Project: WildFly
Issue: WFLY-20498

Programmatic login with Jakarta @OpenIdAuthenticationMechanismDefinition not possible


    • Type: Bug
    • Resolution: Won't Do
    • Priority: Major
    • Affects Version: 29.0.1.Final
    • Component: Security

      I am trying to set up an application running in WildFly 29.0.1.Final-jdk17 and Keycloak 23.0.5.

      When I just use the oidc.yaml file like this:

      {
          "client-id" : "my-client-id",
          "provider-url" : "https://my-keycloak.server/realms/my-keycloak-realm",
          "principal-attribute" : "preferred_username",
          "credentials" : {
              "secret" : "xxxxxxxxxxxxxxx"
          }
      }

      and the login-config in my web.xml like this:

        <login-config>
          <auth-method>OIDC</auth-method>
        </login-config>

      I can log in to my application, and I can also do a programmatic login when requesting the access token with:

      curl -X POST \
        -d "grant_type=password" \
        -d "client_id=imixs" \
        -d "client_secret=xxxxxxxxxxxxxxxxxxx" \
        -d "username=anna" \
        -d "password=123" \
        "https://my-keycloak.server/realms/my-keycloak-realm/protocol/openid-connect/token"

      and use the access token as a bearer token to request a resource from my application's REST API:

      curl -X GET \
        -H "Authorization: Bearer eyyyyyyyyyyyyyyyyyy" \
        "https://my-app/api/documents/ABC"

      This is what I call here a programmatic login.

      Now the issue is that I need to use the @OpenIdAuthenticationMechanismDefinition annotation to get more control over the users' subjects after a login. For that reason I use a CDI Security bean like this:

      import java.io.Serializable;

      import jakarta.enterprise.context.RequestScoped;
      import jakarta.security.enterprise.authentication.mechanism.http.OpenIdAuthenticationMechanismDefinition;
      import jakarta.ws.rs.Path;
      import jakarta.ws.rs.Produces;
      import jakarta.ws.rs.core.MediaType;

      // CDI bean that only exists to carry the OpenID Connect mechanism definition;
      // the ${...} placeholders are resolved by Jakarta Security EL evaluation.
      @RequestScoped
      @Path("/oidc")
      @Produces({ MediaType.TEXT_PLAIN })
      @OpenIdAuthenticationMechanismDefinition( //
              clientId = "${oidcConfig.clientId}", //
              clientSecret = "${oidcConfig.clientSecret}", //
              redirectURI = "${baseURL}/callback", //
              providerURI = "${oidcConfig.issuerUri}" //
      )
      public class Securitybean implements Serializable {
          private static final long serialVersionUID = 1L;
      }

      To get the authentication mechanism working in WildFly 29 I need to remove the login-config from my web.xml file and I need to disable the integrated JASPI module:

      ...
              <subsystem xmlns="urn:jboss:domain:undertow:14.0" default-virtual-host="default-host"
                  default-servlet-container="default" default-server="default-server"
                  statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}"
                  default-security-domain="other">
                  ......
                  <application-security-domains>
                      <application-security-domain name="other" security-domain="ApplicationDomain"
                          integrated-jaspi="false" />
                  </application-security-domains>
                  .......
              </subsystem>            
      .....  

      With this setup I can log in as a user via the Keycloak login page.

      But the programmatic login is no longer working. Each request with an access token used as a 'Bearer Token' like in the curl example above results in a 302 redirect to the Keycloak login page again.

      My expectation is that the programmatic login should also work with the @OpenIdAuthenticationMechanismDefinition annotation. I have had this problem for a very long time and I wonder if this is a bug or if the WildFly server needs to be configured in a different way?

              Assignee: Pedro Silva (rhn-support-pesilva)
              Reporter: Ralph Soika (rsoika, Inactive)