diff --git a/docs/src/main/asciidoc/security-openid-connect.adoc b/docs/src/main/asciidoc/security-openid-connect.adoc index 1d4f1adbca9e1..2f82bf23fb744 100644 --- a/docs/src/main/asciidoc/security-openid-connect.adoc +++ b/docs/src/main/asciidoc/security-openid-connect.adoc @@ -14,29 +14,29 @@ The Bearer Tokens are issued by OIDC and OAuth 2.0 compliant authorization serve Bearer Token Authorization is the process of authorizing HTTP requests based on the existence and validity of a Bearer Token. The Bearer Token provides information about the subject of the call which is used to determine whether or not an HTTP resource can be accessed. -The following figures outline the Bearer Token Authorization mechanism in Quarkus: +The following diagrams outline the Bearer Token Authorization mechanism in Quarkus: -.Bearer Token Authorization mechanism in Quarkus +.Bearer Token Authorization mechanism in Quarkus with Single-page application image::security-bearer-token-authorization-mechanism-1.png[alt=Bearer Token Authorization, align=center] -In the previous figure: +In the previous diagram: -. First, the Quarkus service retrieves verification keys from the OpenID Connect provider. -. The Quarkus user accesses the single-page application. -. The single-page application uses Authorization Code Flow to authenticate the user and retrieve tokens from the OpenID Connect provider. -. The single-page application uses the access token to retrieve the service data from the Quarkus service. -. The Quarkus service verifies the bearer access token and returns data to the single-page application. -. The single-page application returns the same data to the Quarkus user. +1. The Quarkus service retrieves verification keys from the OpenID Connect provider. The verification keys are used to verify the bearer access token signatures. +2. The Quarkus user accesses the Single-page application. +3. The Single-page application uses Authorization Code Flow to authenticate the user and retrieve tokens from the OpenID Connect provider. +4. The Single-page application uses the access token to retrieve the service data from the Quarkus service. +5. The Quarkus service verifies the bearer access token signature using the verification keys, checks the token expiry date and other claims, allows the request to proceed if the token is valid, and returns the service response to the Single-page application. +6. The Single-page application returns the same data to the Quarkus user. -.Bearer Token Authorization mechanism with Client in Quarkus +.Bearer Token Authorization mechanism in Quarkus with Java or command line client image::security-bearer-token-authorization-mechanism-2.png[alt=Bearer Token Authorization, align=center] -In the previous figure: +In the previous diagram: -. First, the Quarkus service retrieves verification keys from the OpenID Connect provider. -. The Client uses provided credentials to retrieve the access token from the OpenID Connect provider. -. The Client uses the access token to retrieve the service data from the Quarkus service. -. The Quarkus service verifies the bearer access token and returns data to the Client. +1. The Quarkus service retrieves verification keys from the OpenID Connect provider. The verification keys are used to verify the bearer access token signatures. +2. The Client uses `client_credentials` that requires client ID and secret or password grant, which also requires client ID, secret, user name, and password to retrieve the access token from the OpenID Connect provider. +3. The Client uses the access token to retrieve the service data from the Quarkus service. +4. The Quarkus service verifies the bearer access token signature using the verification keys, checks the token expiry date and other claims, allows the request to proceed if the token is valid, and returns the service response to the Client. If you need to authenticate and authorize the users using OpenID Connect Authorization Code Flow, see xref:security-openid-connect-web-authentication.adoc[Using OpenID Connect to Protect Web Applications]. Also, if you use Keycloak and Bearer Tokens, see xref:security-keycloak-authorization.adoc[Using Keycloak to Centralize Authorization].