atlassian/rest/auth/AtlassianBearerTokenAuthConfig.java b/data-prepper-plugins/saas-source-plugins/atlassian-commons/src/main/java/org/opensearch/dataprepper/plugins/source/atlassian/rest/auth/AtlassianBearerTokenAuthConfig.java
index f1a85be860..7be0a5f24a 100644
--- a/data-prepper-plugins/saas-source-plugins/atlassian-commons/src/main/java/org/opensearch/dataprepper/plugins/source/atlassian/rest/auth/AtlassianBearerTokenAuthConfig.java
+++ b/data-prepper-plugins/saas-source-plugins/atlassian-commons/src/main/java/org/opensearch/dataprepper/plugins/source/atlassian/rest/auth/AtlassianBearerTokenAuthConfig.java
@@ -10,19 +10,25 @@
 
 package org.opensearch.dataprepper.plugins.source.atlassian.rest.auth;
 
+import org.opensearch.dataprepper.model.plugin.PluginConfigVariable;
 import org.opensearch.dataprepper.plugins.source.atlassian.AtlassianSourceConfig;
 
+import java.util.Objects;
+
 public class AtlassianBearerTokenAuthConfig implements AtlassianAuthConfig {
 
-    private String accountUrl;
-    private final String bearerToken;
+    private final String accountUrl;
+    private final PluginConfigVariable bearerTokenVariable;
 
     public AtlassianBearerTokenAuthConfig(AtlassianSourceConfig sourceConfig) {
-        this.bearerToken = sourceConfig.getAuthenticationConfig().getBearerToken();
-        accountUrl = sourceConfig.getAccountUrl();
-        if (!accountUrl.endsWith("/")) {
-            accountUrl += "/";
+        Objects.requireNonNull(sourceConfig, "sourceConfig must not be null");
+        this.bearerTokenVariable = sourceConfig.getAuthenticationConfig().getBearerToken();
+        Objects.requireNonNull(bearerTokenVariable, "bearer_token must not be null");
+        String url = sourceConfig.getAccountUrl();
+        if (!url.endsWith("/")) {
+            url += "/";
         }
+        this.accountUrl = url;
     }
 
     @Override
@@ -31,11 +37,11 @@ public String getUrl() {
     }
 
     public String getBearerToken() {
-        return bearerToken;
+        return (String) bearerTokenVariable.getValue();
     }
 
     @Override
     public void renewCredentials() {
-        // static token, no renewal needed
+        bearerTokenVariable.refresh();
     }
 }
diff --git a/data-prepper-plugins/saas-source-plugins/atlassian-commons/src/test/java/org/opensearch/dataprepper/plugins/source/atlassian/rest/auth/AtlassianAuthFactoryTest.java b/data-prepper-plugins/saas-source-plugins/atlassian-commons/src/test/java/org/opensearch/dataprepper/plugins/source/atlassian/rest/auth/AtlassianAuthFactoryTest.java
index 536a34de87..e1f4b5a76c 100644
--- a/data-prepper-plugins/saas-source-plugins/atlassian-commons/src/test/java/org/opensearch/dataprepper/plugins/source/atlassian/rest/auth/AtlassianAuthFactoryTest.java
+++ b/data-prepper-plugins/saas-source-plugins/atlassian-commons/src/test/java/org/opensearch/dataprepper/plugins/source/atlassian/rest/auth/AtlassianAuthFactoryTest.java
@@ -46,6 +46,9 @@ public class AtlassianAuthFactoryTest {
     @Mock
     private PluginConfigVariable refreshTokenPluginConfigVariable;
 
+    @Mock
+    private PluginConfigVariable bearerTokenVariable;
+
     private AtlassianAuthFactory confluenceAuthFactory;
 
     @BeforeEach
@@ -72,10 +75,9 @@ void testGetObjectBasicAuth() {
 
     @Test
     void testGetObjectBearerToken() {
-        final String token = UUID.randomUUID().toString();
         when(sourceConfig.getAuthType()).thenReturn(BEARER_TOKEN);
         when(sourceConfig.getAuthenticationConfig()).thenReturn(authenticationConfig);
-        when(authenticationConfig.getBearerToken()).thenReturn(token);
+        when(authenticationConfig.getBearerToken()).thenReturn(bearerTokenVariable);
         when(sourceConfig.getAccountUrl()).thenReturn("https://confluence.opensearch.org");
         assertInstanceOf(AtlassianBearerTokenAuthConfig.class, confluenceAuthFactory.getObject());
     }
diff --git a/data-prepper-plugins/saas-source-plugins/atlassian-commons/src/test/java/org/opensearch/dataprepper/plugins/source/atlassian/rest/auth/AtlassianBearerTokenAuthConfigTest.java b/data-prepper-plugins/saas-source-plugins/atlassian-commons/src/test/java/org/opensearch/dataprepper/plugins/source/atlassian/rest/auth/AtlassianBearerTokenAuthConfigTest.java
index 1fd4b94b12..779e6468ca 100644
--- a/data-prepper-plugins/saas-source-plugins/atlassian-commons/src/test/java/org/opensearch/dataprepper/plugins/source/atlassian/rest/auth/AtlassianBearerTokenAuthConfigTest.java
+++ b/data-prepper-plugins/saas-source-plugins/atlassian-commons/src/test/java/org/opensearch/dataprepper/plugins/source/atlassian/rest/auth/AtlassianBearerTokenAuthConfigTest.java
@@ -15,6 +15,7 @@
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.Mock;
 import org.mockito.junit.jupiter.MockitoExtension;
+import org.opensearch.dataprepper.model.plugin.PluginConfigVariable;
 import org.opensearch.dataprepper.plugins.source.atlassian.AtlassianSourceConfig;
 import org.opensearch.dataprepper.plugins.source.atlassian.configuration.AuthenticationConfig;
 
@@ -22,7 +23,7 @@
 
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.equalTo;
-import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
+import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;
 
 @ExtendWith(MockitoExtension.class)
@@ -34,6 +35,9 @@ class AtlassianBearerTokenAuthConfigTest {
     @Mock
     private AuthenticationConfig authenticationConfig;
 
+    @Mock
+    private PluginConfigVariable bearerTokenVariable;
+
     private String token;
 
     @BeforeEach
@@ -45,7 +49,7 @@ void setUp() {
     void testGetUrl() {
         when(sourceConfig.getAccountUrl()).thenReturn("https://confluence.opensearch.org");
         when(sourceConfig.getAuthenticationConfig()).thenReturn(authenticationConfig);
-        when(authenticationConfig.getBearerToken()).thenReturn(token);
+        when(authenticationConfig.getBearerToken()).thenReturn(bearerTokenVariable);
 
         AtlassianBearerTokenAuthConfig config = new AtlassianBearerTokenAuthConfig(sourceConfig);
         assertThat(config.getUrl(), equalTo("https://confluence.opensearch.org/"));
@@ -55,7 +59,7 @@ void testGetUrl() {
     void testGetUrlWithTrailingSlash() {
         when(sourceConfig.getAccountUrl()).thenReturn("https://confluence.opensearch.org/");
         when(sourceConfig.getAuthenticationConfig()).thenReturn(authenticationConfig);
-        when(authenticationConfig.getBearerToken()).thenReturn(token);
+        when(authenticationConfig.getBearerToken()).thenReturn(bearerTokenVariable);
 
         AtlassianBearerTokenAuthConfig config = new AtlassianBearerTokenAuthConfig(sourceConfig);
         assertThat(config.getUrl(), equalTo("https://confluence.opensearch.org/"));
@@ -65,19 +69,22 @@ void testGetUrlWithTrailingSlash() {
     void testGetBearerToken() {
         when(sourceConfig.getAccountUrl()).thenReturn("https://confluence.opensearch.org");
         when(sourceConfig.getAuthenticationConfig()).thenReturn(authenticationConfig);
-        when(authenticationConfig.getBearerToken()).thenReturn(token);
+        when(authenticationConfig.getBearerToken()).thenReturn(bearerTokenVariable);
+        when(bearerTokenVariable.getValue()).thenReturn(token);
 
         AtlassianBearerTokenAuthConfig config = new AtlassianBearerTokenAuthConfig(sourceConfig);
         assertThat(config.getBearerToken(), equalTo(token));
     }
 
     @Test
-    void testRenewCredentialsIsNoOp() {
+    void testRenewCredentials_calls_refresh() {
         when(sourceConfig.getAccountUrl()).thenReturn("https://confluence.opensearch.org");
         when(sourceConfig.getAuthenticationConfig()).thenReturn(authenticationConfig);
-        when(authenticationConfig.getBearerToken()).thenReturn(token);
+        when(authenticationConfig.getBearerToken()).thenReturn(bearerTokenVariable);
 
         AtlassianBearerTokenAuthConfig config = new AtlassianBearerTokenAuthConfig(sourceConfig);
-        assertDoesNotThrow(config::renewCredentials);
+        config.renewCredentials();
+
+        verify(bearerTokenVariable).refresh();
     }
 }
diff --git a/data-prepper-plugins/saas-source-plugins/confluence-source/src/main/java/org/opensearch/dataprepper/plugins/source/confluence/utils/ConfluenceConfigHelper.java b/data-prepper-plugins/saas-source-plugins/confluence-source/src/main/java/org/opensearch/dataprepper/plugins/source/confluence/utils/ConfluenceConfigHelper.java
index 22f1f446ab..6d0632f00a 100644
--- a/data-prepper-plugins/saas-source-plugins/confluence-source/src/main/java/org/opensearch/dataprepper/plugins/source/confluence/utils/ConfluenceConfigHelper.java
+++ b/data-prepper-plugins/saas-source-plugins/confluence-source/src/main/java/org/opensearch/dataprepper/plugins/source/confluence/utils/ConfluenceConfigHelper.java
@@ -12,6 +12,7 @@
 
 
 import lombok.extern.slf4j.Slf4j;
+import org.opensearch.dataprepper.model.plugin.PluginConfigVariable;
 import org.opensearch.dataprepper.plugins.source.confluence.ConfluenceSourceConfig;
 import org.opensearch.dataprepper.plugins.source.source_crawler.utils.AddressValidation;
 
@@ -105,8 +106,9 @@ public static boolean validateConfig(ConfluenceSourceConfig config) {
         }
 
         if (BEARER_TOKEN.equals(authType)) {
-            String bearerToken = config.getAuthenticationConfig().getBearerToken();
-            if (bearerToken == null || bearerToken.isEmpty()) {
+            PluginConfigVariable bearerToken = config.getAuthenticationConfig().getBearerToken();
+            if (bearerToken == null || bearerToken.getValue() == null
+                    || ((String) bearerToken.getValue()).isEmpty()) {
                 throw new RuntimeException("Bearer token is required for BearerToken AuthType");
             }
         }
diff --git a/data-prepper-plugins/saas-source-plugins/confluence-source/src/test/java/org/opensearch/dataprepper/plugins/source/confluence/ConfluenceConfigHelperTest.java b/data-prepper-plugins/saas-source-plugins/confluence-source/src/test/java/org/opensearch/dataprepper/plugins/source/confluence/ConfluenceConfigHelperTest.java
index e16f0ca37c..b99726ced8 100644
--- a/data-prepper-plugins/saas-source-plugins/confluence-source/src/test/java/org/opensearch/dataprepper/plugins/source/confluence/ConfluenceConfigHelperTest.java
+++ b/data-prepper-plugins/saas-source-plugins/confluence-source/src/test/java/org/opensearch/dataprepper/plugins/source/confluence/ConfluenceConfigHelperTest.java
@@ -70,6 +70,9 @@ public class ConfluenceConfigHelperTest {
     @Mock
     PluginConfigVariable refreshTokenPluginConfigVariable;
 
+    @Mock
+    PluginConfigVariable bearerTokenVariable;
+
     @Test
     void testInitialization() {
         ConfluenceConfigHelper confluenceConfigHelper = new ConfluenceConfigHelper();
@@ -170,7 +173,8 @@ void testValidateConfigBearerToken_emptyToken_throwsException() {
         when(confluenceSourceConfig.getAccountUrl()).thenReturn("https://opensearch.org");
         when(confluenceSourceConfig.getAuthType()).thenReturn(BEARER_TOKEN);
         when(confluenceSourceConfig.getAuthenticationConfig()).thenReturn(authenticationConfig);
-        when(authenticationConfig.getBearerToken()).thenReturn("");
+        when(authenticationConfig.getBearerToken()).thenReturn(bearerTokenVariable);
+        when(bearerTokenVariable.getValue()).thenReturn("");
         assertThrows(RuntimeException.class, () -> ConfluenceConfigHelper.validateConfig(confluenceSourceConfig));
     }
 
@@ -179,7 +183,9 @@ void testValidateConfigBearerToken_validToken_succeeds() {
         when(confluenceSourceConfig.getAccountUrl()).thenReturn("https://opensearch.org");
         when(confluenceSourceConfig.getAuthType()).thenReturn(BEARER_TOKEN);
         when(confluenceSourceConfig.getAuthenticationConfig()).thenReturn(authenticationConfig);
-        when(authenticationConfig.getBearerToken()).thenReturn(UUID.randomUUID().toString());
+        when(authenticationConfig.getBearerToken()).thenReturn(bearerTokenVariable);
+        when(bearerTokenVariable.getValue()).thenReturn(UUID.randomUUID().toString());
+        when(confluenceSourceConfig.isAllowLocalAddress()).thenReturn(false);
         assertDoesNotThrow(() -> ConfluenceConfigHelper.validateConfig(confluenceSourceConfig));
     }
 }

From 756005d3d859419ff82cf03f3eba23c882089408 Mon Sep 17 00:00:00 2001
From: Srikanth Padakanti <srikanth_padakanti@apple.com>
Date: Wed, 20 May 2026 20:14:59 -0500
Subject: [PATCH 2/4] Use instanceof for safe cast, guard refresh with
 isUpdatable, consolidate token validation into helper method

Signed-off-by: Srikanth Padakanti <srikanth_padakanti@apple.com>
---
 .../configuration/AuthenticationConfig.java   | 25 ++++++++++++++-----
 .../auth/AtlassianBearerTokenAuthConfig.java  | 10 ++++++--
 .../AtlassianBearerTokenAuthConfigTest.java   | 17 ++++++++++++-
 .../utils/ConfluenceConfigHelper.java         |  6 ++---
 .../ConfluenceConfigHelperTest.java           |  8 +++---
 5 files changed, 48 insertions(+), 18 deletions(-)

diff --git a/data-prepper-plugins/saas-source-plugins/atlassian-commons/src/main/java/org/opensearch/dataprepper/plugins/source/atlassian/configuration/AuthenticationConfig.java b/data-prepper-plugins/saas-source-plugins/atlassian-commons/src/main/java/org/opensearch/dataprepper/plugins/source/atlassian/configuration/AuthenticationConfig.java
index b1c109ae89..f729c1ff74 100644
--- a/data-prepper-plugins/saas-source-plugins/atlassian-commons/src/main/java/org/opensearch/dataprepper/plugins/source/atlassian/configuration/AuthenticationConfig.java
+++ b/data-prepper-plugins/saas-source-plugins/atlassian-commons/src/main/java/org/opensearch/dataprepper/plugins/source/atlassian/configuration/AuthenticationConfig.java
@@ -10,6 +10,7 @@
 
 package org.opensearch.dataprepper.plugins.source.atlassian.configuration;
 
+import com.fasterxml.jackson.annotation.JsonIgnore;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import jakarta.validation.Valid;
 import jakarta.validation.constraints.AssertTrue;
@@ -34,12 +35,24 @@ public class AuthenticationConfig {
     @JsonProperty("bearer_token")
     private PluginConfigVariable bearerToken;
 
+    @JsonIgnore
+    public String getBearerTokenValue() {
+        if (bearerToken == null || bearerToken.getValue() == null) {
+            return null;
+        }
+        final Object value = bearerToken.getValue();
+        if (value instanceof String) {
+            return (String) value;
+        }
+        return value.toString();
+    }
+
     @AssertTrue(message = "Authentication config should have exactly one of basic, oauth2, or bearer_token")
     private boolean isValidAuthenticationConfig() {
         boolean hasBasic = basicConfig != null;
         boolean hasOauth = oauth2Config != null;
-        boolean hasBearer = bearerToken != null && bearerToken.getValue() != null
-                && !((String) bearerToken.getValue()).isEmpty();
+        final String tokenValue = getBearerTokenValue();
+        boolean hasBearer = tokenValue != null && !tokenValue.isEmpty();
         int count = (hasBasic ? 1 : 0) + (hasOauth ? 1 : 0) + (hasBearer ? 1 : 0);
         return count == 1;
     }
@@ -47,11 +60,11 @@ private boolean isValidAuthenticationConfig() {
     public String getAuthType() {
         if (basicConfig != null) {
             return BASIC;
-        } else if (bearerToken != null && bearerToken.getValue() != null
-                && !((String) bearerToken.getValue()).isEmpty()) {
+        }
+        final String tokenValue = getBearerTokenValue();
+        if (tokenValue != null && !tokenValue.isEmpty()) {
             return BEARER_TOKEN;
-        } else {
-            return OAUTH2;
         }
+        return OAUTH2;
     }
 }
diff --git a/data-prepper-plugins/saas-source-plugins/atlassian-commons/src/main/java/org/opensearch/dataprepper/plugins/source/atlassian/rest/auth/AtlassianBearerTokenAuthConfig.java b/data-prepper-plugins/saas-source-plugins/atlassian-commons/src/main/java/org/opensearch/dataprepper/plugins/source/atlassian/rest/auth/AtlassianBearerTokenAuthConfig.java
index 7be0a5f24a..f96ef2293d 100644
--- a/data-prepper-plugins/saas-source-plugins/atlassian-commons/src/main/java/org/opensearch/dataprepper/plugins/source/atlassian/rest/auth/AtlassianBearerTokenAuthConfig.java
+++ b/data-prepper-plugins/saas-source-plugins/atlassian-commons/src/main/java/org/opensearch/dataprepper/plugins/source/atlassian/rest/auth/AtlassianBearerTokenAuthConfig.java
@@ -37,11 +37,17 @@ public String getUrl() {
     }
 
     public String getBearerToken() {
-        return (String) bearerTokenVariable.getValue();
+        final Object value = bearerTokenVariable.getValue();
+        if (value instanceof String) {
+            return (String) value;
+        }
+        return value != null ? value.toString() : null;
     }
 
     @Override
     public void renewCredentials() {
-        bearerTokenVariable.refresh();
+        if (bearerTokenVariable.isUpdatable()) {
+            bearerTokenVariable.refresh();
+        }
     }
 }
diff --git a/data-prepper-plugins/saas-source-plugins/atlassian-commons/src/test/java/org/opensearch/dataprepper/plugins/source/atlassian/rest/auth/AtlassianBearerTokenAuthConfigTest.java b/data-prepper-plugins/saas-source-plugins/atlassian-commons/src/test/java/org/opensearch/dataprepper/plugins/source/atlassian/rest/auth/AtlassianBearerTokenAuthConfigTest.java
index 779e6468ca..ebb70b1c1e 100644
--- a/data-prepper-plugins/saas-source-plugins/atlassian-commons/src/test/java/org/opensearch/dataprepper/plugins/source/atlassian/rest/auth/AtlassianBearerTokenAuthConfigTest.java
+++ b/data-prepper-plugins/saas-source-plugins/atlassian-commons/src/test/java/org/opensearch/dataprepper/plugins/source/atlassian/rest/auth/AtlassianBearerTokenAuthConfigTest.java
@@ -23,6 +23,7 @@
 
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.equalTo;
+import static org.mockito.Mockito.never;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;
 
@@ -77,14 +78,28 @@ void testGetBearerToken() {
     }
 
     @Test
-    void testRenewCredentials_calls_refresh() {
+    void testRenewCredentials_calls_refresh_when_updatable() {
         when(sourceConfig.getAccountUrl()).thenReturn("https://confluence.opensearch.org");
         when(sourceConfig.getAuthenticationConfig()).thenReturn(authenticationConfig);
         when(authenticationConfig.getBearerToken()).thenReturn(bearerTokenVariable);
+        when(bearerTokenVariable.isUpdatable()).thenReturn(true);
 
         AtlassianBearerTokenAuthConfig config = new AtlassianBearerTokenAuthConfig(sourceConfig);
         config.renewCredentials();
 
         verify(bearerTokenVariable).refresh();
     }
+
+    @Test
+    void testRenewCredentials_does_not_call_refresh_when_not_updatable() {
+        when(sourceConfig.getAccountUrl()).thenReturn("https://confluence.opensearch.org");
+        when(sourceConfig.getAuthenticationConfig()).thenReturn(authenticationConfig);
+        when(authenticationConfig.getBearerToken()).thenReturn(bearerTokenVariable);
+        when(bearerTokenVariable.isUpdatable()).thenReturn(false);
+
+        AtlassianBearerTokenAuthConfig config = new AtlassianBearerTokenAuthConfig(sourceConfig);
+        config.renewCredentials();
+
+        verify(bearerTokenVariable, never()).refresh();
+    }
 }
diff --git a/data-prepper-plugins/saas-source-plugins/confluence-source/src/main/java/org/opensearch/dataprepper/plugins/source/confluence/utils/ConfluenceConfigHelper.java b/data-prepper-plugins/saas-source-plugins/confluence-source/src/main/java/org/opensearch/dataprepper/plugins/source/confluence/utils/ConfluenceConfigHelper.java
index 6d0632f00a..9bd5640718 100644
--- a/data-prepper-plugins/saas-source-plugins/confluence-source/src/main/java/org/opensearch/dataprepper/plugins/source/confluence/utils/ConfluenceConfigHelper.java
+++ b/data-prepper-plugins/saas-source-plugins/confluence-source/src/main/java/org/opensearch/dataprepper/plugins/source/confluence/utils/ConfluenceConfigHelper.java
@@ -12,7 +12,6 @@
 
 
 import lombok.extern.slf4j.Slf4j;
-import org.opensearch.dataprepper.model.plugin.PluginConfigVariable;
 import org.opensearch.dataprepper.plugins.source.confluence.ConfluenceSourceConfig;
 import org.opensearch.dataprepper.plugins.source.source_crawler.utils.AddressValidation;
 
@@ -106,9 +105,8 @@ public static boolean validateConfig(ConfluenceSourceConfig config) {
         }
 
         if (BEARER_TOKEN.equals(authType)) {
-            PluginConfigVariable bearerToken = config.getAuthenticationConfig().getBearerToken();
-            if (bearerToken == null || bearerToken.getValue() == null
-                    || ((String) bearerToken.getValue()).isEmpty()) {
+            final String tokenValue = config.getAuthenticationConfig().getBearerTokenValue();
+            if (tokenValue == null || tokenValue.isEmpty()) {
                 throw new RuntimeException("Bearer token is required for BearerToken AuthType");
             }
         }
diff --git a/data-prepper-plugins/saas-source-plugins/confluence-source/src/test/java/org/opensearch/dataprepper/plugins/source/confluence/ConfluenceConfigHelperTest.java b/data-prepper-plugins/saas-source-plugins/confluence-source/src/test/java/org/opensearch/dataprepper/plugins/source/confluence/ConfluenceConfigHelperTest.java
index b99726ced8..d78465befb 100644
--- a/data-prepper-plugins/saas-source-plugins/confluence-source/src/test/java/org/opensearch/dataprepper/plugins/source/confluence/ConfluenceConfigHelperTest.java
+++ b/data-prepper-plugins/saas-source-plugins/confluence-source/src/test/java/org/opensearch/dataprepper/plugins/source/confluence/ConfluenceConfigHelperTest.java
@@ -164,7 +164,7 @@ void testValidateConfigBearerToken_nullToken_throwsException() {
         when(confluenceSourceConfig.getAccountUrl()).thenReturn("https://opensearch.org");
         when(confluenceSourceConfig.getAuthType()).thenReturn(BEARER_TOKEN);
         when(confluenceSourceConfig.getAuthenticationConfig()).thenReturn(authenticationConfig);
-        when(authenticationConfig.getBearerToken()).thenReturn(null);
+        when(authenticationConfig.getBearerTokenValue()).thenReturn(null);
         assertThrows(RuntimeException.class, () -> ConfluenceConfigHelper.validateConfig(confluenceSourceConfig));
     }
 
@@ -173,8 +173,7 @@ void testValidateConfigBearerToken_emptyToken_throwsException() {
         when(confluenceSourceConfig.getAccountUrl()).thenReturn("https://opensearch.org");
         when(confluenceSourceConfig.getAuthType()).thenReturn(BEARER_TOKEN);
         when(confluenceSourceConfig.getAuthenticationConfig()).thenReturn(authenticationConfig);
-        when(authenticationConfig.getBearerToken()).thenReturn(bearerTokenVariable);
-        when(bearerTokenVariable.getValue()).thenReturn("");
+        when(authenticationConfig.getBearerTokenValue()).thenReturn("");
         assertThrows(RuntimeException.class, () -> ConfluenceConfigHelper.validateConfig(confluenceSourceConfig));
     }
 
@@ -183,8 +182,7 @@ void testValidateConfigBearerToken_validToken_succeeds() {
         when(confluenceSourceConfig.getAccountUrl()).thenReturn("https://opensearch.org");
         when(confluenceSourceConfig.getAuthType()).thenReturn(BEARER_TOKEN);
         when(confluenceSourceConfig.getAuthenticationConfig()).thenReturn(authenticationConfig);
-        when(authenticationConfig.getBearerToken()).thenReturn(bearerTokenVariable);
-        when(bearerTokenVariable.getValue()).thenReturn(UUID.randomUUID().toString());
+        when(authenticationConfig.getBearerTokenValue()).thenReturn(UUID.randomUUID().toString());
         when(confluenceSourceConfig.isAllowLocalAddress()).thenReturn(false);
         assertDoesNotThrow(() -> ConfluenceConfigHelper.validateConfig(confluenceSourceConfig));
     }

From c1b23c4789de1e74727f4d8dbaea537437fdd781 Mon Sep 17 00:00:00 2001
From: Srikanth Padakanti <srikanth_padakanti@apple.com>
Date: Wed, 20 May 2026 20:44:56 -0500
Subject: [PATCH 3/4] Remove unused UUID import from AtlassianAuthFactoryTest

Signed-off-by: Srikanth Padakanti <srikanth_padakanti@apple.com>
---
 .../source/atlassian/rest/auth/AtlassianAuthFactoryTest.java     | 1 -
 1 file changed, 1 deletion(-)

diff --git a/data-prepper-plugins/saas-source-plugins/atlassian-commons/src/test/java/org/opensearch/dataprepper/plugins/source/atlassian/rest/auth/AtlassianAuthFactoryTest.java b/data-prepper-plugins/saas-source-plugins/atlassian-commons/src/test/java/org/opensearch/dataprepper/plugins/source/atlassian/rest/auth/AtlassianAuthFactoryTest.java
index e1f4b5a76c..46c30893f2 100644
--- a/data-prepper-plugins/saas-source-plugins/atlassian-commons/src/test/java/org/opensearch/dataprepper/plugins/source/atlassian/rest/auth/AtlassianAuthFactoryTest.java
+++ b/data-prepper-plugins/saas-source-plugins/atlassian-commons/src/test/java/org/opensearch/dataprepper/plugins/source/atlassian/rest/auth/AtlassianAuthFactoryTest.java
@@ -20,7 +20,6 @@
 import org.opensearch.dataprepper.plugins.source.atlassian.configuration.AuthenticationConfig;
 import org.opensearch.dataprepper.plugins.source.atlassian.configuration.Oauth2Config;
 
-import java.util.UUID;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertInstanceOf;

From 4996a6430607de451ed48594643e42d94bc88ca9 Mon Sep 17 00:00:00 2001
From: Srikanth Padakanti <srikanth_padakanti@apple.com>
Date: Thu, 21 May 2026 16:03:12 -0500
Subject: [PATCH 4/4] Remove isUpdatable guard and call refresh directly per
 reviewer feedback

Signed-off-by: Srikanth Padakanti <srikanth_padakanti@apple.com>
---
 .../auth/AtlassianBearerTokenAuthConfig.java    |  4 +---
 .../AtlassianBearerTokenAuthConfigTest.java     | 17 +----------------
 2 files changed, 2 insertions(+), 19 deletions(-)

diff --git a/data-prepper-plugins/saas-source-plugins/atlassian-commons/src/main/java/org/opensearch/dataprepper/plugins/source/atlassian/rest/auth/AtlassianBearerTokenAuthConfig.java b/data-prepper-plugins/saas-source-plugins/atlassian-commons/src/main/java/org/opensearch/dataprepper/plugins/source/atlassian/rest/auth/AtlassianBearerTokenAuthConfig.java
index f96ef2293d..e6785e2410 100644
--- a/data-prepper-plugins/saas-source-plugins/atlassian-commons/src/main/java/org/opensearch/dataprepper/plugins/source/atlassian/rest/auth/AtlassianBearerTokenAuthConfig.java
+++ b/data-prepper-plugins/saas-source-plugins/atlassian-commons/src/main/java/org/opensearch/dataprepper/plugins/source/atlassian/rest/auth/AtlassianBearerTokenAuthConfig.java
@@ -46,8 +46,6 @@ public String getBearerToken() {
 
     @Override
     public void renewCredentials() {
-        if (bearerTokenVariable.isUpdatable()) {
-            bearerTokenVariable.refresh();
-        }
+        bearerTokenVariable.refresh();
     }
 }
diff --git a/data-prepper-plugins/saas-source-plugins/atlassian-commons/src/test/java/org/opensearch/dataprepper/plugins/source/atlassian/rest/auth/AtlassianBearerTokenAuthConfigTest.java b/data-prepper-plugins/saas-source-plugins/atlassian-commons/src/test/java/org/opensearch/dataprepper/plugins/source/atlassian/rest/auth/AtlassianBearerTokenAuthConfigTest.java
index ebb70b1c1e..779e6468ca 100644
--- a/data-prepper-plugins/saas-source-plugins/atlassian-commons/src/test/java/org/opensearch/dataprepper/plugins/source/atlassian/rest/auth/AtlassianBearerTokenAuthConfigTest.java
+++ b/data-prepper-plugins/saas-source-plugins/atlassian-commons/src/test/java/org/opensearch/dataprepper/plugins/source/atlassian/rest/auth/AtlassianBearerTokenAuthConfigTest.java
@@ -23,7 +23,6 @@
 
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.equalTo;
-import static org.mockito.Mockito.never;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;
 
@@ -78,28 +77,14 @@ void testGetBearerToken() {
     }
 
     @Test
-    void testRenewCredentials_calls_refresh_when_updatable() {
+    void testRenewCredentials_calls_refresh() {
         when(sourceConfig.getAccountUrl()).thenReturn("https://confluence.opensearch.org");
         when(sourceConfig.getAuthenticationConfig()).thenReturn(authenticationConfig);
         when(authenticationConfig.getBearerToken()).thenReturn(bearerTokenVariable);
-        when(bearerTokenVariable.isUpdatable()).thenReturn(true);
 
         AtlassianBearerTokenAuthConfig config = new AtlassianBearerTokenAuthConfig(sourceConfig);
         config.renewCredentials();
 
         verify(bearerTokenVariable).refresh();
     }
-
-    @Test
-    void testRenewCredentials_does_not_call_refresh_when_not_updatable() {
-        when(sourceConfig.getAccountUrl()).thenReturn("https://confluence.opensearch.org");
-        when(sourceConfig.getAuthenticationConfig()).thenReturn(authenticationConfig);
-        when(authenticationConfig.getBearerToken()).thenReturn(bearerTokenVariable);
-        when(bearerTokenVariable.isUpdatable()).thenReturn(false);
-
-        AtlassianBearerTokenAuthConfig config = new AtlassianBearerTokenAuthConfig(sourceConfig);
-        config.renewCredentials();
-
-        verify(bearerTokenVariable, never()).refresh();
-    }
 }