diff --git a/docs/src/main/asciidoc/security-authentication-mechanisms.adoc b/docs/src/main/asciidoc/security-authentication-mechanisms.adoc index 704e7d3d3359d..d0155fda55ca8 100644 --- a/docs/src/main/asciidoc/security-authentication-mechanisms.adoc +++ b/docs/src/main/asciidoc/security-authentication-mechanisms.adoc @@ -370,9 +370,9 @@ For more information about OIDC authentication and authorization methods that yo |Multiple tenants that can support the Bearer token authentication or Authorization Code Flow mechanisms|xref:security-openid-connect-multitenancy.adoc[Using OpenID Connect (OIDC) multi-tenancy] |Securing Quarkus with commonly used OpenID Connect providers|xref:security-openid-connect-providers.adoc[Configuring well-known OpenID Connect providers] |Using Keycloak to centralize authorization |xref:security-keycloak-authorization.adoc[Using OpenID Connect (OIDC) and Keycloak to centralize authorization] -ifndef::no-quarkus-keycloak-admin-client[] +ifndef::no-quarkus-keycloak-admin-resteasy-client[] |Configuring Keycloak programmatically |xref:security-keycloak-admin-client.adoc[Using the Keycloak admin client] -endif::no-quarkus-keycloak-admin-client[] +endif::no-quarkus-keycloak-admin-resteasy-client[] |==== [NOTE] diff --git a/docs/src/main/asciidoc/security-csrf-prevention.adoc b/docs/src/main/asciidoc/security-csrf-prevention.adoc index 7cc847dfe5dce..a5a2baa0f6080 100644 --- a/docs/src/main/asciidoc/security-csrf-prevention.adoc +++ b/docs/src/main/asciidoc/security-csrf-prevention.adoc @@ -126,8 +126,8 @@ At this stage no additional configuration is needed - by default the CSRF form f [source,properties] ---- -quarkus.csrf-reactive.form-field-name=csrftoken -quarkus.csrf-reactive.cookie-name=csrftoken +quarkus.rest-csrf.form-field-name=csrftoken +quarkus.rest-csrf.cookie-name=csrftoken ---- == Sign CSRF token 
@@ -136,7 +136,7 @@ You can get `HMAC` signatures created for the generated CSRF tokens and have the [source,properties] ---- -quarkus.csrf-reactive.token-signature-key=AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow +quarkus.rest-csrf.token-signature-key=AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow ---- [[csrf-request-header]] @@ -151,18 +151,18 @@ If HTML `form` tags are not used and you need to pass CSRF token as a header, th ---- <1> This expression is used to inject a CSRF token header and token. This token will be verified by the CSRF filter against a CSRF cookie. -Default header name is `X-CSRF-TOKEN`, you can customize it with `quarkus.csrf-reactive.token-header-name`, for example: +Default header name is `X-CSRF-TOKEN`, you can customize it with `quarkus.rest-csrf.token-header-name`, for example: [source,properties] ---- -quarkus.csrf-reactive.token-header-name=CUSTOM-X-CSRF-TOKEN +quarkus.rest-csrf.token-header-name=CUSTOM-X-CSRF-TOKEN ---- If you need to access the CSRF cookie from JavaScript in order to pass its value as a header, use `{inject:csrf.cookieName}` and `{inject:csrf.headerName}` to inject the cookie name which has to be read as a CSRF header value and allow accessing this cookie: [source,properties] ---- -quarkus.csrf-reactive.cookie-http-only=false +quarkus.rest-csrf.cookie-http-only=false ---- == Cross-origin resource sharing 
@@ -255,11 +255,11 @@ As you can see a CSRF token verification will be required at the `/service/user` [source,properties] ---- # Verify CSRF token only for the `/service/user` path, ignore other paths such as `/service/users` -quarkus.csrf-reactive.create-token-path=/service/user +quarkus.rest-csrf.create-token-path=/service/user # If `/service/user` path accepts not only `application/x-www-form-urlencoded` payloads but also other ones such as JSON then allow them # Setting this property is not necessary when the token is submitted as a header value -quarkus.csrf-reactive.require-form-url-encoded=false +quarkus.rest-csrf.require-form-url-encoded=false ---- == Verify CSRF token in the application code @@ -316,7 +316,7 @@ Also disable the token verification in the filter: [source,properties] ---- -quarkus.csrf-reactive.verify-token=false +quarkus.rest-csrf.verify-token=false ---- [[csrf-reactive-configuration-reference]] diff --git a/docs/src/main/asciidoc/security-oidc-bearer-token-authentication-tutorial.adoc b/docs/src/main/asciidoc/security-oidc-bearer-token-authentication-tutorial.adoc index 3ab3219bf63f3..b10c6752e4525 100644 --- a/docs/src/main/asciidoc/security-oidc-bearer-token-authentication-tutorial.adoc +++ b/docs/src/main/asciidoc/security-oidc-bearer-token-authentication-tutorial.adoc 
@@ -228,13 +228,13 @@ docker run --name keycloak -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=ad For more information, see the Keycloak documentation about link:https://www.keycloak.org/docs/latest/server_admin/index.html#configuring-realms[creating and configuring a new realm]. -ifndef::no-quarkus-keycloak-admin-client[] +ifndef::no-quarkus-keycloak-admin-resteasy-client[] [NOTE] ==== If you want to use the Keycloak Admin Client to configure your server from your application, you need to include either the `quarkus-keycloak-admin-rest-client` or the `quarkus-keycloak-admin-resteasy-client` (if the application uses `quarkus-rest-client`) extension. For more information, see the xref:security-keycloak-admin-client.adoc[Quarkus Keycloak Admin Client] guide. ==== -endif::no-quarkus-keycloak-admin-client[] +endif::no-quarkus-keycloak-admin-resteasy-client[] @@ -368,6 +368,6 @@ For information about writing integration tests that depend on `Dev Services for * xref:security-jwt-build.adoc[Sign and encrypt JWT tokens with SmallRye JWT Build] * xref:security-authentication-mechanisms.adoc#combining-authentication-mechanisms[Combining authentication mechanisms] * xref:security-overview.adoc[Quarkus Security overview] -ifndef::no-quarkus-keycloak-admin-client[] +ifndef::no-quarkus-keycloak-admin-resteasy-client[] * xref:security-keycloak-admin-client.adoc[Quarkus Keycloak Admin Client] -endif::no-quarkus-keycloak-admin-client[] +endif::no-quarkus-keycloak-admin-resteasy-client[] diff --git a/docs/src/main/asciidoc/security-oidc-bearer-token-authentication.adoc b/docs/src/main/asciidoc/security-oidc-bearer-token-authentication.adoc index 0e77fe0e1ffb2..7cea9ed900d8a 100644 --- a/docs/src/main/asciidoc/security-oidc-bearer-token-authentication.adoc +++ b/docs/src/main/asciidoc/security-oidc-bearer-token-authentication.adoc 
@@ -1358,7 +1358,7 @@ For more information, see xref:security-oidc-code-flow-authentication#code-flow- * xref:security-authentication-mechanisms.adoc#oidc-jwt-oauth2-comparison[Choosing between OpenID Connect, SmallRye JWT, and OAuth2 authentication mechanisms] * xref:security-authentication-mechanisms.adoc#combining-authentication-mechanisms[Combining authentication mechanisms] * xref:security-overview.adoc[Quarkus Security overview] -ifndef::no-quarkus-keycloak-admin-client[] +ifndef::no-quarkus-keycloak-admin-resteasy-client[] * xref:security-keycloak-admin-client.adoc[Quarkus Keycloak Admin Client] -endif::no-quarkus-keycloak-admin-client[] +endif::no-quarkus-keycloak-admin-resteasy-client[] * xref:security-openid-connect-multitenancy.adoc[Using OpenID Connect Multi-Tenancy] diff --git a/docs/src/main/asciidoc/security-oidc-code-flow-authentication-tutorial.adoc b/docs/src/main/asciidoc/security-oidc-code-flow-authentication-tutorial.adoc index d4e523cb6025d..d3de2e1b260b0 100644 --- a/docs/src/main/asciidoc/security-oidc-code-flow-authentication-tutorial.adoc +++ b/docs/src/main/asciidoc/security-oidc-code-flow-authentication-tutorial.adoc 
@@ -287,9 +287,9 @@ After you have completed this tutorial, explore xref:security-oidc-bearer-token- * xref:security-openid-connect-dev-services.adoc[Dev Services for Keycloak] * xref:security-jwt-build.adoc[Sign and encrypt JWT tokens with SmallRye JWT Build] * xref:security-authentication-mechanisms.adoc#oidc-jwt-oauth2-comparison[Choosing between OpenID Connect, SmallRye JWT, and OAuth2 authentication mechanisms] -ifndef::no-quarkus-keycloak-admin-client[] +ifndef::no-quarkus-keycloak-admin-resteasy-client[] * xref:security-keycloak-admin-client.adoc[Quarkus Keycloak Admin Client] -endif::no-quarkus-keycloak-admin-client[] +endif::no-quarkus-keycloak-admin-resteasy-client[] * https://www.keycloak.org/documentation.html[Keycloak Documentation] * xref:security-oidc-auth0-tutorial.adoc[Protect Quarkus web application by using Auth0 OpenID Connect provider] * https://openid.net/connect/[OpenID Connect] diff --git a/docs/src/main/asciidoc/security-openid-connect-client-reference.adoc b/docs/src/main/asciidoc/security-openid-connect-client-reference.adoc index cf106e8bfdaec..2de1e8a175bf7 100644 --- a/docs/src/main/asciidoc/security-openid-connect-client-reference.adoc +++ b/docs/src/main/asciidoc/security-openid-connect-client-reference.adoc @@ -1155,7 +1155,7 @@ quarkus.oidc-client.credentials.secret=secret quarkus.oidc-client.grant.type=exchange quarkus.oidc-client.grant-options.exchange.audience=quarkus-app-exchange -quarkus.oidc-token-propagation.exchange-token=true <1> +quarkus.resteasy-client-oidc-token-propagation.exchange-token=true <1> ---- <1> Please note that the `exchange-token` configuration property is ignored when the OidcClient name is set with the `io.quarkus.oidc.token.propagation.AccessToken#exchangeTokenClient` annotation attribute. 
@@ -1173,10 +1173,10 @@ quarkus.oidc-client.grant.type=jwt quarkus.oidc-client.grant-options.jwt.requested_token_use=on_behalf_of quarkus.oidc-client.scopes=https://graph.microsoft.com/user.read,offline_access -quarkus.oidc-token-propagation.exchange-token=true +quarkus.resteasy-client-oidc-token-propagation.exchange-token=true ---- -`AccessTokenRequestReactiveFilter` uses a default `OidcClient` by default. A named `OidcClient` can be selected with a `quarkus.oidc-token-propagation-reactive.client-name` configuration property or with the `io.quarkus.oidc.token.propagation.AccessToken#exchangeTokenClient` annotation attribute. +`AccessTokenRequestReactiveFilter` uses a default `OidcClient` by default. A named `OidcClient` can be selected with a `quarkus.rest-client-oidc-token-propagation.client-name` configuration property or with the `io.quarkus.oidc.token.propagation.AccessToken#exchangeTokenClient` annotation attribute. [[token-propagation]] == Token Propagation @@ -1231,7 +1231,7 @@ public interface ProtectedResourceService { } ---- -Alternatively, `AccessTokenRequestFilter` can be registered automatically with all MP Rest or Jakarta REST clients if the `quarkus.oidc-token-propagation.register-filter` property is set to `true` and `quarkus.oidc-token-propagation.json-web-token` property is set to `false` (which is a default value). +Alternatively, `AccessTokenRequestFilter` can be registered automatically with all MP Rest or Jakarta REST clients if the `quarkus.resteasy-client-oidc-token-propagation.register-filter` property is set to `true` and `quarkus.resteasy-client-oidc-token-propagation.json-web-token` property is set to `false` (which is a default value). ==== Exchange token before propagation 
@@ -1245,7 +1245,7 @@ quarkus.oidc-client.credentials.secret=secret quarkus.oidc-client.grant.type=exchange quarkus.oidc-client.grant-options.exchange.audience=quarkus-app-exchange -quarkus.oidc-token-propagation.exchange-token=true +quarkus.resteasy-client-oidc-token-propagation.exchange-token=true ---- If you work with providers such as `Azure` that link:https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow#example[require using] link:https://www.rfc-editor.org/rfc/rfc7523#section-2.1[JWT bearer token grant] to exchange the current token, then you can configure `AccessTokenRequestFilter` to exchange the token like this: @@ -1260,12 +1260,12 @@ quarkus.oidc-client.grant.type=jwt quarkus.oidc-client.grant-options.jwt.requested_token_use=on_behalf_of quarkus.oidc-client.scopes=https://graph.microsoft.com/user.read,offline_access -quarkus.oidc-token-propagation.exchange-token=true +quarkus.resteasy-client-oidc-token-propagation.exchange-token=true ---- Note `AccessTokenRequestFilter` will use `OidcClient` to exchange the current token, and you can use `quarkus.oidc-client.grant-options.exchange` to set the additional exchange properties expected by your OpenID Connect Provider. -`AccessTokenRequestFilter` uses a default `OidcClient` by default. A named `OidcClient` can be selected with a `quarkus.oidc-token-propagation.client-name` configuration property. +`AccessTokenRequestFilter` uses a default `OidcClient` by default. A named `OidcClient` can be selected with a `quarkus.resteasy-client-oidc-token-propagation.client-name` configuration property. === RestClient JsonWebTokenRequestFilter 
@@ -1307,7 +1307,7 @@ public interface ProtectedResourceService { } ---- -Alternatively, `JsonWebTokenRequestFilter` can be registered automatically with all MicroProfile REST or Jakarta REST clients if both `quarkus.oidc-token-propagation.register-filter` and `quarkus.resteasy-client-oidc-token-propagation.json-web-token` properties are set to `true`. +Alternatively, `JsonWebTokenRequestFilter` can be registered automatically with all MicroProfile REST or Jakarta REST clients if both `quarkus.resteasy-client-oidc-token-propagation.register-filter` and `quarkus.resteasy-client-oidc-token-propagation.json-web-token` properties are set to `true`. ==== Update token before propagation
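Review bot: In security-oidc-bearer-token-authentication-tutorial.adoc (hunk at -228), the renamed guard `no-quarkus-keycloak-admin-resteasy-client` wraps a NOTE that recommends both `quarkus-keycloak-admin-rest-client` and `quarkus-keycloak-admin-resteasy-client`, so the attribute name now describes only one of the two extensions the block covers. Either keep a neutral attribute name or guard the two extensions separately. Nothing in this patch defines the new attribute, so any build that still sets `no-quarkus-keycloak-admin-client` will stop hiding these blocks in every file where the guard was renamed; please confirm the definition is updated in the same change. While touching this NOTE, also check the unchanged parenthetical "(if the application uses `quarkus-rest-client`)", which is attached to the `resteasy` admin client.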
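Review bot: In security-csrf-prevention.adoc (hunk at -136), the changed `quarkus.rest-csrf.token-signature-key=` line still carries a full literal key value. Doc snippets get copied into real `application.properties` files, and an HMAC key that is published in the guide protects nothing for anyone who reuses it. Since the line is being rewritten anyway, replace the value with an obvious placeholder and add one sentence saying the key must be generated per deployment and kept out of source control.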
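Review bot: In security-csrf-prevention.adoc (hunk at -316), the trailing context line `[[csrf-reactive-configuration-reference]]` keeps the old `csrf-reactive` name while every property in the file moves to `quarkus.rest-csrf.*`. If the anchor is kept on purpose so existing xrefs and external links do not break, say so in the commit message; otherwise rename it together with the properties and update the xrefs that point to it.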
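Review bot: In security-openid-connect-client-reference.adoc (hunks at -1155 and -1173), the section that describes `AccessTokenRequestReactiveFilter` now mixes two prefixes: the properties blocks set `quarkus.resteasy-client-oidc-token-propagation.exchange-token=true`, while the paragraph right after selects the client with `quarkus.rest-client-oidc-token-propagation.client-name`. The later hunks for `AccessTokenRequestFilter` (-1245, -1260) use `resteasy-client-` for both properties, which suggests the `exchange-token` lines in the reactive section should use the `rest-client-` prefix instead. Please confirm which extension each block documents; a reader who copies the block as written may set a property that the filter in that section never reads, and the token would then be propagated without the exchange they expected.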
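Review bot: In security-openid-connect-client-reference.adoc (hunk at -1231), the rewritten sentence says "all MP Rest or Jakarta REST clients" while the parallel sentence in the hunk at -1307 says "all MicroProfile REST or Jakarta REST clients"; use the same wording in both since the lines are being edited anyway. The same sentence ends with "(which is a default value)", which reads better as "(the default value)".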