geoand
diff --git a/‎docs/src/main/asciidoc/security-openid-connect-client-reference.adoc‎
Lines changed: 46 additions & 0 deletions b/‎docs/src/main/asciidoc/security-openid-connect-client-reference.adoc‎
Lines changed: 46 additions & 0 deletions
diff --git a/‎extensions/oidc-client-filter/deployment/src/main/java/io/quarkus/oidc/client/filter/deployment/OidcClientFilterBuildStep.java‎
Lines changed: 2 additions & 2 deletions b/‎extensions/oidc-client-filter/deployment/src/main/java/io/quarkus/oidc/client/filter/deployment/OidcClientFilterBuildStep.java‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎extensions/oidc-client-filter/deployment/src/test/java/io/quarkus/oidc/client/filter/AbstractRevokedAccessTokenDevModeTest.java‎
Lines changed: 42 additions & 32 deletions b/‎extensions/oidc-client-filter/deployment/src/test/java/io/quarkus/oidc/client/filter/AbstractRevokedAccessTokenDevModeTest.java‎
Lines changed: 42 additions & 32 deletions
diff --git a/‎extensions/oidc-client-filter/deployment/src/test/java/io/quarkus/oidc/client/filter/OidcClientFilterRevokedAccessTokenDevModeTest.java‎
Lines changed: 107 additions & 3 deletions b/‎extensions/oidc-client-filter/deployment/src/test/java/io/quarkus/oidc/client/filter/OidcClientFilterRevokedAccessTokenDevModeTest.java‎
Lines changed: 107 additions & 3 deletions
diff --git a/‎extensions/oidc-client-filter/deployment/src/test/java/io/quarkus/oidc/client/filter/OidcClientRequestFilterRevokedTokenDevModeTest.java‎
Lines changed: 11 additions & 0 deletions b/‎extensions/oidc-client-filter/deployment/src/test/java/io/quarkus/oidc/client/filter/OidcClientRequestFilterRevokedTokenDevModeTest.java‎
Lines changed: 11 additions & 0 deletions
@@ -551,6 +551,30 @@ public interface ProtectedResourceService {
 
 or
 
+[source,java]
+----
+import org.eclipse.microprofile.rest.client.inject.RegisterRestClient;
+import io.quarkus.oidc.client.filter.OidcClientFilter;
+import io.smallrye.mutiny.Uni;
+import jakarta.ws.rs.GET;
+import jakarta.ws.rs.Path;
+
+@RegisterRestClient
+@Path("/")
+public interface InformationService {
+
+    @OidcClientFilter
+    @GET
+    Uni<String> getUserName();
+
+    @OidcClientFilter
+    @GET
+    Uni<String> getPublicInformation();
+}
+----
+
+or
+
 [source,java]
 ----
 import org.eclipse.microprofile.rest.client.annotation.RegisterProvider;
@@ -659,6 +683,28 @@ public interface ProtectedResourceService {
 
 or
 
+[source,java]
+----
+import org.eclipse.microprofile.rest.client.inject.RegisterRestClient;
+import io.quarkus.oidc.client.filter.OidcClientFilter;
+import jakarta.ws.rs.GET;
+import jakarta.ws.rs.Path;
+
+@RegisterRestClient
+@Path("/")
+public interface InformationService {
+
+    @OidcClientFilter
+    @GET
+    String getUserName();
+
+    @GET
+    String getPublicInformation();
+}
+----
+
+or
+
 [source,java]
 ----
 import org.eclipse.microprofile.rest.client.annotation.RegisterProvider;
 
@@ -99,8 +99,8 @@ NamedOidcClientFilterBuildItem registerNamedProviders(BuildProducer<ReflectiveCl
             }
 
             // we generate exactly one custom filter for each @OidcClientFilter client specified through annotation
-            final var generatedProvider = helper.getOrCreateNamedTokensProducerFor(clientName);
-            final var targetRestClient = instance.target().asClass().name().toString();
+            final var generatedProvider = helper.getOrCreateNamedTokensProducerFor(clientName, instance);
+            final var targetRestClient = OidcClientFilterDeploymentHelper.getTargetRestClientName(instance);
             namedFilterClientClasses.add(targetRestClient);
 
             // register for reflection
 
@@ -71,41 +71,20 @@ protected static QuarkusDevModeTest createQuarkusDevModeTest(String additionalPr
                 .addClasses(BASE_TEST_CLASSES));
     }
 
-    @Test
-    void verifyNamedClientHasTokenRefreshedOn401() {
+    void verifyTokenRefreshedOn401(MyClientCategory myClientCategory) {
         RestAssured.given()
-                .body(MyClientCategory.NAMED_CLIENT)
+                .body(myClientCategory)
                 .post(MY_CLIENT_RESOURCE_PATH)
                 .then().statusCode(200)
                 .body(Matchers.is(RESPONSE));
         // access token is revoked now
         RestAssured.given()
-                .body(MyClientCategory.NAMED_CLIENT)
+                .body(myClientCategory)
                 .post(MY_CLIENT_RESOURCE_PATH)
                 .then().statusCode(401);
         // response filter recognized 401 and told the request token to refresh the token on next request
         RestAssured.given()
-                .body(MyClientCategory.NAMED_CLIENT)
-                .post(MY_CLIENT_RESOURCE_PATH)
-                .then().statusCode(200)
-                .body(Matchers.is(RESPONSE));
-    }
-
-    @Test
-    void verifyDefaultClientHasTokenRefreshedOn401() {
-        RestAssured.given()
-                .body(MyClientCategory.DEFAULT_CLIENT)
-                .post(MY_CLIENT_RESOURCE_PATH)
-                .then().statusCode(200)
-                .body(Matchers.is(RESPONSE));
-        // access token is revoked now
-        RestAssured.given()
-                .body(MyClientCategory.DEFAULT_CLIENT)
-                .post(MY_CLIENT_RESOURCE_PATH)
-                .then().statusCode(401);
-        // response filter recognized 401 and told the request token to refresh the token on next request
-        RestAssured.given()
-                .body(MyClientCategory.DEFAULT_CLIENT)
+                .body(myClientCategory)
                 .post(MY_CLIENT_RESOURCE_PATH)
                 .then().statusCode(200)
                 .body(Matchers.is(RESPONSE));
@@ -186,13 +165,19 @@ public abstract static class MyClientResource {
 
         @POST
         public String talkToServerAndRespond(MyClientCategory clientCategory) {
-            MyClient client = switch (clientCategory) {
-                case NAMED_CLIENT -> myNamedClient();
-                case DEFAULT_CLIENT -> myDefaultClient();
-                case DEFAULT_CLIENT_WITHOUT_REFRESH -> myDefaultClientWithoutRefresh();
-                case NAMED_CLIENT_WITHOUT_REFRESH -> myNamedClientWithoutRefresh();
+            String named = clientCategory.named + "";
+            return switch (clientCategory) {
+                case NAMED_CLIENT -> myNamedClient().revokeAccessTokenAndRespond(named);
+                case DEFAULT_CLIENT -> myDefaultClient().revokeAccessTokenAndRespond(named);
+                case DEFAULT_CLIENT_WITHOUT_REFRESH -> myDefaultClientWithoutRefresh().revokeAccessTokenAndRespond(named);
+                case NAMED_CLIENT_WITHOUT_REFRESH -> myNamedClientWithoutRefresh().revokeAccessTokenAndRespond(named);
+                // calls the same endpoint as ones above, however with filter applied on individual RESTEasy client methods
+                case NAMED_CLIENT_ANNOTATION_ON_METHOD -> myNamedClient_AnnotationOnMethod(named);
+                case DEFAULT_CLIENT_ANNOTATION_ON_METHOD -> myDefaultClient_AnnotationOnMethod(named);
+                case NAMED_CLIENT_MULTIPLE_METHODS -> myNamedClient_MultipleMethods(named);
+                case DEFAULT_CLIENT_MULTIPLE_METHODS -> myDefaultClient_MultipleMethods(named);
+                case NO_ACCESS_TOKEN -> multipleMethods_noAccessToken();
             };
-            return client.revokeAccessTokenAndRespond(clientCategory.named + "");
         }
 
         protected abstract MyClient myDefaultClient();
@@ -203,6 +188,26 @@ public String talkToServerAndRespond(MyClientCategory clientCategory) {
 
         protected abstract MyClient myNamedClientWithoutRefresh();
 
+        protected String myDefaultClient_AnnotationOnMethod(String named) {
+            return null;
+        }
+
+        protected String myNamedClient_AnnotationOnMethod(String named) {
+            return null;
+        }
+
+        protected String myDefaultClient_MultipleMethods(String named) {
+            return null;
+        }
+
+        protected String myNamedClient_MultipleMethods(String named) {
+            return null;
+        }
+
+        protected String multipleMethods_noAccessToken() {
+            return null;
+        }
+
     }
 
     public interface MyClient {
@@ -216,7 +221,12 @@ public enum MyClientCategory {
         DEFAULT_CLIENT(false),
         NAMED_CLIENT(true),
         DEFAULT_CLIENT_WITHOUT_REFRESH(false),
-        NAMED_CLIENT_WITHOUT_REFRESH(true);
+        NAMED_CLIENT_WITHOUT_REFRESH(true),
+        DEFAULT_CLIENT_ANNOTATION_ON_METHOD(false),
+        NAMED_CLIENT_ANNOTATION_ON_METHOD(true),
+        NAMED_CLIENT_MULTIPLE_METHODS(true),
+        DEFAULT_CLIENT_MULTIPLE_METHODS(false),
+        NO_ACCESS_TOKEN(false);
 
         public final boolean named;
 
 
@@ -4,27 +4,62 @@
 
 import jakarta.annotation.Priority;
 import jakarta.inject.Inject;
+import jakarta.ws.rs.POST;
 import jakarta.ws.rs.Path;
 import jakarta.ws.rs.Priorities;
 
 import org.eclipse.microprofile.rest.client.annotation.RegisterProvider;
 import org.eclipse.microprofile.rest.client.inject.RegisterRestClient;
 import org.eclipse.microprofile.rest.client.inject.RestClient;
+import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.RegisterExtension;
 
 import io.quarkus.oidc.client.filter.runtime.AbstractOidcClientRequestFilter;
 import io.quarkus.test.QuarkusDevModeTest;
 import io.quarkus.test.common.QuarkusTestResource;
 import io.quarkus.test.keycloak.server.KeycloakTestResourceLifecycleManager;
+import io.restassured.RestAssured;
 
 @QuarkusTestResource(KeycloakTestResourceLifecycleManager.class)
 public class OidcClientFilterRevokedAccessTokenDevModeTest extends AbstractRevokedAccessTokenDevModeTest {
 
     @RegisterExtension
-    static final QuarkusDevModeTest test = createQuarkusDevModeTest(
-            "quarkus.resteasy-client-oidc-filter.refresh-on-unauthorized=true", MyDefaultClient.class, MyNamedClient.class,
+    static final QuarkusDevModeTest test = createQuarkusDevModeTest("""
+            quarkus.resteasy-client-oidc-filter.refresh-on-unauthorized=true
+            %s/mp-rest/url=http://localhost:${quarkus.http.port}
+            %s/mp-rest/url=http://localhost:${quarkus.http.port}
+            %s/mp-rest/url=http://localhost:${quarkus.http.port}
+            """.formatted(MyDefaultClient_AnnotationOnMethod.class.getName(), MyNamedClient_AnnotationOnMethod.class.getName(),
+            MyClient_MultipleMethods.class.getName()),
+            MyDefaultClient.class, MyNamedClient.class,
             MyNamedClientWithoutRefresh.class, MyDefaultClientWithoutRefresh.class, MyClientResourceImpl.class,
-            DefaultClientRefreshDisabled.class, NamedClientRefreshDisabled.class);
+            DefaultClientRefreshDisabled.class, NamedClientRefreshDisabled.class, MyDefaultClient_AnnotationOnMethod.class,
+            MyNamedClient_AnnotationOnMethod.class, MyClient_MultipleMethods.class);
+
+    @Test
+    void verifyNamedClientHasTokenRefreshedOn401() {
+        verifyTokenRefreshedOn401(MyClientCategory.NAMED_CLIENT_ANNOTATION_ON_METHOD);
+        verifyTokenRefreshedOn401(MyClientCategory.NAMED_CLIENT_MULTIPLE_METHODS);
+        verifyTokenRefreshedOn401(MyClientCategory.NAMED_CLIENT);
+    }
+
+    @Test
+    void verifyDefaultClientHasTokenRefreshedOn401() {
+        verifyTokenRefreshedOn401(MyClientCategory.DEFAULT_CLIENT_ANNOTATION_ON_METHOD);
+        verifyTokenRefreshedOn401(MyClientCategory.DEFAULT_CLIENT_MULTIPLE_METHODS);
+        verifyTokenRefreshedOn401(MyClientCategory.DEFAULT_CLIENT);
+    }
+
+    @Test
+    void verifyNotAnnotatedMethodHasAccessDenied() {
+        // this client method is not annotated with the '@OidcClientFilter' annotation, but the client server
+        // requires authentication
+        RestAssured.given()
+                .body(MyClientCategory.NO_ACCESS_TOKEN)
+                .post(MY_CLIENT_RESOURCE_PATH)
+                .then()
+                .statusCode(401);
+    }
 
     @RegisterRestClient
     @OidcClientFilter
@@ -66,6 +101,38 @@ protected Optional<String> clientId() {
         }
     }
 
+    @RegisterRestClient
+    @Path(MY_SERVER_RESOURCE_PATH)
+    public interface MyDefaultClient_AnnotationOnMethod {
+        @OidcClientFilter
+        @POST
+        String revokeAccessTokenAndRespond(String named);
+    }
+
+    @RegisterRestClient
+    @Path(MY_SERVER_RESOURCE_PATH)
+    public interface MyNamedClient_AnnotationOnMethod {
+        @OidcClientFilter(NAMED_CLIENT)
+        @POST
+        String revokeAccessTokenAndRespond(String named);
+    }
+
+    @RegisterRestClient
+    @Path(MY_SERVER_RESOURCE_PATH)
+    public interface MyClient_MultipleMethods {
+
+        @OidcClientFilter(NAMED_CLIENT)
+        @POST
+        String revokeAccessTokenAndRespond_NamedClient(String named);
+
+        @OidcClientFilter
+        @POST
+        String revokeAccessTokenAndRespond_DefaultClient(String named);
+
+        @POST
+        String noAccessToken();
+    }
+
     public static class MyClientResourceImpl extends MyClientResource {
 
         @Inject
@@ -84,6 +151,18 @@ public static class MyClientResourceImpl extends MyClientResource {
         @RestClient
         MyNamedClientWithoutRefresh myNamedClientWithoutRefresh;
 
+        @Inject
+        @RestClient
+        MyDefaultClient_AnnotationOnMethod myDefaultClientAnnotationOnMethod;
+
+        @Inject
+        @RestClient
+        MyNamedClient_AnnotationOnMethod myNamedClientAnnotationOnMethod;
+
+        @Inject
+        @RestClient
+        MyClient_MultipleMethods myClientMultipleMethods;
+
         @Override
         protected MyClient myDefaultClient() {
             return myDefaultClient;
@@ -103,6 +182,31 @@ protected MyClient myDefaultClientWithoutRefresh() {
         protected MyClient myNamedClientWithoutRefresh() {
             return myNamedClientWithoutRefresh;
         }
+
+        @Override
+        protected String myDefaultClient_AnnotationOnMethod(String named) {
+            return myDefaultClientAnnotationOnMethod.revokeAccessTokenAndRespond(named);
+        }
+
+        @Override
+        protected String myNamedClient_AnnotationOnMethod(String named) {
+            return myNamedClientAnnotationOnMethod.revokeAccessTokenAndRespond(named);
+        }
+
+        @Override
+        protected String myDefaultClient_MultipleMethods(String named) {
+            return myClientMultipleMethods.revokeAccessTokenAndRespond_DefaultClient(named);
+        }
+
+        @Override
+        protected String myNamedClient_MultipleMethods(String named) {
+            return myClientMultipleMethods.revokeAccessTokenAndRespond_NamedClient(named);
+        }
+
+        @Override
+        protected String multipleMethods_noAccessToken() {
+            return myClientMultipleMethods.noAccessToken();
+        }
     }
 
 }
@@ -10,6 +10,7 @@
 import org.eclipse.microprofile.rest.client.annotation.RegisterProvider;
 import org.eclipse.microprofile.rest.client.inject.RegisterRestClient;
 import org.eclipse.microprofile.rest.client.inject.RestClient;
+import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.RegisterExtension;
 
 import io.quarkus.oidc.client.filter.runtime.AbstractOidcClientRequestFilter;
@@ -26,6 +27,16 @@ public class OidcClientRequestFilterRevokedTokenDevModeTest extends AbstractRevo
             DefaultClientRefreshEnabled.class, NamedClientRefreshEnabled.class, DefaultClientRefreshDisabled.class,
             NamedClientRefreshDisabled.class);
 
+    @Test
+    void verifyNamedClientHasTokenRefreshedOn401() {
+        verifyTokenRefreshedOn401(MyClientCategory.NAMED_CLIENT);
+    }
+
+    @Test
+    void verifyDefaultClientHasTokenRefreshedOn401() {
+        verifyTokenRefreshedOn401(MyClientCategory.DEFAULT_CLIENT);
+    }
+
     @RegisterRestClient
     @RegisterProvider(value = DefaultClientRefreshEnabled.class)
     @Path(MY_SERVER_RESOURCE_PATH)
Original file line number	Diff line number	Diff line change
`@@ -99,8 +99,8 @@ NamedOidcClientFilterBuildItem registerNamedProviders(BuildProducer<ReflectiveCl`
`99`	`99`	`}`
`100`	`100`
`101`	`101`	`// we generate exactly one custom filter for each @OidcClientFilter client specified through annotation`
`102`		`- final var generatedProvider = helper.getOrCreateNamedTokensProducerFor(clientName);`
`103`		`- final var targetRestClient = instance.target().asClass().name().toString();`
	`102`	`+ final var generatedProvider = helper.getOrCreateNamedTokensProducerFor(clientName, instance);`
	`103`	`+ final var targetRestClient = OidcClientFilterDeploymentHelper.getTargetRestClientName(instance);`
`104`	`104`	`namedFilterClientClasses.add(targetRestClient);`
`105`	`105`
`106`	`106`	`// register for reflection`