Support for OAuth2 Demonstrating Proof of Possession

extensions/devservices/keycloak/src/main/java/io/quarkus/devservices/keycloak/KeycloakDevServicesProcessor.java

@@ -112,7 +112,7 @@ public class KeycloakDevServicesProcessor {
     private static final String KEYCLOAK_QUARKUS_ADMIN_PROP = "KC_BOOTSTRAP_ADMIN_USERNAME";
     private static final String KEYCLOAK_QUARKUS_ADMIN_PASSWORD_PROP = "KC_BOOTSTRAP_ADMIN_PASSWORD";
     private static final String KEYCLOAK_QUARKUS_START_CMD = "start --http-enabled=true --hostname-strict=false "
-            + "--spi-user-profile-declarative-user-profile-config-file=/opt/keycloak/upconfig.json";
+            + "--features=preview --spi-user-profile-declarative-user-profile-config-file=/opt/keycloak/upconfig.json";
 
     private static final String JAVA_OPTS = "JAVA_OPTS";
     private static final String OIDC_USERS = "oidc.users";

integration-tests/oidc-dpop/pom.xml

@@ -0,0 +1,145 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <parent>
+        <artifactId>quarkus-integration-tests-parent</artifactId>
+        <groupId>io.quarkus</groupId>
+        <version>999-SNAPSHOT</version>
+        <relativePath>../</relativePath>
+    </parent>
+    <modelVersion>4.0.0</modelVersion>
+
+    <artifactId>quarkus-integration-test-oidc-dpop</artifactId>
+    <name>Quarkus - Integration Tests - OpenID Connect DPoP</name>
+    <description>Module that contains OpenID Connect DPoP tests</description>
+
+    <dependencies>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-oidc</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-oidc-deployment</artifactId>
+            <version>${project.version}</version>
+            <type>pom</type>
+            <scope>test</scope>
+            <exclusions>
+                <exclusion>
+                    <groupId>*</groupId>
+                    <artifactId>*</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-rest</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-rest-deployment</artifactId>
+            <version>${project.version}</version>
+            <type>pom</type>
+            <scope>test</scope>
+            <exclusions>
+                <exclusion>
+                    <groupId>*</groupId>
+                    <artifactId>*</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+        <!-- test dependencies -->
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-junit5</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>io.rest-assured</groupId>
+            <artifactId>rest-assured</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.htmlunit</groupId>
+            <artifactId>htmlunit</artifactId>
+            <scope>test</scope>
+        </dependency>
+    </dependencies>
+
+    <build>
+        <resources>
+            <resource>
+                <directory>src/main/resources</directory>
+                <filtering>true</filtering>
+            </resource>
+        </resources>
+        <plugins>
+            <plugin>
+                <artifactId>maven-surefire-plugin</artifactId>
+                <configuration>
+                    <skip>true</skip>
+                </configuration>
+            </plugin>
+            <plugin>
+                <artifactId>maven-failsafe-plugin</artifactId>
+                <configuration>
+                    <skip>true</skip>
+                </configuration>
+            </plugin>
+            <plugin>
+                <groupId>io.quarkus</groupId>
+                <artifactId>quarkus-maven-plugin</artifactId>
+                <executions>
+                    <execution>
+                        <goals>
+                            <goal>build</goal>
+                        </goals>
+                    </execution>
+                </executions>
+            </plugin>
+        </plugins>
+    </build>
+
+    <profiles>
+        <profile>
+            <id>test-keycloak</id>
+            <activation>
+                <property>
+                    <name>test-containers</name>
+                </property>
+            </activation>
+            <build>
+                <plugins>
+                    <plugin>
+                        <artifactId>maven-surefire-plugin</artifactId>
+                        <configuration>
+                            <skip>false</skip>
+                        </configuration>
+                    </plugin>
+                    <plugin>
+                        <artifactId>maven-failsafe-plugin</artifactId>
+                        <configuration>
+                            <skip>false</skip>
+                            <systemPropertyVariables>
+                                <keycloak.url>${keycloak.url}</keycloak.url>
+                            </systemPropertyVariables>
+                        </configuration>
+                    </plugin>
+                    <plugin>
+                        <groupId>io.quarkus</groupId>
+                        <artifactId>quarkus-maven-plugin</artifactId>
+                        <executions>
+                            <execution>
+                                <goals>
+                                    <goal>build</goal>
+                                </goals>
+                            </execution>
+                        </executions>
+                    </plugin>
+                </plugins>
+            </build>
+        </profile>
+    </profiles>
+
+</project>

integration-tests/oidc-dpop/src/main/java/io/quarkus/it/keycloak/ProtectedResource.java

@@ -0,0 +1,35 @@
+package io.quarkus.it.keycloak;
+
+import java.security.Principal;
+
+import jakarta.annotation.security.RolesAllowed;
+import jakarta.inject.Inject;
+import jakarta.ws.rs.GET;
+import jakarta.ws.rs.Path;
+import jakarta.ws.rs.Produces;
+
+import io.quarkus.security.Authenticated;
+
+@Path("/protected")
+@Authenticated
+public class ProtectedResource {
+
+    @Inject
+    Principal principal;
+
+    @GET
+    @RolesAllowed("user")
+    @Produces("text/plain")
+    @Path("userName")
+    public String principalName() {
+        return principal.getName();
+    }
+
+    @GET
+    @RolesAllowed("user")
+    @Produces("text/plain")
+    @Path("userNameReactive")
+    public String principalNameReactive() {
+        return principal.getName();
+    }
+}

integration-tests/oidc-dpop/src/main/resources/application.properties

@@ -0,0 +1,46 @@
+quarkus.oidc.client-id=backend-service
+quarkus.oidc.credentials.secret=secret
+
+quarkus.keycloak.devservices.realm-path=${project.build.directory}/classes/quarkus-realm.json
+
+quarkus.oidc-client.auth-server-url=${quarkus.oidc.auth-server-url}
+quarkus.oidc-client.client-id=${quarkus.oidc.client-id}
+quarkus.oidc-client.credentials.secret=${quarkus.oidc.credentials.secret}
+quarkus.oidc-client.grant.type=password
+quarkus.oidc-client.grant-options.password.username=alice
+quarkus.oidc-client.grant-options.password.password=alice
+
+quarkus.oidc-client.disabled-client.auth-server-url=${quarkus.oidc.auth-server-url}
+quarkus.oidc-client.disabled-client.client-id=${quarkus.oidc.client-id}
+quarkus.oidc-client.disabled-client.client-enabled=false
+quarkus.oidc-client.disabled-client.credentials.secret=${quarkus.oidc.credentials.secret}
+quarkus.oidc-client.disabled-client.grant.type=password
+quarkus.oidc-client.disabled-client.grant-options.password.username=alice
+quarkus.oidc-client.disabled-client.grant-options.password.password=alice
+
+quarkus.oidc-client.named-client.auth-server-url=${quarkus.oidc.auth-server-url}
+quarkus.oidc-client.named-client.client-id=${quarkus.oidc.client-id}
+quarkus.oidc-client.named-client.credentials.secret=${quarkus.oidc.credentials.secret}
+quarkus.oidc-client.named-client.grant.type=password
+quarkus.oidc-client.named-client.grant-options.password.username=jdoe
+quarkus.oidc-client.named-client.grant-options.password.password=jdoe
+
+quarkus.oidc-client.misconfigured-client.auth-server-url=${quarkus.oidc.auth-server-url}
+quarkus.oidc-client.misconfigured-client.client-id=${quarkus.oidc.client-id}
+quarkus.oidc-client.misconfigured-client.credentials.secret=${quarkus.oidc.credentials.secret}
+quarkus.oidc-client.misconfigured-client.grant.type=password
+quarkus.oidc-client.misconfigured-client.grant-options.password.username=jdoe
+quarkus.oidc-client.misconfigured-client.grant-options.password.password=bob
+
+io.quarkus.it.keycloak.ProtectedResourceServiceCustomFilter/mp-rest/url=http://localhost:8081/protected
+io.quarkus.it.keycloak.ProtectedResourceServiceReactiveFilter/mp-rest/url=http://localhost:8081/protected
+io.quarkus.it.keycloak.ProtectedResourceServiceNamedFilter/mp-rest/url=http://localhost:8081/protected
+io.quarkus.it.keycloak.ProtectedResourceServiceDisabledClient/mp-rest/url=http://localhost:8081/protected
+io.quarkus.it.keycloak.MisconfiguredClientFilter/mp-rest/url=http://localhost:8081/protected
+
+quarkus.log.category."io.quarkus.oidc.client.runtime.OidcClientImpl".min-level=TRACE
+quarkus.log.category."io.quarkus.oidc.client.runtime.OidcClientImpl".level=TRACE
+quarkus.log.category."io.quarkus.it.keycloak.TokenEndpointResponseFilter".min-level=TRACE
+quarkus.log.category."io.quarkus.it.keycloak.TokenEndpointResponseFilter".level=TRACE
+quarkus.log.file.enable=true
+quarkus.log.file.format=%C - %s%n