Bug
Resolution: Unresolved
Critical
8.0.0.GA, 8.1.0.GA, 8.2.0.GA
In our documentation https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/8.1/html-single/using_jboss_eap_on_openshift_container_platform/index#ref_environment-variable-based-configuration_assembly_using-openid-connect-to-secure-jboss-eap-applications-on-openshift, we mention "Dynamic client registration" when describing a couple of S2I env variables:
| OIDC_USER_NAME | OIDC_USER_PASSWORD |
|---|---|
| Dynamic client registration requires the username to receive a token. | Dynamic client registration requires the user password to receive a token. |
But information on how to configure "automatic registration of the OIDC client" is missing.
We suggest adding the following:
OIDC Client Automatic Registration
JBoss EAP can automatically register the OIDC client into Red Hat build of Keycloak by leveraging a capability of the "elytron-oidc-client" layer called "Automatic Registration of the OIDC Client" (or "Dynamic Registration of the OIDC Client"; the former is actually more descriptive).
Here is how this feature works and is configured:
- Prerequisite: a user is configured in Red Hat build of Keycloak; this user must be granted the create-client "Client Role" (this can be achieved either through the admin interface or through the KeycloakRealmImport Custom Resource when using the Red Hat build of Keycloak Operator). An example with pictures for both options would be a "nice to have" here.
- This user's credentials are then passed to the JBoss EAP 8.x web application by setting the OIDC_USER_NAME and OIDC_USER_PASSWORD env variables (see [oidc.sh](https://github.com/wildfly/wildfly-cekit-modules/blob/main/jboss/container/wildfly/launch/oidc/added/oidc.sh) and [oidc-keycloak-hooks.sh](https://github.com/wildfly/wildfly-cekit-modules/blob/main/jboss/container/wildfly/launch/oidc/added/oidc-keycloak-hooks.sh) for the logic details).
- When the JBoss EAP 8.x web application starts, the "elytron-oidc-client" layer (more precisely, the logic this layer adds to the server startup script) takes care of using the provided credentials to register a new OIDC client into Red Hat build of Keycloak.
- When connecting to Red Hat build of Keycloak to register the OIDC client, either set "OIDC_DISABLE_SSL_CERTIFICATE_VALIDATION=true" to skip certificate validation, or use the following env variables to set the truststore:
  - OIDC_PROVIDER_TRUSTSTORE, e.g. "truststore.pkcs12"
  - OIDC_PROVIDER_TRUSTSTORE_DIR, e.g. "/etc/secrets"
  - OIDC_PROVIDER_TRUSTSTORE_CERTIFICATE_ALIAS, e.g. "keycloak"
  - OIDC_PROVIDER_TRUSTSTORE_PASSWORD
- "OIDC_SECURE_DEPLOYMENT_SECRET" is used to hold the password of the new OIDC client that will be set in Red Hat build of Keycloak; once the OIDC client is registered, JBoss EAP will use this password to authenticate to Red Hat build of Keycloak.
- The provider itself is identified by:
  - OIDC_PROVIDER_NAME=rh-sso
  - OIDC_PROVIDER_URL=<KEYCLOAK_URL>/realms/<REALM_NAME>
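As an added example (not part of this issue or of the Red Hat documentation), here is an OpenShift Deployment fragment that wires the variables above for a JBoss EAP 8.x S2I image: the registration user's credentials and the client password are read from Secrets rather than written into the manifest, and the truststore variables are used instead of OIDC_DISABLE_SSL_CERTIFICATE_VALIDATION=true. The image reference, Secret names, Keycloak host and realm are placeholders.

```yaml
# Added example: Deployment fragment for automatic OIDC client registration.
# Secret names, image, host and realm below are placeholders.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: eap-oidc-app
spec:
  template:
    spec:
      containers:
        - name: eap-oidc-app
          image: image-registry.openshift-image-registry.svc:5000/myproject/eap-oidc-app:latest
          env:
            - name: OIDC_PROVIDER_NAME
              value: rh-sso
            - name: OIDC_PROVIDER_URL
              value: https://keycloak.example.com/realms/demo-realm  # <KEYCLOAK_URL>/realms/<REALM_NAME>
            - name: OIDC_USER_NAME  # Keycloak user holding the create-client client role
              valueFrom:
                secretKeyRef:
                  name: keycloak-registration-user
                  key: username
            - name: OIDC_USER_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: keycloak-registration-user
                  key: password
            - name: OIDC_SECURE_DEPLOYMENT_SECRET  # password assigned to the registered client
              valueFrom:
                secretKeyRef:
                  name: eap-oidc-client
                  key: client-secret
            # Trust Keycloak's TLS certificate via a truststore instead of OIDC_DISABLE_SSL_CERTIFICATE_VALIDATION=true
            - name: OIDC_PROVIDER_TRUSTSTORE
              value: truststore.pkcs12
            - name: OIDC_PROVIDER_TRUSTSTORE_DIR
              value: /etc/secrets
            - name: OIDC_PROVIDER_TRUSTSTORE_CERTIFICATE_ALIAS
              value: keycloak
            - name: OIDC_PROVIDER_TRUSTSTORE_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: keycloak-truststore
                  key: password
          volumeMounts:
            - name: keycloak-truststore
              mountPath: /etc/secrets  # exposes truststore.pkcs12 at OIDC_PROVIDER_TRUSTSTORE_DIR
              readOnly: true
      volumes:
        - name: keycloak-truststore
          secret:
            secretName: keycloak-truststore
```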
Clones: JBEAP-31486 Application security with SAML in JBoss EAP: missing "automatic registration of the SAML client" info (New)