quarkusio · michalvavrik · May 3, 2025 · sberyozkin · May 4, 2025 · michalvavrik
diff --git a/docs/src/main/asciidoc/websockets-next-reference.adoc b/docs/src/main/asciidoc/websockets-next-reference.adoc
@@ -1073,6 +1073,51 @@ When you plan to use bearer access tokens during the opening WebSocket handshake
 * Use a custom WebSocket ticket system which supplies a random token with the HTML page which hosts the JavaScript WebSockets client which must provide this token during the initial handshake request as a query parameter.
 ====
 
+Before the bearer access token sent on the initial HTTP request expires, you can send a new bearer access token as part of a message and update current `SecurityIdentity` attached to the WebSocket server connection:
+
+[source, java]
+----
+package io.quarkus.websockets.next.test.security;
+
+import io.quarkus.security.Authenticated;
+import io.quarkus.security.identity.SecurityIdentity;
+import io.quarkus.websockets.next.OnTextMessage;
+import io.quarkus.websockets.next.WebSocket;
+import io.quarkus.websockets.next.WebSocketSecurity;
+import jakarta.inject.Inject;
+
+@Authenticated
+@WebSocket(path = "/end")
+public class Endpoint {
+
+    record RequestDto(String accessToken, String message) {}
+
+    @Inject
+    SecurityIdentity securityIdentity;
+
+    @Inject
+    WebSocketSecurity webSocketSecurity;
+
+    @OnTextMessage
+    String echo(RequestDto request) {
+        if (request.accessToken != null) {
+            webSocketSecurity.updateSecurityIdentity(request.accessToken); <1>
+        }
+        String principalName = securityIdentity.getPrincipal().getName(); <2>
+        return request.message + " " + principalName;
+    }
+
+}
+----
+<1> Asynchronously update the `SecurityIdentity` attached to the WebSocket server connection.
+<2> The `SecurityIdentity` instance injected into the `Endpoint` will represent the updated identity after Quarkus has finished the asynchronous identity update.
+The update process should be imperceptible, because the `SecurityIdentity` before and after update should only differ in the token expiration time.
+
+The xref:security-oidc-bearer-token-authentication.adoc[OIDC Bearer token authentication] mechanism has builtin support for the `SecurityIdentity` update.
+If you use other authentication mechanisms, you must implement the `io.quarkus.security.identity.IdentityProvider` provider that supports the `io.quarkus.websockets.next.runtime.spi.telemetry.WebSocketIdentityUpdateRequest` authentication request.
+
+IMPORTANT: Always use the `wss` protocol to enforce encrypted HTTP connection via TLS when sending credentials as part of the WebSocket message.
+
 === Inspect and/or reject HTTP upgrade
 
 To inspect an HTTP upgrade, you must provide a CDI bean implementing the `io.quarkus.websockets.next.HttpUpgradeCheck` interface.

diff --git a/extensions/oidc/deployment/src/main/java/io/quarkus/oidc/deployment/OidcBuildStep.java b/extensions/oidc/deployment/src/main/java/io/quarkus/oidc/deployment/OidcBuildStep.java
@@ -99,6 +99,7 @@
 import io.quarkus.oidc.runtime.OidcTokenCredentialProducer;
 import io.quarkus.oidc.runtime.OidcUtils;
 import io.quarkus.oidc.runtime.TenantConfigBean;
+import io.quarkus.oidc.runtime.WebSocketIdentityUpdateProvider;
 import io.quarkus.oidc.runtime.providers.AzureAccessTokenCustomizer;
 import io.quarkus.runtime.configuration.ConfigurationException;
 import io.quarkus.security.Authenticated;
@@ -472,6 +473,14 @@ public void registerAuthenticationContextInterceptor(Capabilities capabilities,
                                 .builder(Authenticated.class).buildWithTarget(c))));
     }
 
+    @BuildStep
+    void supportIdentityUpdateForWebSocketConnections(Capabilities capabilities,
+            BuildProducer<AdditionalBeanBuildItem> additionalBeanProducer) {
+        if (capabilities.isPresent(Capability.WEBSOCKETS_NEXT)) {
+            additionalBeanProducer.produce(AdditionalBeanBuildItem.unremovableOf(WebSocketIdentityUpdateProvider.class));
+        }
+    }
+
     private static boolean areEagerSecInterceptorsSupported(Capabilities capabilities,
             VertxHttpBuildTimeConfig httpBuildTimeConfig) {
         if (httpBuildTimeConfig.auth().proactive()) {

diff --git a/extensions/oidc/runtime/pom.xml b/extensions/oidc/runtime/pom.xml
@@ -37,6 +37,10 @@
             <groupId>io.quarkus</groupId>
             <artifactId>quarkus-oidc-common</artifactId>
         </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-websockets-next-spi</artifactId>
+        </dependency>
         <dependency>
             <groupId>io.smallrye</groupId>
             <artifactId>smallrye-jwt</artifactId>

diff --git a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcRecorder.java b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcRecorder.java
@@ -1,11 +1,8 @@
 package io.quarkus.oidc.runtime;
 
 import static io.quarkus.runtime.configuration.DurationConverter.parseDuration;
-import static io.quarkus.vertx.http.runtime.security.HttpSecurityUtils.getRoutingContextAttribute;
 
 import java.time.Duration;
-import java.util.HashMap;
-import java.util.Map;
 import java.util.function.Consumer;
 import java.util.function.Function;
 import java.util.function.Supplier;
@@ -18,22 +15,15 @@
 
 import io.quarkus.arc.Arc;
 import io.quarkus.arc.SyntheticCreationalContext;
-import io.quarkus.oidc.AccessTokenCredential;
-import io.quarkus.oidc.OIDCException;
 import io.quarkus.oidc.Oidc;
 import io.quarkus.oidc.OidcTenantConfig;
 import io.quarkus.oidc.TenantIdentityProvider;
 import io.quarkus.runtime.annotations.Recorder;
 import io.quarkus.runtime.annotations.RuntimeInit;
 import io.quarkus.runtime.annotations.StaticInit;
 import io.quarkus.security.AuthenticationFailedException;
-import io.quarkus.security.identity.AuthenticationRequestContext;
-import io.quarkus.security.identity.SecurityIdentity;
-import io.quarkus.security.identity.request.TokenAuthenticationRequest;
 import io.quarkus.security.runtime.SecurityConfig;
-import io.quarkus.security.spi.runtime.BlockingSecurityExecutor;
 import io.quarkus.tls.TlsConfigurationRegistry;
-import io.smallrye.mutiny.Uni;
 import io.vertx.core.Vertx;
 import io.vertx.ext.web.RoutingContext;
 
@@ -173,52 +163,4 @@ public void accept(RoutingContext routingContext) {
             }
         };
     }
-
-    private static final class TenantSpecificOidcIdentityProvider extends OidcIdentityProvider
-            implements TenantIdentityProvider {
-
-        private final String tenantId;
-        private final BlockingSecurityExecutor blockingExecutor;
-
-        private TenantSpecificOidcIdentityProvider(String tenantId) {
-            super(Arc.container().instance(DefaultTenantConfigResolver.class).get(),
-                    Arc.container().instance(BlockingSecurityExecutor.class).get());
-            this.blockingExecutor = Arc.container().instance(BlockingSecurityExecutor.class).get();
-            this.tenantId = tenantId;
-        }
-
-        @Override
-        public Uni<SecurityIdentity> authenticate(AccessTokenCredential token) {
-            return authenticate(new TokenAuthenticationRequest(token));
-        }
-
-        @Override
-        protected Uni<TenantConfigContext> resolveTenantConfigContext(TokenAuthenticationRequest request,
-                AuthenticationRequestContext context) {
-            return tenantResolver.resolveContext(tenantId).onItem().ifNull().failWith(new Supplier<Throwable>() {
-                @Override
-                public Throwable get() {
-                    return new OIDCException("Failed to resolve tenant context");
-                }
-            });
-        }
-
-        @Override
-        protected Map<String, Object> getRequestData(TokenAuthenticationRequest request) {
-            RoutingContext context = getRoutingContextAttribute(request);
-            if (context != null) {
-                return context.data();
-            }
-            return new HashMap<>();
-        }
-
-        private Uni<SecurityIdentity> authenticate(TokenAuthenticationRequest request) {
-            return authenticate(request, new AuthenticationRequestContext() {
-                @Override
-                public Uni<SecurityIdentity> runBlocking(Supplier<SecurityIdentity> function) {
-                    return blockingExecutor.executeBlocking(function);
-                }
-            });
-        }
-    }
 }
diff --git a/...idc/runtime/src/main/java/io/quarkus/oidc/runtime/TenantSpecificOidcIdentityProvider.java b/...idc/runtime/src/main/java/io/quarkus/oidc/runtime/TenantSpecificOidcIdentityProvider.java
@@ -0,0 +1,70 @@
+package io.quarkus.oidc.runtime;
+
+import static io.quarkus.vertx.http.runtime.security.HttpSecurityUtils.getRoutingContextAttribute;
+
+import java.util.HashMap;
+import java.util.Map;
+import java.util.function.Supplier;
+
+import io.quarkus.arc.Arc;
+import io.quarkus.oidc.AccessTokenCredential;
+import io.quarkus.oidc.OIDCException;
+import io.quarkus.oidc.TenantIdentityProvider;
+import io.quarkus.security.identity.AuthenticationRequestContext;
+import io.quarkus.security.identity.SecurityIdentity;
+import io.quarkus.security.identity.request.TokenAuthenticationRequest;
+import io.quarkus.security.spi.runtime.BlockingSecurityExecutor;
+import io.smallrye.mutiny.Uni;
+import io.vertx.ext.web.RoutingContext;
+
+final class TenantSpecificOidcIdentityProvider extends OidcIdentityProvider implements TenantIdentityProvider {
+
+    private final String tenantId;
+    private final BlockingSecurityExecutor blockingExecutor;
+
+    TenantSpecificOidcIdentityProvider(String tenantId, DefaultTenantConfigResolver resolver,
+            BlockingSecurityExecutor blockingExecutor) {
+        super(resolver, blockingExecutor);
+        this.blockingExecutor = blockingExecutor;
+        this.tenantId = tenantId;
+    }
+
+    TenantSpecificOidcIdentityProvider(String tenantId) {
+        this(tenantId, Arc.container().instance(DefaultTenantConfigResolver.class).get(),
+                Arc.container().instance(BlockingSecurityExecutor.class).get());
+    }
+
+    @Override
+    public Uni<SecurityIdentity> authenticate(AccessTokenCredential token) {
+        return authenticate(new TokenAuthenticationRequest(token));
+    }
+
+    @Override
+    protected Uni<TenantConfigContext> resolveTenantConfigContext(TokenAuthenticationRequest request,
+            AuthenticationRequestContext context) {
+        return tenantResolver.resolveContext(tenantId).onItem().ifNull().failWith(new Supplier<Throwable>() {
+            @Override
+            public Throwable get() {
+                return new OIDCException("Failed to resolve tenant context");
+            }
+        });
+    }
+
+    @Override
+    protected Map<String, Object> getRequestData(TokenAuthenticationRequest request) {
+        RoutingContext context = getRoutingContextAttribute(request);
+        if (context != null) {
+            return context.data();
+        }
+        return new HashMap<>();
+    }
+
+    private Uni<SecurityIdentity> authenticate(TokenAuthenticationRequest request) {
+        return authenticate(request, new AuthenticationRequestContext() {
+            @Override
+            public Uni<SecurityIdentity> runBlocking(Supplier<SecurityIdentity> function) {
+                return blockingExecutor.executeBlocking(function);
+            }
+        });
+    }
+}
diff --git a/...s/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/WebSocketIdentityUpdateProvider.java b/...s/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/WebSocketIdentityUpdateProvider.java
@@ -0,0 +1,53 @@
+package io.quarkus.oidc.runtime;
+
+import static io.quarkus.vertx.http.runtime.security.HttpSecurityUtils.getRoutingContextAttribute;
+
+import jakarta.enterprise.context.ApplicationScoped;
+import jakarta.inject.Inject;
+
+import io.quarkus.oidc.AccessTokenCredential;
+import io.quarkus.oidc.OidcTenantConfig;
+import io.quarkus.security.AuthenticationFailedException;
+import io.quarkus.security.identity.AuthenticationRequestContext;
+import io.quarkus.security.identity.IdentityProvider;
+import io.quarkus.security.identity.SecurityIdentity;
+import io.quarkus.security.spi.runtime.BlockingSecurityExecutor;
+import io.quarkus.websockets.next.runtime.spi.telemetry.WebSocketIdentityUpdateRequest;
+import io.smallrye.mutiny.Uni;
+import io.vertx.ext.web.RoutingContext;
+
+@ApplicationScoped
+public class WebSocketIdentityUpdateProvider implements IdentityProvider<WebSocketIdentityUpdateRequest> {
+
+    @Inject
+    DefaultTenantConfigResolver resolver;
+
+    @Inject
+    BlockingSecurityExecutor blockingExecutor;
+
+    WebSocketIdentityUpdateProvider() {
+    }
+
+    @Override
+    public Class<WebSocketIdentityUpdateRequest> getRequestType() {
+        return WebSocketIdentityUpdateRequest.class;
+    }
+
+    @Override
+    public Uni<SecurityIdentity> authenticate(WebSocketIdentityUpdateRequest request,
+            AuthenticationRequestContext authenticationRequestContext) {
+        return authenticate(request.getCredential().getToken(), getRoutingContextAttribute(request));
+    }
+
+    private Uni<SecurityIdentity> authenticate(String accessToken, RoutingContext routingContext) {
+        final OidcTenantConfig tenantConfig = routingContext.get(OidcTenantConfig.class.getName());
+        if (tenantConfig == null) {
+            return Uni.createFrom().failure(new AuthenticationFailedException(
+                    "Cannot update SecurityIdentity because OIDC tenant wasn't resolved for current WebSocket connection"));
+        }
+        final var tenantId = tenantConfig.tenantId().get();
+        final var identityProvider = new TenantSpecificOidcIdentityProvider(tenantId, resolver, blockingExecutor);
+        final var credential = new AccessTokenCredential(accessToken);
+        return identityProvider.authenticate(credential);
+    }
+}
diff --git a/...xt/deployment/src/main/java/io/quarkus/websockets/next/deployment/WebSocketProcessor.java b/...xt/deployment/src/main/java/io/quarkus/websockets/next/deployment/WebSocketProcessor.java
@@ -12,6 +12,7 @@
 import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
+import java.util.Objects;
 import java.util.Optional;
 import java.util.Set;
 import java.util.function.Consumer;
@@ -21,6 +22,7 @@
 import java.util.regex.Pattern;
 import java.util.stream.Collectors;
 
+import jakarta.enterprise.context.ApplicationScoped;
 import jakarta.enterprise.context.SessionScoped;
 import jakarta.enterprise.inject.Instance;
 import jakarta.enterprise.invoke.Invoker;
@@ -40,6 +42,7 @@
 import org.jboss.jandex.PrimitiveType;
 import org.jboss.jandex.Type;
 import org.jboss.jandex.Type.Kind;
+import org.jboss.jandex.WildcardType;
 import org.objectweb.asm.Opcodes;
 
 import io.quarkus.arc.deployment.AdditionalBeanBuildItem;
@@ -95,6 +98,8 @@
 import io.quarkus.gizmo.ResultHandle;
 import io.quarkus.gizmo.TryBlock;
 import io.quarkus.runtime.metrics.MetricsFactory;
+import io.quarkus.security.identity.IdentityProvider;
+import io.quarkus.security.identity.IdentityProviderManager;
 import io.quarkus.security.spi.ClassSecurityAnnotationBuildItem;
 import io.quarkus.security.spi.ClassSecurityCheckStorageBuildItem;
 import io.quarkus.security.spi.PermissionsAllowedMetaAnnotationBuildItem;
@@ -113,6 +118,7 @@
 import io.quarkus.websockets.next.WebSocketClientException;
 import io.quarkus.websockets.next.WebSocketConnection;
 import io.quarkus.websockets.next.WebSocketException;
+import io.quarkus.websockets.next.WebSocketSecurity;
 import io.quarkus.websockets.next.WebSocketServerException;
 import io.quarkus.websockets.next.deployment.Callback.MessageType;
 import io.quarkus.websockets.next.deployment.Callback.Target;
@@ -161,6 +167,7 @@ public class WebSocketProcessor {
     static final String CLIENT_ENDPOINT_SUFFIX = "_WebSocketClientEndpoint";
     static final String NESTED_SEPARATOR = "$_";
     static final DotName HTTP_UPGRADE_CHECK_NAME = DotName.createSimple(HttpUpgradeCheck.class);
+    private static final DotName WEBSOCKET_SECURITY_NAME = DotName.createSimple(WebSocketSecurity.class);
 
     // Parameter names consist of alphanumeric characters and underscore
     private static final Pattern PATH_PARAM_PATTERN = Pattern.compile("\\{[a-zA-Z0-9_]+\\}");
@@ -791,6 +798,32 @@ void createTelemetryProvider(BuildProducer<SyntheticBeanBuildItem> syntheticBean
         }
     }
 
+    @BuildStep
+    @Record(STATIC_INIT)
+    void supportSecurityIdentityUpdate(BeanDiscoveryFinishedBuildItem beanDiscoveryFinishedBuildItem,
+            WebSocketServerRecorder recorder, Capabilities capabilities,
+            BuildProducer<SyntheticBeanBuildItem> syntheticBeanProducer) {
+        if (capabilities.isMissing(Capability.SECURITY)) {
+            return;
+        }
+        boolean isWsSecurityInjected = beanDiscoveryFinishedBuildItem.getInjectionPoints().stream()
+                .map(InjectionPointInfo::getType)
+                .filter(Objects::nonNull)
+                .map(Type::name)
+                .anyMatch(WEBSOCKET_SECURITY_NAME::equals);
+        if (isWsSecurityInjected) {
+            syntheticBeanProducer.produce(SyntheticBeanBuildItem
+                    .configure(WEBSOCKET_SECURITY_NAME)
+                    .addInjectionPoint(ClassType.create(IdentityProviderManager.class))
+                    // Instance<IdentityProvider<?>>
+                    .addInjectionPoint(ParameterizedType.create(Instance.class,
+                            ParameterizedType.create(DotName.createSimple(IdentityProvider.class), WildcardType.UNBOUNDED)))
+                    .createWith(recorder.createWebSocketSecurity())
+                    .scope(ApplicationScoped.class)
+                    .done());
+        }
+    }
+
     private static boolean isTracesSupportEnabled(Capabilities capabilities) {
         return capabilities.isPresent(Capability.OPENTELEMETRY_TRACER);
     }