DRAFT: [jaxrs-spec][quarkus] Emit @Authenticated for HTTP Basic, Bearer, api-key and OAuth2 or OpenID with empty scopes array

[Ignacio-Vidal]

[[ Dependent on #23699 to hide the annotation generation behind the cli flag ]]

This is part of #23691 to improve the support for Authentication and Authorisation in the jaxrx-spec/quarkus server generator.

It emits @io.quarkus.security.Authenticated on JAX-RS interface methods and implementation stubs when an operation security has either:

• Http: basic or bearer authentication

security:
  - http_admin: []

• ApiKey authentication

security:
  - api_admin: []

• OAuth2 or OpenIdConnect with empty scopes, e.g.:

security:
  - oauth2_admin: []

• An OR list where at least one alternative of OAuth2 or OpenIdConnect has empty scopes, e.g:

security:
  - oauth2_read: [read:items]
  - oauth2_admin: []

PR checklist

• Read the contribution guidelines.
• Pull Request title clearly describes the work in the pull request and Pull Request description provides details about how to validate the work. Missing information here may result in delayed response from the community.
• Run the following to build the project and update samples:

  ./mvnw clean package || exit
  ./bin/generate-samples.sh ./bin/configs/*.yaml || exit
  ./bin/utils/export_docs_generators.sh || exit
  

  (For Windows users, please run the script in WSL)
  Commit all changed files.
  This is important, as CI jobs will verify all generator outputs of your HEAD commit as it would merge with master.
  These must match the expectations made by your contribution.
  You may regenerate an individual generator by passing the relevant config(s) as an argument to the script, for example ./bin/generate-samples.sh bin/configs/java*.
  IMPORTANT: Do NOT purge/delete any folders/files (e.g. tests) when regenerating the samples as manually written tests may be removed.
• File the PR against the correct branch: master (upcoming 7.x.0 minor release - breaking changes with fallbacks), 8.0.x (breaking changes without fallbacks)
• If your PR solves a reported issue, reference it using GitHub's linking syntax (e.g., having "fixes #123" present in the PR description)
• If your PR is targeting a particular programming language, @mention the technical committee members, so they are more likely to review the pull request.

---

Summary by cubic

Emit @io.quarkus.security.Authenticated on Quarkus JAX-RS endpoints that require auth without scopes, so generated APIs enforce authentication but not role scopes. Covers OAuth2/OpenID with empty scopes, basic, bearer, and apiKey, with correct handling of multi-flow and OR cases and no duplicate annotations.

• New Features
  • Set x-quarkus-authenticated in JavaJAXRSSpecServerCodegen (Quarkus only) and render @io.quarkus.security.Authenticated in apiInterface.mustache and apiMethod.mustache.
  • Add parameterized tests for OAuth2/OpenID (scoped vs unscoped, multi-flow, OR), basic, bearer, and apiKey; new fixtures include quarkus-oauth2-*, quarkus-openidconnect-*, quarkus-http-*, and quarkus-api-key.yaml. Regenerated Quarkus samples to include the annotation where applicable.

^{Written for commit 5daad84. Summary will update on new commits.}