Migration Guide 2.6

Deprecated OIDC TokenConfigResolver and TokenStateManager methods, quarkus.oidc.authentication.auto-refresh-timeout property removed

OIDC TokenConfigResolver methods deprecated in 2.2 and TokenStateManager methods deprecated in 2.3 have now been removed.

It should have a minimum impact if any at all since only TokenConfigResolver and TokenStateManager methods returning Uni can work without blocking the IO thread and thus should be used in the real world applications.

A long time deprecated quarkus.oidc.authentication.auto-refresh-timeout property has also been removed - please use a better named quarkus.oidc.authentication.refresh-token-time-skew from now on.

Access to RoutingContext in OIDC SecurityIdentityAugmentor

The way a Vert.x RoutingContext can be accessed in the custom OIDC SecurityIdentityAugmentors has changed. If it is required then please access it as a SecurityIdentity attribute which will be more portable:

import javax.enterprise.context.ApplicationScoped;
import io.quarkus.security.identity.AuthenticationRequestContext;
import io.quarkus.security.identity.SecurityIdentity;
import io.quarkus.security.identity.SecurityIdentityAugmentor;
import io.quarkus.security.runtime.QuarkusSecurityIdentity;
import io.smallrye.mutiny.Uni;
import io.vertx.ext.web.RoutingContext;

@ApplicationScoped
public class CustomOidcSecurityIdentityAugmentor implements SecurityIdentityAugmentor {
    @Override
    public Uni<SecurityIdentity> augment(SecurityIdentity identity, AuthenticationRequestContext context) {
        // Instead of 
        // IdTokenCredential cred = identity.getCredential(IdTokenCredential.class);
        // RoutingContext context = cred.getRoutingContext();
        RoutingContext context = identity.getAttribute(RoutingContext.class.getName());

        QuarkusSecurityIdentity.Builder builder = QuarkusSecurityIdentity.builder(identity);
        // Use RoutingContext as required
        return Uni.createFrom().item(builder.build);
    }
}

The old way of accessing RoutingContext as an OIDC IdTokenCredential or AccessTokenCredential property prevents the use of OIDC tokens for running the background tasks when no RoutingContext is available.

Reactive Routes produces changes

The produces attribute of the @Route annotation was only used for content negotiation. Starting Quarkus 2.6, it is also used to indicate how Multi instances need to be serialized in the HTTP response.

When a route returns a Multi<T>, it can:

• send the item one by one, without any modification (raw stream)
• wrap the Multi as a JSON Array, where each item is sent one by one
• produce a server-sent-event stream
• produce JSON (also named ND-JSON) stream

Before Quarkus 2.6, to express the three last possibilities you had to wrap the produced Multi using ReactiveRoutes.asJsonArray, ReactiveRoutes.asEventStream and ReactiveRoutes.asJsonStream. Unfortunately, this approach does not work when Quarkus security is enabled.

To work around that problem, starting Quarkus 2.6, you can indicate the serialization you need using the produces attribute of @Route. If the first value of the produces array is application/json, text/event-stream, application/x-ndjson (or application/stream+json), the associated serialization is used.

So, instead of:

1. returning ReactiveRoutes.asJsonArray(multi), return multi directly and set produces="application/json"
2. returning ReactiveRoutes.asEventStream(multi), return multi directly and set produces="text/event-stream"
3. returning ReactiveRoutes.asJsonStream(multi), return multi directly and set produces="application/x-ndjson"