Merge pull request quarkusio#44697 from michalvavrik/feature/add-oidc…

…-client-config-builder

Add OIDC Client config builder

docs/src/main/asciidoc/security-openid-connect-client-reference.adoc

@@ -355,8 +355,8 @@ import java.util.Map;
 import org.eclipse.microprofile.config.inject.ConfigProperty;
 
 import io.quarkus.oidc.client.OidcClient;
-import io.quarkus.oidc.client.OidcClientConfig;
-import io.quarkus.oidc.client.OidcClientConfig.Grant.Type;
+import io.quarkus.oidc.client.runtime.OidcClientConfig;
+import io.quarkus.oidc.client.runtime.OidcClientConfig.Grant.Type;
 import io.quarkus.oidc.client.OidcClients;
 import io.quarkus.runtime.StartupEvent;
 import io.smallrye.mutiny.Uni;
@@ -383,14 +383,14 @@ public class OidcClientCreator {
     }
 
     private Uni<OidcClient> createOidcClient() {
-        OidcClientConfig cfg = new OidcClientConfig();
-        cfg.setId("myclient");
-        cfg.setAuthServerUrl(oidcProviderAddress);
-        cfg.setClientId("backend-service");
-        cfg.getCredentials().setSecret("secret");
-        cfg.getGrant().setType(Type.PASSWORD);
-        cfg.setGrantOptions(Map.of("password",
-        		Map.of("username", "alice", "password", "alice")));
+        OidcClientConfig cfg = OidcClientConfig
+            .authServerUrl(oidcProviderAddress)
+            .id("myclient")
+            .clientId("backend-service")
+            .credentials("secret")
+            .grant(Type.PASSWORD)
+            .grantOptions("password", Map.of("username", "alice", "password", "alice"))
+            .build();
         return oidcClients.newClient(cfg);
     }
 }

docs/src/main/asciidoc/security-openid-connect-client.adoc

@@ -303,14 +303,14 @@ public class OidcClientCreator {
     }
 
     private Uni<OidcClient> createOidcClient() {
-        OidcClientConfig cfg = new OidcClientConfig();
-        cfg.setId("myclient");
-        cfg.setAuthServerUrl(oidcProviderAddress);
-        cfg.setClientId("backend-service");
-        cfg.getCredentials().setSecret("secret");
-        cfg.getGrant().setType(Type.PASSWORD);
-        cfg.setGrantOptions(Map.of("password",
-        		Map.of("username", "alice", "password", "alice")));
+        OidcClientConfig cfg = OidcClientConfig
+            .authServerUrl(oidcProviderAddress)
+            .id("myclient")
+            .clientId("backend-service")
+            .credentials("secret")
+            .grant(Type.PASSWORD)
+            .grantOptions("password", Map.of("username", "alice", "password", "alice"))
+            .build();
         return oidcClients.newClient(cfg);
     }
 }

extensions/keycloak-authorization/runtime/src/main/java/io/quarkus/keycloak/pep/runtime/DefaultPolicyEnforcerResolver.java

@@ -50,7 +50,7 @@ public class DefaultPolicyEnforcerResolver implements PolicyEnforcerResolver {
         }
 
         var defaultTenantConfig = new OidcTenantConfig(OidcConfig.getDefaultTenant(oidcConfig), OidcUtils.DEFAULT_TENANT_ID);
-        var defaultTenantTlsSupport = tlsSupport.forConfig(defaultTenantConfig.tls);
+        var defaultTenantTlsSupport = tlsSupport.forConfig(defaultTenantConfig.tls());
         this.defaultPolicyEnforcer = createPolicyEnforcer(defaultTenantConfig, config.defaultTenant(),
                 defaultTenantTlsSupport);
         this.namedPolicyEnforcers = createNamedPolicyEnforcers(oidcConfig, config, tlsSupport);
@@ -101,7 +101,7 @@ private Uni<PolicyEnforcer> getDynamicPolicyEnforcer(RoutingContext routingConte
                 .onItem().ifNotNull().transform(new Function<KeycloakPolicyEnforcerTenantConfig, PolicyEnforcer>() {
                     @Override
                     public PolicyEnforcer apply(KeycloakPolicyEnforcerTenantConfig tenant) {
-                        return createPolicyEnforcer(config, tenant, tlsSupport.forConfig(config.tls));
+                        return createPolicyEnforcer(config, tenant, tlsSupport.forConfig(config.tls()));
                     }
                 });
     }
@@ -116,7 +116,7 @@ private static Map<String, PolicyEnforcer> createNamedPolicyEnforcers(OidcConfig
         for (Map.Entry<String, KeycloakPolicyEnforcerTenantConfig> tenant : config.namedTenants().entrySet()) {
             OidcTenantConfig oidcTenantConfig = getOidcTenantConfig(oidcConfig, tenant.getKey());
             policyEnforcerTenants.put(tenant.getKey(),
-                    createPolicyEnforcer(oidcTenantConfig, tenant.getValue(), tlsSupport.forConfig(oidcTenantConfig.tls)));
+                    createPolicyEnforcer(oidcTenantConfig, tenant.getValue(), tlsSupport.forConfig(oidcTenantConfig.tls())));
         }
         return Map.copyOf(policyEnforcerTenants);
     }

extensions/keycloak-authorization/runtime/src/main/java/io/quarkus/keycloak/pep/runtime/KeycloakPolicyEnforcerUtil.java

@@ -18,8 +18,8 @@
 
 import io.quarkus.oidc.OIDCException;
 import io.quarkus.oidc.OidcTenantConfig;
-import io.quarkus.oidc.common.runtime.OidcCommonConfig;
 import io.quarkus.oidc.common.runtime.OidcTlsSupport.TlsConfigSupport;
+import io.quarkus.oidc.common.runtime.config.OidcCommonConfig;
 import io.quarkus.oidc.runtime.OidcConfig;
 import io.quarkus.runtime.configuration.ConfigurationException;
 
@@ -53,16 +53,16 @@ static PolicyEnforcer createPolicyEnforcer(OidcTenantConfig oidcConfig,
         adapterConfig.setCredentials(getCredentials(oidcConfig));
 
         if (!tlsConfigSupport.useTlsRegistry()) {
-            boolean trustAll = oidcConfig.tls.getVerification().isPresent()
-                    ? oidcConfig.tls.getVerification().get() == OidcCommonConfig.Tls.Verification.NONE
+            boolean trustAll = oidcConfig.tls().verification().isPresent()
+                    ? oidcConfig.tls().verification().get() == OidcCommonConfig.Tls.Verification.NONE
                     : tlsConfigSupport.isGlobalTrustAll();
             if (trustAll) {
                 adapterConfig.setDisableTrustManager(true);
                 adapterConfig.setAllowAnyHostname(true);
-            } else if (oidcConfig.tls.trustStoreFile.isPresent()) {
-                adapterConfig.setTruststore(oidcConfig.tls.trustStoreFile.get().toString());
-                adapterConfig.setTruststorePassword(oidcConfig.tls.trustStorePassword.orElse("password"));
-                if (OidcCommonConfig.Tls.Verification.CERTIFICATE_VALIDATION == oidcConfig.tls.verification
+            } else if (oidcConfig.tls().trustStoreFile().isPresent()) {
+                adapterConfig.setTruststore(oidcConfig.tls().trustStoreFile().get().toString());
+                adapterConfig.setTruststorePassword(oidcConfig.tls().trustStorePassword().orElse("password"));
+                if (OidcCommonConfig.Tls.Verification.CERTIFICATE_VALIDATION == oidcConfig.tls().verification()
                         .orElse(OidcCommonConfig.Tls.Verification.REQUIRED)) {
                     adapterConfig.setAllowAnyHostname(true);
                 }

extensions/oidc-client/deployment/src/main/java/io/quarkus/oidc/client/deployment/OidcClientBuildStep.java

@@ -34,6 +34,7 @@
 import io.quarkus.deployment.builditem.ApplicationArchivesBuildItem;
 import io.quarkus.deployment.builditem.CombinedIndexBuildItem;
 import io.quarkus.deployment.builditem.ExtensionSslNativeSupportBuildItem;
+import io.quarkus.deployment.builditem.RunTimeConfigBuilderBuildItem;
 import io.quarkus.deployment.builditem.nativeimage.RuntimeInitializedClassBuildItem;
 import io.quarkus.gizmo.ClassCreator;
 import io.quarkus.gizmo.ClassOutput;
@@ -46,6 +47,7 @@
 import io.quarkus.oidc.client.Tokens;
 import io.quarkus.oidc.client.runtime.AbstractTokensProducer;
 import io.quarkus.oidc.client.runtime.OidcClientBuildTimeConfig;
+import io.quarkus.oidc.client.runtime.OidcClientDefaultIdConfigBuilder;
 import io.quarkus.oidc.client.runtime.OidcClientRecorder;
 import io.quarkus.oidc.client.runtime.OidcClientsConfig;
 import io.quarkus.oidc.client.runtime.TokenProviderProducer;
@@ -184,6 +186,11 @@ private AccessTokenInstanceBuildItem build() {
         return index.getIndex().getAnnotations(ACCESS_TOKEN).stream().map(ItemBuilder::new).map(ItemBuilder::build).toList();
     }
 
+    @BuildStep
+    RunTimeConfigBuilderBuildItem useOidcClientDefaultIdConfigBuilder() {
+        return new RunTimeConfigBuilderBuildItem(OidcClientDefaultIdConfigBuilder.class);
+    }
+
     /**
      * Creates a Tokens producer class like follows:
      *

extensions/oidc-client/deployment/src/test/java/io/quarkus/oidc/client/OidcClientKeycloakDevServiceTest.java

@@ -5,10 +5,14 @@
 import static org.hamcrest.Matchers.is;
 import static org.hamcrest.Matchers.not;
 import static org.hamcrest.Matchers.notNullValue;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+import jakarta.inject.Inject;
 
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.RegisterExtension;
 
+import io.quarkus.oidc.client.runtime.OidcClientsConfig;
 import io.quarkus.oidc.runtime.OidcUtils;
 import io.quarkus.test.QuarkusUnitTest;
 import io.restassured.RestAssured;
@@ -25,6 +29,23 @@ public class OidcClientKeycloakDevServiceTest {
                     .addClasses(NamedOidcClientResource.class)
                     .addAsResource("oidc-client-dev-service-test.properties", "application.properties"));
 
+    @Inject
+    OidcClientsConfig config;
+
+    @Test
+    public void testOidcClientDefaultIdIsSet() {
+        var defaultClientConfig = OidcClientsConfig.getDefaultClient(config);
+        // not set, so "Default" id should be set by Quarkus
+        assertEquals("Default", defaultClientConfig.id().orElse(null));
+        // not set, so named key "client1" should be set by Quarkus
+        assertEquals("client1", config.namedClients().get("client1").id().orElse(null));
+        // set to "client2" in application.properties
+        // we cannot set here any different value, because ATM OIDC client enforce that ID always equal named key anyway
+        assertEquals("client2", config.namedClients().get("client2").id().orElse(null));
+        // not set and named key "client3" is enclosed in double quotes, so named key "client3" should be set by Quarkus
+        assertEquals("client3", config.namedClients().get("client3").id().orElse(null));
+    }
+
     @Test
     public void testInjectedNamedOidcClients() {
         String token1 = doTestGetTokenByNamedClient("client1");

extensions/oidc-client/deployment/src/test/resources/oidc-client-dev-service-test.properties

@@ -13,3 +13,11 @@ quarkus.oidc-client.client2.credentials.secret=${quarkus.oidc-client.credentials
 quarkus.oidc-client.client2.grant.type=password
 quarkus.oidc-client.client2.grant-options.password.username=bob
 quarkus.oidc-client.client2.grant-options.password.password=bob
+quarkus.oidc-client.client2.id=client2
+
+quarkus.oidc-client."client3".auth-server-url=${quarkus.oidc-client.auth-server-url}
+quarkus.oidc-client."client3".client-id=${quarkus.oidc-client.client-id}
+quarkus.oidc-client."client3".credentials.secret=${quarkus.oidc-client.credentials.secret}
+quarkus.oidc-client."client3".grant.type=password
+quarkus.oidc-client."client3".grant-options.password.username=bob
+quarkus.oidc-client."client3".grant-options.password.password=bob

extensions/oidc-client/runtime/src/main/java/io/quarkus/oidc/client/OidcClientConfig.java

@@ -8,7 +8,12 @@
 import io.quarkus.oidc.common.runtime.OidcClientCommonConfig;
 import io.quarkus.oidc.common.runtime.OidcConstants;
 
-public class OidcClientConfig extends OidcClientCommonConfig {
+/**
+ * @deprecated create {@link io.quarkus.oidc.client.runtime.OidcClientConfig} with the {@link OidcClientConfigBuilder}
+ *             for example, you can use the {@link io.quarkus.oidc.client.runtime.OidcClientConfig#builder()} method.
+ */
+@Deprecated(since = "3.18")
+public class OidcClientConfig extends OidcClientCommonConfig implements io.quarkus.oidc.client.runtime.OidcClientConfig {
 
     public OidcClientConfig() {
 
@@ -67,7 +72,82 @@ public OidcClientConfig(io.quarkus.oidc.client.runtime.OidcClientConfig mapping)
 
     public Grant grant = new Grant();
 
-    public static class Grant {
+    @Override
+    public Optional<String> id() {
+        return id;
+    }
+
+    @Override
+    public boolean clientEnabled() {
+        return clientEnabled;
+    }
+
+    @Override
+    public Optional<List<String>> scopes() {
+        return scopes;
+    }
+
+    @Override
+    public Optional<Duration> refreshTokenTimeSkew() {
+        return refreshTokenTimeSkew;
+    }
+
+    @Override
+    public Optional<Duration> accessTokenExpiresIn() {
+        return accessTokenExpiresIn;
+    }
+
+    @Override
+    public boolean absoluteExpiresIn() {
+        return absoluteExpiresIn;
+    }
+
+    @Override
+    public io.quarkus.oidc.client.runtime.OidcClientConfig.Grant grant() {
+        return grant;
+    }
+
+    @Override
+    public Map<String, Map<String, String>> grantOptions() {
+        return grantOptions;
+    }
+
+    @Override
+    public boolean earlyTokensAcquisition() {
+        return earlyTokensAcquisition;
+    }
+
+    @Override
+    public Map<String, String> headers() {
+        return headers;
+    }
+
+    public static class Grant implements io.quarkus.oidc.client.runtime.OidcClientConfig.Grant {
+
+        @Override
+        public io.quarkus.oidc.client.runtime.OidcClientConfig.Grant.Type type() {
+            return type == null ? null : io.quarkus.oidc.client.runtime.OidcClientConfig.Grant.Type.valueOf(type.toString());
+        }
+
+        @Override
+        public String accessTokenProperty() {
+            return accessTokenProperty;
+        }
+
+        @Override
+        public String refreshTokenProperty() {
+            return refreshTokenProperty;
+        }
+
+        @Override
+        public String expiresInProperty() {
+            return expiresInProperty;
+        }
+
+        @Override
+        public String refreshExpiresInProperty() {
+            return refreshExpiresInProperty;
+        }
 
         public static enum Type {
             /**