From 9b60c8d6e0d96b873429e2b3abb03ca0ac1b8f85 Mon Sep 17 00:00:00 2001 From: Rolfe Dlugy-Hegwer Date: Tue, 16 Jul 2024 13:52:56 -0400 Subject: [PATCH] Update for quarkus-resteasy-client-oidc-token-propagation and quarkus-rest-client-oidc-token-propagation support in RHBQ --- .../security-authentication-mechanisms.adoc | 2 - ...urity-openid-connect-client-reference.adoc | 9 ---- .../security-openid-connect-client.adoc | 42 ------------------- 3 files changed, 53 deletions(-) diff --git a/docs/src/main/asciidoc/security-authentication-mechanisms.adoc b/docs/src/main/asciidoc/security-authentication-mechanisms.adoc index 2f564939a6906..c1281764ae000 100644 --- a/docs/src/main/asciidoc/security-authentication-mechanisms.adoc +++ b/docs/src/main/asciidoc/security-authentication-mechanisms.adoc @@ -362,14 +362,12 @@ For example, it can be a public endpoint or be protected with mTLS. In this scenario, you do not need to protect your Quarkus endpoint by using the Quarkus OpenID Connect adapter. ==== -ifndef::no-quarkus-oidc-token-propagation[] The `quarkus-oidc-token-propagation` extension requires the `quarkus-oidc` extension. It provides Jakarta REST `TokenCredentialRequestFilter`, which sets the OpenID Connect Bearer token or Authorization Code Flow access token as the `Bearer` scheme value of the HTTP `Authorization` header. This filter can be registered with MicroProfile REST client implementations injected into the current Quarkus endpoint, which must be protected by using the Quarkus OIDC adapter. This filter can propagate the access token to the downstream services. For more information, see the xref:security-openid-connect-client.adoc[OpenID Connect client and token propagation quickstart] and xref:security-openid-connect-client-reference.adoc[OpenID Connect (OIDC) and OAuth2 client and filters reference] guides. -endif::no-quarkus-oidc-token-propagation[] [[smallrye-jwt-authentication]] diff --git a/docs/src/main/asciidoc/security-openid-connect-client-reference.adoc b/docs/src/main/asciidoc/security-openid-connect-client-reference.adoc index acd8627a157fe..1f640b1e1179e 100644 --- a/docs/src/main/asciidoc/security-openid-connect-client-reference.adoc +++ b/docs/src/main/asciidoc/security-openid-connect-client-reference.adoc @@ -16,10 +16,7 @@ This includes the following: - Using `quarkus-oidc-client`, `quarkus-oidc-client-reactive-filter` and `quarkus-oidc-client-filter` extensions to acquire and refresh access tokens from OpenID Connect and OAuth 2.0 compliant Authorization Servers such as link:https://www.keycloak.org[Keycloak]. -ifndef::no-quarkus-oidc-token-propagation[] - - Using `quarkus-oidc-token-propagation-reactive` and `quarkus-oidc-token-propagation` extensions to propagate the current `Bearer` or `Authorization Code Flow` access tokens. -endif::no-quarkus-oidc-token-propagation[] The access tokens managed by these extensions can be used as HTTP Authorization Bearer tokens to access the remote services. @@ -917,7 +914,6 @@ public class OidcRequestCustomizer implements OidcRequestFilter { } ---- -ifndef::no-quarkus-oidc-token-propagation-reactive[] [[token-propagation-reactive]] == Token Propagation Reactive @@ -993,9 +989,7 @@ quarkus.oidc-token-propagation-reactive.exchange-token=true ---- `AccessTokenRequestReactiveFilter` uses a default `OidcClient` by default. A named `OidcClient` can be selected with a `quarkus.oidc-token-propagation-reactive.client-name` configuration property or with the `io.quarkus.oidc.token.propagation.AccessToken#exchangeTokenClient` annotation attribute. -endif::no-quarkus-oidc-token-propagation-reactive[] -ifndef::no-quarkus-oidc-token-propagation[] [[token-propagation]] == Token Propagation @@ -1010,7 +1004,6 @@ However, the direct end-to-end Bearer token propagation should be avoided. For e Additionally, a complex application might need to exchange or update the tokens before propagating them. For example, the access context might be different when `Service A` is accessing `Service B`. In this case, `Service A` might be granted a narrow or completely different set of scopes to access `Service B`. The following sections show how `AccessTokenRequestFilter` and `JsonWebTokenRequestFilter` can help. -endif::no-quarkus-oidc-token-propagation[] === RestClient AccessTokenRequestFilter @@ -1152,7 +1145,6 @@ As mentioned, use `AccessTokenRequestFilter` if you work with Keycloak or an Ope You can generate the tokens as described in xref:security-oidc-bearer-token-authentication.adoc#integration-testing[OpenID Connect Bearer Token Integration testing] section. Prepare the REST test endpoints. You can have the test front-end endpoint, which uses the injected MP REST client with a registered token propagation filter, call the downstream endpoint. For example, see the `integration-tests/oidc-token-propagation` in the `main` Quarkus repository. -ifndef::no-quarkus-oidc-token-propagation[] [[reactive-token-propagation]] == Token Propagation Reactive @@ -1170,7 +1162,6 @@ The `quarkus-oidc-token-propagation-reactive` extension provides `io.quarkus.oid The `quarkus-oidc-token-propagation-reactive` extension (as opposed to the non-reactive `quarkus-oidc-token-propagation` extension) does not currently support the exchanging or resigning of the tokens before the propagation. However, these features might be added in the future. -endif::no-quarkus-oidc-token-propagation[] ifndef::no-quarkus-oidc-client-graphql[] [[quarkus-oidc-client-graphql]] diff --git a/docs/src/main/asciidoc/security-openid-connect-client.adoc b/docs/src/main/asciidoc/security-openid-connect-client.adoc index 9a11e0baa3961..2d84e20f5dc24 100644 --- a/docs/src/main/asciidoc/security-openid-connect-client.adoc +++ b/docs/src/main/asciidoc/security-openid-connect-client.adoc @@ -64,7 +64,6 @@ The solution is in the `security-openid-connect-client-quickstart` link:{quickst First, you need a new project. Create a new project with the following command: -ifndef::no-quarkus-oidc-token-propagation[] :create-app-artifact-id: security-openid-connect-client-quickstart :create-app-extensions: oidc,oidc-client-reactive-filter,oidc-token-propagation-reactive,resteasy-reactive include::{includes}/devtools/create-app.adoc[] @@ -75,25 +74,9 @@ If you already have your Quarkus project configured, you can add these extension :add-extension-extensions: oidc,oidc-client-reactive-filter,oidc-token-propagation-reactive,resteasy-reactive include::{includes}/devtools/extension-add.adoc[] -endif::no-quarkus-oidc-token-propagation[] - -ifdef::no-quarkus-oidc-token-propagation[] -:create-app-artifact-id: security-openid-connect-client-quickstart -:create-app-extensions: oidc,oidc-client-reactive-filter,resteasy-reactive - -include::{includes}/devtools/create-app.adoc[] - -It generates a Maven project, importing the `oidc`, `oidc-client-reactive-filter`, and `resteasy-reactive` extensions. - -If you already have your Quarkus project configured, you can add these extensions to your project by running the following command in your project base directory: - -:add-extension-extensions: oidc,oidc-client-reactive-filter,resteasy-reactive -include::{includes}/devtools/extension-add.adoc[] -endif::no-quarkus-oidc-token-propagation[] This command adds the following extensions to your build file: -ifndef::no-quarkus-oidc-token-propagation[] [source,xml,role="primary asciidoc-tabs-target-sync-cli asciidoc-tabs-target-sync-maven"] .pom.xml ---- @@ -120,31 +103,6 @@ ifndef::no-quarkus-oidc-token-propagation[] ---- implementation("io.quarkus:quarkus-oidc,oidc-client-reactive-filter,oidc-token-propagation-reactive,resteasy-reactive") ---- -endif::no-quarkus-oidc-token-propagation[] -ifdef::no-quarkus-oidc-token-propagation[] -[source,xml,role="primary asciidoc-tabs-target-sync-cli asciidoc-tabs-target-sync-maven"] -.pom.xml ----- - - io.quarkus - quarkus-oidc - - - io.quarkus - quarkus-oidc-client-reactive-filter - - - io.quarkus - quarkus-resteasy-reactive - ----- - -[source,gradle,role="secondary asciidoc-tabs-target-sync-gradle"] -.build.gradle ----- -implementation("io.quarkus:quarkus-oidc,oidc-client-reactive-filter,resteasy-reactive") ----- -endif::no-quarkus-oidc-token-propagation[] == Writing the application