Uploaded image for project: 'WildFly'
  1. WildFly
  2. WFLY-20498

Programmatic login with Jakarta @OpenIdAuthenticationMechanismDefinition not possible

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Won't Do
    • Icon: Major Major
    • None
    • 29.0.1.Final
    • Security
    • None
    • ---
    • ---

      I am trying to setup an application running in Wildfly 29.0.1.Final-jdk17 and Keycloak 23.0.5.

      When I just use the oidc.yaml file like this:

       

      {
    "client-id" : "my-client-id",
    "provider-url" : "https://my-keycloak.server/realms/my-keycloak-realm",    
    "principal-attribute" : "preferred_username",  
    "credentials" : {
        "secret" : "xxxxxxxxxxxxxxx"
    }
}

      and the login-config in my web.xml like this:

       

        <login-config>
    <auth-method>OIDC</auth-method>
  </login-config>

      I can login to my application and also I can do a programmatic login when requesting the access token with:

       

      curl -X POST \
  -d "grant_type=password" \
  -d "client_id=imixs" \
  -d "client_secret=xxxxxxxxxxxxxxxxxxx" \
  -d "username=anna" \
  -d "password=123" \
  "https://my-keycloak.server/realms/my-keycloak-realm/protocol/openid-connect/token"

      and use the access-token as a bearer token to request a resource from my application Rest API:
       

       curl -X GET \
  -H "Authorization: Bearer eyyyyyyyyyyyyyyyyyy" \
  "https://my-app/api/documents/ABC"

      This is what I call here a programmatic login.
       
      Now the issue is that I need to use the @OpenIdAuthenticationMechanismDefinition annotation to get more control about the users subjects after a login. For that reason I use a CDI Security bean like this:

      @RequestScoped
@Path("/oidc")
@Produces({ MediaType.TEXT_PLAIN })
@OpenIdAuthenticationMechanismDefinition( //
        clientId = "${oidcConfig.clientId}", //
        clientSecret = "${oidcConfig.clientSecret}", //
        redirectURI = "${baseURL}/callback", //
        providerURI = "${oidcConfig.issuerUri}" //
)
public class Securitybean implements Serializable {
    private static final long serialVersionUID = 1L;
}

      To get the authentication mechanism working in Wildfly 29 I need to remove the login-config from my web.xml file and I need to disable the integrated jaspi module: 

      ...
        <subsystem xmlns="urn:jboss:domain:undertow:14.0" default-virtual-host="default-host"
            default-servlet-container="default" default-server="default-server"
            statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}"
            default-security-domain="other">
            ......
            <application-security-domains>
                <application-security-domain name="other" security-domain="ApplicationDomain"
                    integrated-jaspi="false" />
            </application-security-domains>
            .......
        </subsystem>            
.....  

      With this setup I can login as a user via the keycloak login page. 

      But the programmatic login is no longer working. Each request with a access-token used as a 'Bearer Token' like in the curl example above results in a 302 redirect to the Keycloak login page again. 

      My expectation is that the programmatic login also should work with the @OpenIdAuthenticationMechanismDefinition annotation. I have this problem since a very long time and I wonder if this is a bug or if the wildfly server need to be configured in a different way?

              rhn-support-pesilva Pedro Silva
              rsoika ralph Soika (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated:
                Resolved: