# JBoss/WildFly CLI script: Elytron JWT bearer-token authentication for Undertow and the EJB3 subsystem.
# Run the commands in order -- each step references resources created by the previous ones.
#
# SECURITY NOTE (review): the token-realm below is given no key material (no public-key,
# no key-store/certificate, no client-ssl-context for fetching keys from the token's 'jku'
# header). As the original author noted, that means the realm does NOT verify JWT signatures:
# any token whose 'iss', 'aud' and 'sub' claims match the filters below would be accepted,
# regardless of who minted it. Do not deploy this as-is -- TODO: add one of those attributes
# and confirm the exact acceptance behaviour against the Elytron version in use.
# BEARER_TOKEN also sends the token as a bearer credential; only expose the listener over TLS.

# An example role decoder which works if the JWT contains a 'roles' claim.
# Subjects whose token lacks that claim end up with no roles at all.
/subsystem=elytron/simple-role-decoder=from-roles-attribute:add(attribute=roles)

# A constant role mapper which adds a UserRole role. This role means a user is authenticated.
# Currently disabled, and NOT referenced by the security domain below.
#/subsystem=elytron/constant-role-mapper=authenticated:add(roles=["UserRole"])

# Create the JWT realm with parameters for i3-access: only tokens whose 'iss' equals
# http://tex-service.sys and whose 'aud' contains "TEX" pass the claim filters; the 'sub' claim
# becomes the principal name.
# This config doesn't validate the JWT signature! (an SSL context for the 'jku' header is required,
# or supply the issuer's key directly via public-key, or via key-store + certificate)
/subsystem=elytron/token-realm=jwt-realm:add(jwt={issuer=["http://tex-service.sys"], audience=["TEX"]}, principal-claim="sub")

# Security domain: authenticate against jwt-realm and derive roles from the token's 'roles'
# claim via from-roles-attribute. The original note read "add UserRole and copy all groups to
# roles (still not what we need)": the constant-role-mapper above is not wired in here, so only
# the 'roles' claim contributes roles.
/subsystem=elytron/security-domain=jwt-domain:add(realms=[{realm=jwt-realm,role-decoder=from-roles-attribute}], permission-mapper=default-permission-mapper,default-realm=jwt-realm)

# Create the HTTP authentication factory that uses BEARER_TOKEN authentication backed by jwt-domain.
/subsystem=elytron/http-authentication-factory=jwt-http-authentication:add(security-domain=jwt-domain,http-server-mechanism-factory=global,mechanism-configurations=[{mechanism-name="BEARER_TOKEN",mechanism-realm-configurations=[{realm-name="jwt-realm"}]}])

# Configure Undertow to use our HTTP authentication factory for deployments bound to 'ejb-domain'.
/subsystem=undertow/application-security-domain=ejb-domain:add(http-authentication-factory=jwt-http-authentication)

# Add the matching security-domain mapping in the EJB3 subsystem so EJBs using 'ejb-domain'
# are secured by Elytron's jwt-domain as well.
/subsystem=ejb3/application-security-domain=ejb-domain:add(security-domain=jwt-domain)