Type: Bug
Resolution: Won't Do
Priority: Major
Affects Version: 29.0.1.Final
I am trying to set up an application running in Wildfly 29.0.1.Final-jdk17 and Keycloak 23.0.5.
When I just use the oidc.yaml file like this:
{
  "client-id" : "my-client-id",
  "provider-url" : "https://my-keycloak.server/realms/my-keycloak-realm",
  "principal-attribute" : "preferred_username",
  "credentials" : {
    "secret" : "xxxxxxxxxxxxxxx"
  }
}
and the login-config in my web.xml like this:
<login-config>
  <auth-method>OIDC</auth-method>
</login-config>
I can log in to my application, and I can also do a programmatic login when requesting the access token with:
curl -X POST \
  -d "grant_type=password" \
  -d "client_id=imixs" \
  -d "client_secret=xxxxxxxxxxxxxxxxxxx" \
  -d "username=anna" \
  -d "password=123" \
  "https://my-keycloak.server/realms/my-keycloak-realm/protocol/openid-connect/token"
and use the access token as a bearer token to request a resource from my application's REST API:
curl -X GET \
  -H "Authorization: Bearer eyyyyyyyyyyyyyyyyyy" \
  "https://my-app/api/documents/ABC"
This is what I call here a programmatic login.
Now the issue is that I need to use the @OpenIdAuthenticationMechanismDefinition annotation to get more control over the users' subjects after a login. For that reason I use a CDI security bean like this:
import java.io.Serializable;

import jakarta.enterprise.context.RequestScoped;
import jakarta.security.enterprise.authentication.mechanism.http.OpenIdAuthenticationMechanismDefinition;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.core.MediaType;

@RequestScoped
@Path("/oidc")
@Produces({ MediaType.TEXT_PLAIN })
@OpenIdAuthenticationMechanismDefinition( //
    clientId = "${oidcConfig.clientId}", //
    clientSecret = "${oidcConfig.clientSecret}", //
    redirectURI = "${baseURL}/callback", //
    providerURI = "${oidcConfig.issuerUri}" //
)
public class Securitybean implements Serializable {

    private static final long serialVersionUID = 1L;

}
To get the authentication mechanism working in Wildfly 29 I need to remove the login-config from my web.xml file and I need to disable the integrated jaspi module:
...
<subsystem xmlns="urn:jboss:domain:undertow:14.0"
           default-virtual-host="default-host"
           default-servlet-container="default"
           default-server="default-server"
           statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}"
           default-security-domain="other">
    ......
    <application-security-domains>
        <application-security-domain name="other" security-domain="ApplicationDomain" integrated-jaspi="false" />
    </application-security-domains>
    .......
</subsystem>
.....
With this setup I can log in as a user via the Keycloak login page.
But the programmatic login is no longer working. Each request with an access token used as a 'Bearer Token', like in the curl example above, results in a 302 redirect to the Keycloak login page again.
My expectation is that the programmatic login should also work with the @OpenIdAuthenticationMechanismDefinition annotation. I have had this problem for a very long time and I wonder if this is a bug or if the Wildfly server needs to be configured in a different way?