serverlessworkflow · ricardozanini · Nov 20, 2025 · Nov 20, 2025
@@ -18,10 +18,12 @@
 import io.serverlessworkflow.api.types.BasicAuthenticationPolicy;
 import io.serverlessworkflow.api.types.BasicAuthenticationPolicyConfiguration;
 import io.serverlessworkflow.api.types.BasicAuthenticationProperties;
+import io.serverlessworkflow.api.types.SecretBasedAuthenticationPolicy;
 
 public final class BasicAuthenticationPolicyBuilder {
 
-  private final BasicAuthenticationProperties basicAuthenticationProperties;
+  private BasicAuthenticationProperties basicAuthenticationProperties;
+  private SecretBasedAuthenticationPolicy secretBasedAuthenticationPolicy;
 
   BasicAuthenticationPolicyBuilder() {
     this.basicAuthenticationProperties = new BasicAuthenticationProperties();
@@ -37,10 +39,19 @@ public BasicAuthenticationPolicyBuilder password(String password) {
     return this;
   }
 
+  public BasicAuthenticationPolicyBuilder use(String secret) {
+    this.secretBasedAuthenticationPolicy = new SecretBasedAuthenticationPolicy(secret);
+    return this;
+  }
+
   public BasicAuthenticationPolicy build() {
     final BasicAuthenticationPolicyConfiguration configuration =
         new BasicAuthenticationPolicyConfiguration();
-    configuration.setBasicAuthenticationProperties(basicAuthenticationProperties);
+    if (this.secretBasedAuthenticationPolicy != null) {
+      configuration.setBasicAuthenticationPolicySecret(secretBasedAuthenticationPolicy);
+    } else {
+      configuration.setBasicAuthenticationProperties(basicAuthenticationProperties);
+    }
     return new BasicAuthenticationPolicy(configuration);
   }
 }
@@ -18,23 +18,32 @@
 import io.serverlessworkflow.api.types.BearerAuthenticationPolicy;
 import io.serverlessworkflow.api.types.BearerAuthenticationPolicyConfiguration;
 import io.serverlessworkflow.api.types.BearerAuthenticationProperties;
+import io.serverlessworkflow.api.types.SecretBasedAuthenticationPolicy;
 
 public final class BearerAuthenticationPolicyBuilder {
-  private final BearerAuthenticationProperties bearerAuthenticationProperties;
+  private BearerAuthenticationProperties bearerAuthenticationProperties;
+  private SecretBasedAuthenticationPolicy secretBasedAuthenticationPolicy;
 
-  BearerAuthenticationPolicyBuilder() {
-    this.bearerAuthenticationProperties = new BearerAuthenticationProperties();
-  }
+  BearerAuthenticationPolicyBuilder() {}
 
   public BearerAuthenticationPolicyBuilder token(final String token) {
-    this.bearerAuthenticationProperties.setToken(token);
+    this.bearerAuthenticationProperties = new BearerAuthenticationProperties().withToken(token);
+    return this;
+  }
+
+  public BearerAuthenticationPolicyBuilder use(final String secret) {
+    this.secretBasedAuthenticationPolicy = new SecretBasedAuthenticationPolicy(secret);
     return this;
   }
 
   public BearerAuthenticationPolicy build() {
     final BearerAuthenticationPolicyConfiguration configuration =
         new BearerAuthenticationPolicyConfiguration();
-    configuration.setBearerAuthenticationProperties(bearerAuthenticationProperties);
+    if (this.secretBasedAuthenticationPolicy != null) {
+      configuration.setBearerAuthenticationPolicySecret(this.secretBasedAuthenticationPolicy);
+    } else {
+      configuration.setBearerAuthenticationProperties(bearerAuthenticationProperties);
+    }
     return new BearerAuthenticationPolicy(configuration);
   }
 }
@@ -18,9 +18,11 @@
 import io.serverlessworkflow.api.types.DigestAuthenticationPolicy;
 import io.serverlessworkflow.api.types.DigestAuthenticationPolicyConfiguration;
 import io.serverlessworkflow.api.types.DigestAuthenticationProperties;
+import io.serverlessworkflow.api.types.SecretBasedAuthenticationPolicy;
 
 public final class DigestAuthenticationPolicyBuilder {
   private final DigestAuthenticationProperties digestAuthenticationProperties;
+  private SecretBasedAuthenticationPolicy secretBasedAuthenticationPolicy;
 
   DigestAuthenticationPolicyBuilder() {
     this.digestAuthenticationProperties = new DigestAuthenticationProperties();
@@ -36,10 +38,19 @@ public DigestAuthenticationPolicyBuilder password(String password) {
     return this;
   }
 
+  public DigestAuthenticationPolicyBuilder use(String secret) {
+    this.secretBasedAuthenticationPolicy = new SecretBasedAuthenticationPolicy(secret);
+    return this;
+  }
+
   public DigestAuthenticationPolicy build() {
     final DigestAuthenticationPolicyConfiguration configuration =
         new DigestAuthenticationPolicyConfiguration();
-    configuration.setDigestAuthenticationProperties(digestAuthenticationProperties);
+    if (this.secretBasedAuthenticationPolicy != null) {
+      configuration.setDigestAuthenticationPolicySecret(this.secretBasedAuthenticationPolicy);
+    } else {
+      configuration.setDigestAuthenticationProperties(digestAuthenticationProperties);
+    }
     return new DigestAuthenticationPolicy(configuration);
   }
 }
@@ -38,7 +38,13 @@ public OAuth2AuthenticationPolicyBuilder endpoints(
   public OAuth2AuthenticationPolicy build() {
     final OAuth2AuthenticationPolicyConfiguration configuration =
         new OAuth2AuthenticationPolicyConfiguration();
-    configuration.setOAuth2ConnectAuthenticationProperties(this.authenticationData);
+
+    if (this.secretBasedAuthenticationPolicy != null) {
+      configuration.setOAuth2AuthenticationPolicySecret(this.secretBasedAuthenticationPolicy);
+    } else {
+      configuration.setOAuth2ConnectAuthenticationProperties(this.authenticationData);
+    }
+
     final OAuth2AuthenticationPolicy policy = new OAuth2AuthenticationPolicy();
     policy.setOauth2(configuration);
     return policy;

@@ -22,11 +22,13 @@
 import io.serverlessworkflow.api.types.OAuth2ConnectAuthenticationProperties;
 import io.serverlessworkflow.api.types.OAuth2TokenDefinition;
 import io.serverlessworkflow.api.types.OAuth2TokenRequest;
+import io.serverlessworkflow.api.types.SecretBasedAuthenticationPolicy;
 import java.util.List;
 import java.util.function.Consumer;
 
 public abstract class OIDCBuilder<T extends AuthenticationPolicy> {
   protected final OAuth2ConnectAuthenticationProperties authenticationData;
+  protected SecretBasedAuthenticationPolicy secretBasedAuthenticationPolicy;
 
   OIDCBuilder() {
     this.authenticationData = new OAuth2ConnectAuthenticationProperties();
@@ -101,6 +103,11 @@ public OIDCBuilder<T> client(Consumer<OAuth2AuthenticationDataClientBuilder> cli
     return this;
   }
 
+  public OIDCBuilder<T> use(String secret) {
+    this.secretBasedAuthenticationPolicy = new SecretBasedAuthenticationPolicy(secret);
+    return this;
+  }
+
   protected final OAuth2AuthenticationData getAuthenticationData() {
     return authenticationData;
   }

@@ -340,6 +340,10 @@ public static AuthenticationConfigurer basic(String username, String password) {
     return a -> a.basic(b -> b.username(username).password(password));
   }
 
+  public static AuthenticationConfigurer basic(String secret) {
+    return a -> a.basic(b -> b.use(secret));
+  }
+
   /**
    * Build a Bearer token authentication configurer.
    *
@@ -356,6 +360,10 @@ public static AuthenticationConfigurer bearer(String token) {
     return a -> a.bearer(b -> b.token(token));
   }
 
+  public static AuthenticationConfigurer bearerUse(String secret) {
+    return a -> a.bearer(b -> b.use(secret));
+  }
+
   /**
    * Build a Digest authentication configurer with username and password.
    *
@@ -367,6 +375,10 @@ public static AuthenticationConfigurer digest(String username, String password)
     return a -> a.digest(d -> d.username(username).password(password));
   }
 
+  public static AuthenticationConfigurer digest(String secret) {
+    return a -> a.digest(d -> d.use(secret));
+  }
+
   /**
    * Build an OpenID Connect (OIDC) authentication configurer without client credentials.
    *
@@ -401,7 +413,9 @@ public static AuthenticationConfigurer oidc(
                     .client(c -> c.id(clientId).secret(clientSecret)));
   }
 
-  // TODO: we may create an OIDCSpec for chained builders if necessary
+  public static AuthenticationConfigurer oidc(String secret) {
+    return a -> a.openIDConnect(o -> o.use(secret));
+  }
 
   /**
    * Alias for {@link #oidc(String, OAuth2AuthenticationData.OAuth2AuthenticationDataGrant)} using
@@ -439,6 +453,10 @@ public static AuthenticationConfigurer oauth2(
                     .client(c -> c.id(clientId).secret(clientSecret)));
   }
 
+  public static AuthenticationConfigurer oauth2(String secret) {
+    return a -> a.openIDConnect(o -> o.use(secret));
+  }
+
   /**
    * Build a {@link RaiseSpec} for an error with a string type expression and HTTP status.
    *