feat(oidc): add step up auth support for bearer token

Author: michalvavrik

docs/src/main/asciidoc/security-oidc-bearer-token-authentication.adoc

@@ -1604,6 +1604,113 @@ public class OidcStartup {
 For more complex setup involving multiple tenants please see the xref:security-openid-connect-multitenancy.adoc#programmatic-startup[Programmatic OIDC start-up for multitenant application]
 section of the OpenID Connect Multi-Tenancy guide.
 
+== Step Up Authentication
+
+The `io.quarkus.oidc.AuthenticationContext` annotation can be used to list one or more Authentication Context Class Reference (ACR) values to enforce a required authentication level for the Jakarta REST resource classes and methods.
+The https://datatracker.ietf.org/doc/rfc9470/[OAuth 2.0 Step Up Authentication Challenge Protocol] introduces a mechanism for resource servers to request stronger authentication methods when the token does not have expected Authentication Context Class Reference (ACR) values.
+Consider the following example:
+
+[source,java]
+----
+package io.quarkus.it.oidc;
+
+import io.quarkus.oidc.AuthenticationContext;
+import io.quarkus.oidc.BearerTokenAuthentication;
+import jakarta.ws.rs.GET;
+import jakarta.ws.rs.Path;
+
+@BearerTokenAuthentication
+@Path("/")
+public class GreetingsResource {
+
+    @Path("hello")
+    @AuthenticationContext("myACR") <1>
+    @GET
+    public String hello() {
+        return "hello";
+    }
+
+    @Path("hi")
+    @AuthenticationContext(value = "myACR", maxAge = "PT120m") <2>
+    @GET
+    public String hi() {
+        return "hi";
+    }
+}
+----
+<1> Bearer access token must have an `acr` claim with the `myACR` ACR value.
+<2> Bearer access token must have an `acr` claim with the `myACR` ACR value and be in use for no longer than 120 minutes since the authentication time.
+
+[source,properties]
+----
+quarkus.http.auth.proactive=false <1>
+----
+<1> Disable proactive authentication so that the `@AuthenticationContext` annotation can be matched with the endpoint before Quarkus authenticates incoming requests.
+
+If the bearer access token claim `acr` does not contain `myACR`, Quarkus returns an authentication requirements challenge indicating required `acr_values`:
+
+----
+HTTP/1.1 401 Unauthorized
+WWW-Authenticate: Bearer error="insufficient_user_authentication",
+ error_description="A different authentication level is required",
+ acr_values="myACR"
+----
+
+When a client such as Single-page application (SPA) receives a challenge with the `insufficient_user_authentication` error code, it must parse `acr_values`, request a new user login which must meet the `acr_values` constraints, and use a new access token to access Quarkus.
+
+[NOTE]
+====
+The `io.quarkus.oidc.AuthenticationContext` annotation can also be used to enforce required authentication level for a WebSockets Next server endpoint.
+The annotation must be placed on the endpoint class, because the `SecurityIdentity` is created before the HTTP connection is upgraded to a WebSocket connection.
+For more information about the HTTP upgrade security, see the xref:websockets-next-reference.adoc#secure-http-upgrade[Secure HTTP upgrade] section of the Quarkus "WebSockets Next reference" guide.
+====
+
+It is also possible to enforce the required authentication level for an OIDC tenant:
+
+[source,properties]
+----
+quarkus.oidc.hr.token.required-claims.acr=myACR
+----
+
+Or, if you need more flexibility, write a <<jose4j-validator>>:
+
+[source,java]
+----
+package io.quarkus.it.oidc;
+
+import java.util.Map;
+
+import jakarta.enterprise.context.ApplicationScoped;
+
+import org.jose4j.jwt.MalformedClaimException;
+import org.jose4j.jwt.consumer.JwtContext;
+import org.jose4j.jwt.consumer.Validator;
+
+import io.quarkus.arc.Unremovable;
+import io.quarkus.oidc.TenantFeature;
+import io.quarkus.oidc.common.runtime.OidcConstants;
+import io.quarkus.security.AuthenticationFailedException;
+
+@Unremovable
+@ApplicationScoped
+@TenantFeature("hr")
+public class AcrValueValidator implements Validator {
+
+    @Override
+    public String validate(JwtContext jwtContext) throws MalformedClaimException {
+        var jwtClaims = jwtContext.getJwtClaims();
+        if (jwtClaims.hasClaim("acr")) {
+            var acrClaim = jwtClaims.getStringListClaimValue("acr");
+            if (acrClaim.contains("myACR") && acrClaim.contains("yourACR")) {
+                return null;
+            }
+        }
+        String requiredAcrValues = "myACR,yourACR";
+        throw new AuthenticationFailedException(Map.of(OidcConstants.ACR_VALUES, requiredAcrValues));
+    }
+}
+----
+
 == References
 
 * xref:security-oidc-configuration-properties-reference.adoc[OIDC configuration properties]

extensions/oidc-common/runtime/src/main/java/io/quarkus/oidc/common/runtime/OidcConstants.java

@@ -98,4 +98,8 @@ public final class OidcConstants {
     public static final String DPOP_ACCESS_TOKEN_THUMBPRINT = "ath";
     public static final String DPOP_HTTP_METHOD = "htm";
     public static final String DPOP_HTTP_REQUEST_URI = "htu";
+
+    public static final String ACR = "acr";
+    public static final String ACR_VALUES = "acr_values";
+    public static final String MAX_AGE = "max_age";
 }

extensions/oidc/deployment/src/main/java/io/quarkus/oidc/deployment/OidcBuildStep.java

@@ -6,7 +6,13 @@
 import static io.quarkus.arc.processor.DotNames.NAMED;
 import static io.quarkus.oidc.common.runtime.OidcConstants.BEARER_SCHEME;
 import static io.quarkus.oidc.common.runtime.OidcConstants.CODE_FLOW_CODE;
+import static io.quarkus.oidc.runtime.OidcRecorder.ACR_VALUES_TO_MAX_AGE_SEPARATOR;
 import static io.quarkus.oidc.runtime.OidcUtils.DEFAULT_TENANT_ID;
+import static io.quarkus.security.spi.ClassSecurityAnnotationBuildItem.useClassLevelSecurity;
+import static io.quarkus.vertx.http.deployment.EagerSecurityInterceptorBindingBuildItem.toTargetName;
+import static io.quarkus.vertx.http.deployment.HttpSecurityProcessor.collectAnnotatedClasses;
+import static io.quarkus.vertx.http.deployment.HttpSecurityProcessor.collectClassMethodsWithoutRbacAnnotation;
+import static io.quarkus.vertx.http.deployment.HttpSecurityProcessor.collectMethodsWithoutRbacAnnotation;
 import static org.jboss.jandex.AnnotationTarget.Kind.CLASS;
 import static org.jboss.jandex.AnnotationTarget.Kind.METHOD;
 
@@ -15,6 +21,7 @@
 import java.util.Optional;
 import java.util.Set;
 import java.util.function.BooleanSupplier;
+import java.util.function.Predicate;
 
 import jakarta.enterprise.context.RequestScoped;
 import jakarta.inject.Singleton;
@@ -25,8 +32,10 @@
 import org.jboss.jandex.AnnotationInstance;
 import org.jboss.jandex.AnnotationTarget;
 import org.jboss.jandex.AnnotationValue;
+import org.jboss.jandex.ClassInfo;
 import org.jboss.jandex.ClassType;
 import org.jboss.jandex.DotName;
+import org.jboss.jandex.MethodInfo;
 import org.jboss.jandex.ParameterizedType;
 import org.jboss.jandex.Type;
 import org.jboss.logging.Logger;
@@ -63,6 +72,7 @@
 import io.quarkus.deployment.builditem.RunTimeConfigurationDefaultBuildItem;
 import io.quarkus.deployment.builditem.RuntimeConfigSetupCompleteBuildItem;
 import io.quarkus.deployment.builditem.SystemPropertyBuildItem;
+import io.quarkus.oidc.AuthenticationContext;
 import io.quarkus.oidc.AuthorizationCodeFlow;
 import io.quarkus.oidc.BearerTokenAuthentication;
 import io.quarkus.oidc.IdToken;
@@ -90,11 +100,17 @@
 import io.quarkus.oidc.runtime.OidcUtils;
 import io.quarkus.oidc.runtime.TenantConfigBean;
 import io.quarkus.oidc.runtime.providers.AzureAccessTokenCustomizer;
+import io.quarkus.runtime.configuration.ConfigurationException;
+import io.quarkus.security.Authenticated;
 import io.quarkus.security.runtime.SecurityConfig;
+import io.quarkus.security.spi.AdditionalSecuredMethodsBuildItem;
+import io.quarkus.security.spi.ClassSecurityAnnotationBuildItem;
+import io.quarkus.security.spi.RegisterClassSecurityCheckBuildItem;
 import io.quarkus.tls.deployment.spi.TlsRegistryBuildItem;
 import io.quarkus.vertx.core.deployment.CoreVertxBuildItem;
 import io.quarkus.vertx.http.deployment.EagerSecurityInterceptorBindingBuildItem;
 import io.quarkus.vertx.http.deployment.HttpAuthMechanismAnnotationBuildItem;
+import io.quarkus.vertx.http.deployment.HttpSecurityUtils;
 import io.quarkus.vertx.http.deployment.PreRouterFinalizationBuildItem;
 import io.quarkus.vertx.http.deployment.SecurityInformationBuildItem;
 import io.quarkus.vertx.http.runtime.VertxHttpBuildTimeConfig;
@@ -112,6 +128,7 @@ public class OidcBuildStep {
             DotNames.INJECTABLE_INSTANCE);
     private static final DotName TENANT_NAME = DotName.createSimple(Tenant.class);
     private static final DotName TENANT_FEATURE_NAME = DotName.createSimple(TenantFeature.class);
+    private static final DotName AUTHENTICATION_CONTEXT_NAME = DotName.createSimple(AuthenticationContext.class);
     private static final DotName TENANT_IDENTITY_PROVIDER_NAME = DotName.createSimple(TenantIdentityProvider.class);
     private static final Logger LOG = Logger.getLogger(OidcBuildStep.class);
     private static final DotName USER_INFO_NAME = DotName.createSimple(UserInfo.class);
@@ -348,7 +365,8 @@ public void registerTenantResolverInterceptor(Capabilities capabilities, OidcRec
             BuildProducer<EagerSecurityInterceptorBindingBuildItem> bindingProducer,
             BuildProducer<SystemPropertyBuildItem> systemPropertyProducer) {
         if (!httpBuildTimeConfig.auth().proactive()
-                && (capabilities.isPresent(Capability.RESTEASY_REACTIVE) || capabilities.isPresent(Capability.RESTEASY))) {
+                && (capabilities.isPresent(Capability.RESTEASY_REACTIVE) || capabilities.isPresent(Capability.RESTEASY)
+                        || capabilities.isPresent(Capability.WEBSOCKETS_NEXT))) {
             boolean foundTenantResolver = combinedIndexBuildItem
                     .getIndex()
                     .getAnnotations(TENANT_NAME)
@@ -399,6 +417,73 @@ RunTimeConfigBuilderBuildItem useOidcTenantDefaultIdConfigBuilder() {
         return new RunTimeConfigBuilderBuildItem(OidcTenantDefaultIdConfigBuilder.class);
     }
 
+    @BuildStep
+    @Record(ExecutionTime.STATIC_INIT)
+    public void registerAuthenticationContextInterceptor(Capabilities capabilities, OidcRecorder recorder,
+            VertxHttpBuildTimeConfig httpBuildTimeConfig, CombinedIndexBuildItem combinedIndexBuildItem,
+            BuildProducer<RegisterClassSecurityCheckBuildItem> registerClassSecurityCheckProducer,
+            List<ClassSecurityAnnotationBuildItem> classSecurityAnnotations,
+            BuildProducer<AdditionalSecuredMethodsBuildItem> additionalSecuredMethodsProducer,
+            BuildProducer<EagerSecurityInterceptorBindingBuildItem> bindingProducer) {
+        var authCtxAnnotations = combinedIndexBuildItem.getIndex().getAnnotations(AUTHENTICATION_CONTEXT_NAME);
+        if (authCtxAnnotations.isEmpty() || !areEagerSecInterceptorsSupported(capabilities, httpBuildTimeConfig)) {
+            return;
+        }
+        bindingProducer.produce(new EagerSecurityInterceptorBindingBuildItem(recorder.authenticationContextInterceptorCreator(),
+                ai -> {
+                    AnnotationValue maxAgeAnnotationValue = ai.value("maxAge");
+                    String maxAge = maxAgeAnnotationValue == null ? "" : maxAgeAnnotationValue.asString();
+
+                    String acrValues = "";
+                    AnnotationValue annotationValue = ai.value();
+                    String[] annotationValues = annotationValue == null ? null : annotationValue.asStringArray();
+                    if (annotationValues == null || annotationValues.length == 0) {
+                        // no acr values and no max age
+                        throw new ConfigurationException("Annotation '" + AUTHENTICATION_CONTEXT_NAME + "' placed on '"
+                                + toTargetName(ai.target()) + "' specifies no 'acr' value");
+                    } else {
+                        acrValues = String.join(",", annotationValues);
+                    }
+
+                    return acrValues + ACR_VALUES_TO_MAX_AGE_SEPARATOR + maxAge;
+                }, true, AUTHENTICATION_CONTEXT_NAME));
+
+        // @AuthenticationContext -> authentication required
+        // register @Authenticated for annotated methods
+        Set<MethodInfo> annotatedMethods = collectMethodsWithoutRbacAnnotation(authCtxAnnotations
+                .stream()
+                .map(AnnotationInstance::target)
+                .filter(at -> at.kind() == METHOD)
+                .map(AnnotationTarget::asMethod)
+                .toList());
+        additionalSecuredMethodsProducer
+                .produce(new AdditionalSecuredMethodsBuildItem(annotatedMethods, Optional.of(List.of("**"))));
+        // method-level security; this registers @Authenticated if no RBAC is explicitly declared
+        Predicate<ClassInfo> useClassLevelSecurity = useClassLevelSecurity(classSecurityAnnotations);
+        Set<MethodInfo> annotatedClassMethods = collectClassMethodsWithoutRbacAnnotation(
+                collectAnnotatedClasses(authCtxAnnotations, Predicate.not(useClassLevelSecurity)));
+        additionalSecuredMethodsProducer
+                .produce(new AdditionalSecuredMethodsBuildItem(annotatedClassMethods, Optional.of(List.of("**"))));
+        // class-level security; this registers @Authenticated if no RBAC is explicitly declared
+        collectAnnotatedClasses(authCtxAnnotations, useClassLevelSecurity).stream()
+                .filter(Predicate.not(HttpSecurityUtils::hasSecurityAnnotation))
+                .forEach(c -> registerClassSecurityCheckProducer.produce(
+                        new RegisterClassSecurityCheckBuildItem(c.name(), AnnotationInstance
+                                .builder(Authenticated.class).buildWithTarget(c))));
+    }
+
+    private static boolean areEagerSecInterceptorsSupported(Capabilities capabilities,
+            VertxHttpBuildTimeConfig httpBuildTimeConfig) {
+        if (httpBuildTimeConfig.auth().proactive()) {
+            throw new RuntimeException("The '%s' annotation is only supported when proactive authentication is disabled"
+                    .formatted(AUTHENTICATION_CONTEXT_NAME));
+        } else if (capabilities.isMissing(Capability.WEBSOCKETS_NEXT) && capabilities.isMissing(Capability.RESTEASY_REACTIVE)
+                && capabilities.isMissing(Capability.RESTEASY)) {
+            throw new RuntimeException("The '%s' can only be used on Jakarta REST or WebSockets Next endpoints");
+        }
+        return true;
+    }
+
     private static boolean isInjected(BeanRegistrationPhaseBuildItem beanRegistrationPhaseBuildItem, DotName requiredType,
             DotName withoutQualifier) {
         for (InjectionPointInfo injectionPoint : beanRegistrationPhaseBuildItem.getInjectionPoints()) {

extensions/oidc/deployment/src/test/java/io/quarkus/oidc/test/EmptyAuthenticationContextValidationFailureTest.java

@@ -0,0 +1,50 @@
+package io.quarkus.oidc.test;
+
+import jakarta.ws.rs.GET;
+import jakarta.ws.rs.Path;
+
+import org.jboss.shrinkwrap.api.asset.StringAsset;
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.RegisterExtension;
+
+import io.quarkus.oidc.AuthenticationContext;
+import io.quarkus.runtime.util.ExceptionUtil;
+import io.quarkus.test.QuarkusUnitTest;
+
+public class EmptyAuthenticationContextValidationFailureTest {
+
+    @RegisterExtension
+    static final QuarkusUnitTest test = new QuarkusUnitTest()
+            .withApplicationRoot(jar -> jar
+                    // starting the dev service would be a waste
+                    .addClass(StepUpAuthResource.class)
+                    .addAsResource(new StringAsset("""
+                            quarkus.devservices.enabled=false
+                            quarkus.http.auth.proactive=false
+                            """), "application.properties"))
+            .assertException(t -> {
+                Throwable rootCause = ExceptionUtil.getRootCause(t);
+                Assertions.assertNotNull(rootCause);
+                String message = rootCause.getMessage();
+                Assertions.assertNotNull(message);
+                Assertions.assertTrue(message.contains("io.quarkus.oidc.AuthenticationContext"), message);
+                Assertions.assertTrue(message.contains("specifies no 'acr' value"), message);
+            });
+
+    @Test
+    public void test() {
+        Assertions.fail("Validation should fail");
+    }
+
+    @AuthenticationContext({})
+    @Path("step-up-auth")
+    public static class StepUpAuthResource {
+
+        @GET
+        public String stepUpAuth() {
+            return "step-up-auth";
+        }
+
+    }
+}

extensions/oidc/deployment/src/test/java/io/quarkus/oidc/test/ProactiveAuthenticationContextValidationFailureTest.java

@@ -0,0 +1,46 @@
+package io.quarkus.oidc.test;
+
+import jakarta.ws.rs.GET;
+import jakarta.ws.rs.Path;
+
+import org.jboss.shrinkwrap.api.asset.StringAsset;
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.RegisterExtension;
+
+import io.quarkus.oidc.AuthenticationContext;
+import io.quarkus.runtime.util.ExceptionUtil;
+import io.quarkus.test.QuarkusUnitTest;
+
+public class ProactiveAuthenticationContextValidationFailureTest {
+
+    @RegisterExtension
+    static final QuarkusUnitTest test = new QuarkusUnitTest()
+            .withApplicationRoot(jar -> jar
+                    // starting the dev service would be a waste
+                    .addClass(StepUpAuthResource.class)
+                    .addAsResource(new StringAsset("quarkus.devservices.enabled=false"), "application.properties"))
+            .assertException(t -> {
+                Throwable rootCause = ExceptionUtil.getRootCause(t);
+                Assertions.assertNotNull(rootCause);
+                String message = rootCause.getMessage();
+                Assertions.assertNotNull(message);
+                Assertions.assertTrue(message.contains("proactive authentication is disabled"), message);
+            });
+
+    @Test
+    public void test() {
+        Assertions.fail("Validation should fail");
+    }
+
+    @AuthenticationContext("ignored")
+    @Path("step-up-auth")
+    public static class StepUpAuthResource {
+
+        @GET
+        public String stepUpAuth() {
+            return "step-up-auth";
+        }
+
+    }
+}