Merge pull request #44374 from sberyozkin/optimize_oidc_tenants_grouping

Improve the way OIDC tenants are grouped and their properties are generated

Author: sberyozkin

extensions/keycloak-authorization/runtime/src/main/java/io/quarkus/keycloak/pep/runtime/DefaultPolicyEnforcerResolver.java

@@ -49,7 +49,7 @@ public class DefaultPolicyEnforcerResolver implements PolicyEnforcerResolver {
             this.tlsSupport = OidcTlsSupport.empty();
         }
 
-        var defaultTenantConfig = new OidcTenantConfig(oidcConfig.defaultTenant(), OidcUtils.DEFAULT_TENANT_ID);
+        var defaultTenantConfig = new OidcTenantConfig(OidcConfig.getDefaultTenant(oidcConfig), OidcUtils.DEFAULT_TENANT_ID);
         var defaultTenantTlsSupport = tlsSupport.forConfig(defaultTenantConfig.tls);
         this.defaultPolicyEnforcer = createPolicyEnforcer(defaultTenantConfig, config.defaultTenant(),
                 defaultTenantTlsSupport);

extensions/keycloak-authorization/runtime/src/main/java/io/quarkus/keycloak/pep/runtime/KeycloakPolicyEnforcerUtil.java

@@ -226,7 +226,7 @@ private static boolean isNotComplexConfigKey(String key) {
 
     static OidcTenantConfig getOidcTenantConfig(OidcConfig oidcConfig, String tenant) {
         if (tenant == null || DEFAULT_TENANT_ID.equals(tenant)) {
-            return new OidcTenantConfig(oidcConfig.defaultTenant(), DEFAULT_TENANT_ID);
+            return new OidcTenantConfig(OidcConfig.getDefaultTenant(oidcConfig), DEFAULT_TENANT_ID);
         }
 
         var oidcTenantConfig = oidcConfig.namedTenants().get(tenant);

extensions/oidc-common/runtime/src/main/java/io/quarkus/oidc/common/runtime/config/OidcClientCommonConfig.java

@@ -4,6 +4,7 @@
 import java.util.Optional;
 
 import io.quarkus.runtime.annotations.ConfigDocMapKey;
+import io.quarkus.runtime.annotations.ConfigDocSection;
 import io.quarkus.runtime.annotations.ConfigGroup;
 import io.smallrye.config.WithDefault;
 
@@ -36,10 +37,14 @@ public interface OidcClientCommonConfig extends OidcCommonConfig {
     Optional<String> clientName();
 
     /**
-     * Credentials the OIDC adapter uses to authenticate to the OIDC server.
+     * Different authentication options for OIDC client to access OIDC token and other secured endpoints.
      */
+    @ConfigDocSection
     Credentials credentials();
 
+    /**
+     * Credentials used by OIDC client to authenticate to OIDC token and other secured endpoints.
+     */
     interface Credentials {
 
         /**

extensions/oidc-common/runtime/src/main/java/io/quarkus/oidc/common/runtime/config/OidcCommonConfig.java

@@ -6,6 +6,7 @@
 import java.util.OptionalInt;
 
 import io.quarkus.runtime.annotations.ConfigDocDefault;
+import io.quarkus.runtime.annotations.ConfigDocSection;
 import io.quarkus.runtime.annotations.ConfigGroup;
 import io.smallrye.config.WithDefault;
 
@@ -77,13 +78,15 @@ public interface OidcCommonConfig {
     boolean followRedirects();
 
     /**
-     * Options to configure the proxy the OIDC adapter uses to talk with the OIDC server.
+     * HTTP proxy configuration.
      */
+    @ConfigDocSection
     Proxy proxy();
 
     /**
-     * TLS configurations
+     * TLS configuration.
      */
+    @ConfigDocSection
     Tls tls();
 
     interface Tls {

extensions/oidc/deployment/src/main/java/io/quarkus/oidc/deployment/OidcBuildTimeConfig.java

@@ -1,6 +1,7 @@
 package io.quarkus.oidc.deployment;
 
 import io.quarkus.oidc.runtime.OidcConfig;
+import io.quarkus.runtime.annotations.ConfigDocSection;
 import io.quarkus.runtime.annotations.ConfigRoot;
 import io.smallrye.config.ConfigMapping;
 import io.smallrye.config.WithDefault;
@@ -18,8 +19,9 @@ public interface OidcBuildTimeConfig {
     boolean enabled();
 
     /**
-     * Dev UI configuration.
+     * OIDC Dev UI configuration which is effective in dev mode only.
      */
+    @ConfigDocSection
     DevUiConfig devui();
 
     /**

extensions/oidc/deployment/src/test/java/io/quarkus/oidc/test/ProtectedResource.java

@@ -45,7 +45,7 @@ public void logout() {
     @Path("access-token-name")
     @GET
     public String accessTokenName() {
-        if (!config.defaultTenant().authentication().verifyAccessToken()) {
+        if (!OidcConfig.getDefaultTenant(config).authentication().verifyAccessToken()) {
             throw new IllegalStateException("Access token verification should be enabled");
         }
         return accessToken.getName();

extensions/oidc/deployment/src/test/java/io/quarkus/oidc/test/ProtectedResourceWithJwtAccessToken.java

@@ -26,6 +26,6 @@ public class ProtectedResourceWithJwtAccessToken {
 
     @GET
     public String getName() {
-        return idToken.getName() + ":" + config.defaultTenant().authentication().verifyAccessToken();
+        return idToken.getName() + ":" + OidcConfig.getDefaultTenant(config).authentication().verifyAccessToken();
     }
 }

extensions/oidc/deployment/src/test/java/io/quarkus/oidc/test/ProtectedResourceWithoutJwtAccessToken.java

@@ -23,6 +23,6 @@ public class ProtectedResourceWithoutJwtAccessToken {
 
     @GET
     public String getName() {
-        return idToken.getName() + ":" + config.defaultTenant().authentication().verifyAccessToken();
+        return idToken.getName() + ":" + OidcConfig.getDefaultTenant(config).authentication().verifyAccessToken();
     }
 }

extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/BackChannelLogoutHandler.java

@@ -37,7 +37,7 @@ public BackChannelLogoutHandler(OidcConfig oidcConfig) {
     }
 
     public void setup(@Observes Router router) {
-        addRoute(router, new OidcTenantConfig(oidcConfig.defaultTenant(), OidcUtils.DEFAULT_TENANT_ID));
+        addRoute(router, new OidcTenantConfig(OidcConfig.getDefaultTenant(oidcConfig), OidcUtils.DEFAULT_TENANT_ID));
 
         for (var nameToOidcTenantConfig : oidcConfig.namedTenants().entrySet()) {
             addRoute(router, new OidcTenantConfig(nameToOidcTenantConfig.getValue(), nameToOidcTenantConfig.getKey()));

extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcConfig.java

@@ -10,31 +10,31 @@
 import io.quarkus.runtime.annotations.ConfigRoot;
 import io.smallrye.config.ConfigMapping;
 import io.smallrye.config.WithDefault;
+import io.smallrye.config.WithDefaults;
 import io.smallrye.config.WithParentName;
+import io.smallrye.config.WithUnnamedKey;
 
 @ConfigMapping(prefix = "quarkus.oidc")
 @ConfigRoot(phase = ConfigPhase.RUN_TIME)
 public interface OidcConfig {
 
-    /**
-     * The default tenant.
-     */
-    @WithParentName
-    OidcTenantConfig defaultTenant();
+    String DEFAULT_TENANT_KEY = "<default>";
 
     /**
      * Additional named tenants.
      */
-    @ConfigDocSection
     @ConfigDocMapKey("tenant")
     @WithParentName
+    @WithUnnamedKey(DEFAULT_TENANT_KEY)
+    @WithDefaults
     Map<String, OidcTenantConfig> namedTenants();
 
     /**
-     * Default TokenIntrospection and UserInfo Cache configuration which is used for all the tenants if it is enabled
-     * with the build-time 'quarkus.oidc.default-token-cache-enabled' property ('true' by default) and also activated,
-     * see its `max-size` property.
+     * Default TokenIntrospection and UserInfo Cache configuration.
+     * It is used for all the tenants if it is enabled with the build-time 'quarkus.oidc.default-token-cache-enabled' property
+     * ('true' by default) and also activated, see its `max-size` property.
      */
+    @ConfigDocSection
     TokenCache tokenCache();
 
     /**
@@ -66,4 +66,13 @@ interface TokenCache {
          */
         Optional<Duration> cleanUpTimerInterval();
     }
+
+    static io.quarkus.oidc.runtime.OidcTenantConfig getDefaultTenant(OidcConfig config) {
+        for (var tenant : config.namedTenants().entrySet()) {
+            if (OidcConfig.DEFAULT_TENANT_KEY.equals(tenant.getKey())) {
+                return tenant.getValue();
+            }
+        }
+        return null;
+    }
 }