serverlessworkflow · hughneale · Jan 5, 2026 · Jan 5, 2026
@@ -21,22 +21,24 @@ import (
 
 // AuthenticationPolicy Defines an authentication policy.
 type AuthenticationPolicy struct {
-	Basic  *BasicAuthenticationPolicy         `json:"basic,omitempty"`
-	Bearer *BearerAuthenticationPolicy        `json:"bearer,omitempty"`
-	Digest *DigestAuthenticationPolicy        `json:"digest,omitempty"`
-	OAuth2 *OAuth2AuthenticationPolicy        `json:"oauth2,omitempty"`
-	OIDC   *OpenIdConnectAuthenticationPolicy `json:"oidc,omitempty"`
+	Basic       *BasicAuthenticationPolicy         `json:"basic,omitempty"`
+	Bearer      *BearerAuthenticationPolicy        `json:"bearer,omitempty"`
+	ProxyBearer *ProxyBearerAuthenticationPolicy   `json:"proxy_bearer,omitempty"`
+	Digest      *DigestAuthenticationPolicy        `json:"digest,omitempty"`
+	OAuth2      *OAuth2AuthenticationPolicy        `json:"oauth2,omitempty"`
+	OIDC        *OpenIdConnectAuthenticationPolicy `json:"oidc,omitempty"`
 }
 
 // UnmarshalJSON for AuthenticationPolicy to enforce "oneOf" behavior.
 func (ap *AuthenticationPolicy) UnmarshalJSON(data []byte) error {
 	// Create temporary maps to detect which field is populated
 	temp := struct {
-		Basic  json.RawMessage `json:"basic"`
-		Bearer json.RawMessage `json:"bearer"`
-		Digest json.RawMessage `json:"digest"`
-		OAuth2 json.RawMessage `json:"oauth2"`
-		OIDC   json.RawMessage `json:"oidc"`
+		Basic       json.RawMessage `json:"basic"`
+		Bearer      json.RawMessage `json:"bearer"`
+		ProxyBearer json.RawMessage `json:"proxy_bearer"`
+		Digest      json.RawMessage `json:"digest"`
+		OAuth2      json.RawMessage `json:"oauth2"`
+		OIDC        json.RawMessage `json:"oidc"`
 	}{}
 
 	if err := json.Unmarshal(data, &temp); err != nil {
@@ -59,6 +61,13 @@ func (ap *AuthenticationPolicy) UnmarshalJSON(data []byte) error {
 			return err
 		}
 	}
+	if len(temp.ProxyBearer) > 0 {
+		count++
+		ap.ProxyBearer = &ProxyBearerAuthenticationPolicy{}
+		if err := json.Unmarshal(temp.ProxyBearer, ap.ProxyBearer); err != nil {
+			return err
+		}
+	}
 	if len(temp.Digest) > 0 {
 		count++
 		ap.Digest = &DigestAuthenticationPolicy{}
@@ -96,6 +105,9 @@ func (ap *AuthenticationPolicy) MarshalJSON() ([]byte, error) {
 	if ap.Bearer != nil {
 		return json.Marshal(map[string]interface{}{"bearer": ap.Bearer})
 	}
+	if ap.ProxyBearer != nil {
+		return json.Marshal(map[string]interface{}{"proxy_bearer": ap.ProxyBearer})
+	}
 	if ap.Digest != nil {
 		return json.Marshal(map[string]interface{}{"digest": ap.Digest})
 	}
@@ -173,6 +185,13 @@ type BearerAuthenticationPolicy struct {
 	Use   string `json:"use,omitempty" validate:"required_without=Token"`
 }
 
+// ProxyBearerAuthenticationPolicy supports either an inline token or a secret reference (use).
+// https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Proxy-Authorization
+type ProxyBearerAuthenticationPolicy struct {
+	Token string `json:"token,omitempty" validate:"required_without=Use,proxy_bearer_policy"`
+	Use   string `json:"use,omitempty" validate:"required_without=Token"`
+}
+
 // DigestAuthenticationPolicy supports either inline properties (username/password) or a secret reference (use).
 type DigestAuthenticationPolicy struct {
 	Username string `json:"username,omitempty" validate:"required_without=Use"`

@@ -49,6 +49,16 @@ func TestAuthenticationPolicy(t *testing.T) {
 			expected:   `{"digest":{"username":"digestUser","password":"digestPass"}}`,
 			expectsErr: false,
 		},
+		{
+			name: "Valid Proxy Bearer Authentication Inline",
+			input: `{
+				"proxy_bearer": {
+					"token": "proxyToken123"
+				}
+			}`,
+			expected:   `{"proxy_bearer":{"token":"proxyToken123"}}`,
+			expectsErr: false,
+		},
 	}
 
 	for _, tc := range testCases {
@@ -64,6 +74,9 @@ func TestAuthenticationPolicy(t *testing.T) {
 				if authPolicy.Bearer != nil {
 					err = validate.Struct(authPolicy.Bearer)
 				}
+				if authPolicy.ProxyBearer != nil {
+					err = validate.Struct(authPolicy.ProxyBearer)
+				}
 				if authPolicy.Digest != nil {
 					err = validate.Struct(authPolicy.Digest)
 				}

@@ -43,6 +43,7 @@ func init() {
 
 	registerValidator("basic_policy", validateBasicPolicy)
 	registerValidator("bearer_policy", validateBearerPolicy)
+	registerValidator("proxy_bearer_policy", validateProxyBearerPolicy)
 	registerValidator("digest_policy", validateDigestPolicy)
 	registerValidator("oauth2_policy", validateOAuth2Policy)
 	registerValidator("client_auth_type", validateOptionalOAuthClientAuthentication)
@@ -186,6 +187,18 @@ func validateBearerPolicy(fl validator.FieldLevel) bool {
 	return true
 }
 
+// validateProxyBearerPolicy ensures ProxyBearerAuthenticationPolicy has mutually exclusive fields set.
+func validateProxyBearerPolicy(fl validator.FieldLevel) bool {
+	policy, ok := fl.Parent().Interface().(ProxyBearerAuthenticationPolicy)
+	if !ok {
+		return false
+	}
+	if policy.Token != "" && policy.Use != "" {
+		return false
+	}
+	return true
+}
+
 // validateDigestPolicy ensures DigestAuthenticationPolicy has mutually exclusive fields set.
 func validateDigestPolicy(fl validator.FieldLevel) bool {
 	policy, ok := fl.Parent().Interface().(DigestAuthenticationPolicy)