Sync documentation of main branch

Author: actions-user

_generated-doc/main/config/quarkus-all-config.adoc

@@ -23400,27 +23400,6 @@ endif::add-copy-button-to-env-var[]
 |boolean
 |`+++true+++`
 
-a|icon:lock[title=Fixed at build time] [[quarkus-grpc_quarkus-grpc-server-allow-incomplete-classpath]] [.property-path]##link:#quarkus-grpc_quarkus-grpc-server-allow-incomplete-classpath[`quarkus.grpc.server.allow-incomplete-classpath`]##
-ifdef::add-copy-button-to-config-props[]
-config_property_copy_button:+++quarkus.grpc.server.allow-incomplete-classpath+++[]
-endif::add-copy-button-to-config-props[]
-
-
-[.description]
---
-Do we allow incomplete classpath for native build. This is useful for some legacy stuff that doesn't yet fully support Protobuf v4, only v3, which is missing some classes from v4, but can still work at runtime.
-
-
-ifdef::add-copy-button-to-env-var[]
-Environment variable: env_var_with_copy_button:+++QUARKUS_GRPC_SERVER_ALLOW_INCOMPLETE_CLASSPATH+++[]
-endif::add-copy-button-to-env-var[]
-ifndef::add-copy-button-to-env-var[]
-Environment variable: `+++QUARKUS_GRPC_SERVER_ALLOW_INCOMPLETE_CLASSPATH+++`
-endif::add-copy-button-to-env-var[]
---
-|boolean
-|`+++false+++`
-
 h|[[quarkus-grpc_section_quarkus-grpc-dev-mode]] [.section-name.section-level0]##link:#quarkus-grpc_section_quarkus-grpc-dev-mode[Configuration gRPC dev mode]##
 h|Type
 h|Default

_generated-doc/main/config/quarkus-grpc_quarkus.grpc.adoc

@@ -49,27 +49,6 @@ endif::add-copy-button-to-env-var[]
 |boolean
 |`+++true+++`
 
-a|icon:lock[title=Fixed at build time] [[quarkus-grpc_quarkus-grpc-server-allow-incomplete-classpath]] [.property-path]##link:#quarkus-grpc_quarkus-grpc-server-allow-incomplete-classpath[`quarkus.grpc.server.allow-incomplete-classpath`]##
-ifdef::add-copy-button-to-config-props[]
-config_property_copy_button:+++quarkus.grpc.server.allow-incomplete-classpath+++[]
-endif::add-copy-button-to-config-props[]
-
-
-[.description]
---
-Do we allow incomplete classpath for native build. This is useful for some legacy stuff that doesn't yet fully support Protobuf v4, only v3, which is missing some classes from v4, but can still work at runtime.
-
-
-ifdef::add-copy-button-to-env-var[]
-Environment variable: env_var_with_copy_button:+++QUARKUS_GRPC_SERVER_ALLOW_INCOMPLETE_CLASSPATH+++[]
-endif::add-copy-button-to-env-var[]
-ifndef::add-copy-button-to-env-var[]
-Environment variable: `+++QUARKUS_GRPC_SERVER_ALLOW_INCOMPLETE_CLASSPATH+++`
-endif::add-copy-button-to-env-var[]
---
-|boolean
-|`+++false+++`
-
 h|[[quarkus-grpc_section_quarkus-grpc-dev-mode]] [.section-name.section-level0]##link:#quarkus-grpc_section_quarkus-grpc-dev-mode[Configuration gRPC dev mode]##
 h|Type
 h|Default

_generated-doc/main/infra/quarkus-all-build-items.adoc

@@ -9616,6 +9616,10 @@ Annotation name, for example `BasicAuthentication` .
 
 Authentication mechanism scheme, as defined by `HttpAuthenticationMechanism#value()` .
 
+`java.util.Set<DotName> excludedTargetInterfaces` 
+
+Classes annotated with `#annotationName` excluded from additional security checks. In other words, we do not register `io.quarkus.security.Authenticated` security check for these interfaces when no other standard security annotation is not present.
+
 
 
 

_versions/main/guides/_attributes.adoc

@@ -22,8 +22,8 @@
 :jandex-version: 3.4.0
 :jandex-gradle-plugin-version: 1.0.0
 :kotlin-version: 2.2.0
-:grpc-version: 1.73.0
-:protoc-version: 4.31.1
+:grpc-version: 1.69.1
+:protoc-version: 3.25.5
 :gcf-invoker-version: 1.4.1
 // Cannot simply use the name 'hibernate-*-version' here as it somehow gets
 // overridden to the full version, at least when building locally.

_versions/main/guides/security-oidc-bearer-token-authentication.adoc

@@ -1552,6 +1552,34 @@ public class DiscoveryEndpointResponseFilter implements OidcResponseFilter {
 <3> Use `OidcRequestContextProperties` request properties to get the tenant id.
 <4> Get the response data as String.
 
+[[restrict-oidc-filter-to-bearer-auth-flow]]
+=== Restricting OIDC request and response filters to bearer token flow
+
+When you have both the bearer access token and xref:security-oidc-code-flow-authentication.adoc[authorization code] flows supported by xref:security-openid-connect-multitenancy.adoc[multiple OIDC tenants] and the filters have to deal with a flow specific logic, you can instead have them restricted to the bearer token flow with the `io.quarkus.oidc.BearerTokenAuthentication` annotation and xref:security-oidc-code-flow-authentication.adoc#restrict-oidc-filter-to-code-flow[the authorization code flow with the 'io.quarkus.oidc.AuthorizationCodeFlow' annotation].
+
+For example:
+
+[source,java]
+----
+package io.quarkus.it.keycloak;
+
+import io.quarkus.arc.Unremovable;
+import io.quarkus.oidc.BearerTokenAuthentication;
+import io.quarkus.oidc.common.OidcRequestFilter;
+import jakarta.enterprise.context.ApplicationScoped;
+
+@BearerTokenAuthentication
+@ApplicationScoped
+@Unremovable
+public class CustomOidcRequestFilter implements OidcRequestFilter {
+
+    @Override
+    public void filter(OidcRequestContext requestContext) {
+        requestContext.request().putHeader("custom-header-name", "custom-header-value");
+    }
+}
+----
+
 == Programmatic OIDC start-up
 
 OIDC tenants can be created programmatically like in the example below:

_versions/main/guides/security-oidc-code-flow-authentication.adoc

@@ -508,6 +508,34 @@ public class TokenResponseFilter implements OidcResponseFilter {
 }
 ----
 
+[[restrict-oidc-filter-to-code-flow]]
+=== Restricting OIDC request and response filters to authorization code flow
+
+When you have both the authorization code and xref:security-oidc-bearer-token-authentication.adoc[bearer access token] flows supported by xref:security-openid-connect-multitenancy.adoc[multiple OIDC tenants] and the filters have to deal with a flow specific logic, you can instead have them restricted to the authorization code flow with the `io.quarkus.oidc.AuthorizationCodeFlow` annotation and xref:security-oidc-bearer-token-authentication.adoc#restrict-oidc-filter-to-bearer-auth-flow[the bearer access token flow with the 'io.quarkus.oidc.BearerTokenAuthentication' annotation].
+
+For example:
+
+[source,java]
+----
+package io.quarkus.it.keycloak;
+
+import io.quarkus.arc.Unremovable;
+import io.quarkus.oidc.AuthorizationCodeFlow;
+import io.quarkus.oidc.common.OidcRequestFilter;
+import jakarta.enterprise.context.ApplicationScoped;
+
+@AuthorizationCodeFlow
+@ApplicationScoped
+@Unremovable
+public class CustomOidcRequestFilter implements OidcRequestFilter {
+
+    @Override
+    public void filter(OidcRequestContext requestContext) {
+        requestContext.request().putHeader("custom-header-name", "custom-header-value");
+    }
+}
+----
+
 === Redirecting to and from the OIDC provider
 
 When a user is redirected to the OIDC provider to authenticate, the redirect URL includes a `redirect_uri` query parameter, which indicates to the provider where the user has to be redirected to when the authentication is complete.

_versions/main/guides/security-openid-connect-multitenancy.adoc

@@ -974,6 +974,33 @@ quarkus.oidc.tenant-b.credentials.secret=${tenant-b-client-secret}
 <2> Tenant `tenant-a` discovers the `issuer` from the OIDC provider's well-known configuration endpoint.
 <3> Tenant `tenant-b` configures the `issuer` because its OIDC provider does not support the discovery.
 
+[[restrict-oidc-filter-to-tenants]]
+==== Restricting OIDC request and response filters to specific tenants
+
+Both the `io.quarkus.oidc.common.OidcRequestFilter` and the `io.quarkus.oidc.common.OidcResponseFilter` filters can be restricted to specific tenants like in the example below:
+
+[source,java]
+----
+package io.quarkus.it.oidc;
+
+import io.quarkus.oidc.TenantFeature;
+import io.quarkus.oidc.common.OidcRequestFilter;
+import jakarta.enterprise.context.ApplicationScoped;
+
+@ApplicationScoped
+@TenantFeature({ "tenant-one", "tenant-two" }) <1>
+public class CustomOidcRequestFilter implements OidcRequestFilter {
+
+    @Override
+    public void filter(OidcRequestContext requestContext) {
+        requestContext.request().putHeader("custom-header-name", "custom-header-value");
+    }
+}
+----
+<1> Restrict the `CustomOidcRequestFilter` filter to OIDC tenants `tenant-one` and `tenant-two`.
+
+An OIDC response filter can be restricted to the specific OIDC endpoint or endpoints with the `quarkus.oidc.common.OidcEndpoint` annotation.
+
 [[tenant-resolution-for-web-app]]
 === Tenant resolution for OIDC web-app applications