Inconsistent Bearer token authentication in docs #34321

Merged
Expand Up @@ -242,15 +242,15 @@ For more information, see the xref:security-openid-connect-client.adoc[OpenID Co
The `quarkus-smallrye-jwt` extension provides a MicroProfile JSON Web Token (JWT) 2.1 implementation and multiple options to verify signed and encrypted `JWT` tokens.
It represents them as `org.eclipse.microprofile.jwt.JsonWebToken`.

`quarkus-smallrye-jwt` is an alternative to the `quarkus-oidc` Bearer authentication mechanism and verifies only `JWT` tokens by using either Privacy Enhanced Mail (PEM) keys or the refreshable `JWK` key set.
`quarkus-smallrye-jwt` is an alternative to the `quarkus-oidc` Bearer token authentication mechanism and verifies only `JWT` tokens by using either Privacy Enhanced Mail (PEM) keys or the refreshable `JWK` key set.
`quarkus-smallrye-jwt` also provides the JWT generation API, which you can use to easily create `signed`, `inner-signed`, and `encrypted` `JWT` tokens.

For more information, see the xref:security-jwt.adoc[Using JWT RBAC] guide.

[[oauth2-authentication]]
=== OAuth2 authentication

`quarkus-elytron-security-oauth2` provides an alternative to the Quarkus `quarkus-oidc` Bearer authentication mechanism extension.
`quarkus-elytron-security-oauth2` provides an alternative to the Quarkus `quarkus-oidc` Bearer token authentication mechanism extension.
`quarkus-elytron-security-oauth2` is based on `Elytron` and is primarily intended for introspecting opaque tokens remotely.
For more information, see the Quarkus xref:security-oauth2.adoc[Using OAuth2] guide.

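Review bot: The link text for `xref:security-jwt.adoc` in the unchanged line `For more information, see the xref:security-jwt.adoc[Using JWT RBAC] guide.` is inconsistent with the text used for the same target elsewhere in this PR (`Using Smallrye JWT to Protect Service Applications` in security-jwt-build.adoc and `SmallRye JWT` in security-oauth2.adoc); since the PR is about consistent naming, pick one title for that guide and use it in all three places. Also, `signed`, `inner-signed` and `encrypted` in the JWT generation sentence are descriptive terms rather than code identifiers, so the backticks around them can be dropped.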
Expand Up @@ -547,7 +547,7 @@ You have learned how to create and test a secure Quarkus application by combinin
After you have completed this tutorial, explore some of the more advanced security mechanisms in Quarkus.
Use the following information to learn how you can securely use `OpenID Connect` to provide secure single sign-on access to your Quarkus endpoints:

* xref:security-oidc-bearer-token-authentication.adoc[OIDC Bearer authentication]
* xref:security-oidc-bearer-token-authentication.adoc[OIDC Bearer token authentication]
* xref:security-oidc-code-flow-authentication.adoc[OIDC code flow mechanism for protecting web applications]

== References
Expand All @@ -556,7 +556,7 @@ Use the following information to learn how you can securely use `OpenID Connect`
* xref:security-architecture.adoc[Quarkus Security architecture]
* xref:security-authentication-mechanisms.adoc#other-supported-authentication-mechanisms[Authentication mechanisms in Quarkus]
* xref:security-identity-providers.adoc[Identity providers]
* xref:security-oidc-bearer-token-authentication.adoc[OIDC Bearer authentication]
* xref:security-oidc-bearer-token-authentication.adoc[OIDC Bearer token authentication]
* xref:security-oidc-code-flow-authentication.adoc[OIDC code flow mechanism for protecting web applications]
* xref:hibernate-orm-panache.adoc[Simplified Hibernate ORM with Panache]
* xref:hibernate-orm.adoc[Using Hibernate ORM and Jakarta Persistence]
2 changes: 1 addition & 1 deletion docs/src/main/asciidoc/security-jwt-build.adoc
Expand Up @@ -346,6 +346,6 @@ SmallRye JWT supports the following properties which can be used to customize th
* link:https://tools.ietf.org/html/rfc7516[JSON Web Encryption]
* link:https://tools.ietf.org/html/rfc7518[JSON Web Algorithms]
* link:https://bitbucket.org/b_c/jose4j/wiki/Home[Jose4J]
* xref:security-oidc-bearer-token-authentication.adoc[OIDC Bearer authentication]
* xref:security-oidc-bearer-token-authentication.adoc[OIDC Bearer token authentication]
* xref:security-jwt.adoc[Using Smallrye JWT to Protect Service Applications]
* xref:security-overview.adoc[Quarkus Security overview]
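Review bot: The unchanged reference line `Using Smallrye JWT to Protect Service Applications` spells the product as "Smallrye", while the hunk header (`SmallRye JWT supports the following properties`) and the other files in this PR use "SmallRye"; suggest changing the link text to `Using SmallRye JWT to Protect Service Applications` in the same commit, since this PR exists to make exactly this kind of naming consistent.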
2 changes: 1 addition & 1 deletion docs/src/main/asciidoc/security-jwt.adoc
Expand Up @@ -16,7 +16,7 @@ to verify https://tools.ietf.org/html/rfc7519[JSON Web Token]s, represent them a
and provide secured access to the Quarkus HTTP endpoints using Bearer Token Authorization and https://en.wikipedia.org/wiki/Role-based_access_control[Role-Based Access Control].

NOTE: Quarkus OpenID Connect `quarkus-oidc` extension also supports Bearer Token Authorization and uses `smallrye-jwt` to represent the bearer tokens as `JsonWebToken`.
For more information, read the xref:security-oidc-bearer-token-authentication.adoc[OIDC Bearer authentication] guide.
For more information, read the xref:security-oidc-bearer-token-authentication.adoc[OIDC Bearer token authentication] guide.
OpenID Connect extension has to be used if the Quarkus application needs to authenticate the users using OIDC Authorization Code Flow.
For more information, see xref:security-oidc-code-flow-authentication.adoc[OIDC code flow mechanism for protecting web applications]

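Review bot: The NOTE still reads `supports Bearer Token Authorization` (and the context line above it, `using Bearer Token Authorization`) in title case right next to the newly introduced "Bearer token authentication", so the inconsistency named in the PR title survives inside this hunk; suggest `Bearer token authorization` (or `Bearer token authentication`, whichever the doc set standardizes on) on both lines. Two small grammar points in the trailing context: `OpenID Connect extension has to be used` needs a leading `The`, and the last sentence `For more information, see xref:security-oidc-code-flow-authentication.adoc[...]` is missing its full stop.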
2 changes: 1 addition & 1 deletion docs/src/main/asciidoc/security-keycloak-admin-client.adoc
Expand Up @@ -202,6 +202,6 @@ include::{generated-dir}/config/quarkus-keycloak-admin-client.adoc[leveloffset=+
* https://www.keycloak.org/documentation.html[Keycloak Documentation]
* xref:security-keycloak-authorization.adoc[Keycloak Authorization extension]
* xref:security-oidc-code-flow-authentication.adoc[OIDC code flow mechanism for protecting web applications]
* xref:security-oidc-bearer-token-authentication.adoc[OIDC Bearer authentication]
* xref:security-oidc-bearer-token-authentication.adoc[OIDC Bearer token authentication]
* xref:security-openid-connect-client.adoc[OpenID Connect Client and Token Propagation Quickstart]
* xref:security-overview.adoc[Quarkus Security overview]
Expand Up @@ -20,7 +20,7 @@ Use `quarkus-keycloak-authorization` only if you work with Keycloak and have Key

By externalizing authorization from your application, you are allowed to protect your applications using different access control mechanisms as well as avoid re-deploying your application every time your security requirements change, where Keycloak will be acting as a centralized authorization service from where your protected resources and their associated permissions are managed.

See the xref:security-oidc-bearer-token-authentication.adoc[OIDC Bearer authentication] guide for more information about `Bearer Token` authentication mechanism. It is important to realize that it is the `Bearer Token` authentication mechanism which does the authentication and creates a security identity - while the `quarkus-keycloak-authorization` extension is responsible for applying a Keycloak Authorization Policy to this identity based on the current request path and other policy settings.
See the xref:security-oidc-bearer-token-authentication.adoc[OIDC Bearer token authentication] guide for more information about `Bearer Token` authentication mechanism. It is important to realize that it is the `Bearer Token` authentication mechanism which does the authentication and creates a security identity - while the `quarkus-keycloak-authorization` extension is responsible for applying a Keycloak Authorization Policy to this identity based on the current request path and other policy settings.

Please see https://www.keycloak.org/docs/latest/authorization_services/index.html#_enforcer_overview[Keycloak Authorization Services documentation] for more information.

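Review bot: The changed line still uses `` `Bearer Token` authentication mechanism `` twice, with backticks and title case, which contradicts the "Bearer token authentication" wording this PR introduces in the xref text on the very same line; suggest `for more information about the Bearer token authentication mechanism. It is important to realize that it is the Bearer token authentication mechanism which does the authentication and creates a security identity`, which also adds the missing article `the`. The unchanged paragraph above (`you are allowed to protect ... where Keycloak will be acting as`) is one long sentence that would read better split in two, but that is optional for this PR.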
2 changes: 1 addition & 1 deletion docs/src/main/asciidoc/security-oauth2.adoc
Expand Up @@ -16,7 +16,7 @@ It can be used to implement an application authentication mechanism based on tok

This extension provides a light-weight support for using the opaque Bearer Tokens and validating them by calling an introspection endpoint.

If the OAuth2 Authentication server provides JWT Bearer Tokens, consider using either xref:security-oidc-bearer-token-authentication.adoc[OIDC Bearer authentication] or xref:security-jwt.adoc[SmallRye JWT] extensions instead.
If the OAuth2 Authentication server provides JWT Bearer Tokens, consider using either xref:security-oidc-bearer-token-authentication.adoc[OIDC Bearer token authentication] or xref:security-jwt.adoc[SmallRye JWT] extensions instead.
OpenID Connect extension has to be used if the Quarkus application needs to authenticate the users using OIDC Authorization Code Flow. For more information, see the xref:security-oidc-code-flow-authentication.adoc[OIDC code flow mechanism for protecting web applications] guide.

include::{includes}/extension-status.adoc[]
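Review bot: The changed line and its context keep `JWT Bearer Tokens` and `the opaque Bearer Tokens` in title case, which is the same inconsistency this PR addresses; suggest `JWT bearer tokens` and `opaque bearer tokens`. While touching these lines: `a light-weight support` should be `lightweight support`, and `OpenID Connect extension has to be used` needs a leading `The`.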
Expand Up @@ -4,15 +4,15 @@ and pull requests should be submitted there:
https://github.com/quarkusio/quarkus/tree/main/docs/src/main/asciidoc
////
[id="security-oidc-bearer-token-authentication-tutorial"]
= Protect a service application by using OpenID Connect (OIDC) bearer authentication
= Protect a service application by using OpenID Connect (OIDC) Bearer token authentication
include::_attributes.adoc[]
:diataxis-type: tutorial
:categories: security

Here, you use the Quarkus OpenID Connect (OIDC) extension to secure a Jakarta REST application using Bearer authentication.
Here, you use the Quarkus OpenID Connect (OIDC) extension to secure a Jakarta REST application using Bearer token authentication.
The bearer tokens are issued by OIDC and OAuth 2.0 compliant authorization servers, such as link:https://www.keycloak.org[Keycloak].

To better understand OIDC Bearer authentication, see xref:security-oidc-bearer-token-authentication.adoc[OIDC Bearer authentication].
To better understand OIDC Bearer token authentication, see xref:security-oidc-bearer-token-authentication.adoc[OIDC Bearer token authentication].

If you want to protect web applications by using OIDC Authorization Code Flow authentication, see xref:security-oidc-code-flow-authentication-concept.adoc[OIDC authorization code flow authentication].

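Review bot: The unchanged context line at the end of this hunk points to `xref:security-oidc-code-flow-authentication-concept.adoc`, while every other file in this PR (security-jwt.adoc, security-oauth2.adoc, and the bearer token concept page itself) links the code flow document as `xref:security-oidc-code-flow-authentication.adoc`; please confirm the `-concept` target exists, and if it is the same document, align the target here so the rename does not leave a dangling xref.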
Expand Down Expand Up @@ -269,7 +269,7 @@ See the <<keycloak-dev-mode,Running the Application in Dev mode>> section above

You can test the application launched in JVM or Native modes with `curl`.

The application is using Bearer authentication and the first thing to do is obtain an access token from the Keycloak Server in order to access the application resources:
The application is using Bearer token authentication and the first thing to do is obtain an access token from the Keycloak Server in order to access the application resources:

[source,bash]
----
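Review bot: The changed sentence `The application is using Bearer token authentication and the first thing to do is obtain an access token ...` is a run-on; suggest `The application uses Bearer token authentication, so first obtain an access token from the Keycloak server to access the application resources:`.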
Expand Down Expand Up @@ -314,12 +314,12 @@ export access_token=$(\
)
----

Please also see the xref:security-oidc-bearer-token-authentication.adoc#integration-testing-keycloak-devservices[OIDC Bearer authentication, Dev Services for Keycloak] section, about writing the integration tests which depend on `Dev Services for Keycloak`.
Please also see the xref:security-oidc-bearer-token-authentication.adoc#integration-testing-keycloak-devservices[OIDC Bearer token authentication, Dev Services for Keycloak] section, about writing the integration tests which depend on `Dev Services for Keycloak`.

== References

* xref:security-oidc-configuration-properties-reference.adoc[OIDC configuration properties]
* xref:security-oidc-bearer-token-authentication.adoc[OIDC Bearer authentication]
* xref:security-oidc-bearer-token-authentication.adoc[OIDC Bearer token authentication]
* link:https://www.keycloak.org/documentation.html[Keycloak Documentation]
* link:https://openid.net/connect/[OpenID Connect]
* link:https://tools.ietf.org/html/rfc7519[JSON Web Token]
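Review bot: In the changed line, the comma in `section, about writing the integration tests` separates the noun from its modifier; suggest `Please also see the xref:security-oidc-bearer-token-authentication.adoc#integration-testing-keycloak-devservices[OIDC Bearer token authentication, Dev Services for Keycloak] section about writing integration tests that depend on Dev Services for Keycloak.` (the backticks around `Dev Services for Keycloak` can go as well, since it is a feature name rather than code).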
Expand Up @@ -4,26 +4,26 @@ and pull requests should be submitted there:
https://github.com/quarkusio/quarkus/tree/main/docs/src/main/asciidoc
////
[id="security-oidc-bearer-token-authentication"]
= OpenID Connect (OIDC) Bearer authentication
= OpenID Connect (OIDC) Bearer token authentication
include::_attributes.adoc[]
:diataxis-type: concept
:categories: security,web

Secure HTTP access to Jakarta REST (formerly known as JAX-RS) endpoints in your application with Bearer authentication by using the Quarkus OpenID Connect (OIDC) extension.
Secure HTTP access to Jakarta REST (formerly known as JAX-RS) endpoints in your application with Bearer token authentication by using the Quarkus OpenID Connect (OIDC) extension.

== Overview of the Bearer authentication mechanism in Quarkus
== Overview of the Bearer token authentication mechanism in Quarkus

Quarkus supports the Bearer authentication mechanism through the Quarkus OpenID Connect (OIDC) extension.
Quarkus supports the Bearer token authentication mechanism through the Quarkus OpenID Connect (OIDC) extension.

The bearer tokens are issued by OIDC and OAuth 2.0 compliant authorization servers, such as link:https://www.keycloak.org[Keycloak].

Bearer authentication is the process of authorizing HTTP requests based on the existence and validity of a bearer token.
Bearer token authentication is the process of authorizing HTTP requests based on the existence and validity of a bearer token.
The bearer token provides information about the subject of the call, which is used to determine whether or not an HTTP resource can be accessed.

The following diagrams outline the Bearer authentication mechanism in Quarkus:
The following diagrams outline the Bearer token authentication mechanism in Quarkus:

.Bearer authentication mechanism in Quarkus with Single-page application
image::security-bearer-token-authorization-mechanism-1.png[alt=Bearer authentication, width="60%", align=center]
.Bearer token authentication mechanism in Quarkus with Single-page application
image::security-bearer-token-authorization-mechanism-1.png[alt=Bearer token authentication, width="60%", align=center]

1. The Quarkus service retrieves verification keys from the OpenID Connect provider. The verification keys are used to verify the bearer access token signatures.
2. The Quarkus user accesses the Single-page application.
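Review bot: The changed definition `Bearer token authentication is the process of authorizing HTTP requests based on the existence and validity of a bearer token` describes authentication as authorization, which blurs exactly the distinction that the following sentence (the access decision based on the subject) and the security-keycloak-authorization.adoc hunk in this PR rely on; suggest `Bearer token authentication is the process of authenticating HTTP requests based on the existence and validity of a bearer token.` and keeping the authorization wording for the sentence about whether the resource can be accessed.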
Expand All @@ -32,8 +32,8 @@ image::security-bearer-token-authorization-mechanism-1.png[alt=Bearer authentica
5. The Quarkus service verifies the bearer access token signature using the verification keys, checks the token expiry date and other claims, allows the request to proceed if the token is valid, and returns the service response to the Single-page application.
6. The Single-page application returns the same data to the Quarkus user.

.Bearer authentication mechanism in Quarkus with Java or command line client
image::security-bearer-token-authorization-mechanism-2.png[alt=Bearer authentication, width="60%", align=center]
.Bearer token authentication mechanism in Quarkus with Java or command line client
image::security-bearer-token-authorization-mechanism-2.png[alt=Bearer token authentication, width="60%", align=center]

1. The Quarkus service retrieves verification keys from the OpenID Connect provider. The verification keys are used to verify the bearer access token signatures.
2. The Client uses `client_credentials` that requires client ID and secret or password grant, which also requires client ID, secret, user name, and password to retrieve the access token from the OpenID Connect provider.
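Review bot: Step 2 of the second diagram's list is hard to parse (`uses `client_credentials` that requires client ID and secret or password grant, which also requires client ID, secret, user name, and password`); suggest `The client obtains the access token from the OpenID Connect provider by using either the `client_credentials` grant, which requires a client ID and secret, or the password grant, which additionally requires a user name and password.`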
Expand All @@ -43,7 +43,7 @@ image::security-bearer-token-authorization-mechanism-2.png[alt=Bearer authentica
If you need to authenticate and authorize the users using OpenID Connect Authorization Code Flow, see xref:security-oidc-code-flow-authentication.adoc[OIDC code flow mechanism for protecting web applications].
Also, if you use Keycloak and bearer tokens, see xref:security-keycloak-authorization.adoc[Using Keycloak to Centralize Authorization].

To learn about how you can protect service applications by using OIDC Bearer authentication, see xref:security-oidc-bearer-token-authentication-tutorial.adoc[OIDC Bearer authentication tutorial].
To learn about how you can protect service applications by using OIDC Bearer token authentication, see xref:security-oidc-bearer-token-authentication-tutorial.adoc[OIDC Bearer token authentication tutorial].

If you want to protect web applications by using OIDC authorization code flow authentication, see xref:security-oidc-code-flow-authentication-concept.adoc[OIDC authorization code flow authentication].

Expand Down Expand Up @@ -915,8 +915,8 @@ Note Quarkus `web-app` applications always require `quarkus.oidc.client-id` prop
== References

* xref:security-oidc-configuration-properties-reference.adoc[OIDC configuration properties]
* xref:security-oidc-bearer-token-authentication-tutorial.adoc[Protect a service application by using OIDC Bearer authentication]
* xref:security-protect-service-applications-by-using-oidc-bearer-authentication-how-to.adoc[Protect service applications by using OIDC Bearer authentication]
* xref:security-oidc-bearer-token-authentication-tutorial.adoc[Protect a service application by using OIDC Bearer token authentication]
* xref:security-protect-service-applications-by-using-oidc-bearer-authentication-how-to.adoc[Protect service applications by using OIDC Bearer token authentication]
* https://www.keycloak.org/documentation.html[Keycloak Documentation]
* https://openid.net/connect/[OpenID Connect]
* https://tools.ietf.org/html/rfc7519[JSON Web Token]
Expand Up @@ -11,7 +11,7 @@ To learn more about the OIDC authorization code flow mechanism, see xref:securit
To learn about how well-known social providers such as Google, GitHub, Microsoft, Twitter, Apple, Facebook, and Spotify can be used with Quarkus OIDC, see xref:security-openid-connect-providers.adoc[Configuring Well-Known OpenID Connect Providers].
See also, xref:security-authentication-mechanisms.adoc#other-supported-authentication-mechanisms[Authentication mechanisms in Quarkus].

If you want to protect your service applications by using OIDC Bearer authentication, see xref:security-oidc-bearer-token-authentication-concept.adoc[OIDC Bearer authentication].
If you want to protect your service applications by using OIDC Bearer token authentication, see xref:security-oidc-bearer-token-authentication-concept.adoc[OIDC Bearer token authentication].

== Prerequisites

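Review bot: The changed line links to `xref:security-oidc-bearer-token-authentication-concept.adoc`, but the document it names declares `[id="security-oidc-bearer-token-authentication"]` and is referenced as `security-oidc-bearer-token-authentication.adoc` in every other file touched by this PR; unless a separate `-concept` page exists, the target should be `xref:security-oidc-bearer-token-authentication.adoc[OIDC Bearer token authentication]`, otherwise this xref stays broken after the rename.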
Expand Down Expand Up @@ -252,7 +252,7 @@ For more information about writing the integration tests that depend on `Dev Ser

Congratulations!
You have learned how to set up and use the OIDC authorization code flow mechanism to protect and test application HTTP endpoints.
After you have completed this tutorial, explore xref:security-oidc-bearer-token-authentication.adoc[OIDC Bearer authentication] and xref:security-authentication-mechanisms.adoc[other authentication mechanisms].
After you have completed this tutorial, explore xref:security-oidc-bearer-token-authentication.adoc[OIDC Bearer token authentication] and xref:security-authentication-mechanisms.adoc[other authentication mechanisms].

== References
* xref:security-overview.adoc[Quarkus Security overview]