- Bug
- Resolution: Done
- Major
- 7.4.7.GA
The RH-SSO OIDC adapter makes use of the KeycloakSecurityRealm once an identity has been successfully established using OIDC. This security realm uses a KeycloakPrincipal to represent a realm identity principal.
The problem occurs when attempting to outflow a security identity from the corresponding KeycloakDomain to another Elytron security domain. In particular, Elytron's security realm implementations require a realm identity principal to be a NamePrincipal (as shown in a realm here). Because the principal that we're trying to outflow is a KeycloakPrincipal instead of a NamePrincipal, the outflow step fails since the target realm's getRealmIdentity method will just return a NON_EXISTENT identity. This causes security context propagation across deployments to fail.
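The type mismatch described above, as an added example that is not part of the original report and is not Elytron or RH-SSO adapter code. The two principal classes, the `TARGET_REALM` map and the `toNamePrincipal` helper are simplified, hypothetical stand-ins, and the converting lookup is one reading of the approach named in ELY-2468.

```java
import java.security.Principal;
import java.util.Map;

// Simplified stand-ins, not Elytron or RH-SSO adapter code. Requires Java 16+ (records).
public class OutflowPrincipalDemo {
    record NamePrincipal(String name) implements Principal {
        public String getName() { return name; }
    }
    // A different Principal type that carries the same user name.
    record KeycloakPrincipal(String name) implements Principal {
        public String getName() { return name; }
    }

    static final String NON_EXISTENT = "NON_EXISTENT";
    // Constructed identity store standing in for the target domain's realm.
    static final Map<String, String> TARGET_REALM = Map.of("alice", "identity:alice");

    // Behaviour described in the report: anything that is not a
    // NamePrincipal is rejected before the name is ever looked up.
    static String getRealmIdentityStrict(Principal p) {
        if (!(p instanceof NamePrincipal)) return NON_EXISTENT;
        return TARGET_REALM.getOrDefault(p.getName(), NON_EXISTENT);
    }

    // Hypothetical helper: try to convert any Principal to a NamePrincipal
    // by name; null means no usable name was available.
    static NamePrincipal toNamePrincipal(Principal p) {
        if (p instanceof NamePrincipal) return (NamePrincipal) p;
        String name = (p == null) ? null : p.getName();
        return (name == null || name.isEmpty()) ? null : new NamePrincipal(name);
    }

    // Lookup that attempts the conversion before consulting the realm.
    static String getRealmIdentityConverting(Principal p) {
        NamePrincipal np = toNamePrincipal(p);
        return (np == null) ? NON_EXISTENT
                            : TARGET_REALM.getOrDefault(np.getName(), NON_EXISTENT);
    }

    public static void main(String[] args) {
        Principal outflowed = new KeycloakPrincipal("alice"); // constructed sample identity
        System.out.println("strict:     " + getRealmIdentityStrict(outflowed));
        System.out.println("converting: " + getRealmIdentityConverting(outflowed));
        System.out.println("unknown:    " + getRealmIdentityConverting(new KeycloakPrincipal("nobody")));
    }
}
```

The conversion changes only the principal's type: a name the target realm does not hold still resolves to `NON_EXISTENT`.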
Environment: JBoss EAP 7.4.x
- is incorporated by: JBEAP-24081 (7.4.z) Upgrade Elytron from 1.15.14.Final-redhat-00001 to 1.15.15.Final-redhat-00001 (Closed)
- relates to: ELY-2468 Update getRealmIdentity so that it attempts to convert the given Principal to NamePrincipal if necessary (Resolved)