Sync documentation of main branch

Author: actions-user

_generated-doc/main/infra/quarkus-all-build-items.adoc

@@ -8843,6 +8843,10 @@ _No Javadoc found_
 
 If this interceptor is always accompanied by `io.quarkus.security.spi.runtime.SecurityCheck` . For example, we know that endpoint annotated with `HttpAuthenticationMechanism` is always secured.
 
+`java.util.function.Function<AnnotationInstance,String> bindingValueExtractor` 
+
+_No Javadoc found_
+
 
 
 

_versions/main/guides/getting-started-testing.adoc

@@ -457,9 +457,6 @@ org.acme.getting.started.testing.MyQuarkusTestBeforeEachCallback
 
 TIP: It is possible to read annotations from the test class or method to control what the callback shall be doing.
 
-WARNING: While it is possible to use JUnit Jupiter callback interfaces like `BeforeEachCallback`, you might run into classloading issues because Quarkus has
-         to run tests in a custom classloader which JUnit is not aware of.
-
 [[testing_different_profiles]]
 == Testing Different Profiles
 
@@ -705,6 +702,11 @@ match the value of `quarkus.test.profile.tags`.
 * `quarkus.test.profile.tags=test2,test3`: In this case only `MultipleTagsTest` will be run because `MultipleTagsTest` is the only `QuarkusTestProfile` implementation whose `tags` method
 matches the value of `quarkus.test.profile.tags`.
 
+== Nested Tests
+
+JUnit 5 https://junit.org/junit5/docs/current/user-guide/#writing-tests-nested[@Nested tests] are useful for structuring more complex test scenarios.
+However, note that it is not possible to assign different test profiles or resources to nested tests within the same parent class.
+
 == Mock Support
 
 Quarkus supports the use of mock objects using two different approaches. You can either use CDI alternatives to

_versions/main/guides/security-oidc-bearer-token-authentication.adoc

@@ -1604,6 +1604,113 @@ public class OidcStartup {
 For more complex setup involving multiple tenants please see the xref:security-openid-connect-multitenancy.adoc#programmatic-startup[Programmatic OIDC start-up for multitenant application]
 section of the OpenID Connect Multi-Tenancy guide.
 
+== Step Up Authentication
+
+The `io.quarkus.oidc.AuthenticationContext` annotation can be used to list one or more Authentication Context Class Reference (ACR) values to enforce a required authentication level for the Jakarta REST resource classes and methods.
+The https://datatracker.ietf.org/doc/rfc9470/[OAuth 2.0 Step Up Authentication Challenge Protocol] introduces a mechanism for resource servers to request stronger authentication methods when the token does not have expected Authentication Context Class Reference (ACR) values.
+Consider the following example:
+
+[source,java]
+----
+package io.quarkus.it.oidc;
+
+import io.quarkus.oidc.AuthenticationContext;
+import io.quarkus.oidc.BearerTokenAuthentication;
+import jakarta.ws.rs.GET;
+import jakarta.ws.rs.Path;
+
+@BearerTokenAuthentication
+@Path("/")
+public class GreetingsResource {
+
+    @Path("hello")
+    @AuthenticationContext("myACR") <1>
+    @GET
+    public String hello() {
+        return "hello";
+    }
+
+    @Path("hi")
+    @AuthenticationContext(value = "myACR", maxAge = "PT120m") <2>
+    @GET
+    public String hi() {
+        return "hi";
+    }
+}
+----
+<1> Bearer access token must have an `acr` claim with the `myACR` ACR value.
+<2> Bearer access token must have an `acr` claim with the `myACR` ACR value and be in use for no longer than 120 minutes since the authentication time.
+
+[source,properties]
+----
+quarkus.http.auth.proactive=false <1>
+----
+<1> Disable proactive authentication so that the `@AuthenticationContext` annotation can be matched with the endpoint before Quarkus authenticates incoming requests.
+
+If the bearer access token claim `acr` does not contain `myACR`, Quarkus returns an authentication requirements challenge indicating required `acr_values`:
+
+----
+HTTP/1.1 401 Unauthorized
+WWW-Authenticate: Bearer error="insufficient_user_authentication",
+ error_description="A different authentication level is required",
+ acr_values="myACR"
+----
+
+When a client such as Single-page application (SPA) receives a challenge with the `insufficient_user_authentication` error code, it must parse `acr_values`, request a new user login which must meet the `acr_values` constraints, and use a new access token to access Quarkus.
+
+[NOTE]
+====
+The `io.quarkus.oidc.AuthenticationContext` annotation can also be used to enforce required authentication level for a WebSockets Next server endpoint.
+The annotation must be placed on the endpoint class, because the `SecurityIdentity` is created before the HTTP connection is upgraded to a WebSocket connection.
+For more information about the HTTP upgrade security, see the xref:websockets-next-reference.adoc#secure-http-upgrade[Secure HTTP upgrade] section of the Quarkus "WebSockets Next reference" guide.
+====
+
+It is also possible to enforce the required authentication level for an OIDC tenant:
+
+[source,properties]
+----
+quarkus.oidc.hr.token.required-claims.acr=myACR
+----
+
+Or, if you need more flexibility, write a <<jose4j-validator>>:
+
+[source,java]
+----
+package io.quarkus.it.oidc;
+
+import java.util.Map;
+
+import jakarta.enterprise.context.ApplicationScoped;
+
+import org.jose4j.jwt.MalformedClaimException;
+import org.jose4j.jwt.consumer.JwtContext;
+import org.jose4j.jwt.consumer.Validator;
+
+import io.quarkus.arc.Unremovable;
+import io.quarkus.oidc.TenantFeature;
+import io.quarkus.oidc.common.runtime.OidcConstants;
+import io.quarkus.security.AuthenticationFailedException;
+
+@Unremovable
+@ApplicationScoped
+@TenantFeature("hr")
+public class AcrValueValidator implements Validator {
+
+    @Override
+    public String validate(JwtContext jwtContext) throws MalformedClaimException {
+        var jwtClaims = jwtContext.getJwtClaims();
+        if (jwtClaims.hasClaim("acr")) {
+            var acrClaim = jwtClaims.getStringListClaimValue("acr");
+            if (acrClaim.contains("myACR") && acrClaim.contains("yourACR")) {
+                return null;
+            }
+        }
+        String requiredAcrValues = "myACR,yourACR";
+        throw new AuthenticationFailedException(Map.of(OidcConstants.ACR_VALUES, requiredAcrValues));
+    }
+}
+----
+
 == References
 
 * xref:security-oidc-configuration-properties-reference.adoc[OIDC configuration properties]

_versions/main/guides/smallrye-fault-tolerance.adoc

@@ -576,7 +576,7 @@ implementation("io.quarkus:quarkus-smallrye-fault-tolerance")
 == Additional resources
 
 SmallRye Fault Tolerance has more features than shown here.
-Please check the link:https://smallrye.io/docs/smallrye-fault-tolerance/6.9.0/index.html[SmallRye Fault Tolerance documentation] to learn about them.
+Please check the link:https://smallrye.io/docs/smallrye-fault-tolerance/6.9.1/index.html[SmallRye Fault Tolerance documentation] to learn about them.
 
 In Quarkus, you can use the SmallRye Fault Tolerance optional features out of the box.
 
@@ -608,7 +608,7 @@ quarkus.fault-tolerance.mp-compatibility=true
 ----
 ====
 
-The link:https://smallrye.io/docs/smallrye-fault-tolerance/6.9.0/reference/programmatic-api.html[programmatic API] is present and integrated with the declarative, annotation-based API.
+The link:https://smallrye.io/docs/smallrye-fault-tolerance/6.9.1/reference/programmatic-api.html[programmatic API] is present and integrated with the declarative, annotation-based API.
 You can use the `Guard`, `TypedGuard` and `@ApplyGuard` APIs out of the box.
 
 Support for Kotlin is present (assuming you use the Quarkus extension for Kotlin), so you can guard your `suspend` functions with fault tolerance annotations.