WildFly: WFLY-15485

OIDC client adapter doesn't work correctly with bearer-only


      I am currently running a web application in WildFly with a couple of REST endpoints which I want to secure by means of Authorization Bearer tokens. This works seamlessly in WildFly 24, with a Keycloak server and the Keycloak client adapters that I have installed into my WildFly installation.

      I am trying to do the same in the newly released WildFly 25 with the built-in OIDC client adapter, but I am running into some problems with it. When trying to access the secured REST endpoints in this setup by means of a Bearer token, I get redirected to the Keycloak login screen. This behaviour is incorrect: you should just be presented with a 403 response code instead if the token was invalid.

      When using the Keycloak client adapter I was achieving this behaviour (e.g. returning 403 for an invalid token) by setting the bearer-only property in keycloak.json to true.

      With the OIDC client adapter, setting the bearer-only property in oidc.json does not seem to have any effect.

      Can somebody perhaps confirm if bearer-only works with the OIDC client adapter in WildFly 25, and if so, can a working example perhaps be provided?
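Added example, not part of the reporter's issue or of WildFly: a small probe that sends an obviously invalid Bearer token to a secured endpoint without following redirects, then reports whether the server rejected it (the bearer-only behaviour described above) or bounced it to the Keycloak login page (the behaviour being reported). The endpoint URL is an assumed placeholder, and the redirect check assumes the standard Keycloak authorization endpoint path `/protocol/openid-connect/auth`.

```python
"""Probe a bearer-secured REST endpoint with an invalid token and classify
the response: rejected outright (bearer-only) vs redirected to Keycloak login."""
import sys
import urllib.error
import urllib.request


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses as errors instead of following them,
    so a redirect to the login page stays visible to the caller."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status, headers):
    """Map a status code plus response headers to a verdict string."""
    location = headers.get("Location", "") if headers else ""
    # Assumption: Keycloak's interactive login lives under this well-known path.
    if status in (301, 302, 303, 307) and "/protocol/openid-connect/auth" in location:
        return "redirected-to-login"   # interactive flow: bearer-only not honoured
    if status in (401, 403):
        return "rejected"              # token refused, no redirect: bearer-only works
    if status == 200:
        return "accepted"              # an invalid token was accepted: misconfiguration
    return "unexpected"


def probe(url, token="not-a-real-token"):
    """Send a deliberately invalid Bearer token and classify what comes back."""
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    try:
        with opener.open(req, timeout=10) as resp:
            return classify(resp.status, resp.headers)
    except urllib.error.HTTPError as err:
        # With redirects suppressed, 3xx and 4xx both arrive here.
        return classify(err.code, err.headers)


if __name__ == "__main__":
    # Placeholder URL; pass the real secured endpoint as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8080/app/api/secured"
    print(probe(target))
```

A verdict of "redirected-to-login" reproduces the problem described in the report; "rejected" is what a bearer-only deployment should return.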

            fjuma1@redhat.com Farah Juma
            jj.steenkamp Johan Steenkmap (Inactive)