Improve OAuth2 DSL (FuncDSL and DSL)

Signed-off-by: Matheus Cruz <matheuscruz.dev@gmail.com>

Author: mcruzdev

experimental/fluent/func/src/main/java/io/serverlessworkflow/fluent/func/dsl/FuncDSL.java

@@ -39,6 +39,8 @@
 import io.serverlessworkflow.fluent.func.configurers.SwitchCaseConfigurer;
 import io.serverlessworkflow.fluent.spec.AbstractEventConsumptionStrategyBuilder;
 import io.serverlessworkflow.fluent.spec.EventFilterBuilder;
+import io.serverlessworkflow.fluent.spec.OAuth2AuthenticationPolicyBuilder;
+import io.serverlessworkflow.fluent.spec.OIDCBuilder.OAuth2AuthenticationPropertiesEndpointsBuilder;
 import io.serverlessworkflow.fluent.spec.ScheduleBuilder;
 import io.serverlessworkflow.fluent.spec.TimeoutBuilder;
 import io.serverlessworkflow.fluent.spec.WorkflowTaskBuilder;
@@ -2371,4 +2373,24 @@ public static AuthenticationConfigurer oauth2(
   public static AuthenticationConfigurer oauth2(String secret) {
     return DSL.oauth2(secret);
   }
+
+  /**
+   * @see DSL#oauth2(String, OAuth2AuthenticationData.OAuth2AuthenticationDataGrant, String, String,
+   *     Consumer)
+   */
+  public static AuthenticationConfigurer oauth2(
+      String authority,
+      OAuth2AuthenticationData.OAuth2AuthenticationDataGrant grant,
+      String clientId,
+      String clientSecret,
+      Consumer<OAuth2AuthenticationPropertiesEndpointsBuilder> endpoints) {
+    return DSL.oauth2(authority, grant, clientId, clientSecret, endpoints);
+  }
+
+  /**
+   * @see DSL#oauth2(Consumer)
+   */
+  public static AuthenticationConfigurer oauth2(Consumer<OAuth2AuthenticationPolicyBuilder> cfg) {
+    return DSL.oauth2(cfg);
+  }
 }

experimental/fluent/func/src/test/java/io/serverlessworkflow/fluent/func/FuncDSLOAuth2Test.java

@@ -0,0 +1,131 @@
+/*
+ * Copyright 2020-Present The Serverless Workflow Specification Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.serverlessworkflow.fluent.func;
+
+import static io.serverlessworkflow.fluent.func.dsl.FuncDSL.call;
+import static io.serverlessworkflow.fluent.func.dsl.FuncDSL.http;
+import static io.serverlessworkflow.fluent.func.dsl.FuncDSL.oauth2;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+
+import io.serverlessworkflow.api.types.OAuth2AuthenticationData;
+import io.serverlessworkflow.api.types.OAuth2AuthenticationDataClient;
+import io.serverlessworkflow.api.types.OAuth2ConnectAuthenticationProperties;
+import io.serverlessworkflow.api.types.Workflow;
+import java.net.URI;
+import java.util.List;
+import org.junit.jupiter.api.Test;
+
+class FuncDSLOAuth2Test {
+
+  private static final String EXPR_ENDPOINT = "${ .endpoint }";
+
+  private static OAuth2ConnectAuthenticationProperties oauth2PropertiesOf(Workflow wf) {
+    var auth =
+        wf.getDo()
+            .get(0)
+            .getTask()
+            .getCallTask()
+            .getCallHTTP()
+            .getWith()
+            .getEndpoint()
+            .getEndpointConfiguration()
+            .getAuthentication()
+            .getAuthenticationPolicy();
+    assertNotNull(auth.getOAuth2AuthenticationPolicy());
+    return auth.getOAuth2AuthenticationPolicy()
+        .getOauth2()
+        .getOAuth2ConnectAuthenticationProperties();
+  }
+
+  @Test
+  void convenience_overload_sets_token_endpoint() {
+    Workflow wf =
+        FuncWorkflowBuilder.workflow("oauth2-token")
+            .tasks(
+                call(
+                    http()
+                        .POST()
+                        .endpoint(
+                            EXPR_ENDPOINT,
+                            oauth2(
+                                "https://auth.example.com/",
+                                OAuth2AuthenticationData.OAuth2AuthenticationDataGrant
+                                    .CLIENT_CREDENTIALS,
+                                "client-id",
+                                "client-secret",
+                                e -> e.token("/custom/token")))))
+            .build();
+
+    var props = oauth2PropertiesOf(wf);
+    assertEquals(URI.create("https://auth.example.com/"), props.getAuthority().getLiteralUri());
+    assertEquals(
+        OAuth2AuthenticationData.OAuth2AuthenticationDataGrant.CLIENT_CREDENTIALS,
+        props.getGrant());
+    assertEquals("client-id", props.getClient().getId());
+    assertEquals("client-secret", props.getClient().getSecret());
+    assertEquals("/custom/token", props.getEndpoints().getToken());
+  }
+
+  @Test
+  void builder_overload_supports_full_oauth2_section() {
+    Workflow wf =
+        FuncWorkflowBuilder.workflow("oauth2-full")
+            .tasks(
+                call(
+                    http()
+                        .GET()
+                        .endpoint(
+                            EXPR_ENDPOINT,
+                            oauth2(
+                                o ->
+                                    o.endpoints(
+                                            e ->
+                                                e.token("/oauth2/token")
+                                                    .revocation("/oauth2/revoke")
+                                                    .introspection("/oauth2/introspect"))
+                                        .authority("https://auth.example.com/")
+                                        .grant(
+                                            OAuth2AuthenticationData.OAuth2AuthenticationDataGrant
+                                                .CLIENT_CREDENTIALS)
+                                        .scopes("read", "write")
+                                        .audiences("api://default")
+                                        .client(
+                                            c ->
+                                                c.id("client-id")
+                                                    .secret("client-secret")
+                                                    .authentication(
+                                                        OAuth2AuthenticationDataClient
+                                                            .ClientAuthentication
+                                                            .CLIENT_SECRET_BASIC))))))
+            .build();
+
+    var props = oauth2PropertiesOf(wf);
+    assertEquals(URI.create("https://auth.example.com/"), props.getAuthority().getLiteralUri());
+    assertEquals(
+        OAuth2AuthenticationData.OAuth2AuthenticationDataGrant.CLIENT_CREDENTIALS,
+        props.getGrant());
+    assertEquals(List.of("read", "write"), props.getScopes());
+    assertEquals(List.of("api://default"), props.getAudiences());
+    assertEquals("client-id", props.getClient().getId());
+    assertEquals(
+        OAuth2AuthenticationDataClient.ClientAuthentication.CLIENT_SECRET_BASIC,
+        props.getClient().getAuthentication());
+    assertEquals("/oauth2/token", props.getEndpoints().getToken());
+    assertEquals("/oauth2/revoke", props.getEndpoints().getRevocation());
+    assertEquals("/oauth2/introspect", props.getEndpoints().getIntrospection());
+  }
+}

fluent/spec/src/main/java/io/serverlessworkflow/fluent/spec/dsl/DSL.java

@@ -21,6 +21,8 @@
 import io.serverlessworkflow.fluent.spec.EmitTaskBuilder;
 import io.serverlessworkflow.fluent.spec.EventFilterBuilder;
 import io.serverlessworkflow.fluent.spec.ForkTaskBuilder;
+import io.serverlessworkflow.fluent.spec.OAuth2AuthenticationPolicyBuilder;
+import io.serverlessworkflow.fluent.spec.OIDCBuilder.OAuth2AuthenticationPropertiesEndpointsBuilder;
 import io.serverlessworkflow.fluent.spec.ScheduleBuilder;
 import io.serverlessworkflow.fluent.spec.TaskItemListBuilder;
 import io.serverlessworkflow.fluent.spec.TimeoutBuilder;
@@ -480,6 +482,75 @@ public static AuthenticationConfigurer oauth2(String secret) {
     return a -> a.openIDConnect(o -> o.use(secret));
   }
 
+  /**
+   * Build an OAuth2 authentication configurer with client credentials and explicit OAuth2 {@code
+   * endpoints} (token, revocation, introspection).
+   *
+   * <p>Unlike the other {@code oauth2(...)} helpers, which delegate to OpenID Connect, this
+   * overload produces a genuine OAuth2 authentication policy so that the OAuth2-specific {@code
+   * endpoints} can be configured without hand-building the whole policy.
+   *
+   * <pre>{@code
+   * oauth2(
+   *     "https://auth.example.com/",
+   *     OAuth2AuthenticationData.OAuth2AuthenticationDataGrant.CLIENT_CREDENTIALS,
+   *     "client-id",
+   *     "client-secret",
+   *     e -> e.token("/custom/token"));
+   * }</pre>
+   *
+   * @param authority OAuth2 authority/issuer URL
+   * @param grant OAuth2 grant type
+   * @param clientId client identifier
+   * @param clientSecret client secret
+   * @param endpoints consumer that configures the OAuth2 endpoints (e.g. {@code e -> e.token(...)})
+   * @return an {@link AuthenticationConfigurer} configured as OAuth2 with custom endpoints
+   */
+  public static AuthenticationConfigurer oauth2(
+      String authority,
+      OAuth2AuthenticationData.OAuth2AuthenticationDataGrant grant,
+      String clientId,
+      String clientSecret,
+      Consumer<OAuth2AuthenticationPropertiesEndpointsBuilder> endpoints) {
+    return a ->
+        a.oauth2(
+            o -> {
+              o.authority(authority).grant(grant).client(c -> c.id(clientId).secret(clientSecret));
+              o.endpoints(endpoints);
+            });
+  }
+
+  /**
+   * Build a fully customizable OAuth2 authentication configurer.
+   *
+   * <p>This overload exposes the complete {@link OAuth2AuthenticationPolicyBuilder} so that every
+   * field of the <a
+   * href="https://github.com/serverlessworkflow/specification/blob/main/dsl-reference.md#oauth2-authentication">OAuth2
+   * authentication</a> section of the Serverless Workflow DSL can be configured: {@code authority},
+   * {@code grant}, {@code client}, {@code request} encoding, {@code issuers}, {@code scopes},
+   * {@code audiences}, {@code username}, {@code password}, {@code subject}, {@code actor} and
+   * {@code endpoints} (token, revocation, introspection).
+   *
+   * <p>Because the OAuth2-only {@code endpoints(...)} method is declared on {@link
+   * OAuth2AuthenticationPolicyBuilder} (not on the shared {@link
+   * io.serverlessworkflow.fluent.spec.OIDCBuilder}), call it first when chaining fluently:
+   *
+   * <pre>{@code
+   * oauth2(o -> o.endpoints(e -> e.token("/custom/token"))
+   *              .authority("https://auth.example.com/")
+   *              .grant(OAuth2AuthenticationData.OAuth2AuthenticationDataGrant.CLIENT_CREDENTIALS)
+   *              .scopes("read", "write")
+   *              .audiences("api://default")
+   *              .client(c -> c.id("client-id").secret("client-secret")));
+   * }</pre>
+   *
+   * @param cfg consumer that configures the OAuth2 authentication policy builder
+   * @return an {@link AuthenticationConfigurer} configured as OAuth2
+   */
+  public static AuthenticationConfigurer oauth2(Consumer<OAuth2AuthenticationPolicyBuilder> cfg) {
+    return a -> a.oauth2(cfg);
+  }
+
   /**
    * Build a {@link RaiseSpec} for an error with a string type expression and HTTP status.
    *