Identity providers

In the Quarkus Security framework, identity providers play a crucial role in authentication and authorization by verifying user identities. IdentityProvider creates a SecurityIdentity instance, which gets used during user authentication to verify and authorize access requests to your Quarkus application.

IdentityProvider converts the authentication credentials provided by HttpAuthenticationMechanism to a SecurityIdentity instance.

Some extensions, for example, OIDC, OAuth2, and SmallRye JWT, have inline IdentityProvider implementations specific to the supported authentication flow. For example, quarkus-oidc uses its own IdentityProvider to convert a token to a SecurityIdentity instance.

If you use Basic or form-based authentication, you must add an IdentityProvider instance to convert a username and password to a SecurityIdentity instance.

To get started with security in Quarkus, consider combining the Quarkus built-in Basic HTTP authentication with the Jakarta Persistence identity provider to enable role-based access control (RBAC).

For more information about Basic authentication, its mechanisms, and related identity providers, see the following resources: