Added ability to define some OpenAPI Security in Config

[phillip-kruger]

As discussed in the OpenAPI Quarkus Insights session.

This allows adding basic, JWT, OIDC and Implicit flow OAuth2 security via config.

Signed-off-by:Phillip Kruger phillip.kruger@gmail.com

[geoand]

Very nice!

I can't say I know much about this stuff, so maybe best if @sberyozkin takes a look?

[sberyozkin]

@phillip-kruger agree with @geoand it looks good; perhaps they can be made mutually exclusive ? I.e, one should only see one of those security schemes as opposed to for ex Basic and OIDC ? (though we actually have a pending issue where Basic is preferred for a specific resource while OIDC - for the rest of the space but for now we don't support such a resource specific authentication)

[phillip-kruger]

@sberyozkin - how do you mean ? Should we only allow one type at a time in config ? In OpenAPI you can define multiple security schemes, in fact, you can even for instance have multiple basic schemes (That is not possible in this PR, as I thinks that is not used that much)

This only adds the definition(s), the developer will still have to annotate the individual methods (operations) with the Security Requirement.

Let me know, happy to make any changes you suggest.

[sberyozkin]

@phillip-kruger I only meant that even if OpenApi allows it (multiple sec schemes) we can't back it up at the Quarkus level at a per-method level, for ex, let's say a user typed Basic and OIDC or Basic and JWT - we can't support one for one method and another one for another method - combining the schemes works but not a per-method/per-resource level.
So my only suggestion was to check if more than one scheme is declared and if yes then warn or probably fail...
Sorry if I'm missing something

[phillip-kruger]

Hi @sberyozkin - as discussed, I changed this to only allow one of the types (mutually exclusive). Please can you review.
Thanks :)