Add OIDC Client SPI

bom/application/pom.xml

@@ -918,6 +918,11 @@
                 <artifactId>quarkus-oidc-client-deployment</artifactId>
                 <version>${project.version}</version>
             </dependency>
+            <dependency>
+                <groupId>io.quarkus</groupId>
+                <artifactId>quarkus-oidc-client-spi</artifactId>
+                <version>${project.version}</version>
+            </dependency>
             <dependency>
                 <groupId>io.quarkus</groupId>
                 <artifactId>quarkus-resteasy-client-oidc-filter</artifactId>

docs/src/main/asciidoc/security-openid-connect-client-reference.adoc

@@ -934,6 +934,42 @@ quarkus.oidc-client.tls.trust-store-password=${trust-store-password}
 #quarkus.oidc-client.tls.trust-store-alias=certAlias
 ----
 
+=== OIDC Client SPI
+
+When your custom extension must acquire OIDC tokens using one of the OIDC token grants supported by OIDC client, this extension can depend on the OIDC Client SPI only and let OIDC client itself acquire and refresh access tokens as necessary.
+
+Add the following dependency:
+
+[source,xml]
+----
+<dependency>
+    <groupId>io.quarkus</groupId>
+    <artifactId>quarkus-oidc-client-spi</artifactId>
+</dependency>
+----
+
+Next update your extension to use `io.quarkus.oidc.client.spi.TokenProvider` CDI bean as required, for example:
+
+[source,java]
+----
+package org.acme.extension;
+
+import jakarta.inject.Inject;
+import io.quarkus.oidc.client.spi.TokenProvider;
+
+public class ExtensionOAuth2Support {
+
+   @Inject
+   TokenProvider tokenProvider;
+
+   public Uni<String> getAccessToken() {
+       return tokenProvider.getAccessToken();
+   }
+}
+----
+
+Currently, `io.quarkus.oidc.client.spi.TokenProvider` is only available for default OIDC clients, since custom extensions are unlikely to be aware of multiple named OIDC clients.
+
 [[integration-testing-oidc-client]]
 === Testing
 

extensions/oidc-client/deployment/src/main/java/io/quarkus/oidc/client/deployment/OidcClientBuildStep.java

@@ -48,6 +48,7 @@
 import io.quarkus.oidc.client.runtime.OidcClientBuildTimeConfig;
 import io.quarkus.oidc.client.runtime.OidcClientRecorder;
 import io.quarkus.oidc.client.runtime.OidcClientsConfig;
+import io.quarkus.oidc.client.runtime.TokenProviderProducer;
 import io.quarkus.oidc.client.runtime.TokensHelper;
 import io.quarkus.oidc.client.runtime.TokensProducer;
 import io.quarkus.oidc.token.propagation.AccessToken;
@@ -66,7 +67,10 @@ ExtensionSslNativeSupportBuildItem enableSslInNative() {
 
     @BuildStep
     void registerProvider(BuildProducer<AdditionalBeanBuildItem> additionalBeans) {
-        additionalBeans.produce(AdditionalBeanBuildItem.unremovableOf(TokensProducer.class));
+        AdditionalBeanBuildItem.Builder builder = AdditionalBeanBuildItem.builder().setUnremovable();
+        builder.addBeanClass(TokensProducer.class);
+        builder.addBeanClass(TokenProviderProducer.class);
+        additionalBeans.produce(builder.build());
     }
 
     @BuildStep

extensions/oidc-client/deployment/src/test/java/io/quarkus/oidc/client/OidcClientResource.java

@@ -6,6 +6,7 @@
 import jakarta.ws.rs.Path;
 import jakarta.ws.rs.QueryParam;
 
+import io.quarkus.oidc.client.spi.TokenProvider;
 import io.smallrye.mutiny.Uni;
 
 @Path("/client")
@@ -14,6 +15,9 @@ public class OidcClientResource {
     @Inject
     OidcClient client;
 
+    @Inject
+    TokenProvider tokenProvider;
+
     @Inject
     @NamedOidcClient("key")
     OidcClient keyClient;
@@ -30,6 +34,12 @@ public Uni<String> tokenUni() {
         return client.getTokens().flatMap(tokens -> Uni.createFrom().item(tokens.getAccessToken()));
     }
 
+    @GET
+    @Path("tokenprovider")
+    public Uni<String> tokenProvider() {
+        return tokenProvider.getAccessToken();
+    }
+
     @GET
     @Path("tokens")
     public Uni<String> grantTokensUni() {

extensions/oidc-client/deployment/src/test/java/io/quarkus/oidc/client/OidcClientUserPasswordTestCase.java

@@ -44,6 +44,17 @@ public void testPasswordGrantToken() {
 
     }
 
+    @Test
+    public void testPasswordGrantTokenProvider() {
+        String token = RestAssured.when().get("/client/tokenprovider").body().asString();
+        RestAssured.given().auth().oauth2(token)
+                .when().get("/protected")
+                .then()
+                .statusCode(200)
+                .body(equalTo("alice"));
+
+    }
+
     @Test
     public void testPublicClientPasswordGrantToken() {
         String token = RestAssured.when().get("/public-client/token").body().asString();

extensions/oidc-client/pom.xml

@@ -16,5 +16,6 @@
     <modules>
         <module>deployment</module>
         <module>runtime</module>
+        <module>spi</module>
     </modules>
 </project>

extensions/oidc-client/runtime/pom.xml

@@ -25,6 +25,10 @@
             <groupId>io.quarkus</groupId>
             <artifactId>quarkus-oidc-common</artifactId>
         </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-oidc-client-spi</artifactId>
+        </dependency>
         <dependency>
             <groupId>io.quarkus</groupId>
             <artifactId>quarkus-junit5-internal</artifactId>

extensions/oidc-client/runtime/src/main/java/io/quarkus/oidc/client/runtime/TokenProviderProducer.java

@@ -0,0 +1,27 @@
+package io.quarkus.oidc.client.runtime;
+
+import jakarta.enterprise.context.RequestScoped;
+import jakarta.enterprise.inject.Produces;
+import jakarta.inject.Singleton;
+
+import io.quarkus.oidc.client.spi.TokenProvider;
+import io.smallrye.mutiny.Uni;
+
+@Singleton
+public class TokenProviderProducer extends AbstractTokensProducer {
+
+    @Produces
+    @RequestScoped
+    public TokenProvider produceTokenProvider() {
+        return new TokenProviderImpl();
+    }
+
+    class TokenProviderImpl implements TokenProvider {
+
+        @Override
+        public Uni<String> getAccessToken() {
+            return TokenProviderProducer.super.getTokens().onItem().transform(t -> t.getAccessToken());
+        }
+
+    };
+}

extensions/oidc-client/spi/pom.xml

@@ -0,0 +1,47 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <parent>
+        <artifactId>quarkus-oidc-client-parent</artifactId>
+        <groupId>io.quarkus</groupId>
+        <version>999-SNAPSHOT</version>
+    </parent>
+    <modelVersion>4.0.0</modelVersion>
+
+    <artifactId>quarkus-oidc-client-spi</artifactId>
+    <name>Quarkus - OIDC Client - SPI</name>
+
+    <dependencies>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-core</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>io.smallrye.reactive</groupId>
+            <artifactId>mutiny</artifactId>
+        </dependency>
+    </dependencies>
+
+    <build>
+        <plugins>
+            <plugin>
+                <artifactId>maven-compiler-plugin</artifactId>
+                <executions>
+                    <execution>
+                        <id>default-compile</id>
+                        <configuration>
+                            <annotationProcessorPaths>
+                                <path>
+                                    <groupId>io.quarkus</groupId>
+                                    <artifactId>quarkus-extension-processor</artifactId>
+                                    <version>${project.version}</version>
+                                </path>
+                            </annotationProcessorPaths>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
+        </plugins>
+    </build>
+</project>

extensions/oidc-client/spi/src/main/java/io/quarkus/oidc/client/spi/TokenProvider.java

@@ -0,0 +1,13 @@
+package io.quarkus.oidc.client.spi;
+
+import io.smallrye.mutiny.Uni;
+
+public interface TokenProvider {
+
+    /**
+     * Get a valid, if necessary refreshed, access token.
+     *
+     * @return the access token
+     */
+    Uni<String> getAccessToken();
+}