The English version of is the official project site. Translated sites are community supported on a best-effort basis.

Authentication mechanisms in Quarkus

The Quarkus Security framework supports multiple authentication mechanisms, which you can use to secure your applications. You can also combine authentication mechanisms.

Before you choose an authentication mechanism for securing your Quarkus applications, review the information provided.

Overview of supported authentication mechanisms

Some supported authentication mechanisms are built into Quarkus, while others require you to add an extension. All of these mechanisms are detailed in the following sections:

The following table maps specific authentication requirements to a supported mechanism that you can use in Quarkus:

Table 1. Authentication requirements and mechanisms
Authentication requirement Authentication mechanism

Username and password

Basic, Form-based authentication

Bearer access token

OIDC Bearer token authentication, JWT, OAuth2

Single sign-on (SSO)

OIDC Code Flow, Form-based authentication

Client certificate

Mutual TLS authentication



Kerberos ticket


For more information, see the following Token authentication mechanism comparison table.

Built-in authentication mechanisms

Quarkus Security provides the following built-in authentication support:

Basic authentication

You can secure your Quarkus application endpoints with the built-in HTTP Basic authentication mechanism. For more information, see the following documentation:

Form-based authentication

Quarkus provides form-based authentication that works similarly to traditional Servlet form-based auth. Unlike traditional form authentication, the authenticated user is not stored in an HTTP session because Quarkus does not support clustered HTTP sessions. Instead, the authentication information is stored in an encrypted cookie, which can be read by all cluster members who share the same encryption key.

To apply encryption, add the quarkus.http.auth.session.encryption-key property, and ensure the value you set is at least 16 characters long. The encryption key is hashed by using SHA-256. The resulting digest is used as a key for AES-256 encryption of the cookie value. The cookie contains an expiry time as part of the encrypted value, so all nodes in the cluster must have their clocks synchronized. At one-minute intervals, a new cookie gets generated with an updated expiry time if the session is in use.

With single-page applications (SPA), you typically want to avoid redirects by removing default page paths, as shown in the following example:

# do not redirect, respond with HTTP 200 OK

# do not redirect, respond with HTTP 401 Unauthorized

# HttpOnly must be false if you want to logout on the client, it can be true if logging out on from the server

Now that you have disabled redirects for the SPA, you must login and logout programmatically from your client. Below are example JavaScript methods for logging into the j_security_check endpoint and logging out of the application by destroying the cookie.

const login = () => {
    // Create an object to represent the form data
    const formData = new URLSearchParams();
    formData.append("j_username", username);
    formData.append("j_password", password);

    // Make an HTTP POST request using fetch against j_security_check endpoint
    fetch("j_security_check", {
        method: "POST",
        body: formData,
        headers: {
            "Content-Type": "application/x-www-form-urlencoded",
    .then((response) => {
        if (response.status === 200) {
            // Authentication was successful
            console.log("Authentication successful");
        } else {
            // Authentication failed
            console.error("Invalid credentials");
    .catch((error) => {

To logout of the SPA from the client the cookie must be set to quarkus.http.auth.form.http-only-cookie=false so you can destroy the cookie and possibly redirect back to your main page.

const logout= () => {
    // delete the credential cookie essentially killing the session
    const removeCookie = `quarkus-credential=; Max-Age=0;path=/`;
    document.cookie = removeCookie;

    // perform post logout actions here such as redirecting back to your login page

To logout of the SPA from the server the cookie can be set to quarkus.http.auth.form.http-only-cookie=true and use this example code to destroy the cookie.

@ConfigProperty(name = "quarkus.http.auth.form.cookie-name")
String cookieName;

CurrentIdentityAssociation identity;

public Response logout() {
    if (identity.getIdentity().isAnonymous()) {
        throw new UnauthorizedException("Not authenticated");
    final NewCookie removeCookie = new NewCookie.Builder(cookieName)
    return Response.noContent().cookie(removeCookie).build();

The following properties can be used to configure form-based authentication:

Configuration property fixed at build time - All other configuration properties are overridable at runtime

Configuration property



If form authentication is enabled.


Show more



The post location.


Show more



Mutual TLS authentication

Quarkus provides mutual TLS (mTLS) authentication so that you can authenticate users based on their X.509 certificates.

To use this authentication method, you must first enable SSL/TLS for your application. For more information, see the Supporting secure connections with SSL section of the Quarkus "HTTP reference" guide.

After your application accepts secure connections, the next step is to configure the property with the name of that file that holds all the certificates your application trusts. The specified file also includes information about how your application asks for certificates when a client, such as a browser or other service, tries to access one of its protected resources.

quarkus.http.ssl.certificate.key-store-file=server-keystore.jks            (1)
quarkus.http.ssl.certificate.key-store-password=the_key_store_secret        (2)
quarkus.http.ssl.client-auth=required                                      (3)
quarkus.http.auth.permission.default.paths=/*                              (4)
1 The keystore where the server’s private key is located.
2 The truststore from which the trusted certificates are loaded.
3 With this value set to required, the server requires certificates from clients. To relax this requirement so that the server accepts requests without a certificate, set the value to REQUEST. This option is useful when you are also supporting authentication methods other than mTLS.
4 Defines a policy where only authenticated users should have access to resources from your application.

When the incoming request matches a valid certificate in the truststore, your application can obtain the subject by injecting a SecurityIdentity as follows:

Obtaining the subject
SecurityIdentity identity;

public String hello() {
    return String.format("Hello, %s", identity.getPrincipal().getName());

You can also get the certificate by using the code outlined in the following example:

Obtaining the certificate

CertificateCredential credential = identity.getCredential(CertificateCredential.class);
X509Certificate certificate = credential.getCertificate();


The information from the client certificate can be used to enhance Quarkus SecurityIdentity. For example, you can add new roles after checking a client certificate subject name, and so on. For more information about customizing SecurityIdentity, see the Security identity customization section in the Quarkus "Security tips and tricks" guide.

Other supported authentication mechanisms

Quarkus Security also supports the following authentication mechanisms through extensions:

WebAuthn authentication

WebAuthn is an authentication mechanism that replaces passwords. When you write a service for registering new users, or logging them in, instead of asking for a password, you can use WebAuthn, which replaces the password. For more information, see the Secure a Quarkus application by using the WebAuthn authentication mechanism guide.

OpenID Connect authentication

OpenID Connect (OIDC) is an identity layer that works on top of the OAuth 2.0 protocol. OIDC enables client applications to verify the identity of a user based on the authentication performed by the OIDC provider and retrieve basic information about that user.

The Quarkus quarkus-oidc extension provides a reactive, interoperable, multitenant-enabled OIDC adapter that supports Bearer token and Authorization Code Flow authentication mechanisms. The Bearer token authentication mechanism extracts the token from the HTTP Authorization header. The Authorization Code Flow mechanism redirects the user to an OIDC provider to authenticate the user’s identity. After the user is redirected back to Quarkus, the mechanism completes the authentication process by exchanging the provided code that was granted for the ID, access, and refresh tokens.

You can verify ID and access JSON Web Token (JWT) tokens by using the refreshable JSON Web Key (JWK) set or introspect them remotely. However, opaque, also known as binary tokens, can only be introspected remotely.

Using the Quarkus OIDC extension, both the Bearer token and Authorization Code Flow authentication mechanisms use SmallRye JWT authentication to represent JWT tokens as MicroProfile JWT org.eclipse.microprofile.jwt.JsonWebToken.

Additional Quarkus resources for OIDC authentication

For more information about OIDC authentication and authorization methods that you can use to secure your Quarkus applications, see the following resources:

OIDC topic Quarkus information resource

Bearer token authentication mechanism

OIDC Bearer token authentication

Authorization Code Flow authentication mechanism

OpenID Connect (OIDC) Authorization Code Flow mechanism

OIDC and SAML Identity broker

OpenID Connect (OIDC) Authorization Code Flow and SAML Identity broker

Multiple tenants that can support the Bearer token authentication or Authorization Code Flow mechanisms

Using OpenID Connect (OIDC) multi-tenancy

Securing Quarkus with commonly-used OpenID Connect providers

Configuring well-known OpenID Connect providers

Using Keycloak to centralize authorization

Using OpenID Connect (OIDC) and Keycloak to centralize authorization

Configuring Keycloak programmatically

Using the Keycloak admin client

To enable the Quarkus OIDC extension at runtime, set quarkus.oidc.tenant-enabled=false at build time. Then re-enable it at runtime by using a system property.

For more information about managing the individual tenant configurations in multitenant OIDC deployments, see the Disabling tenant configurations section in the "Using OpenID Connect (OIDC) multi-tenancy" guide.

OpenID Connect client and filters

The quarkus-oidc-client extension provides OidcClient for acquiring and refreshing access tokens from OpenID Connect and OAuth2 providers that support the following token grants:

  • client-credentials

  • password

  • refresh_token

The quarkus-oidc-client-filter extension requires the quarkus-oidc-client extension. It provides JAX-RS RESTful Web Services OidcClientRequestFilter, which sets the access token acquired by OidcClient as the Bearer scheme value of the HTTP Authorization header. This filter can be registered with MicroProfile REST client implementations injected into the current Quarkus endpoint, but it is not related to the authentication requirements of this service endpoint. For example, it can be a public endpoint or be protected with mTLS.

In this scenario, you do not need to protect your Quarkus endpoint by using the Quarkus OpenID Connect adapter.

The quarkus-oidc-token-propagation extension requires the quarkus-oidc extension. It provides Jakarta REST TokenCredentialRequestFilter, which sets the OpenID Connect Bearer token or Authorization Code Flow access token as the Bearer scheme value of the HTTP Authorization header. This filter can be registered with MicroProfile REST client implementations injected into the current Quarkus endpoint, which must be protected by using the Quarkus OIDC adapter. This filter can propagate the access token to the downstream services.

SmallRye JWT authentication

The quarkus-smallrye-jwt extension provides a MicroProfile JSON Web Token (JWT) 2.1 implementation and multiple options to verify signed and encrypted JWT tokens. It represents them as org.eclipse.microprofile.jwt.JsonWebToken.

quarkus-smallrye-jwt is an alternative to the quarkus-oidc Bearer token authentication mechanism and verifies only JWT tokens by using either Privacy Enhanced Mail (PEM) keys or the refreshable JWK key set. quarkus-smallrye-jwt also provides the JWT generation API, which you can use to easily create signed, inner-signed, and encrypted JWT tokens.

For more information, see the Using JWT RBAC guide.

OAuth2 authentication

quarkus-elytron-security-oauth2 provides an alternative to the Quarkus quarkus-oidc Bearer token authentication mechanism extension. quarkus-elytron-security-oauth2 is based on Elytron and is primarily intended for introspecting opaque tokens remotely. For more information, see the Quarkus Using OAuth2 guide.

Choosing between OpenID Connect, SmallRye JWT, and OAuth2 authentication mechanisms

Use the following information to select the appropriate token authentication mechanism to secure your Quarkus applications.

List of authentication mechanism use-cases
  • quarkus-oidc requires an OpenID Connect provider such as Keycloak, which can verify the bearer tokens or authenticate the end users with the Authorization Code flow. In both cases, quarkus-oidc requires a connection to the specified OpenID Connect provider.

  • If the user authentication requires Authorization Code flow, or you need to support multiple tenants, use quarkus-oidc. quarkus-oidc can also request user information by using both Authorization Code Flow and Bearer access tokens.

  • If your bearer tokens must be verified, use quarkus-oidc, quarkus-smallrye-jwt, or quarkus-elytron-security-oauth2.

  • If your bearer tokens are in a JSON web token (JWT) format, you can use any extensions in the preceding list. Both quarkus-oidc and quarkus-smallrye-jwt support refreshing the JsonWebKey (JWK) set when the OpenID Connect provider rotates the keys. Therefore, if remote token introspection must be avoided or is unsupported by the providers, use quarkus-oidc or quarkus-smallrye-jwt for verifying JWT tokens.

  • To introspect the JWT tokens remotely, you can use either quarkus-oidc or quarkus-elytron-security-oauth2 because they support verifying the opaque or binary tokens by using remote introspection. quarkus-smallrye-jwt does not support the remote introspection of both opaque or JWT tokens but instead relies on the locally available keys that are usually retrieved from the OpenID Connect provider.

  • quarkus-oidc and quarkus-smallrye-jwt support the JWT and opaque token injection into the endpoint code. Injected JWT tokens provide more information about the user. All extensions can have the tokens injected as Principal.

  • quarkus-smallrye-jwt supports more key formats than quarkus-oidc. quarkus-oidc uses only the JWK-formatted keys that are part of a JWK set, whereas quarkus-smallrye-jwt supports PEM keys.

  • quarkus-smallrye-jwt handles locally signed, inner-signed-and-encrypted, and encrypted tokens. In contrast, although quarkus-oidc and quarkus-elytron-security-oauth2 can also verify such tokens, they treat them as opaque tokens and verify them through remote introspection.

  • If you need a lightweight library for the remote introspection of opaque or JWT tokens, use quarkus-elytron-security-oauth2.

Architectural considerations drive your decision to use opaque or JSON web token (JWT) token format. Opaque tokens tend to be much shorter than JWT tokens but need most of the token-associated state to be maintained in the provider database. Opaque tokens are effectively database pointers.

JWT tokens are significantly longer than opaque tokens. Nonetheless, the providers effectively delegate most of the token-associated state to the client by storing it as the token claims and either signing or encrypting them.

Table 2. Token authentication mechanism comparison
Feature required Authentication mechanism




Bearer JWT verification

Local verification or introspection

Local verification


Bearer opaque token verification




Refreshing JsonWebKey set for verifying JWT tokens




Represent token as Principal




Inject JWT as MP JWT




Authorization code flow








User information support




PEM key format support




SecretKey support


In JSON Web Key (JWK) format


Inner-signed and encrypted or encrypted tokens


Local verification


Custom token verification


With injected JWT parser


JWT as a cookie support




Combining authentication mechanisms

If different sources provide the user credentials, you can combine authentication mechanisms. For example, you can combine the built-in Basic and the Quarkus quarkus-oidc Bearer token authentication mechanisms.

You cannot combine the Quarkus quarkus-oidc Bearer token and smallrye-jwt authentication mechanisms because both mechanisms attempt to verify the token extracted from the HTTP Bearer token authentication scheme.

Path-specific authentication mechanisms

The following configuration example demonstrates how you can enforce a single selectable authentication mechanism for a given request path:




Ensure that the value of the auth-mechanism property matches the authentication scheme supported by HttpAuthenticationMechanism, for example, basic, bearer, or form.

Proactive authentication

Proactive authentication is enabled in Quarkus by default. This means that if an incoming request has a credential, the request will always be authenticated, even if the target page does not require authentication. For more information, see the Quarkus Proactive authentication guide.

Related content