- Bug
- Resolution: Done
- Major
- None
I am currently running a web application in Wildfly with a couple of REST endpoints which I want to secure by means of Authorization Bearer tokens. This works seamlessly in Wildfly 24, with a Keycloak server, and Keycloak client adapters that I have installed into my Wildfly installation.
I am trying to do the same in the newly released Wildfly 25 and the built-in OIDC client adapter, but I am running into some problems with it. When trying to access the secured REST endpoints in this setup by means of a Bearer token, you get redirected to the Keycloak login screen. This behaviour is incorrect and you should just be presented with a 403 response code instead, if the token was invalid.
When using the Keycloak client adapter I was achieving this behaviour (e.g. returning 403 for an invalid token) by setting the bearer-only property in keycloak.json to true.
With the OIDC client adapter, setting the bearer-only property in oidc.json does not seem to have any effect.
Can somebody perhaps confirm if bearer-only works with the OIDC client adapter in Wildfly 25, and if so, can a working example perhaps be provided?
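For reference, this is the shape of a bearer-only oidc.json in the Keycloak-compatible form that the WildFly Elytron OIDC subsystem accepts. It is an example added here, not the reporter's configuration; the realm name, client id and server URL are placeholders that must be replaced with real values.

```json
{
  "realm": "EXAMPLE_REALM",
  "resource": "EXAMPLE_CLIENT_ID",
  "auth-server-url": "https://keycloak.example.invalid/auth/",
  "ssl-required": "external",
  "bearer-only": true
}
```

The file is placed at WEB-INF/oidc.json in the deployment, and web.xml selects the mechanism with `<auth-method>OIDC</auth-method>` in its login-config. With bearer-only set, the intent is that a request to a protected endpoint without a valid Bearer token is rejected with an error status rather than redirected to the Keycloak login page, which is exactly the behaviour this issue reports as missing in Wildfly 25; whether the flag is honoured there is what the linked WFLY-15485 tracks.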
- clones: WFLY-15485 OIDC client adapter doesn't work correct with Bearer-only (Closed)
- incorporates: JBEAP-24993 (XP 4.0.z) Upgrade Elytron from 1.15.9.Final-redhat-00001 to 1.15.19.Final-redhat-00001 (Closed)