Previously, with the Keycloak OIDC adapter, it was possible to propagate an identity from a WAR to an EJB when the WAR and EJB were packaged in an EAR. This was done by configuring Undertow and EJB to use the KeycloakDomain. 

With the elytron-oidc-client subsystem, we now use a virtual security domain. With this approach, the identity can be successfully propagated from the web layer to the EJB layer when the EJB is contained in the same WAR. However, if the EJB is located outside the WAR and packaged in an EAR then the identity won't be propagated as described in this example.

More details can also be found in the comments in WFCORE-5178.

A related problem was also mention on the user forum about identity propagation across EARs.