AthenZ · psasidhar · Nov 21, 2025 · Nov 20, 2025
diff --git a/clients/go/zms/model.go b/clients/go/zms/model.go
diff --git a/clients/go/zms/zms_schema.go b/clients/go/zms/zms_schema.go
diff --git a/core/zms/src/main/java/com/yahoo/athenz/zms/ServiceIdentity.java b/core/zms/src/main/java/com/yahoo/athenz/zms/ServiceIdentity.java
@@ -54,6 +54,9 @@ public class ServiceIdentity {
     @RdlOptional
     @JsonInclude(JsonInclude.Include.NON_EMPTY)
     public String creds;
+    @RdlOptional
+    @JsonInclude(JsonInclude.Include.NON_NULL)
+    public String clientId;
 
     public ServiceIdentity setName(String name) {
         this.name = name;
@@ -153,6 +156,13 @@ public ServiceIdentity setCreds(String creds) {
     public String getCreds() {
         return creds;
     }
+    public ServiceIdentity setClientId(String clientId) {
+        this.clientId = clientId;
+        return this;
+    }
+    public String getClientId() {
+        return clientId;
+    }
 
     @Override
     public boolean equals(Object another) {
@@ -203,6 +213,9 @@ public boolean equals(Object another) {
             if (creds == null ? a.creds != null : !creds.equals(a.creds)) {
                 return false;
             }
+            if (clientId == null ? a.clientId != null : !clientId.equals(a.clientId)) {
+                return false;
+            }
         }
         return true;
     }

diff --git a/core/zms/src/main/java/com/yahoo/athenz/zms/ServiceIdentitySystemMeta.java b/core/zms/src/main/java/com/yahoo/athenz/zms/ServiceIdentitySystemMeta.java
@@ -22,6 +22,9 @@ public class ServiceIdentitySystemMeta {
     @RdlOptional
     @JsonInclude(JsonInclude.Include.NON_NULL)
     public String sshCertSignerKeyId;
+    @RdlOptional
+    @JsonInclude(JsonInclude.Include.NON_NULL)
+    public String clientId;
 
     public ServiceIdentitySystemMeta setProviderEndpoint(String providerEndpoint) {
         this.providerEndpoint = providerEndpoint;
@@ -44,6 +47,13 @@ public ServiceIdentitySystemMeta setSshCertSignerKeyId(String sshCertSignerKeyId
     public String getSshCertSignerKeyId() {
         return sshCertSignerKeyId;
     }
+    public ServiceIdentitySystemMeta setClientId(String clientId) {
+        this.clientId = clientId;
+        return this;
+    }
+    public String getClientId() {
+        return clientId;
+    }
 
     @Override
     public boolean equals(Object another) {
@@ -61,6 +71,9 @@ public boolean equals(Object another) {
             if (sshCertSignerKeyId == null ? a.sshCertSignerKeyId != null : !sshCertSignerKeyId.equals(a.sshCertSignerKeyId)) {
                 return false;
             }
+            if (clientId == null ? a.clientId != null : !clientId.equals(a.clientId)) {
+                return false;
+            }
         }
         return true;
     }

diff --git a/core/zms/src/main/java/com/yahoo/athenz/zms/ZMSSchema.java b/core/zms/src/main/java/com/yahoo/athenz/zms/ZMSSchema.java
@@ -396,7 +396,8 @@ private static Schema build() {
             .field("resourceOwnership", "ResourceServiceIdentityOwnership", true, "ownership information for the service (read-only attribute)")
             .field("x509CertSignerKeyId", "String", true, "requested x509 cert signer key id (system attribute)")
             .field("sshCertSignerKeyId", "String", true, "requested ssh cert signer key id (system attribute)")
-            .field("creds", "String", true, "the credentials for the service");
+            .field("creds", "String", true, "the credentials for the service")
+            .field("clientId", "String", true, "the OAuth2 client id for the service (system attribute)");
 
         sb.structType("ServiceIdentities")
             .comment("The representation of list of services")
@@ -412,7 +413,8 @@ private static Schema build() {
             .comment("Set of system metadata attributes that all services may have and can be changed by system admins.")
             .field("providerEndpoint", "String", true, "provider callback endpoint")
             .field("x509CertSignerKeyId", "String", true, "requested x509 cert signer key id")
-            .field("sshCertSignerKeyId", "String", true, "requested ssh cert signer key id");
+            .field("sshCertSignerKeyId", "String", true, "requested ssh cert signer key id")
+            .field("clientId", "String", true, "the OAuth2 client id for the service");
 
         sb.structType("GroupAuditLog")
             .comment("An audit log entry for group membership change.")

diff --git a/core/zms/src/main/rdl/ServiceIdentity.tdl b/core/zms/src/main/rdl/ServiceIdentity.tdl
@@ -37,6 +37,7 @@ type ServiceIdentity Struct {
     String x509CertSignerKeyId (optional, x_allowempty="true"); //requested x509 cert signer key id (system attribute)
     String sshCertSignerKeyId (optional, x_allowempty="true"); //requested ssh cert signer key id (system attribute)
     String creds (optional); //the credentials for the service
+    String clientId (optional, x_allowempty="true"); //the OAuth2 client id for the service (system attribute)
 }
 
 //The representation of list of services
@@ -56,4 +57,5 @@ type ServiceIdentitySystemMeta Struct {
     String providerEndpoint (optional); //provider callback endpoint
     String x509CertSignerKeyId (optional, x_allowempty="true"); //requested x509 cert signer key id
     String sshCertSignerKeyId (optional, x_allowempty="true"); //requested ssh cert signer key id
+    String clientId (optional, x_allowempty="true"); //the OAuth2 client id for the service
 }
diff --git a/core/zms/src/test/java/com/yahoo/athenz/zms/ServiceIdentityTest.java b/core/zms/src/test/java/com/yahoo/athenz/zms/ServiceIdentityTest.java
@@ -50,7 +50,7 @@ public void testServiceIdentity() {
                 .setTags(tags)
                 .setResourceOwnership(new ResourceServiceIdentityOwnership().setObjectOwner("TF"))
                 .setX509CertSignerKeyId("x509-keyid").setSshCertSignerKeyId("ssh-keyid")
-                .setCreds("creds");
+                .setCreds("creds").setClientId("client-id");
 
         Validator.Result result = validator.validate(si, "ServiceIdentity");
         assertTrue(result.valid);
@@ -69,6 +69,7 @@ public void testServiceIdentity() {
         assertEquals(si.getX509CertSignerKeyId(), "x509-keyid");
         assertEquals(si.getSshCertSignerKeyId(), "ssh-keyid");
         assertEquals(si.getCreds(), "creds");
+        assertEquals(si.getClientId(), "client-id");
 
         ServiceIdentity si2 = new ServiceIdentity().setName("test.service").setPublicKeys(pkel)
                 .setProviderEndpoint("http://test.endpoint").setModified(Timestamp.fromMillis(123456789123L))
@@ -77,7 +78,7 @@ public void testServiceIdentity() {
                 .setTags(tags)
                 .setResourceOwnership(new ResourceServiceIdentityOwnership().setObjectOwner("TF"))
                 .setX509CertSignerKeyId("x509-keyid").setSshCertSignerKeyId("ssh-keyid")
-                .setCreds("creds");
+                .setCreds("creds").setClientId("client-id");
 
         assertTrue(si2.equals(si));
         assertTrue(si.equals(si));
@@ -180,6 +181,13 @@ public void testServiceIdentity() {
         si2.setCreds("creds");
         assertEquals(si2, si);
 
+        si2.setClientId("client-id2");
+        assertNotEquals(si2, si);
+        si2.setClientId(null);
+        assertNotEquals(si2, si);
+        si2.setClientId("client-id");
+        assertEquals(si2, si);
+
         assertFalse(si.equals(new String()));
     }
 
@@ -201,4 +209,63 @@ public void testCredsEntry() {
 
         assertFalse(credsEntry.equals(new String()));
     }
+
+    @Test
+    public void testServiceIdentitySystemMetaMethod() {
+        Schema schema = ZMSSchema.instance();
+        Validator validator = new Validator(schema);
+
+        ServiceIdentitySystemMeta meta = new ServiceIdentitySystemMeta()
+                .setProviderEndpoint("https://host:443/endpoint")
+                .setX509CertSignerKeyId("x509-keyid")
+                .setSshCertSignerKeyId("ssh-keyid")
+                .setClientId("client-id");
+        assertTrue(meta.equals(meta));
+
+        Validator.Result result = validator.validate(meta, "ServiceIdentitySystemMeta");
+        assertTrue(result.valid);
+
+        assertEquals(meta.getProviderEndpoint(), "https://host:443/endpoint");
+        assertEquals(meta.getX509CertSignerKeyId(), "x509-keyid");
+        assertEquals(meta.getSshCertSignerKeyId(), "ssh-keyid");
+        assertEquals(meta.getClientId(), "client-id");
+
+        ServiceIdentitySystemMeta meta2 = new ServiceIdentitySystemMeta()
+                .setProviderEndpoint("https://host:443/endpoint")
+                .setX509CertSignerKeyId("x509-keyid")
+                .setSshCertSignerKeyId("ssh-keyid")
+                .setClientId("client-id");
+        assertEquals(meta, meta2);
+
+        meta2.setProviderEndpoint("https://host:443/endpoint2");
+        assertNotEquals(meta, meta2);
+        meta2.setProviderEndpoint(null);
+        assertNotEquals(meta, meta2);
+        meta2.setProviderEndpoint("https://host:443/endpoint");
+        assertEquals(meta, meta2);
+
+        meta2.setX509CertSignerKeyId("x509-keyid2");
+        assertNotEquals(meta, meta2);
+        meta2.setX509CertSignerKeyId(null);
+        assertNotEquals(meta, meta2);
+        meta2.setX509CertSignerKeyId("x509-keyid");
+        assertEquals(meta, meta2);
+
+        meta2.setSshCertSignerKeyId("ssh-keyid2");
+        assertNotEquals(meta, meta2);
+        meta2.setSshCertSignerKeyId(null);
+        assertNotEquals(meta, meta2);
+        meta2.setSshCertSignerKeyId("ssh-keyid");
+        assertEquals(meta, meta2);
+
+        meta2.setClientId("client-id2");
+        assertNotEquals(meta, meta2);
+        meta2.setClientId(null);
+        assertNotEquals(meta, meta2);
+        meta2.setClientId("client-id");
+        assertEquals(meta, meta2);
+
+        assertFalse(meta2.equals(null));
+        assertFalse(meta.equals(new String()));
+    }
 }
diff --git a/core/zms/src/test/java/com/yahoo/athenz/zms/ZMSCoreTest.java b/core/zms/src/test/java/com/yahoo/athenz/zms/ZMSCoreTest.java
@@ -2616,55 +2616,6 @@ public void testDomainRoleMembership() {
         assertFalse(drm2.equals(null));
     }
 
-    @Test
-    public void testServiceIdentitySystemMetaMethod() {
-        Schema schema = ZMSSchema.instance();
-        Validator validator = new Validator(schema);
-
-        ServiceIdentitySystemMeta meta = new ServiceIdentitySystemMeta()
-                .setProviderEndpoint("https://host:443/endpoint")
-                .setX509CertSignerKeyId("x509-keyid")
-                .setSshCertSignerKeyId("ssh-keyid");
-        assertTrue(meta.equals(meta));
-
-        Result result = validator.validate(meta, "ServiceIdentitySystemMeta");
-        assertTrue(result.valid);
-
-        assertEquals(meta.getProviderEndpoint(), "https://host:443/endpoint");
-        assertEquals(meta.getX509CertSignerKeyId(), "x509-keyid");
-        assertEquals(meta.getSshCertSignerKeyId(), "ssh-keyid");
-
-        ServiceIdentitySystemMeta meta2 = new ServiceIdentitySystemMeta()
-                .setProviderEndpoint("https://host:443/endpoint")
-                .setX509CertSignerKeyId("x509-keyid")
-                .setSshCertSignerKeyId("ssh-keyid");
-        assertEquals(meta, meta2);
-
-        meta2.setProviderEndpoint("https://host:443/endpoint2");
-        assertNotEquals(meta, meta2);
-        meta2.setProviderEndpoint(null);
-        assertNotEquals(meta, meta2);
-        meta2.setProviderEndpoint("https://host:443/endpoint");
-        assertEquals(meta, meta2);
-
-        meta2.setX509CertSignerKeyId("x509-keyid2");
-        assertNotEquals(meta, meta2);
-        meta2.setX509CertSignerKeyId(null);
-        assertNotEquals(meta, meta2);
-        meta2.setX509CertSignerKeyId("x509-keyid");
-        assertEquals(meta, meta2);
-
-        meta2.setSshCertSignerKeyId("ssh-keyid2");
-        assertNotEquals(meta, meta2);
-        meta2.setSshCertSignerKeyId(null);
-        assertNotEquals(meta, meta2);
-        meta2.setSshCertSignerKeyId("ssh-keyid");
-        assertEquals(meta, meta2);
-
-        assertFalse(meta2.equals(null));
-        assertFalse(meta.equals(new String()));
-    }
-
     @Test
     public void testJWSDomain() {
 

diff --git a/libs/go/zmscli/cli.go b/libs/go/zmscli/cli.go
@@ -729,6 +729,10 @@ func (cli Zms) EvalCommand(params []string) (*string, error) {
 			if argc == 2 {
 				return cli.SetServiceEndpoint(dn, args[0], args[1])
 			}
+		case "set-service-client-id":
+			if argc == 2 {
+				return cli.SetServiceClientId(dn, args[0], args[1])
+			}
 		case "set-service-x509-cert-signer-keyid":
 			if argc == 2 {
 				return cli.SetServiceX509CertSignerKeyId(dn, args[0], args[1])
@@ -2604,6 +2608,18 @@ func (cli Zms) HelpSpecificCommand(interactive bool, cmd string) string {
 		buf.WriteString("            : To remove the endpoint pass \"\" as its value\n")
 		buf.WriteString(" examples:\n")
 		buf.WriteString("   " + domainExample + " set-service-endpoint storage https://coretech.athenzcompany.com:4080/tableProvider\n")
+	case "set-service-client-id":
+		buf.WriteString(" syntax:\n")
+		buf.WriteString("   " + domainParam + " set-service-client-id service client-id\n")
+		buf.WriteString(" parameters:\n")
+		if !interactive {
+			buf.WriteString("   domain   : name of the domain that service belongs to\n")
+		}
+		buf.WriteString("   service  : name of the service to set the oauth2 client id\n")
+		buf.WriteString("   client-id : the client id from the Identity Provider for this service\n")
+		buf.WriteString("            : To remove the client-id pass \"\" as its value\n")
+		buf.WriteString(" examples:\n")
+		buf.WriteString("   " + domainExample + " set-service-client-id storage a343nbsf36fg\n")
 	case "set-service-x509-cert-signer-keyid":
 		buf.WriteString(" syntax:\n")
 		buf.WriteString("   " + domainParam + " set-service-x509-cert-signer-keyid service keyid\n")
@@ -3866,6 +3882,7 @@ func (cli Zms) HelpListCommand() string {
 	buf.WriteString("   add-provider-service service key_id identity_pubkey.pem|identity_key_ybase64\n")
 	buf.WriteString("   set-service-resource-ownership service resource-owner\n")
 	buf.WriteString("   set-service-endpoint service endpoint\n")
+	buf.WriteString("   set-service-client-id service client-id\n")
 	buf.WriteString("   set-service-x509-cert-signer-keyid service keyid\n")
 	buf.WriteString("   set-service-ssh-cert-signer-keyid service keyid\n")
 	buf.WriteString("   set-service-exe service executable user group\n")

diff --git a/libs/go/zmscli/service.go b/libs/go/zmscli/service.go
@@ -361,6 +361,24 @@ func (cli Zms) SetServiceEndpoint(dn string, sn string, endpoint string) (*strin
 	return cli.dumpByFormat(message, cli.buildYAMLOutput)
 }
 
+func (cli Zms) SetServiceClientId(dn string, sn string, clientId string) (*string, error) {
+	shortName := shortname(dn, sn)
+	meta := zms.ServiceIdentitySystemMeta{
+		ClientId: clientId,
+	}
+	err := cli.Zms.PutServiceIdentitySystemMeta(zms.DomainName(dn), zms.SimpleName(shortName), "clientid", cli.AuditRef, &meta)
+	if err != nil {
+		return nil, err
+	}
+	s := "[domain " + dn + " service " + sn + " client-id successfully updated]\n"
+	message := SuccessMessage{
+		Status:  200,
+		Message: s,
+	}
+
+	return cli.dumpByFormat(message, cli.buildYAMLOutput)
+}
+
 func (cli Zms) SetServiceX509CertSignerKeyId(dn string, sn string, keyId string) (*string, error) {
 	shortName := shortname(dn, sn)
 	meta := zms.ServiceIdentitySystemMeta{