From bc564272debcbd10138e134dbbe920970a305075 Mon Sep 17 00:00:00 2001
From: MyMirelHub <15373565+MyMirelHub@users.noreply.github.com>
Date: Wed, 8 Apr 2026 11:27:00 +0200
Subject: [PATCH 1/2] Add OAuth configuration fields to Zeebe command and JobWorker binding specs

Signed-off-by: MyMirelHub <15373565+MyMirelHub@users.noreply.github.com>
---
 .../supported-bindings/zeebe-command.md | 20 +++++++++++++++++++
 .../supported-bindings/zeebe-jobworker.md | 20 +++++++++++++++++++
 2 files changed, 40 insertions(+)

diff --git a/daprdocs/content/en/reference/components-reference/supported-bindings/zeebe-command.md b/daprdocs/content/en/reference/components-reference/supported-bindings/zeebe-command.md
index b34642e913f..5457b7f3d8d 100644
--- a/daprdocs/content/en/reference/components-reference/supported-bindings/zeebe-command.md
+++ b/daprdocs/content/en/reference/components-reference/supported-bindings/zeebe-command.md
@@ -28,6 +28,18 @@ spec:
 value: "true"
 - name: caCertificatePath
 value: "/path/to/ca-cert"
+ - name: clientId
+ value: "zeebe-client"
+ - name: clientSecret
+ value: "zeebe-secret"
+ - name: authorizationServerUrl
+ value: "https://issuer.example.com/oauth/token"
+ - name: tokenAudience
+ value: "zeebe-api"
+ - name: tokenScope
+ value: "read write"
+ - name: clientConfigPath
+ value: "/tmp/zeebe-credentials.yaml"
 ```
 
 ## Spec metadata fields
@@ -38,6 +50,14 @@ spec:
 | `gatewayKeepAlive` | N | Output | Sets how often keep alive messages should be sent to the gateway. Defaults to 45 seconds | `"45s"` |
 | `usePlainTextConnection` | N | Output | Whether to use a plain text connection or not | `"true"`, `"false"` |
 | `caCertificatePath` | N | Output | The path to the CA cert | `"/path/to/ca-cert"` |
+| `clientId` | N | Output | OAuth client ID used to request an access token. When OAuth is configured, set this together with `clientSecret`, `authorizationServerUrl`, and `tokenAudience` | `"zeebe-client"` |
+| `clientSecret` | N | Output | OAuth client secret used to request an access token. When OAuth is configured, set this together with `clientId`, `authorizationServerUrl`, and `tokenAudience` | `"zeebe-secret"` |
+| `authorizationServerUrl` | N | Output | OAuth authorization server URL used to obtain access tokens. When OAuth is configured, set this together with `clientId`, `clientSecret`, and `tokenAudience` | `"https://issuer.example.com/oauth/token"` |
+| `tokenAudience` | N | Output | OAuth token audience for Zeebe API access. When OAuth is configured, set this together with `clientId`, `clientSecret`, and `authorizationServerUrl` | `"zeebe-api"` |
+| `tokenScope` | N | Output | Optional OAuth scope requested in the access token when OAuth is configured | `"read write"` |
+| `clientConfigPath` | N | Output | Optional path to the OAuth credentials cache file when OAuth is configured | `"/tmp/zeebe-credentials.yaml"` |
+
+OAuth is optional. If any OAuth metadata field is set, all of these fields are required: `clientId`, `clientSecret`, `authorizationServerUrl`, and `tokenAudience`.
 
 ## Binding support
 
diff --git a/daprdocs/content/en/reference/components-reference/supported-bindings/zeebe-jobworker.md b/daprdocs/content/en/reference/components-reference/supported-bindings/zeebe-jobworker.md
index a4d0e6aaaea..e955098fb54 100644
--- a/daprdocs/content/en/reference/components-reference/supported-bindings/zeebe-jobworker.md
+++ b/daprdocs/content/en/reference/components-reference/supported-bindings/zeebe-jobworker.md
@@ -28,6 +28,18 @@ spec:
 value: "true"
 - name: caCertificatePath
 value: "/path/to/ca-cert"
+ - name: clientId
+ value: "zeebe-client"
+ - name: clientSecret
+ value: "zeebe-secret"
+ - name: authorizationServerUrl
+ value: "https://issuer.example.com/oauth/token"
+ - name: tokenAudience
+ value: "zeebe-api"
+ - name: tokenScope
+ value: "read write"
+ - name: clientConfigPath
+ value: "/tmp/zeebe-credentials.yaml"
 - name: workerName
 value: "products-worker"
 - name: workerTimeout
@@ -62,6 +74,12 @@ spec:
 | `gatewayKeepAlive` | N | Input | Sets how often keep alive messages should be sent to the gateway. Defaults to 45 seconds | `"45s"` |
 | `usePlainTextConnection` | N | Input | Whether to use a plain text connection or not | `"true"`, `"false"` |
 | `caCertificatePath` | N | Input | The path to the CA cert | `"/path/to/ca-cert"` |
+| `clientId` | N | Input | OAuth client ID used to request an access token. When OAuth is configured, set this together with `clientSecret`, `authorizationServerUrl`, and `tokenAudience` | `"zeebe-client"` |
+| `clientSecret` | N | Input | OAuth client secret used to request an access token. When OAuth is configured, set this together with `clientId`, `authorizationServerUrl`, and `tokenAudience` | `"zeebe-secret"` |
+| `authorizationServerUrl` | N | Input | OAuth authorization server URL used to obtain access tokens. When OAuth is configured, set this together with `clientId`, `clientSecret`, and `tokenAudience` | `"https://issuer.example.com/oauth/token"` |
+| `tokenAudience` | N | Input | OAuth token audience for Zeebe API access. When OAuth is configured, set this together with `clientId`, `clientSecret`, and `authorizationServerUrl` | `"zeebe-api"` |
+| `tokenScope` | N | Input | Optional OAuth scope requested in the access token when OAuth is configured | `"read write"` |
+| `clientConfigPath` | N | Input | Optional path to the OAuth credentials cache file when OAuth is configured | `"/tmp/zeebe-credentials.yaml"` |
 | `workerName` | N | Input | The name of the worker activating the jobs, mostly used for logging purposes | `"products-worker"` |
 | `workerTimeout` | N | Input | A job returned after this call will not be activated by another call until the timeout has been reached; defaults to 5 minutes | `"5m"` |
 | `requestTimeout` | N | Input | The request will be completed when at least one job is activated or after the requestTimeout. If the requestTimeout = 0, a default timeout is used. 
If the requestTimeout < 0, long polling is disabled and the request is completed immediately, even when no job is activated. Defaults to 10 seconds | `"30s"` |
@@ -75,6 +93,8 @@ spec:
 | `retryBackOff` | N | Input | The back-off timeout for the next retry if a job fails | `15s` |
 | `direction` | N | Input | The direction of the binding | `"input"` |
 
+OAuth is optional. If any OAuth metadata field is set, all of these fields are required: `clientId`, `clientSecret`, `authorizationServerUrl`, and `tokenAudience`.
+
 ## Binding support
 
 This component supports **input** binding interfaces.

From 524c2afd78dbc5d32f5e2d76dfb975b654d31628 Mon Sep 17 00:00:00 2001
From: MyMirelHub <15373565+MyMirelHub@users.noreply.github.com>
Date: Fri, 10 Apr 2026 15:03:12 +0100
Subject: [PATCH 2/2] Add OAuth cache path guidance to Zeebe command and JobWorker binding specs

Signed-off-by: MyMirelHub <15373565+MyMirelHub@users.noreply.github.com>
---
 .../supported-bindings/zeebe-command.md | 6 ++++++
 .../supported-bindings/zeebe-jobworker.md | 6 ++++++
 2 files changed, 12 insertions(+)

diff --git a/daprdocs/content/en/reference/components-reference/supported-bindings/zeebe-command.md b/daprdocs/content/en/reference/components-reference/supported-bindings/zeebe-command.md
index 5457b7f3d8d..7df847bace6 100644
--- a/daprdocs/content/en/reference/components-reference/supported-bindings/zeebe-command.md
+++ b/daprdocs/content/en/reference/components-reference/supported-bindings/zeebe-command.md
@@ -59,6 +59,12 @@ spec:
 
 OAuth is optional. If any OAuth metadata field is set, all of these fields are required: `clientId`, `clientSecret`, `authorizationServerUrl`, and `tokenAudience`.
 
+### OAuth cache path guidance
+
+- `clientConfigPath` points to the OAuth credentials cache file used by the Zeebe client.
+- The Dapr sidecar must have write permissions to this file path.
+- To preserve cached credentials across restarts, use a persistent mounted path.
+
 ## Binding support
 
 This component supports **output binding** with the following operations:
diff --git a/daprdocs/content/en/reference/components-reference/supported-bindings/zeebe-jobworker.md b/daprdocs/content/en/reference/components-reference/supported-bindings/zeebe-jobworker.md
index e955098fb54..9498e051f0e 100644
--- a/daprdocs/content/en/reference/components-reference/supported-bindings/zeebe-jobworker.md
+++ b/daprdocs/content/en/reference/components-reference/supported-bindings/zeebe-jobworker.md
@@ -95,6 +95,12 @@ spec:
 
 OAuth is optional. If any OAuth metadata field is set, all of these fields are required: `clientId`, `clientSecret`, `authorizationServerUrl`, and `tokenAudience`.
 
+### OAuth cache path guidance
+
+- `clientConfigPath` points to the OAuth credentials cache file used by the Zeebe client.
+- The Dapr sidecar must have write permissions to this file path.
+- To preserve cached credentials across restarts, use a persistent mounted path.
+
 ## Binding support
 
 This component supports **input** binding interfaces.