diff --git a/docs/src/main/asciidoc/databases-dev-services.adoc b/docs/src/main/asciidoc/databases-dev-services.adoc index 72e64e7afeff5..e8a640c5dd1fe 100644 --- a/docs/src/main/asciidoc/databases-dev-services.adoc +++ b/docs/src/main/asciidoc/databases-dev-services.adoc @@ -166,7 +166,7 @@ quarkus.datasource.db-kind=mysql quarkus.datasource.devservices.volumes."/local/test/data"=/var/lib/mysql ---- -When starting Dev Services (for example, in tests or in DEV mode), you will see that the folder "/local/test/data" will be created at your file sytem and that will contain all the database data. When rerunning again the same dev services, this data will contain all the data you might have created beforehand. +When starting Dev Services (for example, in tests or in dev mode), you will see that the folder "/local/test/data" will be created at your file sytem and that will contain all the database data. When rerunning again the same dev services, this data will contain all the data you might have created beforehand. [IMPORTANT] ==== diff --git a/docs/src/main/asciidoc/native-and-ssl.adoc b/docs/src/main/asciidoc/native-and-ssl.adoc index 23e8bb0779209..86e14bf517349 100644 --- a/docs/src/main/asciidoc/native-and-ssl.adoc +++ b/docs/src/main/asciidoc/native-and-ssl.adoc 
@@ -233,7 +233,7 @@ However, this comes with a few drawbacks: * If you use the same executable in all environments, and a certificate expires, the application needs to be rebuilt, and redeployed into production with the new certificate, which is an inconvenience. * Even worse, if a certificate gets revoked because of a security breach, all applications that embed this certificate need to be rebuilt and redeployed in a timely manner. - * This requires also to add into the application all certificates for all environments (e.g. DEV, TEST, PROD), which means that a certificate that is required for DEV but should not be used elsewhere, will make its way anyway in production. + * This requires also to add into the application all certificates for all environments (e.g. `dev`, `test`, `prod`), which means that a certificate that is required for dev mode but should not be used elsewhere, will make its way anyway in production. * Providing all certificates at build time complicates the CI, specifically in dynamic environments such as Kubernetes where valid certificates are provided by the platform in the `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt` PEM file. * Lastly, this does not play well with third party software that do not provide a dedicated build for each customer environment. diff --git a/docs/src/main/asciidoc/security-oidc-code-flow-authentication-tutorial.adoc b/docs/src/main/asciidoc/security-oidc-code-flow-authentication-tutorial.adoc index 2a8c6219970bf..c0bc3c54661dc 100644 --- a/docs/src/main/asciidoc/security-oidc-code-flow-authentication-tutorial.adoc +++ b/docs/src/main/asciidoc/security-oidc-code-flow-authentication-tutorial.adoc 
@@ -15,7 +15,7 @@ Discover how to secure application HTTP endpoints by using the Quarkus OpenID Co For more information, see xref:security-oidc-code-flow-authentication.adoc[OIDC code flow mechanism for protecting web applications]. -To learn about how well-known social providers such as Apple, Facebook, GitHub, Google, Mastodon, Microsoft, Twitch, Twitter (X), and Spotify can be used with Quarkus OIDC, see xref:security-openid-connect-providers.adoc[Configuring well-known OpenID Connect providers]. +To learn about how well-known social providers such as Apple, Facebook, GitHub, Google, Mastodon, Microsoft, Spotify, Twitch, and X (formerly Twitter) can be used with Quarkus OIDC, see xref:security-openid-connect-providers.adoc[Configuring well-known OpenID Connect providers]. See also, xref:security-authentication-mechanisms.adoc#other-supported-authentication-mechanisms[Authentication mechanisms in Quarkus]. If you want to protect your service applications by using OIDC Bearer token authentication, see xref:security-oidc-bearer-token-authentication.adoc[OIDC Bearer token authentication]. diff --git a/docs/src/main/asciidoc/security-oidc-code-flow-authentication.adoc b/docs/src/main/asciidoc/security-oidc-code-flow-authentication.adoc index 8972e1bc8c9d3..15ecefed83af4 100644 --- a/docs/src/main/asciidoc/security-oidc-code-flow-authentication.adoc +++ b/docs/src/main/asciidoc/security-oidc-code-flow-authentication.adoc 
@@ -1314,7 +1314,7 @@ Most well-known social OAuth2 providers enforce rate-limiting so there is a high OAuth2 servers might not support a well-known configuration endpoint. In this case, you must disable the discovery and configure the authorization, token, and introspection and `UserInfo` endpoint paths manually. -For well-known OIDC or OAuth2 providers, such as Apple, Facebook, GitHub, Google, Microsoft, Spotify, and Twitter, Quarkus can help significantly simplify your application's configuration with the `quarkus.oidc.provider` property. +For well-known OIDC or OAuth2 providers, such as Apple, Facebook, GitHub, Google, Microsoft, Spotify, and X (formerly Twitter), Quarkus can help significantly simplify your application's configuration with the `quarkus.oidc.provider` property. Here is how you can integrate `quarkus-oidc` with GitHub after you have link:https://docs.github.com/en/developers/apps/building-oauth-apps/creating-an-oauth-app[created a GitHub OAuth application]. Configure your Quarkus endpoint like this: diff --git a/docs/src/main/asciidoc/security-openid-connect-providers.adoc b/docs/src/main/asciidoc/security-openid-connect-providers.adoc index d6df9101c8a95..2015d1160f206 100644 --- a/docs/src/main/asciidoc/security-openid-connect-providers.adoc +++ b/docs/src/main/asciidoc/security-openid-connect-providers.adoc 
@@ -29,6 +29,177 @@ This property can be used in `application.properties`, in xref:security-openid-c == Well Known Providers +[[apple]] +=== Apple + +In order to set up OIDC for Apple you need to create a developer account, and sign up for the 99€/year program, but you cannot test your application on `localhost` like most other OIDC providers: +you will need to run it over HTTPS and make it publicly accessible, so for development purposes +you may want to use a service such as https://ngrok.com. + +Go to https://developer.apple.com/account/resources/identifiers/list[Create a new identifier] and press `+` + +image::oidc-apple-1.png[role="thumb"] + +Don't touch anything, keep `App IDs` selected, and press `Continue`: + +image::oidc-apple-2.png[role="thumb"] + +Don't touch anything, keep `App` selected, and press `Continue`: + +image::oidc-apple-3.png[role="thumb"] + +Enter a description and a Bundle ID (use your application package name): + +image::oidc-apple-4.png[role="thumb"] + +Then scroll down to find the `Sign in with Apple` Capability, select it, and press `Continue`: + +image::oidc-apple-5.png[role="thumb"] + +Write down your App ID Prefix, then press `Register`: + +image::oidc-apple-6.png[role="thumb"] + +Back on the `Identifiers` page, press `+`: + +image::oidc-apple-7.png[role="thumb"] + +Select `Service IDs` and press `Continue`: + +image::oidc-apple-8.png[role="thumb"] + +Enter a description and Bundle ID (use your application package name), then press `Continue`: + +image::oidc-apple-9.png[role="thumb"] + +Now press `Register`: + +image::oidc-apple-10.png[role="thumb"] + +Back on the service list, click on your newly created service: + +image::oidc-apple-11.png[role="thumb"] + +Enable `Sign in with Apple` and press `Configure`: + +image::oidc-apple-12.png[role="thumb"] + +Add your domain and return URL (set to `/_renarde/security/oidc-success`) and press `Next`: + +image::oidc-apple-13.png[role="thumb"] + +Now press `Done`: + 
+image::oidc-apple-14.png[role="thumb"] + +Now press `Continue`: + +image::oidc-apple-15.png[role="thumb"] + +And now press `Save`: + +image::oidc-apple-16.png[role="thumb"] + +Go to the https://developer.apple.com/account/resources/authkeys/list[Keys] page on the left menu, and press `+`: + +image::oidc-apple-17.png[role="thumb"] + +Fill in a key name, enable `Sign in with Apple`, and press `Configure`: + +image::oidc-apple-18.png[role="thumb"] + +Select your Primary App ID and press `Save`: + +image::oidc-apple-19.png[role="thumb"] + +Back on the key page, press `Continue`: + +image::oidc-apple-20.png[role="thumb"] + +Now press `Register`: + +image::oidc-apple-21.png[role="thumb"] + +Write down your `Key ID`, download your key and save it to your Quarkus application in `src/main/resources/AuthKey_.p8`: + +image::oidc-apple-22.png[role="thumb"] + +You can now configure your `application.properties`: + +[source,properties] +---- +quarkus.oidc.provider=apple +quarkus.oidc.client-id= +quarkus.oidc.credentials.jwt.key-file=AuthKey_.p8 +quarkus.oidc.credentials.jwt.token-key-id= +quarkus.oidc.credentials.jwt.issuer= +quarkus.oidc.credentials.jwt.subject=> section. + +[[discord]] +=== Discord + +Create a https://discord.com/developers/applications[Discord application]: + +image::oidc-discord-1.png[role="thumb"] + +You now can get your client id and secret: + +image::oidc-discord-2.png[role="thumb"] + +You can now configure your `application.properties`: + +[source,properties] +---- +quarkus.oidc.provider=discord +quarkus.oidc.client-id= +quarkus.oidc.credentials.client-secret= +---- + +[[facebook]] +=== Facebook + +Facebook you will not be let you test your application on `localhost` like most other OIDC providers: +you will need to run it over HTTPS and make it publicly accessible, so for development purposes +you may want to use a service such as https://ngrok.com. 
+ +In order to set up OIDC for Facebook start by https://developers.facebook.com/apps/create/[Creating an application], select `None` as an app type, and press `Next`: + +image::oidc-facebook-1.png[role="thumb"] + +Now enter an application name, and contact email, and press `Create app`: + +image::oidc-facebook-2.png[role="thumb"] + +On the app page, click `Set up` on the `Facebook login` product: + +image::oidc-facebook-3.png[role="thumb"] + +Quick the `Quickstarts` page and click on `Facebook login > Settings` on the left menu: + +image::oidc-facebook-4.png[role="thumb"] + +Enter your `Redirect URIs` (set to `/_renarde/security/oidc-success`) and press `Save changes`: + +image::oidc-facebook-5.png[role="thumb"] + +Now go to `Settings > Basic` on the left-hand menu, and write down your `App ID` and `App secret`: + +image::oidc-facebook-6.png[role="thumb"] + +You can now configure your `application.properties`: + +[source,properties] +---- +quarkus.oidc.provider=facebook +quarkus.oidc.client-id= +quarkus.oidc.credentials.secret= +---- + +`quarkus.oidc.provider=facebook` will request Facebook to add `email` and `public_profile` scopes to issued access tokens. For information about overriding these scopes or requesting more scopes, see the <> section. + [[github]] === GitHub @@ -37,7 +208,7 @@ In order to set up OIDC for GitHub you need to create a new OAuth application in image::oidc-github-1.png[role="thumb"] Make sure to fill in the appropriate details, but more importantly the Authorization Callback URL, set to `http://localhost:8080/_renarde/security/github-success` -(if you intend to test this using the Quarkus DEV mode). +(if you intend to test this using the Quarkus dev mode). Now click on `Register application` and you'll be shown your application page: 
@@ -58,9 +229,9 @@ quarkus.oidc.client-id= quarkus.oidc.credentials.secret= ---- -`quarkus.oidc.provider=github` will request `GitHub` to add a `user:email` scope to issued access tokens. For information about overriding this scope or requesting more scopes, see the <> section. +`quarkus.oidc.provider=github` will request GitHub to add a `user:email` scope to issued access tokens. For information about overriding this scope or requesting more scopes, see the <> section. -TIP: You can also send access tokens issued by `GitHub` to `quarkus.oidc.application-type=service` or `quarkus.oidc.application-type=hybrid` Quarkus applications. +TIP: You can also send access tokens issued by GitHub to `quarkus.oidc.application-type=service` or `quarkus.oidc.application-type=hybrid` Quarkus applications. [[google]] === Google 
@@ -113,9 +284,33 @@ quarkus.oidc.client-id= quarkus.oidc.credentials.secret= ---- -`quarkus.oidc.provider=google` will request `Google` to add `openid`, `email` and `profile` scopes to issued access tokens. For information about overriding these scopes or requesting more scopes, see the <> section. +`quarkus.oidc.provider=google` will request Google to add `openid`, `email` and `profile` scopes to issued access tokens. For information about overriding these scopes or requesting more scopes, see the <> section. -TIP: You can also send access tokens issued by `Google` to `quarkus.oidc.application-type=service` or `quarkus.oidc.application-type=hybrid` Quarkus applications. +TIP: You can also send access tokens issued by Google to `quarkus.oidc.application-type=service` or `quarkus.oidc.application-type=hybrid` Quarkus applications. + +[[linkedin]] +=== LinkedIn + +Create a https://developer.linkedin.com/[LinkedIn application]: + +image::oidc-linkedin-1.png[role="thumb"] + +Add the `Sign In with LinkedIn using OpenId Connect` product: + +image::oidc-linkedin-2.png[role="thumb"] + +You now can get your client id and secret. Don't forget to also add the authorized redirect URLs for your application: + +image::oidc-linkedin-3.png[role="thumb"] + +You can now configure your `application.properties`: + +[source,properties] +---- +quarkus.oidc.provider=linkedin +quarkus.oidc.client-id= +quarkus.oidc.credentials.client-secret= +---- [[mastodon]] === Mastodon 
@@ -192,9 +387,9 @@ quarkus.oidc.client-id= quarkus.oidc.credentials.secret= ---- -`quarkus.oidc.provider=microsoft` will request `Microsoft` to add `openid`, `email` and `profile` scopes to issued access tokens. For information about overriding these scopes or requesting more scopes, see the <> section. +`quarkus.oidc.provider=microsoft` will request Microsoft to add `openid`, `email` and `profile` scopes to issued access tokens. For information about overriding these scopes or requesting more scopes, see the <> section. -TIP: You can also send access tokens issued by `Microsoft` to `quarkus.oidc.application-type=service` or `quarkus.oidc.application-type=hybrid` Quarkus applications but you may need to set `quarkus.oidc.verify-access-token-with-user-info` configuration property to `true` if access tokens issued by Microsoft are not in JWT format. +TIP: You can also send access tokens issued by Microsoft to `quarkus.oidc.application-type=service` or `quarkus.oidc.application-type=hybrid` Quarkus applications but you may need to set `quarkus.oidc.verify-access-token-with-user-info` configuration property to `true` if access tokens issued by Microsoft are not in JWT format. [NOTE] ==== 
@@ -211,164 +406,73 @@ quarkus.oidc.token.customizer-name=azure-access-token-customizer ==== -[[apple]] -=== Apple - -In order to set up OIDC for Apple you need to create a developer account, and sign up for the 99€/year program, but you cannot test your application on `localhost` like most other OIDC providers: -you will need to run it over `https` and make it publicly accessible, so for development purposes -you may want to use a service such as https://ngrok.com. - -Go to https://developer.apple.com/account/resources/identifiers/list[Create a new identifier] and press `+` - -image::oidc-apple-1.png[role="thumb"] - -Don't touch anything, keep `App IDs` selected, and press `Continue`: - -image::oidc-apple-2.png[role="thumb"] - -Don't touch anything, keep `App` selected, and press `Continue`: - -image::oidc-apple-3.png[role="thumb"] - -Enter a description and a Bundle ID (use your application package name): - -image::oidc-apple-4.png[role="thumb"] - -Then scroll down to find the `Sign in with Apple` Capability, select it, and press `Continue`: - -image::oidc-apple-5.png[role="thumb"] - -Write down your App ID Prefix, then press `Register`: - -image::oidc-apple-6.png[role="thumb"] - -Back on the `Identifiers` page, press `+`: - -image::oidc-apple-7.png[role="thumb"] - -Select `Service IDs` and press `Continue`: - -image::oidc-apple-8.png[role="thumb"] - -Enter a description and Bundle ID (use your application package name), then press `Continue`: - -image::oidc-apple-9.png[role="thumb"] - -Now press `Register`: - -image::oidc-apple-10.png[role="thumb"] - -Back on the service list, click on your newly created service: - -image::oidc-apple-11.png[role="thumb"] - -Enable `Sign in with Apple` and press `Configure`: - -image::oidc-apple-12.png[role="thumb"] - -Add your domain and return URL (set to `/_renarde/security/oidc-success`) and press `Next`: - -image::oidc-apple-13.png[role="thumb"] - -Now press `Done`: - -image::oidc-apple-14.png[role="thumb"] - -Now press 
`Continue`: - -image::oidc-apple-15.png[role="thumb"] - -And now press `Save`: - -image::oidc-apple-16.png[role="thumb"] - -Go to the https://developer.apple.com/account/resources/authkeys/list[Keys] page on the left menu, and press `+`: - -image::oidc-apple-17.png[role="thumb"] - -Fill in a key name, enable `Sign in with Apple`, and press `Configure`: - -image::oidc-apple-18.png[role="thumb"] - -Select your Primary App ID and press `Save`: - -image::oidc-apple-19.png[role="thumb"] - -Back on the key page, press `Continue`: - -image::oidc-apple-20.png[role="thumb"] +[[spotify]] +=== Spotify -Now press `Register`: +Create a https://developer.spotify.com/documentation/general/guides/authorization/app-settings/[Spotify application]: -image::oidc-apple-21.png[role="thumb"] +image::oidc-spotify-1.png[role="thumb"] -Write down your `Key ID`, download your key and save it to your Quarkus application in `src/main/resources/AuthKey_.p8`: +Don't forget to add `http://localhost:8080` as a redirect URI for testing during development purposes. You should get a client id and secret generated once a Spotify application setup has been complete, for example: -image::oidc-apple-22.png[role="thumb"] +image::oidc-spotify-2.png[role="thumb"] You can now configure your `application.properties`: [source,properties] ---- -quarkus.oidc.provider=apple -quarkus.oidc.client-id= -quarkus.oidc.credentials.jwt.key-file=AuthKey_.p8 -quarkus.oidc.credentials.jwt.token-key-id= -quarkus.oidc.credentials.jwt.issuer= -quarkus.oidc.credentials.jwt.subject= +quarkus.oidc.credentials.secret= ---- -`quarkus.oidc.provider=apple` will request `Apple` to add `openid`, `email` and `name` scopes to issued access tokens. For information about overriding these scopes or requesting more scopes, see the <> section. 
- -[[facebook]] -=== Facebook - -Facebook you will not be let you test your application on `localhost` like most other OIDC providers: -you will need to run it over `https` and make it publicly accessible, so for development purposes -you may want to use a service such as https://ngrok.com. - -In order to set up OIDC for Facebook start by https://developers.facebook.com/apps/create/[Creating an application], select `None` as an app type, and press `Next`: - -image::oidc-facebook-1.png[role="thumb"] - -Now enter an application name, and contact email, and press `Create app`: +`quarkus.oidc.provider=spotify` will request Spotify to add `user-read-private` and `user-read-email` scopes to issued access tokens. For information about overriding these scopes or requesting more scopes, see the <> section. -image::oidc-facebook-2.png[role="thumb"] +[[strava]] +=== Strava -On the app page, click `Set up` on the `Facebook login` product: +Create a https://www.strava.com/settings/api[Strava application]: -image::oidc-facebook-3.png[role="thumb"] +image::oidc-strava-1.png[role="thumb"] -Quick the `Quickstarts` page and click on `Facebook login > Settings` on the left menu: +For example, set `Category` to `SocialMotivation`, and set `ApplicationCallbackDomain` to either `localhost` or the domain name provided by Ngrok, see the <> for more information. 
-image::oidc-facebook-4.png[role="thumb"] +You can now configure your `application.properties`: -Enter your `Redirect URIs` (set to `/_renarde/security/oidc-success`) and press `Save changes`: +[source,properties] +---- +quarkus.oidc.provider=strava +quarkus.oidc.client-id= +quarkus.oidc.credentials.client-secret= +# default value is '/strava' +quarkus.oidc.authentication.redirect-path=/fitness/welcome <1> +---- +<1> Strava does not enforce that the redirect (callback) URI which is provided as an authorization code flow parameter is equal to the URI registered in the Strava application because it only requires configuring `ApplicationCallbackDomain`. For example, if `ApplicationCallbackDomain` is set to `www.my-strava-example.com`, Strava will accept redirect URIs such as `www.my-strava-example.com/a`, `www.my-strava-example.com/path/a`, which is not recommended by OAuth2 best security practices, see link:https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#name-insufficient-redirect-uri-v[Insufficent redirect_uri validation] for more information. +Therefore you must configure a redirect path when working with the Strava provider and Quarkus will enforce that the current request path matches the configured `quarkus.oidc.authentication.redirect-path` value before completing the authotization code flow. See the <> for more information. 
-image::oidc-facebook-5.png[role="thumb"] +[[twitch]] +=== Twitch -Now go to `Settings > Basic` on the left-hand menu, and write down your `App ID` and `App secret`: +Create a https://dev.twitch.tv/console/apps[Twitch application]: -image::oidc-facebook-6.png[role="thumb"] +image::oidc-twitch-1.png[role="thumb"] You can now configure your `application.properties`: [source,properties] ---- -quarkus.oidc.provider=facebook -quarkus.oidc.client-id= -quarkus.oidc.credentials.secret= +quarkus.oidc.provider=twitch +quarkus.oidc.client-id= +quarkus.oidc.credentials.client-secret.value= ---- -`quarkus.oidc.provider=facebook` will request `Facebook` to add `email` and `public_profile` scopes to issued access tokens. For information about overriding these scopes or requesting more scopes, see the <> section. - -[[twitter]] -=== Twitter +[[x]] +=== [[twitter]] X (formerly Twitter) -You can use Twitter for OIDC login, but at the moment, it restricts access to the user's email, which means you +You can use X (formerly Twitter) for OIDC login, but at the moment, it restricts access to the user's email, which means you will have to obtain it and verify it yourself. -In order to set up OIDC for Twitter start by https://developer.twitter.com/en/portal/projects/new[Creating a project], enter a project name, and press `Next`: +In order to set up OIDC for X, start by https://developer.twitter.com/en/portal/projects/new[Creating a project], enter a project name, and press `Next`: image::oidc-twitter-1.png[role="thumb"] @@ -399,7 +503,7 @@ image::oidc-twitter-7.png[role="thumb"] Select `Web App` as application type, then fill in your application details (use `/_renarde/security/twitter-success` for the `Callback URI`). -NOTE: Twitter doesn't require https usage in practice, but won't accept your `Website URL` without it, so +NOTE: X doesn't require https usage in practice, but won't accept your `Website URL` without it, so you can still use ngrok for it. Now press `Save`: 
@@ -414,17 +518,17 @@ You can now configure your `application.properties`: [source,properties] ---- -quarkus.oidc.provider=twitter +quarkus.oidc.provider=x quarkus.oidc.client-id= quarkus.oidc.credentials.secret= ---- -`quarkus.oidc.provider=twitter` will request `Twitter` to add `offline.access`, `tweet.read` and `users.read` scopes to issued access tokens. For information about overriding these scopes or requesting more scopes, see the <> section. +`quarkus.oidc.provider=x` will request X to add `offline.access`, `tweet.read` and `users.read` scopes to issued access tokens. For information about overriding these scopes or requesting more scopes, see the <> section. [NOTE] ==== -Twitter provider requires Proof Key for Code Exchange (PKCE) which is supported by the `quarkus.oidc.provider=twitter` declaration. -Quarkus has to encrypt the current PKCE code verifier in a state cookie while the authorization code flow with Twitter is in progress and it will +X provider requires Proof Key for Code Exchange (PKCE) which is supported by the `quarkus.oidc.provider=x` declaration. +Quarkus has to encrypt the current PKCE code verifier in a state cookie while the authorization code flow with X is in progress and it will generate a secure random secret key for encrypting it. You can provide your own secret key for encrypting the PKCE code verifier if you prefer with the `quarkus.oidc.authentication.state-secret` property but 
@@ -433,120 +537,9 @@ note that this secret should be 32 characters long, and an error will be reporte [NOTE] ==== -`X` is a new name for `Twitter`, see <>. You can continue using `quarkus.oidc.provider=twitter` but it might need to be changed to `quarkus.oidc.provider=x` in the future. +X is the new name of Twitter. You can continue using `quarkus.oidc.provider=twitter` for the time being but it might become deprecated in the future. ==== -[[x]] -=== X - -`X` is a new name for `Twitter`. You can currently use either `quarkus.oidc.provider=x` or `quarkus.oidc.provider=twitter` but only `quarkus.oidc.provider=x` may end up supported in the future. - -Please see <> for more information about registering your Quarkus application in `X` (`Twitter`). - -[[spotify]] -=== Spotify - -Create a https://developer.spotify.com/documentation/general/guides/authorization/app-settings/[Spotify application]: - -image::oidc-spotify-1.png[role="thumb"] - -Don't forget to add `http://localhost:8080` as a redirect URI for testing during development purposes. You should get a client id and secret generated once a Spotify application setup has been complete, for example: - -image::oidc-spotify-2.png[role="thumb"] - -You can now configure your `application.properties`: - -[source,properties] ----- -quarkus.oidc.provider=spotify -quarkus.oidc.client-id= -quarkus.oidc.credentials.secret= ----- - -`quarkus.oidc.provider=spotiify` will request `Spotify` to add `user-read-private` and `user-read-email` scopes to issued access tokens. For information about overriding these scopes or requesting more scopes, see the <> section. 
- -[[twitch]] -=== Twitch - -Create a https://dev.twitch.tv/console/apps[Twitch application]: - -image::oidc-twitch-1.png[role="thumb"] - -You can now configure your `application.properties`: - -[source,properties] ----- -quarkus.oidc.provider=twitch -quarkus.oidc.client-id= -quarkus.oidc.credentials.client-secret.value= ----- - -[[discord]] -=== Discord - -Create a https://discord.com/developers/applications[Discord application]: - -image::oidc-discord-1.png[role="thumb"] - -You now can get your client id and secret: - -image::oidc-discord-2.png[role="thumb"] - -You can now configure your `application.properties`: - -[source,properties] ----- -quarkus.oidc.provider=discord -quarkus.oidc.client-id= -quarkus.oidc.credentials.client-secret= ----- - -[[linkedin]] -=== LinkedIn - -Create a https://developer.linkedin.com/[LinkedIn application]: - -image::oidc-linkedin-1.png[role="thumb"] - -Add the `Sign In with LinkedIn using OpenId Connect` product: - -image::oidc-linkedin-2.png[role="thumb"] - -You now can get your client id and secret. Don't forget to also add the authorized redirect URLs for your application: - -image::oidc-linkedin-3.png[role="thumb"] - -You can now configure your `application.properties`: - -[source,properties] ----- -quarkus.oidc.provider=linkedin -quarkus.oidc.client-id= -quarkus.oidc.credentials.client-secret= ----- - -[[strava]] -=== Strava - -Create a https://www.strava.com/settings/api[Strava application]: - -image::oidc-strava-1.png[role="thumb"] - -For example, set `Category` to `SocialMotivation`, and set `ApplicationCallbackDomain` to either `localhost` or the domain name provided by Ngrok, see the <> for more information. 
- -You can now configure your `application.properties`: - -[source,properties] ----- -quarkus.oidc.provider=strava -quarkus.oidc.client-id= -quarkus.oidc.credentials.client-secret= -# default value is '/strava' -quarkus.oidc.authentication.redirect-path=/fitness/welcome <1> ----- -<1> Strava does not enforce that the redirect (callback) URI which is provided as an authorization code flow parameter is equal to the URI registered in the Strava application because it only requires configuring `ApplicationCallbackDomain`. For example, if `ApplicationCallbackDomain` is set to `www.my-strava-example.com`, Strava will accept redirect URIs such as `www.my-strava-example.com/a`, `www.my-strava-example.com/path/a`, which is not recommended by OAuth2 best security practices, see link:https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#name-insufficient-redirect-uri-v[Insufficent redirect_uri validation] for more information. -Therefore you must configure a redirect path when working with the Strava provider and Quarkus will enforce that the current request path matches the configured `quarkus.oidc.authentication.redirect-path` value before completing the authotization code flow. See the <> for more information. - [[provider-scope]] == Provider scopes diff --git a/docs/src/main/asciidoc/security-webauthn.adoc b/docs/src/main/asciidoc/security-webauthn.adoc index 1edac265a39ee..fc47d17acb45a 100644 --- a/docs/src/main/asciidoc/security-webauthn.adoc +++ b/docs/src/main/asciidoc/security-webauthn.adoc 
@@ -67,8 +67,8 @@ Just in case you get there wondering what's the relation with https://fidoallian and whether we support it: sure, yes, PassKeys is a way that your authenticator devices can share and sync their credentials, which you can then use with our WebAuthn authentication. -NOTE: The WebAuthn specification requires `https` to be used for communication with the server, though -some browsers allow `localhost`. If you must use `https` in `DEV` mode, you can always use the +NOTE: The WebAuthn specification requires HTTPS to be used for communication with the server, though +some browsers allow `localhost`. If you must use HTTPS in dev mode, you can always use the https://docs.quarkiverse.io/quarkus-ngrok/dev/index.html[quarkus-ngrok] extension. == Architecture
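Review bot: in the databases-dev-services.adoc hunk, the rewritten `+` line still carries the typo `file sytem` and the redundant `When rerunning again the same dev services`; since the line is already being touched, fix both, e.g. `will be created on your file system and will contain all the database data. When the same Dev Services are rerun, that folder still holds any data you created beforehand.`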
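Review bot: in the native-and-ssl.adoc hunk, the `+` bullet keeps the ungrammatical `This requires also to add into the application all certificates`; suggest `This also requires adding the certificates for all environments (e.g. `dev`, `test`, `prod`) to the application, which means a certificate that is needed only in dev mode will still end up in production.` Wrapping the environment names in backticks reads as a reference to Quarkus profile names; if that is the intent, say so, otherwise keep them as plain words.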
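Review bot: in the security-oidc-code-flow-authentication-tutorial.adoc hunk, the reordered provider list omits Discord, LinkedIn and Strava, which this same patch documents in security-openid-connect-providers.adoc; either add them or keep the list deliberately short and rely on `such as`. The same applies to the shorter list in the security-oidc-code-flow-authentication.adoc hunk.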
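Review bot: in the `@@ -29,6 +29,177 @@` hunk of security-openid-connect-providers.adoc, the moved Facebook intro keeps the garbled sentence `Facebook you will not be let you test your application on `localhost``; since the block is being relocated anyway, fix it to `Facebook will not let you test your application on `localhost``, and `Quick the `Quickstarts` page` further down should read `Skip the `Quickstarts` page`. Two further points on the Apple steps: the reader is told to save the downloaded `.p8` signing key under `src/main/resources`, which packages a long-lived private credential into the build artifact and invites committing it to version control; add a sentence that the key must be kept out of the repository and the shipped archive outside of local development. And the return URL `/_renarde/security/oidc-success` is Renarde-specific; state that the URL registered with the provider must match the application's actual redirect path, otherwise readers of a plain `quarkus-oidc` application will register the wrong callback.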
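Review bot: in the `@@ -113,9 +284,33 @@` hunk, the new LinkedIn example uses `quarkus.oidc.credentials.client-secret=`, the Discord and Strava examples in this patch use the same key, the Twitch example uses `quarkus.oidc.credentials.client-secret.value=`, and GitHub, Google, Spotify and X use `quarkus.oidc.credentials.secret=`; confirm which of these are valid property names and use one form consistently across the new sections, or add a sentence explaining when each form applies. Minor: `Sign In with LinkedIn using OpenId Connect` should be `OpenID Connect` unless it quotes the product name verbatim.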
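Review bot: in the `@@ -211,164 +406,73 @@` hunk, the Strava callout `<1>` is moved verbatim and keeps the typos `Insufficent redirect_uri validation` and `authotization code flow`; fix both while moving it. That callout is the only place on the page explaining why a provider that validates just the callback domain makes `quarkus.oidc.authentication.redirect-path` mandatory, so it is worth a sentence noting that the same path check protects against any provider with lax redirect URI validation, not only Strava. Also `for testing during development purposes` in the Spotify text reads better as `for testing during development`. Keeping the old `[[twitter]]` anchor on the new `X (formerly Twitter)` heading and correcting `spotiify` to `spotify` are both good.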
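Review bot: in the `@@ -414,17 +518,17 @@` hunk, `X provider requires Proof Key for Code Exchange (PKCE)` is missing its article; suggest `The X provider requires Proof Key for Code Exchange (PKCE)`. The renamed `quarkus.oidc.provider=x` value in the properties block matches the new note text, so the sample and the prose stay consistent.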