
DRAFT: [jaxrs-spec][quarkus] Emit @Authenticated for HTTP Basic, Bearer, api-key and OAuth2 or OpenID with empty scopes #23680

Draft
Ignacio-Vidal wants to merge 5 commits into OpenAPITools:master from Ignacio-Vidal:quarkus-authentication

Conversation

Contributor

@Ignacio-Vidal Ignacio-Vidal commented May 3, 2026

This is part of #23691 to improve the support for Authentication and Authorisation in the jaxrs-spec/quarkus server generator.

It emits @io.quarkus.security.Authenticated on JAX-RS interface methods and implementation stubs when an operation's security requirement is one of the following:

  • HTTP basic or bearer authentication:
    security:
      - http_admin: []
  • ApiKey authentication:
    security:
      - api_admin: []
  • OAuth2 or OpenIdConnect with empty scopes, e.g.:
    security:
      - oauth2_admin: []
  • An OR list where at least one alternative of OAuth2 or OpenIdConnect has empty scopes, e.g.:
    security:
      - oauth2_read: [read:items]
      - oauth2_admin: []

PR checklist

  • Read the contribution guidelines.
  • Pull Request title clearly describes the work in the pull request and Pull Request description provides details about how to validate the work. Missing information here may result in delayed response from the community.
  • Run the following to build the project and update samples:
    ./mvnw clean package || exit
    ./bin/generate-samples.sh ./bin/configs/*.yaml || exit
    ./bin/utils/export_docs_generators.sh || exit
    
    (For Windows users, please run the script in WSL)
    Commit all changed files.
    This is important, as CI jobs will verify all generator outputs of your HEAD commit as it would merge with master.
    These must match the expectations made by your contribution.
    You may regenerate an individual generator by passing the relevant config(s) as an argument to the script, for example ./bin/generate-samples.sh bin/configs/java*.
    IMPORTANT: Do NOT purge/delete any folders/files (e.g. tests) when regenerating the samples as manually written tests may be removed.
  • File the PR against the correct branch: master (upcoming 7.x.0 minor release - breaking changes with fallbacks), 8.0.x (breaking changes without fallbacks)
  • If your PR solves a reported issue, reference it using GitHub's linking syntax (e.g., having "fixes #123" present in the PR description)
  • If your PR is targeting a particular programming language, @mention the technical committee members, so they are more likely to review the pull request.

Summary by cubic

Emit @io.quarkus.security.Authenticated on Quarkus JAX-RS endpoints that require authentication without scopes, so generated APIs enforce auth but not role scopes. Supports OAuth2/OpenID with empty scopes, basic, bearer, and apiKey, handles multi-flow and mixed OR lists, and respects global security with per-operation overrides; gated by useQuarkusSecurityAnnotations.

  • New Features
    • Quarkus-only: set x-quarkus-authenticated in JavaJAXRSSpecServerCodegen (via shouldAddAuthenticatedAnnotation) and render in apiInterface.mustache and apiMethod.mustache.
    • Expanded tests and YAML fixtures: OAuth2/OpenID (scoped vs unscoped, multi-flow), HTTP Basic/Bearer, apiKey, mixed-type OR, and global security with security: [] overrides; covers interface-only and implementation stubs and ensures a single annotation per method.

Written for commit 0e19ebe.
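The decision rules from the description above, modelled as an added Python example (this is not the generator's Java `shouldAddAuthenticatedAnnotation`, and `SAMPLE_SPEC` is a constructed fixture, not one of the PR's YAML files). It goes one step beyond the PR text by treating an anonymous `{}` alternative in the OR list as disabling the annotation, since that alternative lets unauthenticated callers through.

```python
AUTH_ONLY_HTTP = {"basic", "bearer"}


def alternative_is_auth_only(requirement, schemes):
    """One security requirement object (all listed schemes must be satisfied).
    True when none of its schemes needs a scope/role check."""
    if not requirement:
        return False  # `{}` allows anonymous access, not an authenticated alternative
    for name, scopes in requirement.items():
        scheme = schemes.get(name)
        if scheme is None:
            raise KeyError(f"unknown security scheme: {name}")
        kind = scheme.get("type")
        if kind == "http":
            if scheme.get("scheme", "").lower() not in AUTH_ONLY_HTTP:
                return False  # digest or custom HTTP schemes are out of scope
        elif kind == "apiKey":
            continue  # an API key proves identity only; no roles involved
        elif kind in ("oauth2", "openIdConnect"):
            if scopes:
                return False  # explicit scopes need a role/scope check instead
        else:
            return False
    return True


def should_add_authenticated(operation, spec):
    """True when the generated method should carry @io.quarkus.security.Authenticated.
    The operation's own `security` replaces the global list and `security: []`
    disables auth. The list is an OR of alternatives, so the least restrictive one
    decides: one auth-only alternative suffices, while an anonymous `{}` alternative
    (handled here as an assumption beyond the PR text) means no annotation at all."""
    schemes = spec.get("components", {}).get("securitySchemes", {})
    security = operation.get("security", spec.get("security"))
    if not security or any(not alt for alt in security):
        return False
    return any(alternative_is_auth_only(alt, schemes) for alt in security)


SAMPLE_SPEC = {  # constructed fixture, not one of the PR's YAML test files
    "security": [{"http_admin": []}],  # global default: HTTP basic
    "components": {"securitySchemes": {
        "http_admin": {"type": "http", "scheme": "basic"},
        "api_admin": {"type": "apiKey", "in": "header", "name": "X-API-Key"},
        "oauth2_read": {"type": "oauth2", "flows": {}},
        "oauth2_admin": {"type": "oauth2", "flows": {}},
    }},
}
```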

@Ignacio-Vidal Ignacio-Vidal changed the title DRAFT: [jaxrs-spec][quarkus] Emit @Authenticated for OAuth2 security schemes without scopes DRAFT: [jaxrs-spec][quarkus] Emit @Authenticated for OAuth2 security schemes with empty scopes array May 4, 2026
@Ignacio-Vidal Ignacio-Vidal force-pushed the quarkus-authentication branch 3 times, most recently from 7479247 to 5daad84 on May 5, 2026 21:31
@Ignacio-Vidal Ignacio-Vidal changed the title DRAFT: [jaxrs-spec][quarkus] Emit @Authenticated for OAuth2 security schemes with empty scopes array DRAFT: [jaxrs-spec][quarkus] Emit @Authenticated for HTTP Basic, Bearer, api-key and OAuth2 or OpenID with empty scopes array May 5, 2026
@Ignacio-Vidal Ignacio-Vidal force-pushed the quarkus-authentication branch from 5daad84 to 9b2aa6e on May 6, 2026 22:12
@Ignacio-Vidal Ignacio-Vidal changed the title DRAFT: [jaxrs-spec][quarkus] Emit @Authenticated for HTTP Basic, Bearer, api-key and OAuth2 or OpenID with empty scopes array DRAFT: [jaxrs-spec][quarkus] Emit @Authenticated for HTTP Basic, Bearer, api-key and OAuth2 or OpenID with empty scopes May 6, 2026
@Ignacio-Vidal Ignacio-Vidal marked this pull request as ready for review May 7, 2026 07:07
@Ignacio-Vidal Ignacio-Vidal marked this pull request as draft May 7, 2026 07:08
Contributor

@cubic-dev-ai cubic-dev-ai Bot left a comment


1 issue found across 17 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="quarkus-security-github-issue.md">

<violation number="1" location="quarkus-security-github-issue.md:59">
P1: OpenAPI scope requirements are conjunctive, but this mapping uses `@RolesAllowed` OR semantics and can under-enforce multi-scope authorization.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.


P1: OpenAPI scope requirements are conjunctive, but this mapping uses @RolesAllowed OR semantics and can under-enforce multi-scope authorization.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At quarkus-security-github-issue.md, line 59:

<comment>OpenAPI scope requirements are conjunctive, but this mapping uses `@RolesAllowed` OR semantics and can under-enforce multi-scope authorization.</comment>

<file context>
@@ -0,0 +1,209 @@
+| `apiKey` | `@Authenticated` | An API key validates identity only. No role check is applicable. |
+| `oauth2` with empty scopes (`[]`) | `@Authenticated` | An empty scope list means "any authenticated user" — no specific authorization is required beyond a valid token. |
+| `openIdConnect` with empty scopes (`[]`) | `@Authenticated` | Same reasoning as OAuth2 with empty scopes. |
+| `oauth2` with explicit scopes | `@RolesAllowed({"scope1", "scope2"})` | In Quarkus, OAuth2/OIDC token scopes are mapped to `SecurityIdentity` roles. `@RolesAllowed` receives the scopes as role names. |
+| `openIdConnect` with explicit scopes | `@RolesAllowed({"scope1"})` | Same as OAuth2 with scopes. |
+| OR list with at least one empty-scope scheme | `@Authenticated` | The least restrictive alternative dominates: if any scheme allows any authenticated user, the effective gate is authentication only. |
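Review bot: The `@RolesAllowed({"scope1", "scope2"})` row (the `oauth2` with explicit scopes line, and the `openIdConnect` row under it) turns a conjunctive requirement into a disjunctive check: `@RolesAllowed` admits an identity holding any one of the listed roles, whereas the scopes inside a single OpenAPI security requirement object must all be present, so a token carrying only `scope1` would pass an endpoint the spec gates on both. State in the table that the mapping is exact only for single-scope requirements, and for multi-scope requirements either emit a check that demands every listed value (Quarkus's `@PermissionsAllowed` with `inclusive = true` does this) or fail generation with a warning rather than silently under-enforcing. The same row also asserts that token scopes become `SecurityIdentity` roles; that depends on how the OIDC role source is configured, so name the configuration that makes it hold next to the table. The OR-list row is consistent with OpenAPI semantics (the requirement list is a disjunction), but it should also cover an empty `{}` alternative, which permits anonymous access and therefore rules out `@Authenticated` altogether.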
</file context>
