flowset · m-orlova · Mar 23, 2026
diff --git a/src/main/java/io/flowset/control/action/TestEngineConnectionAction.java b/src/main/java/io/flowset/control/action/TestEngineConnectionAction.java
@@ -3,6 +3,7 @@
 import com.google.common.base.Strings;
 import com.vaadin.flow.component.Component;
 import com.vaadin.flow.component.icon.VaadinIcon;
+import io.flowset.control.exception.AccessTokenConnectException;
 import io.jmix.core.AccessManager;
 import io.jmix.core.Messages;
 import io.jmix.core.Metadata;
@@ -16,18 +17,24 @@
 import io.flowset.control.entity.engine.BpmEngine;
 import io.flowset.control.exception.EngineConnectionFailedException;
 import io.flowset.control.service.engine.EngineUiService;
+import org.apache.commons.lang3.BooleanUtils;
 import org.apache.commons.lang3.StringUtils;
+import org.apache.commons.lang3.exception.ExceptionUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.oauth2.core.OAuth2AuthorizationException;
+import org.springframework.web.client.HttpClientErrorException;
 
-import java.net.MalformedURLException;
-import java.net.URISyntaxException;
-import java.net.URL;
+import static io.flowset.control.util.ExceptionUtils.isConnectionError;
+import static io.flowset.control.util.UrlUtils.isValidUrl;
 
 @ActionType(TestEngineConnectionAction.ID)
 public class TestEngineConnectionAction extends SecuredBaseAction {
     public static final String ID = "control_testEngineConnection";
+    protected static final Logger log = LoggerFactory.getLogger(TestEngineConnectionAction.class);
 
-    private BpmEngine engine;
+    protected BpmEngine engine;
 
     protected Messages messages;
     protected EngineUiService engineUiService;
@@ -77,58 +84,128 @@ public void setAccessManager(AccessManager accessManager) {
 
     @Override
     public void actionPerform(Component component) {
-        if (engine != null) {
-            if (!isValidUrl(engine.getBaseUrl())) {
+        if (engine == null) {
+            return;
+        }
+
+        if (!isValidUrl(engine.getBaseUrl())) {
+            notifications.create(messages.getMessage("engineNotAvailable.title"),
+                            messages.formatMessage("", "engineNotAvailable.incorrectUrl",
+                                    Strings.nullToEmpty(engine.getBaseUrl())))
+                    .withType(Notifications.Type.ERROR)
+                    .show();
+            return;
+        }
+
+        if (BooleanUtils.isTrue(engine.getAuthEnabled()) && engine.getAuthType() != null) {
+            boolean valid = validateAuthFields();
+            if (!valid) {
+                return;
+            }
+        }
+
+        try {
+            engineUiService.getVersion(engine);
+            notifications.create(messages.formatMessage("", "engineAvailable", engine.getBaseUrl()))
+                    .withType(Notifications.Type.SUCCESS)
+                    .show();
+        } catch (EngineConnectionFailedException e) {
+            if (e.getStatusCode() > 0) {
                 notifications.create(messages.getMessage("engineNotAvailable.title"),
-                        messages.formatMessage("", "engineNotAvailable.incorrectUrl",
-                                Strings.nullToEmpty(engine.getBaseUrl())))
+                                messages.formatMessage("", "engineNotAvailable.description", e.getStatusCode()))
                         .withType(Notifications.Type.ERROR)
                         .show();
-                return;
-            }
-            if (engine.getAuthEnabled() && engine.getAuthType() != null) {
-                if (AuthType.BASIC == engine.getAuthType() && StringUtils.isEmpty(engine.getBasicAuthUsername())) {
-                    notifications.create(messages.getMessage("engineNotAvailable.title"),
-                                    messages.getMessage("engineNotAvailable.emptyAuthUsername"))
-                            .withType(Notifications.Type.ERROR)
-                            .show();
-                    return;
-                } else if (AuthType.BASIC == engine.getAuthType()
-                        && StringUtils.isEmpty(engine.getBasicAuthPassword())) {
-                    notifications.create(messages.getMessage("engineNotAvailable.title"),
-                                    messages.getMessage("engineNotAvailable.emptyAuthPassword"))
-                            .withType(Notifications.Type.ERROR)
-                            .show();
-                    return;
-                } else if (AuthType.HTTP_HEADER == engine.getAuthType()
-                        && StringUtils.isEmpty(engine.getHttpHeaderName())) {
-                    notifications.create(messages.getMessage("engineNotAvailable.title"),
-                                    messages.getMessage("engineNotAvailable.emptyHeaderName"))
-                            .withType(Notifications.Type.ERROR)
-                            .show();
-                    return;
-                }
-            }
-            try {
-                engineUiService.getVersion(engine);
-                notifications.create(messages.formatMessage("", "engineAvailable", engine.getBaseUrl()))
-                        .withType(Notifications.Type.SUCCESS)
+            } else {
+                String errorMessage = StringUtils.defaultIfBlank(e.getResponseErrorMessage(), e.getMessage());
+                notifications.create(messages.getMessage("engineNotAvailable.title"),
+                                messages.formatMessage("", "engineNotAvailable.descriptionWithError", errorMessage))
+                        .withType(Notifications.Type.ERROR)
                         .show();
-            } catch (EngineConnectionFailedException e) {
-                if (e.getStatusCode() > 0) {
-                    notifications.create(messages.getMessage("engineNotAvailable.title"),
-                                    messages.formatMessage("", "engineNotAvailable.description", e.getStatusCode()))
-                            .withType(Notifications.Type.ERROR)
-                            .show();
-                } else {
-                    String errorMessage = StringUtils.defaultIfBlank(e.getResponseErrorMessage(), e.getMessage());
-                    notifications.create(messages.getMessage("engineNotAvailable.title"),
-                                    messages.formatMessage("", "engineNotAvailable.descriptionWithError", errorMessage))
-                            .withType(Notifications.Type.ERROR)
-                            .show();
-                }
             }
+        } catch (OAuth2AuthorizationException | AccessTokenConnectException e) {
+            log.error("Error during getting access token authorization", e);
+
+            Throwable cause = ExceptionUtils.getRootCause(e);
+            String errorMessage = cause instanceof HttpClientErrorException || isConnectionError(cause) ? cause.getMessage() : e.getMessage();
+            notifications.create(messages.getMessage("oauth2AutorizationFailure.title"),
+                            messages.formatMessage("", "oauth2AutorizationFailure.descriptionWithError", errorMessage))
+                    .withType(Notifications.Type.ERROR)
+                    .show();
+        }
+    }
+
+    protected boolean validateAuthFields() {
+        AuthType authType = engine.getAuthType();
+        if (authType == AuthType.BASIC) {
+            return validateBasicAuthFields();
         }
+
+        if (authType == AuthType.HTTP_HEADER) {
+            return validateHttpHeaderAuthFields();
+        }
+
+        if (authType == AuthType.OAUTH2) {
+            return validateOauth2AuthFields();
+        }
+
+        return true;
+    }
+
+    protected boolean validateOauth2AuthFields() {
+        if (!isValidUrl(Strings.nullToEmpty(engine.getOauth2IssuerUri()))) {
+            notifications.create(messages.getMessage("engineNotAvailable.title"),
+                            messages.getMessage("engineNotAvailable.invalidOauth2IssuerUri"))
+                    .withType(Notifications.Type.ERROR)
+                    .show();
+            return false;
+        }
+
+        if (StringUtils.isEmpty(engine.getOauth2ClientId())) {
+            notifications.create(messages.getMessage("engineNotAvailable.title"),
+                            messages.getMessage("engineNotAvailable.emptyOauth2ClientId"))
+                    .withType(Notifications.Type.ERROR)
+                    .show();
+            return false;
+        }
+
+        if (StringUtils.isEmpty(engine.getOauth2ClientSecret())) {
+            notifications.create(messages.getMessage("engineNotAvailable.title"),
+                            messages.getMessage("engineNotAvailable.emptyOauth2ClientSecret"))
+                    .withType(Notifications.Type.ERROR)
+                    .show();
+            return false;
+        }
+
+        return true;
+    }
+
+    protected boolean validateHttpHeaderAuthFields() {
+        if (StringUtils.isEmpty(engine.getHttpHeaderName())) {
+            notifications.create(messages.getMessage("engineNotAvailable.title"),
+                            messages.getMessage("engineNotAvailable.emptyHeaderName"))
+                    .withType(Notifications.Type.ERROR)
+                    .show();
+            return false;
+        }
+        return true;
+    }
+
+    protected boolean validateBasicAuthFields() {
+        if (StringUtils.isEmpty(engine.getBasicAuthUsername())) {
+            notifications.create(messages.getMessage("engineNotAvailable.title"),
+                            messages.getMessage("engineNotAvailable.emptyAuthUsername"))
+                    .withType(Notifications.Type.ERROR)
+                    .show();
+            return false;
+        } else if (StringUtils.isEmpty(engine.getBasicAuthPassword())) {
+            notifications.create(messages.getMessage("engineNotAvailable.title"),
+                            messages.getMessage("engineNotAvailable.emptyAuthPassword"))
+                    .withType(Notifications.Type.ERROR)
+                    .show();
+            return false;
+        }
+
+        return true;
     }
 
     @Override
@@ -148,13 +225,4 @@ protected boolean isPermitted() {
 
         return super.isPermitted();
     }
-
-    private boolean isValidUrl(String url) {
-        try {
-            new URL(url).toURI();
-            return true;
-        } catch (URISyntaxException | MalformedURLException e) {
-            return false;
-        }
-    }
 }
diff --git a/src/main/java/io/flowset/control/configuration/CamundaFeignConfiguration.java b/src/main/java/io/flowset/control/configuration/CamundaFeignConfiguration.java
@@ -16,6 +16,7 @@
 import io.flowset.control.restsupport.FeignClientProvider;
 import io.flowset.control.restsupport.ObjectToStringConverter;
 import io.flowset.control.restsupport.camunda.CamundaFeignErrorDecoder;
+import io.flowset.control.service.engine.auth.EngineAuthenticator;
 import io.flowset.control.service.engine.EngineService;
 import org.camunda.community.rest.EnableCamundaRestClient;
 import org.camunda.community.rest.client.FeignClientConfiguration;
@@ -46,16 +47,16 @@ public FeignClientProvider feignClientProvider(Encoder encoder,
     }
 
     @Bean("control_DynamicEngineUrlRequestInterceptor")
-    public RequestInterceptor dynamicUrlInterceptor(EngineService engineService) {
-        return new DynamicEngineUrlRequestInterceptor(engineService);
+    public RequestInterceptor dynamicUrlInterceptor(EngineService engineService,
+                                                    EngineAuthenticator engineAuthenticator) {
+        return new DynamicEngineUrlRequestInterceptor(engineService, engineAuthenticator);
     }
 
     @Bean("control_ObjectToStringConverter")
     public ObjectToStringConverter objectToStringConverter() {
         return new ObjectToStringConverter();
     }
 
-
     @Bean("control_CamundaFeignErrorDecoder")
     @Primary
     public ErrorDecoder errorDecoder(CamundaRestClientProperties restClientProperties) {

diff --git a/src/main/java/io/flowset/control/configuration/OAuth2Configuration.java b/src/main/java/io/flowset/control/configuration/OAuth2Configuration.java
@@ -0,0 +1,45 @@
+/*
+ * Copyright (c) Haulmont 2026. All Rights Reserved.
+ * Use is subject to license terms.
+ */
+
+package io.flowset.control.configuration;
+
+import io.jmix.core.JmixOrder;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientProperties;
+import org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientPropertiesMapper;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.core.annotation.Order;
+import org.springframework.security.oauth2.client.*;
+import org.springframework.security.oauth2.client.endpoint.RestClientClientCredentialsTokenResponseClient;
+import org.springframework.security.oauth2.client.registration.ClientRegistration;
+import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
+import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
+
+import java.util.List;
+
+@Configuration
+@Order(JmixOrder.HIGHEST_PRECEDENCE + 200)
+public class OAuth2Configuration {
+
+    @Bean("control_OAuth2AuthorizedClientManager")
+    public OAuth2AuthorizedClientManager oAuth2AuthorizedClientManager(ClientRegistrationRepository clientRegistrationRepository,
+                                                                       OAuth2AuthorizedClientProvider authorizedClientProvider,
+                                                                       OAuth2AuthorizedClientService clientService) {
+        AuthorizedClientServiceOAuth2AuthorizedClientManager authClientManager = new AuthorizedClientServiceOAuth2AuthorizedClientManager(clientRegistrationRepository, clientService);
+
+        authClientManager.setAuthorizedClientProvider(authorizedClientProvider);
+        return authClientManager;
+    }
+
+    @Bean("control_OAuth2AuthorizedClientProvider")
+    public OAuth2AuthorizedClientProvider oAuth2AuthorizedClientProvider() {
+        return OAuth2AuthorizedClientProviderBuilder
+                .builder()
+                .clientCredentials(builder ->
+                        builder.accessTokenResponseClient(new RestClientClientCredentialsTokenResponseClient()))
+                .build();
+    }
+}
diff --git a/src/main/java/io/flowset/control/configuration/OidcSecurityConfiguration.java b/src/main/java/io/flowset/control/configuration/OidcSecurityConfiguration.java
@@ -4,13 +4,22 @@
 import io.jmix.core.JmixOrder;
 import io.jmix.oidc.userinfo.JmixOidcUserService;
 import io.jmix.securityflowui.security.FlowuiVaadinWebSecurity;
+import org.springframework.beans.factory.ObjectProvider;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientProperties;
+import org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientPropertiesMapper;
+import org.springframework.boot.context.properties.EnableConfigurationProperties;
+import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.annotation.Order;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.oauth2.client.oidc.web.logout.OidcClientInitiatedLogoutSuccessHandler;
+import org.springframework.security.oauth2.client.registration.ClientRegistration;
 import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
+import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
+
+import java.util.List;
 
 /**
  * Security configuration for OpenID Connect (OIDC) authentication mode.
@@ -33,21 +42,22 @@
 @EnableWebSecurity
 @Order(JmixOrder.HIGHEST_PRECEDENCE + 100)
 @ConditionalOnProperty(name = "flowset.control.security.login-mode", havingValue = "oidc")
+@EnableConfigurationProperties(OAuth2ClientProperties.class)
 public class OidcSecurityConfiguration extends FlowuiVaadinWebSecurity {
 
     protected final JmixOidcUserService jmixOidcUserService;
-    protected final ClientRegistrationRepository clientRegistrationRepository;
+    protected final ObjectProvider<ClientRegistrationRepository> registrationRepositoryObjectProvider;
 
     /**
      * Creates a new OIDC security configuration.
      *
      * @param jmixOidcUserService          the service used to load user information from the OIDC provider
-     * @param clientRegistrationRepository the client registration repository used for OIDC logout handling
+     * @param registrationRepositoryObjectProvider the client registration repository used for OIDC logout handling
      */
     public OidcSecurityConfiguration(JmixOidcUserService jmixOidcUserService,
-                                     ClientRegistrationRepository clientRegistrationRepository) {
+                                     ObjectProvider<ClientRegistrationRepository> registrationRepositoryObjectProvider) {
         this.jmixOidcUserService = jmixOidcUserService;
-        this.clientRegistrationRepository = clientRegistrationRepository;
+        this.registrationRepositoryObjectProvider = registrationRepositoryObjectProvider;
     }
 
 
@@ -67,9 +77,20 @@ protected void configure(HttpSecurity http) throws Exception {
         );
 
         OidcClientInitiatedLogoutSuccessHandler oidcLogoutHandler =
-                new OidcClientInitiatedLogoutSuccessHandler(clientRegistrationRepository);
+                new OidcClientInitiatedLogoutSuccessHandler(registrationRepositoryObjectProvider.getObject());
         oidcLogoutHandler.setPostLogoutRedirectUri("{baseUrl}/login");
 
         http.logout(logout -> logout.logoutSuccessHandler(oidcLogoutHandler));
     }
+
+    @Bean("control_ClientRegistrationRepository")
+    ClientRegistrationRepository inMemoryClientRegistrationRepository(OAuth2ClientProperties properties) {
+        List<ClientRegistration> registrations = new OAuth2ClientPropertiesMapper(properties)
+                .asClientRegistrations()
+                .values()
+                .stream()
+                .toList();
+
+        return new InMemoryClientRegistrationRepository(registrations);
+    }
 }
diff --git a/src/main/java/io/flowset/control/entity/engine/AuthType.java b/src/main/java/io/flowset/control/entity/engine/AuthType.java
@@ -12,7 +12,8 @@
 public enum AuthType implements EnumClass<String> {
 
     BASIC("Basic"),
-    HTTP_HEADER("HTTP header");
+    HTTP_HEADER("HTTP header"),
+    OAUTH2("OAuth2");
 
     private final String id;
 
@@ -33,4 +34,4 @@ public static AuthType fromId(String id) {
         }
         return null;
     }
-}
+}