Recomposing security overview content to diataxis

Recomposing security overview content to diataxis

docs/src/main/asciidoc/security-architecture-concept.adoc

@@ -0,0 +1,38 @@
+////
+This document is maintained in the main Quarkus repository
+and pull requests should be submitted there:
+https://github.com/quarkusio/quarkus/tree/main/docs/src/main/asciidoc
+////
+[id="security-architecture-concept"]
+= Quarkus Security architecture
+include::_attributes.adoc[]
+:categories: security
+The Quarkus Security architecture provides several built-in authentication mechanisms. The `HttpAuthenticationMechanism` interface is the main entry mechanism for securing HTTP applications in Quarkus. Quarkus Security is also highly customizable.
+
+== Core components of Quarkus Security
+
+Quarkus Security uses `HttpAuthenticationMechanism` to extract the authentication credentials from the HTTP request and delegates them to `IdentityProvider` to convert the credentials to `SecurityIdentity`.
+For example, the credentials can come from the `Authorization` header, client HTTPS certificates, or cookies.
+
+`IdentityProvider` verifies the authentication credentials and maps them to `SecurityIdentity`, which has the username, roles, original authentication credentials, and other attributes.
+
+For every authenticated resource, you can inject a `SecurityIdentity` instance to get the authenticated identity information.
+
+In other contexts, it is possible to have other parallel representations of the same information or parts of it, for example, `SecurityContext` for JAX-RS or `JsonWebToken` for JSON Web Tokens (JWT).
+
+For more information, see xref:security-built-in-authentication-support.adoc[Built-in authentication support].
+
+== Proactive authentication
+
+By default, Quarkus does proactive authentication, which means that all incoming requests with credentials are authenticated regardless of whether the target page requires authentication.
+For more information, see xref:security-built-in-authentication-support-concept.adoc#proactive-authentication[Proactive authentication].
+
+== Quarkus Security customization
+
+Quarkus Security is also highly customizable. You can customize the following core security components of Quarkus:
+
+* `HttpAuthenticationMechanism`
+* `IdentityProvider`
+* `SecurityidentityAugmentor`
+
+For more information about customizing Quarkus Security including reactive security and how to register a security provider, see xref:security-customization.adoc[Security customization].

docs/src/main/asciidoc/security-authentication-mechanisms-concept.adoc

@@ -5,50 +5,48 @@ https://github.com/quarkusio/quarkus/tree/main/docs/src/main/asciidoc
 ////
 
 [id="security-authentication-mechanisms-concept"]
-= Supported authentication mechanisms in Quarkus
+= Authentication mechanisms in Quarkus
 include::_attributes.adoc[]
-:categories: security
+:categories: security,web
 
 The Quarkus Security framework supports multiple authentication mechanisms, which you can use to secure your applications.
+xref:security-basic-authentication-concept.adoc[Basic authentication] and xref:security-built-in-authentication-support-concept.adoc#form-auth[form-based authentication] are the core authentication mechanisms supported in Quarkus.
+You can also combine authentication mechanisms. 
 
-== Basic and Form HTTP authentication
+Before you choose an authentication mechanism for securing your Quarkus applications, review the information provided.
 
-xref:security-basic-authentication-concept.adoc[Basic HTTP Authentication] and xref:security-built-in-authentication-support-concept.adoc#form-auth[Form HTTP authentication] are the core authentication mechanisms supported in Quarkus.
+== Supported authentication mechanisms in Quarkus
 
-== WebAuthn authentication
+The following authentication mechanisms are supported in Quarkus.
+
+=== Basic authentication
+
+See xref:security-basic-authentication-concept.adoc[Basic HTTP Authentication].
+
+=== Form-based authentication
+
+See xref:security-built-in-authentication-support-concept.adoc#form-auth[Form-based HTTP authentication].
+
+=== WebAuthn authentication
 
 https://webauthn.guide/[WebAuthn] is an authentication mechanism that replaces passwords.
 When you write a service for registering new users, or logging them in, instead of asking for a password, you can use WebAuthn, which replaces the password.
 For more information, see xref:security-webauthn.adoc[Secure a Quarkus application by using the WebAuthn authentication mechanism].
 
-== Mutual TLS (mTLS) authentication
+=== Mutual TLS (mTLS) authentication
 
 Quarkus provides mutual TLS (mTLS) authentication so that you can authenticate users based on their X.509 certificates.
 For more information, see xref:security-built-in-authentication-support-concept.adoc#mutual-tls[mutual TLS authentication].
 
-== OpenID Connect authentication
-
-OpenID Connect (OIDC) i== OpenID Connect client and filters
-
-The `quarkus-oidc-client` extension provides `OidcClient` for acquiring and refreshing access tokens from OpenID Connect and OAuth2 providers that support the following token grants:
-* `client-credentials`
-* `password`
-* `refresh_token`
-
-The `quarkus-oidc-client-filter` extension requires the `quarkus-oidc-client` extension and provides JAX-RS `OidcClientRequestFilter`, which sets the access token acquired by `OidcClient` as the `Bearer` scheme value of the HTTP `Authorization` header.
-This filter can be registered with MP RestClient implementations injected into the current Quarkus endpoint, but it is not related to the authentication requirements of this service endpoint.
-For example, it can be a public endpoint, or it can be protected with mTLS.
+=== OpenID Connect authentication
 
-[IMPORTANT]
-====
-In this scenario, you do not need to protect your Quarkus endpoint by using the Quarkus OpenID Connect adapter.
-====
+OpenID Connect (OIDC) is an identity layer that works on top of the OAuth 2.0 protocol. OIDC enables client applications to verify the identity of a user based on the authentication performed by the OIDC provider and to retrieve basic information about that user.
 
-The `quarkus-oidc-token-propagation` extension requires the `quarkus-oidc` extension and provides JAX-RS `TokenCredentialRequestFilter`, which sets the OpenID Connect Bearer or Authorization Code Flow access token as the `Bearer` scheme value of the HTTP `Authorization` header.
-This filter can be registered with MP RestClient implementations injected into the current Quarkus endpoint, which in turn must be protected by using the Quarkus OpenID Connect adapter.
-This filter can be used to propagate the access token to the downstream services.
+The Quarkus `quarkus-oidc` extension provides a reactive, interoperable, multitenant-enabled OIDC adapter that supports Bearer Token and Authorization Code Flow authentication mechanisms.
+The Bearer Token mechanism extracts the token from the HTTP Authorization header.
+The Authorization Code Flow mechanism redirects the user to an OIDC provider to authenticate the identity of the user.
+After the user is redirected back to Quarkus, the mechanism completes the authentication process by exchanging the provided code that was granted for the ID, access, and refresh tokens.
 
-For more information, see the xref:security-openid-connect-client.adoc[OpenID Connect client and token propagation quickstart] and xref:security-openid-connect-client-reference.adoc[OpenID Connect (OIDC) and OAuth2 client and filters reference] guides.
 You can verify ID and access JWT tokens by using the refreshable JSON Web Key (JWK) set or you can introspect them remotely.
 However, opaque (binary) tokens can only be introspected remotely.
 
@@ -57,14 +55,14 @@ However, opaque (binary) tokens can only be introspected remotely.
 Using the Quarkus OIDC extension, both Bearer Token and Authorization Code Flow mechanisms use <<smallrye-jwt, SmallRye JWT>> to represent JWT tokens as MicroProfile JWT `org.eclipse.microprofile.jwt.JsonWebToken`.
 ====
 
-=== Additional Quarkus resources for OIDC authentication
+==== Additional Quarkus resources for OIDC authentication
 
 For more information about OIDC authentication and authorization methods you can use to secure your Quarkus applications, see the following detailed resources:
 
 [options="header"]
 |====
 |OIDC topic |Quarkus information resource
-|Bearer Token authentication mechanism|xref:security-openid-connect.adoc[Using OpenID Connect (OIDC) to protect service applications using Bearer Token authorization]
+|Bearer Token authentication mechanism|xref:security-oidc-bearer-authentication-concept.adoc[OIDC Bearer authentication]
 |Authorization Code Flow authentication mechanism|xref:security-openid-connect-web-authentication.adoc[OpenID Connect (OIDC) authorization code flow mechanism]
 |Multiple tenants that can support Bearer Token or Authorization Code Flow mechanisms|xref:security-openid-connect-multitenancy.adoc[Using OpenID Connect (OIDC) multi-tenancy]
 |Using Keycloak to centralize authorization|xref:security-keycloak-authorization.adoc[Using OpenID Connect (OIDC) and Keycloak to centralize authorization]
@@ -77,7 +75,7 @@ For more information about OIDC authentication and authorization methods you can
 For more information about managing the individual tenant configurations in multitenant OIDC deployments, see the _Disabling tenant configurations_ section in the xref:security-openid-connect-multitenancy.adoc#disable-tenant[Using OpenID Connect (OIDC) multi-tenancy] guide.
 ====
 
-== OpenID Connect client and filters
+=== OpenID Connect client and filters
 
 The `quarkus-oidc-client` extension provides `OidcClient` for acquiring and refreshing access tokens from OpenID Connect and OAuth2 providers that support the following token grants:
 * `client-credentials`
@@ -100,7 +98,7 @@ This filter can be used to propagate the access token to the downstream services
 For more information, see the xref:security-openid-connect-client.adoc[OpenID Connect client and token propagation quickstart] and xref:security-openid-connect-client-reference.adoc[OpenID Connect (OIDC) and OAuth2 client and filters reference] guides.
 
 [[smallrye-jwt]]
-== SmallRye JWT authentication
+=== SmallRye JWT authentication
 
 The `quarkus-smallrye-jwt` extension provides a MicroProfile JSON Web Token (JWT) 1.2.1 implementation and multiple options to verify signed and encrypted `JWT` tokens and represents them as `org.eclipse.microprofile.jwt.JsonWebToken`.
 
@@ -109,12 +107,13 @@ The `quarkus-smallrye-jwt` extension provides a MicroProfile JSON Web Token (JWT
 
 For more information, see xref:security-jwt.adoc[Using SmallRye JWT role-based access control].
 
-== OAuth2 authentication
+=== OAuth2 authentication
 
 `quarkus-elytron-security-oauth2` provides an alternative to the `quarkus-oidc` Bearer Token authentication mechanism. `quarkus-elytron-security-oauth2` is based on `Elytron` and is primarily intended for introspecting opaque tokens remotely.
 For more information, see xref:security-oauth2.adoc[Using OAuth2].
 
 [[oidc-jwt-oauth2-comparison]]
+
 == Choosing between OpenID Connect, SmallRye JWT, and OAuth2 authentication mechanisms
 
 Use the following information to help you to decide which authentication mechanism to use to secure your Quarkus applications:
@@ -210,3 +209,33 @@ The following table provides a summary of the options for each authentication me
 |No
 |===
 
+== Combining authentication mechanisms
+
+If the user credentials are provided by different sources, you can combine  authentication mechanisms.
+For example, you can combine built-in `Basic` and `quarkus-oidc` `Bearer` authentication mechanisms.
+
+[IMPORTANT]
+====
+You cannot combine the `quarkus-oidc` `Bearer` and `smallrye-jwt` authentication mechanisms because both mechanisms attempt to verify the token extracted from the HTTP `Authorization Bearer` scheme.
+====
+
+=== Path-specific authentication mechanisms
+
+The following configuration example demonstrates how you can enforce a single selectable authentication mechanism for a given request path:
+
+[source,properties]
+----
+quarkus.http.auth.permission.basic-or-bearer.paths=/service
+quarkus.http.auth.permission.basic-or-bearer.policy=authenticated
+
+quarkus.http.auth.permission.basic.paths=/basic-only
+quarkus.http.auth.permission.basic.policy=authenticated
+quarkus.http.auth.permission.basic.auth-mechanism=basic
+
+quarkus.http.auth.permission.bearer.paths=/bearer-only
+quarkus.http.auth.permission.bearer.policy=authenticated
+quarkus.http.auth.permission.bearer.auth-mechanism=bearer
+----
+
+Ensure that the value of the `auth-mechanism` property matches the authentication scheme supported by `HttpAuthenticationMechanism`, for example, `basic`, `bearer`, or `form`.
+

docs/src/main/asciidoc/security-basic-authentication-concept.adoc

@@ -1,5 +1,5 @@
 [id="security-basic-authentication-concept"]
-= Basic Authentication
+= Basic authentication
 include::_attributes.adoc[]
 :categories: security,web
 

docs/src/main/asciidoc/security-built-in-authentication-support-concept.adoc

@@ -17,7 +17,7 @@ include::security-basic-authentication-concept.adoc[leveloffset=+1]
 
 
 [[form-auth]]
-== Form Based Authentication
+== Form-based authentication
 
 Quarkus provides form based authentication that works in a similar manner to traditional Servlet form based auth. Unlike
 traditional form authentication, the authenticated user is not stored in an HTTP session, as Quarkus does not provide

docs/src/main/asciidoc/security-identity-providers-concept.adoc

@@ -0,0 +1,27 @@
+////
+This document is maintained in the main Quarkus repository
+and pull requests should be submitted there:
+https://github.com/quarkusio/quarkus/tree/main/docs/src/main/asciidoc
+////
+[id="security-identity-providers-concept"]
+= Identity providers
+include::_attributes.adoc[]
+:categories: security
+In the Quarkus Security framework, identity providers play a key role in authentication and authorization, providing services for storing and verifying user identities.
+The JPA `IdentityProvider` creates a `SecurityIdentity` instance, which is used during user authentication to verify and authorize access requests making your Quarkus application secure.
+[[identity-providers]]
+
+`IdentityProvider` converts the authentication credentials provided by `HttpAuthenticationMechanism` to a `SecurityIdentity` instance.
+
+Some extensions, for example, `OIDC`, `OAuth2`, and `SmallRye JWT` have inline `IdentityProvider` implementations specific to the supported authentication flow.
+For example, `quarkus-oidc` uses its own `IdentityProvider` to convert a token to a `SecurityIdentity` instance.
+
+If you use Basic or form-based authentication then you must add an `IdentityProvider` instance that can convert a username and password to a `SecurityIdentity` instance.
+
+To get started with security in Quarkus, we recommend that you first combine the Quarkus built-in Basic HTTP authentication with the JPA identity provider to enable role-based access control (RBAC).  
+
+* For more information about Basic authentication or form-based authentication, see the following resources:
+** xref:security-basic-authentication-tutorial.adoc[Secure a Quarkus application with Basic authentication]
+** xref:security-built-in-authentication-support-concept.adoc#form-auth[Form-based authentication]
+** xref:security-jdbc.adoc[Using security with JDBC]
+** xref:security-ldap.adoc[Using security with an LDAP realm]