Get and refresh access tokens from OpenID Connect providers
npx @tessl/cli install tessl/maven-io-quarkus--quarkus-oidc-client@3.26.0

The Quarkus OIDC Client extension provides OpenID Connect (OIDC) client functionality for obtaining and refreshing access tokens from OIDC providers. It supports various OAuth2/OIDC grant types and integrates seamlessly with Quarkus's reactive programming model using Mutiny for asynchronous operations.
pom.xml:<dependency>
<groupId>io.quarkus</groupId>
<artifactId>quarkus-oidc-client</artifactId>
<version>3.26.2</version>
</dependency>

import io.quarkus.oidc.client.OidcClient;
import io.quarkus.oidc.client.OidcClients;
import io.quarkus.oidc.client.Tokens;
import io.quarkus.oidc.client.runtime.OidcClientConfig;
import io.quarkus.oidc.client.OidcClientConfigBuilder;

import io.quarkus.oidc.client.OidcClient;
import io.quarkus.oidc.client.OidcClients;
import io.quarkus.oidc.client.Tokens;
import io.smallrye.mutiny.Uni;
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.inject.Inject;
import java.util.Map;
@ApplicationScoped
public class TokenService {
@Inject
OidcClient oidcClient;
@Inject
OidcClients oidcClients;
/**
 * Walks through the token calls offered by the injected clients.
 *
 * <p>Each call only produces a Mutiny {@code Uni}; nothing here subscribes to it.
 * NOTE(review): Mutiny {@code Uni} values are lazy, so the token request is expected
 * to be sent only once a caller subscribes - confirm before copying this pattern.
 *
 * <p>Access and refresh tokens are bearer credentials: keep them out of logs and
 * load a real refresh token from protected storage rather than a source literal.
 */
public void getTokens() {
    // Default client, configured grant, no extra parameters
    Uni<Tokens> defaultTokens = oidcClient.getTokens();

    // Same client, with extra grant parameters; request only the scopes the caller needs
    Map<String, String> extraGrantParams = Map.of("scope", "read write");
    Uni<Tokens> scopedTokens = oidcClient.getTokens(extraGrantParams);

    // Exchange a refresh token for new tokens (the literal below is a placeholder)
    String storedRefreshToken = "existing_refresh_token";
    Uni<Tokens> renewedTokens = oidcClient.refreshTokens(storedRefreshToken);

    // Client looked up by id through OidcClients instead of the default injection
    Uni<Tokens> namedTokens = oidcClients.getClient("my-provider").getTokens();
}
}

The Quarkus OIDC Client extension is built around several key components:
- OidcClient provides reactive token operations with Mutiny Uni<T> return types
- OidcClients manages multiple OIDC client instances and configurations
- Tokens class encapsulates access and refresh tokens with expiration tracking

Core OIDC client functionality for token operations including obtaining, refreshing, and revoking tokens. All operations return Mutiny Uni<T> for reactive processing.
/**
 * Token operations against one OIDC provider: obtaining, refreshing and revoking tokens.
 * Every method returns a Mutiny {@code Uni}. The interface extends {@code Closeable},
 * so an instance can be closed when it is no longer needed.
 *
 * <p>NOTE(review): the strings passed to and returned through this interface are bearer
 * credentials; keep them out of logs and exception messages.
 */
public interface OidcClient extends Closeable {
/** Obtains tokens without any extra grant parameters. */
Uni<Tokens> getTokens();
/**
 * Obtains tokens, passing extra grant parameters.
 *
 * @param additionalGrantParameters extra parameters for the grant request, e.g. {@code scope}
 */
Uni<Tokens> getTokens(Map<String, String> additionalGrantParameters);
/**
 * Refreshes tokens using the given refresh token.
 *
 * @param refreshToken the refresh token to present to the provider
 */
Uni<Tokens> refreshTokens(String refreshToken);
/**
 * Refreshes tokens using the given refresh token and extra grant parameters.
 *
 * @param refreshToken the refresh token to present to the provider
 * @param additionalGrantParameters extra parameters for the grant request
 */
Uni<Tokens> refreshTokens(String refreshToken, Map<String, String> additionalGrantParameters);
/**
 * Revokes the given access token.
 *
 * <p>NOTE(review): check the Boolean result rather than assuming success; a false result is
 * understood to mean the token was not revoked and the request may need retrying - confirm
 * against the Quarkus Javadoc.
 *
 * @param accessToken the access token to revoke
 */
Uni<Boolean> revokeAccessToken(String accessToken);
/**
 * Revokes the given access token, passing extra parameters with the request.
 *
 * @param accessToken the access token to revoke
 * @param additionalParameters extra parameters for the revocation request
 */
Uni<Boolean> revokeAccessToken(String accessToken, Map<String, String> additionalParameters);
}
/**
 * Access point for several {@code OidcClient} instances. Extends {@code Closeable}.
 */
public interface OidcClients extends Closeable {
/** Returns a client without naming one; presumably the default client - confirm. */
OidcClient getClient();
/**
 * Returns the client registered under the given id.
 *
 * @param id client identifier, e.g. {@code "my-provider"}
 */
OidcClient getClient(String id);
/**
 * Creates a client from a programmatic configuration.
 *
 * <p>NOTE(review): a client created here is presumably owned by the caller and should be
 * closed when no longer needed - confirm.
 *
 * @param clientConfig configuration for the new client
 */
Uni<OidcClient> newClient(OidcClientConfig clientConfig);
}
Configuration system supporting both builder pattern for programmatic setup and annotation-based configuration. Supports multiple OIDC providers and grant types.
/**
 * Configuration of a single OIDC client. Most settings are optional; {@link #grant()} is not.
 * Instances can be created programmatically through the static builder entry points.
 */
public interface OidcClientConfig extends OidcClientCommonConfig {
/** Optional client id. */
Optional<String> id();
/** Optional flag; presumably enables or disables this client - confirm. */
Optional<Boolean> clientEnabled();
/** Optional list of scopes. Request only the scopes the application actually needs. */
Optional<List<String>> scopes();
/** Optional list of audiences. */
Optional<List<String>> audience();
/**
 * Optional time skew related to token refresh.
 * NOTE(review): presumably added to the current time when deciding whether the access
 * token should be refreshed early - confirm against the Quarkus configuration reference.
 */
Optional<Duration> refreshTokenTimeSkew();
/** Grant settings for this client. */
Grant grant();
/** Returns a builder for a new configuration. */
static OidcClientConfigBuilder builder() { /* ... */ }
/**
 * Returns a builder for a new configuration, given the auth server URL.
 *
 * @param authServerUrl URL of the OIDC provider
 */
static OidcClientConfigBuilder authServerUrl(String authServerUrl) { /* ... */ }
}
/**
 * Builder for {@code OidcClientConfig}. The setters return the builder so calls can be
 * chained; {@link #build()} produces the configuration. Only signatures are listed here.
 */
public class OidcClientConfigBuilder {
/** Sets the client id. */
public OidcClientConfigBuilder id(String id);
/** Sets the scopes. Request only the scopes the application actually needs. */
public OidcClientConfigBuilder scopes(List<String> scopes);
/** Sets the audiences. */
public OidcClientConfigBuilder audience(List<String> audience);
/** Returns a {@code GrantBuilder} for the grant settings. */
public GrantBuilder grant();
/** Builds the {@code OidcClientConfig}. */
public OidcClientConfig build();
}
Token container and management functionality providing access to tokens, expiration tracking, and automatic refresh capabilities.
/**
 * Container for an access token, a refresh token and their expiry information.
 * Only signatures are listed here.
 *
 * <p>NOTE(review): both token strings are bearer credentials. Avoid logging this object or
 * the values returned by its getters, and avoid keeping instances longer than needed.
 */
public class Tokens {
/**
 * Creates a token container from the individual values of a grant response.
 * NOTE(review): the unit of the two {@code ...ExpiresAt} values is not shown here
 * (presumably epoch seconds) - confirm before comparing them with local clocks.
 */
public Tokens(String accessToken, Long accessTokenExpiresAt, Duration refreshTokenTimeSkew,
String refreshToken, Long refreshTokenExpiresAt, JsonObject grantResponse, String clientId);
/** Returns the access token. */
public String getAccessToken();
/** Returns the refresh token. */
public String getRefreshToken();
/** Returns the client id. */
public String getClientId();
/**
 * Returns a value by property name.
 * NOTE(review): presumably reads a property of the grant response passed to the
 * constructor - confirm.
 */
public Object get(String propertyName);
/** Returns the access token expiry value. */
public Long getAccessTokenExpiresAt();
/** Returns the refresh token time skew. */
public Duration getRefreshTokenTimeSkew();
/** Reports whether the access token has expired. */
public boolean isAccessTokenExpired();
/** Reports whether the refresh token has expired. */
public boolean isRefreshTokenExpired();
/**
 * Reports whether the access token is within the refresh interval.
 * NOTE(review): presumably derived from the access token expiry and the refresh token
 * time skew - confirm.
 */
public boolean isAccessTokenWithinRefreshInterval();
}
CDI injection support, JAX-RS client filter integration, and SPI interfaces for extending OIDC client functionality.
/**
 * Qualifier annotation, retained at runtime, usable on fields, parameters and methods.
 * NOTE(review): presumably selects which configured {@code OidcClient} is injected - confirm.
 */
@Qualifier
@Retention(RUNTIME)
@Target({FIELD, PARAMETER, METHOD})
public @interface NamedOidcClient {
/** Required value; presumably the id of the configured client - confirm. */
String value();
}
/**
 * Type-level annotation, retained at runtime.
 * NOTE(review): presumably marks a REST client so that a filter adds an access token to its
 * outgoing requests - confirm. If so, apply it only to clients whose target hosts are meant
 * to receive that token.
 */
@Target({TYPE})
@Retention(RUNTIME)
public @interface OidcClientFilter {
/** Optional value, empty by default; presumably the id of the client to use - confirm. */
String value() default "";
}
/**
 * SPI with a single method that supplies an access token asynchronously.
 */
public interface TokenProvider {
/** Returns a {@code Uni} that yields the access token string. Treat the value as a credential. */
Uni<String> getAccessToken();
}
The extension supports all major OAuth2/OIDC grant types:
- `client_credentials` - Client credentials grant
- `password` - Resource owner password credentials grant (the OAuth 2.0 Security Best Current Practice, RFC 9700, advises against this grant; prefer another grant where the provider allows it)
- `authorization_code` - Authorization code grant
- `urn:ietf:params:oauth:grant-type:token-exchange` - Token exchange grant
- `urn:ietf:params:oauth:grant-type:jwt-bearer` - JWT bearer grant
- `refresh_token` - Refresh token grant
- `urn:openid:params:grant-type:ciba` - Client Initiated Backchannel Authentication
- `urn:ietf:params:oauth:grant-type:device_code` - Device authorization grant