- Feature Request
- Resolution: Unresolved
- Major
- None
- 2.6.3.Final
- None
- None
I am trying to secure the Wildfly management console using OIDC auth without Keycloak - instead using Microsoft Entra. I am using https://www.wildfly.org/guides/security-oidc-management-console as a reference.
When I request the console in a browser (http://localhost:9990/console/index.html), I get this exception in the Wildfly (35.0.1.Final) logs.
23:03:31,293 ERROR [io.undertow.request] (management task-1) UT005071: Undertow request failed HttpServerExchange{ GET /oidc/wildfly-console//index.html}: java.lang.ArrayIndexOutOfBoundsException: Index 1 out of bounds for length 1
at org.wildfly.extension.elytron-oidc-client@35.0.1.Final//org.wildfly.extension.elytron.oidc.OidcConfigService.getJSON(OidcConfigService.java:242)
at org.wildfly.extension.elytron-oidc-client@35.0.1.Final//org.wildfly.extension.elytron.oidc.OidcConfigService.getJSON(OidcConfigService.java:193)
at org.wildfly.extension.elytron-oidc-client@35.0.1.Final//org.wildfly.extension.elytron.oidc.SecureServerDefinition$1$1.getResource(SecureServerDefinition.java:170)
at io.undertow.core@2.3.18.Final//io.undertow.server.handlers.resource.DefaultResourceSupplier.getResource(DefaultResourceSupplier.java:39)
at io.undertow.core@2.3.18.Final//io.undertow.server.handlers.resource.ResourceHandler$1.handleRequest(ResourceHandler.java:205)
at io.undertow.core@2.3.18.Final//io.undertow.server.Connectors.executeRootHandler(Connectors.java:395)
at io.undertow.core@2.3.18.Final//io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:861)
at org.jboss.threads@2.4.0.Final//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
at org.jboss.threads@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1990)
at org.jboss.threads@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
at org.jboss.threads@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
at org.jboss.xnio@3.8.16.Final//org.xnio.XnioWorker$WorkerThreadFactory$1$1.run(XnioWorker.java:1282)
at java.base/java.lang.Thread.run(Thread.java:1583)
Looking at the code for line 242 (https://github.com/wildfly/wildfly/blob/eae4ae1ecc66e817f35c2e0f3e521516c8caf7fc/elytron-oidc-client/src/main/java/org/wildfly/extension/elytron/oidc/OidcConfigService.java#L242):

    String providerUrl = json.get(PROVIDER_URL).asStringOrNull();
    if (providerUrl != null) {
        // Splits the provider URL on the Keycloak "/realms/" marker
        String[] authServerUrlAndRealm = providerUrl.split(Oidc.SLASH + Oidc.KEYCLOAK_REALMS_PATH);
        json.get(AUTH_SERVER_URL).set(authServerUrlAndRealm[0]);
        // Line 242: assumes the split produced a second element (the realm)
        json.get(REALM).set(authServerUrlAndRealm[1]);
        json.remove(PROVIDER_URL);
    }
It looks like the function getJSON assumes that the OIDC provider URL is formatted as a Keycloak-style URL (i.e. contains a /realms/ segment).
This does not exist in an Entra External ID provider URL, e.g. one of the form https://<TenantId>.ciamlogin.com/<TenantId>/v2.0, so line 242 (json.get(REALM).set(authServerUrlAndRealm[1])) throws an exception because the authServerUrlAndRealm array created by providerUrl.split has only one element.
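The failure described in this report, reproduced as an added Java example that is not part of the issue or of the WildFly code base: the reported split logic is placed next to a defensive variant that only derives auth-server-url and realm when the URL really has the Keycloak shape and otherwise passes provider-url through unchanged. REALMS_SEPARATOR is assumed to equal Oidc.SLASH + Oidc.KEYCLOAK_REALMS_PATH, and the tenant id in the Entra-style URL is a placeholder.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Objects;

public class ProviderUrlSplitExample {
    // Assumption: matches Oidc.SLASH + Oidc.KEYCLOAK_REALMS_PATH in the project.
    private static final String REALMS_SEPARATOR = "/realms/";

    // Mirrors the reported logic: indexes element [1] without checking the split result.
    static Map<String, String> reportedLogic(String providerUrl) {
        String[] parts = providerUrl.split(REALMS_SEPARATOR);
        Map<String, String> out = new LinkedHashMap<>();
        out.put("auth-server-url", parts[0]);
        out.put("realm", parts[1]); // ArrayIndexOutOfBoundsException when "/realms/" is absent
        return out;
    }

    // Defensive variant: derive auth-server-url/realm only for a Keycloak-shaped URL,
    // otherwise keep provider-url so a generic OIDC provider (e.g. Entra) is still usable.
    static Map<String, String> hardenedLogic(String providerUrl) {
        Objects.requireNonNull(providerUrl, "providerUrl");
        Map<String, String> out = new LinkedHashMap<>();
        int idx = providerUrl.indexOf(REALMS_SEPARATOR);
        String realm = idx < 0 ? "" : providerUrl.substring(idx + REALMS_SEPARATOR.length());
        if (realm.endsWith("/")) {
            realm = realm.substring(0, realm.length() - 1); // tolerate a trailing slash
        }
        // A realm name must be present and must not contain further path segments.
        if (idx > 0 && !realm.isEmpty() && realm.indexOf('/') < 0) {
            out.put("auth-server-url", providerUrl.substring(0, idx));
            out.put("realm", realm);
        } else {
            out.put("provider-url", providerUrl);
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample URLs; TENANT_ID is a placeholder, not a real tenant.
        String keycloakUrl = "https://idp.example.test/realms/demo";
        String entraUrl = "https://TENANT_ID.ciamlogin.com/TENANT_ID/v2.0";
        System.out.println("keycloak -> " + hardenedLogic(keycloakUrl)); // auth-server-url + realm
        System.out.println("entra    -> " + hardenedLogic(entraUrl));    // provider-url kept as-is
        try {
            reportedLogic(entraUrl);
        } catch (ArrayIndexOutOfBoundsException e) {
            System.out.println("reported logic fails on Entra URL: " + e.getMessage());
        }
    }
}
```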