Skip to content

Commit

Permalink
Updates to reflect current extension names and configuration roots
Browse files Browse the repository at this point in the history
  • Loading branch information
@rolfedh
rolfedh committed Aug 13, 2024
1 parent 64f0196 commit 558e4a3
Show file tree
Hide file tree
Showing 6 changed files with 27 additions and 27 deletions.
4 changes: 2 additions & 2 deletions docs/src/main/asciidoc/security-authentication-mechanisms.adoc
View file
Original file line number Diff line number Diff line change
Expand Up @@ -370,9 +370,9 @@ For more information about OIDC authentication and authorization methods that yo
|Multiple tenants that can support the Bearer token authentication or Authorization Code Flow mechanisms|xref:security-openid-connect-multitenancy.adoc[Using OpenID Connect (OIDC) multi-tenancy]
|Securing Quarkus with commonly used OpenID Connect providers|xref:security-openid-connect-providers.adoc[Configuring well-known OpenID Connect providers]
|Using Keycloak to centralize authorization |xref:security-keycloak-authorization.adoc[Using OpenID Connect (OIDC) and Keycloak to centralize authorization]
ifndef::no-quarkus-keycloak-admin-client[]
ifndef::no-quarkus-keycloak-admin-resteasy-client[]
|Configuring Keycloak programmatically |xref:security-keycloak-admin-client.adoc[Using the Keycloak admin client]
endif::no-quarkus-keycloak-admin-client[]
endif::no-quarkus-keycloak-admin-resteasy-client[]
|====

[NOTE]
Expand Down
18 changes: 9 additions & 9 deletions docs/src/main/asciidoc/security-csrf-prevention.adoc
View file
Original file line number Diff line number Diff line change
Expand Up @@ -126,8 +126,8 @@ At this stage no additional configuration is needed - by default the CSRF form f

[source,properties]
----
quarkus.csrf-reactive.form-field-name=csrftoken
quarkus.csrf-reactive.cookie-name=csrftoken
quarkus.rest-csrf.form-field-name=csrftoken
quarkus.rest-csrf.cookie-name=csrftoken

Check warning on line 130 in docs/src/main/asciidoc/security-csrf-prevention.adoc

View workflow job for this annotation

GitHub Actions / Linting with Vale 

[vale] reported by reviewdog 🐶
[Quarkus.Headings] Use sentence-style capitalization in 'Sign CSRF token'.

Raw Output:
{"message": "[Quarkus.Headings] Use sentence-style capitalization in 'Sign CSRF token'.", "location": {"path": "docs/src/main/asciidoc/security-csrf-prevention.adoc", "range": {"start": {"line": 130, "column": 39}}}, "severity": "INFO"}
----

== Sign CSRF token
Expand All @@ -136,7 +136,7 @@ You can get `HMAC` signatures created for the generated CSRF tokens and have the

[source,properties]
----
quarkus.csrf-reactive.token-signature-key=AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow
quarkus.rest-csrf.token-signature-key=AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow
----

[[csrf-request-header]]
Expand All @@ -151,18 +151,18 @@ If HTML `form` tags are not used and you need to pass CSRF token as a header, th
----
<1> This expression is used to inject a CSRF token header and token. This token will be verified by the CSRF filter against a CSRF cookie.

Default header name is `X-CSRF-TOKEN`, you can customize it with `quarkus.csrf-reactive.token-header-name`, for example:
Default header name is `X-CSRF-TOKEN`, you can customize it with `quarkus.rest-csrf.token-header-name`, for example:

[source,properties]
----
quarkus.csrf-reactive.token-header-name=CUSTOM-X-CSRF-TOKEN
quarkus.rest-csrf.token-header-name=CUSTOM-X-CSRF-TOKEN
----

If you need to access the CSRF cookie from JavaScript in order to pass its value as a header, use `{inject:csrf.cookieName}` and `{inject:csrf.headerName}` to inject the cookie name which has to be read as a CSRF header value and allow accessing this cookie:

Check warning on line 161 in docs/src/main/asciidoc/security-csrf-prevention.adoc

View workflow job for this annotation

GitHub Actions / Linting with Vale 

[vale] reported by reviewdog 🐶
[Quarkus.SentenceLength] Try to keep sentences to an average of 32 words or fewer.

Raw Output:
{"message": "[Quarkus.SentenceLength] Try to keep sentences to an average of 32 words or fewer.", "location": {"path": "docs/src/main/asciidoc/security-csrf-prevention.adoc", "range": {"start": {"line": 161, "column": 1}}}, "severity": "INFO"}

Check warning on line 161 in docs/src/main/asciidoc/security-csrf-prevention.adoc

View workflow job for this annotation

GitHub Actions / Linting with Vale 

[vale] reported by reviewdog 🐶
[Quarkus.Fluff] Depending on the context, consider using 'Rewrite the sentence, or use 'must', instead of' rather than 'need to'.

Raw Output:
{"message": "[Quarkus.Fluff] Depending on the context, consider using 'Rewrite the sentence, or use 'must', instead of' rather than 'need to'.", "location": {"path": "docs/src/main/asciidoc/security-csrf-prevention.adoc", "range": {"start": {"line": 161, "column": 8}}}, "severity": "INFO"}

Check warning on line 161 in docs/src/main/asciidoc/security-csrf-prevention.adoc

View workflow job for this annotation

GitHub Actions / Linting with Vale 

[vale] reported by reviewdog 🐶
[Quarkus.TermsWarnings] Consider using 'to' rather than 'in order to' unless updating existing content that uses the term.

Raw Output:
{"message": "[Quarkus.TermsWarnings] Consider using 'to' rather than 'in order to' unless updating existing content that uses the term.", "location": {"path": "docs/src/main/asciidoc/security-csrf-prevention.adoc", "range": {"start": {"line": 161, "column": 55}}}, "severity": "WARNING"}

Check warning on line 161 in docs/src/main/asciidoc/security-csrf-prevention.adoc

View workflow job for this annotation

GitHub Actions / Linting with Vale 

[vale] reported by reviewdog 🐶
[Quarkus.Fluff] Depending on the context, consider using 'Be concise: use 'to' rather than' rather than 'in order to'.

Raw Output:
{"message": "[Quarkus.Fluff] Depending on the context, consider using 'Be concise: use 'to' rather than' rather than 'in order to'.", "location": {"path": "docs/src/main/asciidoc/security-csrf-prevention.adoc", "range": {"start": {"line": 161, "column": 55}}}, "severity": "INFO"}

Check warning on line 161 in docs/src/main/asciidoc/security-csrf-prevention.adoc

View workflow job for this annotation

GitHub Actions / Linting with Vale 

[vale] reported by reviewdog 🐶
[Quarkus.TermsSuggestions] Depending on the context, consider using 'because' or 'while' rather than 'as'.

Raw Output:
{"message": "[Quarkus.TermsSuggestions] Depending on the context, consider using 'because' or 'while' rather than 'as'.", "location": {"path": "docs/src/main/asciidoc/security-csrf-prevention.adoc", "range": {"start": {"line": 161, "column": 82}}}, "severity": "INFO"}

[source,properties]
----
quarkus.csrf-reactive.cookie-http-only=false
quarkus.rest-csrf.cookie-http-only=false
----

== Cross-origin resource sharing
Expand Down Expand Up @@ -255,11 +255,11 @@ As you can see a CSRF token verification will be required at the `/service/user`
[source,properties]
----
# Verify CSRF token only for the `/service/user` path, ignore other paths such as `/service/users`
quarkus.csrf-reactive.create-token-path=/service/user
quarkus.rest-csrf.create-token-path=/service/user
# If `/service/user` path accepts not only `application/x-www-form-urlencoded` payloads but also other ones such as JSON then allow them
# Setting this property is not necessary when the token is submitted as a header value
quarkus.csrf-reactive.require-form-url-encoded=false
quarkus.rest-csrf.require-form-url-encoded=false
----

== Verify CSRF token in the application code
Expand Down Expand Up @@ -316,7 +316,7 @@ Also disable the token verification in the filter:

[source,properties]
----
quarkus.csrf-reactive.verify-token=false
quarkus.rest-csrf.verify-token=false
----

[[csrf-reactive-configuration-reference]]
Expand Down
8 changes: 4 additions & 4 deletions docs/src/main/asciidoc/security-oidc-bearer-token-authentication-tutorial.adoc
View file
Original file line number Diff line number Diff line change
Expand Up @@ -228,13 +228,13 @@ docker run --name keycloak -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=ad

For more information, see the Keycloak documentation about link:https://www.keycloak.org/docs/latest/server_admin/index.html#configuring-realms[creating and configuring a new realm].

ifndef::no-quarkus-keycloak-admin-client[]
ifndef::no-quarkus-keycloak-admin-resteasy-client[]
[NOTE]
====
If you want to use the Keycloak Admin Client to configure your server from your application, you need to include either the `quarkus-keycloak-admin-rest-client` or the `quarkus-keycloak-admin-resteasy-client` (if the application uses `quarkus-rest-client`) extension.
For more information, see the xref:security-keycloak-admin-client.adoc[Quarkus Keycloak Admin Client] guide.
====
endif::no-quarkus-keycloak-admin-client[]
endif::no-quarkus-keycloak-admin-resteasy-client[]



Expand Down Expand Up @@ -368,6 +368,6 @@ For information about writing integration tests that depend on `Dev Services for
* xref:security-jwt-build.adoc[Sign and encrypt JWT tokens with SmallRye JWT Build]
* xref:security-authentication-mechanisms.adoc#combining-authentication-mechanisms[Combining authentication mechanisms]
* xref:security-overview.adoc[Quarkus Security overview]
ifndef::no-quarkus-keycloak-admin-client[]
ifndef::no-quarkus-keycloak-admin-resteasy-client[]
* xref:security-keycloak-admin-client.adoc[Quarkus Keycloak Admin Client]
endif::no-quarkus-keycloak-admin-client[]
endif::no-quarkus-keycloak-admin-resteasy-client[]
4 changes: 2 additions & 2 deletions docs/src/main/asciidoc/security-oidc-bearer-token-authentication.adoc
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1358,7 +1358,7 @@ For more information, see xref:security-oidc-code-flow-authentication#code-flow-
* xref:security-authentication-mechanisms.adoc#oidc-jwt-oauth2-comparison[Choosing between OpenID Connect, SmallRye JWT, and OAuth2 authentication mechanisms]
* xref:security-authentication-mechanisms.adoc#combining-authentication-mechanisms[Combining authentication mechanisms]
* xref:security-overview.adoc[Quarkus Security overview]
ifndef::no-quarkus-keycloak-admin-client[]
ifndef::no-quarkus-keycloak-admin-resteasy-client[]
* xref:security-keycloak-admin-client.adoc[Quarkus Keycloak Admin Client]
endif::no-quarkus-keycloak-admin-client[]
endif::no-quarkus-keycloak-admin-resteasy-client[]
* xref:security-openid-connect-multitenancy.adoc[Using OpenID Connect Multi-Tenancy]
4 changes: 2 additions & 2 deletions docs/src/main/asciidoc/security-oidc-code-flow-authentication-tutorial.adoc
View file
Original file line number Diff line number Diff line change
Expand Up @@ -287,9 +287,9 @@ After you have completed this tutorial, explore xref:security-oidc-bearer-token-
* xref:security-openid-connect-dev-services.adoc[Dev Services for Keycloak]
* xref:security-jwt-build.adoc[Sign and encrypt JWT tokens with SmallRye JWT Build]
* xref:security-authentication-mechanisms.adoc#oidc-jwt-oauth2-comparison[Choosing between OpenID Connect, SmallRye JWT, and OAuth2 authentication mechanisms]
ifndef::no-quarkus-keycloak-admin-client[]
ifndef::no-quarkus-keycloak-admin-resteasy-client[]
* xref:security-keycloak-admin-client.adoc[Quarkus Keycloak Admin Client]
endif::no-quarkus-keycloak-admin-client[]
endif::no-quarkus-keycloak-admin-resteasy-client[]
* https://www.keycloak.org/documentation.html[Keycloak Documentation]
* xref:security-oidc-auth0-tutorial.adoc[Protect Quarkus web application by using Auth0 OpenID Connect provider]
* https://openid.net/connect/[OpenID Connect]
Expand Down
16 changes: 8 additions & 8 deletions docs/src/main/asciidoc/security-openid-connect-client-reference.adoc
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1155,7 +1155,7 @@ quarkus.oidc-client.credentials.secret=secret
quarkus.oidc-client.grant.type=exchange
quarkus.oidc-client.grant-options.exchange.audience=quarkus-app-exchange
quarkus.oidc-token-propagation.exchange-token=true <1>
quarkus.resteasy-client-oidc-token-propagation.exchange-token=true <1>
----
<1> Please note that the `exchange-token` configuration property is ignored when the OidcClient name is set with the `io.quarkus.oidc.token.propagation.AccessToken#exchangeTokenClient` annotation attribute.

Check warning on line 1160 in docs/src/main/asciidoc/security-openid-connect-client-reference.adoc

View workflow job for this annotation

GitHub Actions / Linting with Vale 

[vale] reported by reviewdog 🐶
[Quarkus.Fluff] Depending on the context, consider using 'Be concise: rewrite the sentence to not use' rather than 'note that'.

Raw Output:
{"message": "[Quarkus.Fluff] Depending on the context, consider using 'Be concise: rewrite the sentence to not use' rather than 'note that'.", "location": {"path": "docs/src/main/asciidoc/security-openid-connect-client-reference.adoc", "range": {"start": {"line": 1160, "column": 12}}}, "severity": "INFO"}

Expand All @@ -1173,10 +1173,10 @@ quarkus.oidc-client.grant.type=jwt
quarkus.oidc-client.grant-options.jwt.requested_token_use=on_behalf_of
quarkus.oidc-client.scopes=https://graph.microsoft.com/user.read,offline_access
quarkus.oidc-token-propagation.exchange-token=true
quarkus.resteasy-client-oidc-token-propagation.exchange-token=true
----

`AccessTokenRequestReactiveFilter` uses a default `OidcClient` by default. A named `OidcClient` can be selected with a `quarkus.oidc-token-propagation-reactive.client-name` configuration property or with the `io.quarkus.oidc.token.propagation.AccessToken#exchangeTokenClient` annotation attribute.
`AccessTokenRequestReactiveFilter` uses a default `OidcClient` by default. A named `OidcClient` can be selected with a `quarkus.rest-client-oidc-token-propagation.client-name` configuration property or with the `io.quarkus.oidc.token.propagation.AccessToken#exchangeTokenClient` annotation attribute.

[[token-propagation]]
== Token Propagation

Check warning on line 1182 in docs/src/main/asciidoc/security-openid-connect-client-reference.adoc

View workflow job for this annotation

GitHub Actions / Linting with Vale 

[vale] reported by reviewdog 🐶
[Quarkus.Headings] Use sentence-style capitalization in 'Token Propagation'.

Raw Output:
{"message": "[Quarkus.Headings] Use sentence-style capitalization in 'Token Propagation'.", "location": {"path": "docs/src/main/asciidoc/security-openid-connect-client-reference.adoc", "range": {"start": {"line": 1182, "column": 4}}}, "severity": "INFO"}
Expand Down Expand Up @@ -1231,7 +1231,7 @@ public interface ProtectedResourceService {
}
----

Alternatively, `AccessTokenRequestFilter` can be registered automatically with all MP Rest or Jakarta REST clients if the `quarkus.oidc-token-propagation.register-filter` property is set to `true` and `quarkus.oidc-token-propagation.json-web-token` property is set to `false` (which is a default value).
Alternatively, `AccessTokenRequestFilter` can be registered automatically with all MP Rest or Jakarta REST clients if the `quarkus.resteasy-client-oidc-token-propagation.register-filter` property is set to `true` and `quarkus.resteasy-client-oidc-token-propagation.json-web-token` property is set to `false` (which is a default value).

Check warning on line 1234 in docs/src/main/asciidoc/security-openid-connect-client-reference.adoc

View workflow job for this annotation

GitHub Actions / Linting with Vale 

[vale] reported by reviewdog 🐶
[Quarkus.TermsSuggestions] Depending on the context, consider using 'because' or 'while' rather than 'as'.

Raw Output:
{"message": "[Quarkus.TermsSuggestions] Depending on the context, consider using 'because' or 'while' rather than 'as'.", "location": {"path": "docs/src/main/asciidoc/security-openid-connect-client-reference.adoc", "range": {"start": {"line": 1234, "column": 137}}}, "severity": "INFO"}

==== Exchange token before propagation

Expand All @@ -1245,7 +1245,7 @@ quarkus.oidc-client.credentials.secret=secret
quarkus.oidc-client.grant.type=exchange
quarkus.oidc-client.grant-options.exchange.audience=quarkus-app-exchange
quarkus.oidc-token-propagation.exchange-token=true
quarkus.resteasy-client-oidc-token-propagation.exchange-token=true
----

If you work with providers such as `Azure` that link:https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow#example[require using] link:https://www.rfc-editor.org/rfc/rfc7523#section-2.1[JWT bearer token grant] to exchange the current token, then you can configure `AccessTokenRequestFilter` to exchange the token like this:
Expand All @@ -1260,12 +1260,12 @@ quarkus.oidc-client.grant.type=jwt
quarkus.oidc-client.grant-options.jwt.requested_token_use=on_behalf_of
quarkus.oidc-client.scopes=https://graph.microsoft.com/user.read,offline_access
quarkus.oidc-token-propagation.exchange-token=true
quarkus.resteasy-client-oidc-token-propagation.exchange-token=true
----

Note `AccessTokenRequestFilter` will use `OidcClient` to exchange the current token, and you can use `quarkus.oidc-client.grant-options.exchange` to set the additional exchange properties expected by your OpenID Connect Provider.

`AccessTokenRequestFilter` uses a default `OidcClient` by default. A named `OidcClient` can be selected with a `quarkus.oidc-token-propagation.client-name` configuration property.
`AccessTokenRequestFilter` uses a default `OidcClient` by default. A named `OidcClient` can be selected with a `quarkus.resteasy-client-oidc-token-propagation.client-name` configuration property.

=== RestClient JsonWebTokenRequestFilter

Check warning on line 1270 in docs/src/main/asciidoc/security-openid-connect-client-reference.adoc

View workflow job for this annotation

GitHub Actions / Linting with Vale 

[vale] reported by reviewdog 🐶
[Quarkus.Headings] Use sentence-style capitalization in 'RestClient JsonWebTokenRequestFilter'.

Raw Output:
{"message": "[Quarkus.Headings] Use sentence-style capitalization in 'RestClient JsonWebTokenRequestFilter'.", "location": {"path": "docs/src/main/asciidoc/security-openid-connect-client-reference.adoc", "range": {"start": {"line": 1270, "column": 5}}}, "severity": "INFO"}

Expand Down Expand Up @@ -1307,7 +1307,7 @@ public interface ProtectedResourceService {
}
----

Alternatively, `JsonWebTokenRequestFilter` can be registered automatically with all MicroProfile REST or Jakarta REST clients if both `quarkus.oidc-token-propagation.register-filter` and `quarkus.resteasy-client-oidc-token-propagation.json-web-token` properties are set to `true`.
Alternatively, `JsonWebTokenRequestFilter` can be registered automatically with all MicroProfile REST or Jakarta REST clients if both `quarkus.resteasy-client-oidc-token-propagation.register-filter` and `quarkus.resteasy-client-oidc-token-propagation.json-web-token` properties are set to `true`.

==== Update token before propagation

Expand Down

0 comments on commit 558e4a3

Please sign in to comment.