OIDC Client in Wildfly 25 in bearer-only mode.
1,373 views
Skip to first unread message
Rafał Krzewski
Oct 12, 2021, 11:01:30 AM10/12/21
to WildFly
Hi,
I'm laying the groundwork for a new application and I'm trying to set up authentication a Keycloak server, Angular 12 frontend and Wildfly 25 EE9 preview as backend.
Keycloak and fronted part went smoothly, but I'm having a hard time figuring out the Wildfly side. I can see the XMLHttpRequests carry Authorization: Bearer header but the backend responds with an redirect to login page.
my oidc.json looks as follows:
{
"auth-server-url": "http://keycloak-http.mvp.svc.cluster.local/auth/",
"provider-url": "http://keycloak-http.mvp.svc.cluster.local/auth/realms/mvp",
"realm": "mvp",
"client-id": "backend",
"bearer-only": true
}
I'm setting both auth-server-url and provider-url because otherwise I'm getting an exception here:
This seems a bit suspicious to me. Also, https://docs.wildfly.org/25/Admin_Guide.html#configuration-8 doesn't really say what should go into provider-url so I'm just guessing from the example. I was also looking at Keycloak documentation https://www.keycloak.org/docs/latest/securing_apps/index.html#jboss-eap-wildfly-adapter but it uses auth-server-url and no provider-url AFAICT.
Configuration aside, I was trying to do dig around Elytron OIDC adapter code trying to find how handles Bearer authorization, and so far I was able to find only one place where the code touches Authorization HTTP header: https://github.com/wildfly-security/wildfly-elytron/blob/master/http/oidc/src/main/java/org/wildfly/security/http/oidc/ClientIdAndSecretCredentialsProvider.java#L65 which seems to be completely unrelated to what I need.
Is there something I'm missing about OIDC client configuration? Or is the bearer-only mode not supported?
Best regards,
Rafał
Farah Juma
Oct 12, 2021, 12:27:42 PM10/12/21
to Rafał Krzewski, WildFly
Support for bearer-only mode with the elytron-oidc-client subsystem still needs to be added. The following issue tracks this:
--
You received this message because you are subscribed to the Google Groups "WildFly" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wildfly+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wildfly/315296b2-62a4-4008-89e7-4e8973f85146n%40googlegroups.com.
Rafał Krzewski
Oct 12, 2021, 5:27:37 PM10/12/21
to WildFly
Thanks Farah, I'll keep an eye on this issue.
So, in order to use bearer-only authentication at this time I need to use the legacy Keycloak adapter, correct? I don't think I can install it onto Wildly 25 EE9 preview, because it's compiled against EE8 APIs. I know that Galleon does some bytecode hijinx to convert libraries from EE8 to EE9 while provisioning wildfly-preview servers. Maybe it can be used to deploy Keycloak adapter?
I'm still early in the process so switching to EE8 is still a possibility, but I was hoping to start with EE9 early to make the application more future-proof.
Best regards,
Rafał
Farah Juma
Oct 18, 2021, 11:11:01 AM10/18/21
to WildFly
Correct, if bearer-only authentication is needed, the legacy Keycloak adapter will still need to be installed. There's some info about that here (https://wildfly-security.github.io/wildfly-elytron/blog/galleon-cli-keycloak/) but you're correct that it's still compiled against EE8 APIs.
Robert Strauch
Jan 31, 2022, 10:23:31 AM1/31/22
to WildFly
I'm experiencing the same behavior as described by Rafal. I also read the linked WildFly issue and commented on it but I still have the impression I'm missing something.
According to Farah, using they Keycloak adapter for bearer-only authentication should still work in WildFly 25/26. However I haven't managed to get it running yet. All I can see is the following exception although the adapter installation was successful and I can see the Keycloak subsystem in the configuration.
java.lang.IllegalStateException: The required mechanism 'KEYCLOAK' is not available in mechanisms [BASIC, CLIENT_CERT, DIGEST, FORM] from the HttpAuthenticationFactory
Farah Juma
Jan 31, 2022, 2:17:47 PM1/31/22
to WildFly
Just added a comment on the linked WildFly issue but will also mention it here as well.
That's actually due to a bug in the adapter-elytron-install-offline.cli script. Undertow and EJB aren't already configured with Keycloak. To correct your setup, running the following commands should work:
batch
/subsystem=undertow/application-security-domain=other:undefine-attribute(name=security-domain)
/subsystem=undertow/application-security-domain=other:write-attribute(name=http-authentication-factory,value=keycloak-http-authentication)
run-batch
/subsystem=ejb3/application-security-domain=other:write-attribute(name=security-domain,value=KeycloakDomain)
reload
I just tried running Keycloak's adapter-elytron-install-offline.cli script with WildFly 26 and noticed the following output:
Undertow already configured with Keycloak
EJB already configured with Keycloak
Undertow already configured with Keycloak
EJB already configured with Keycloak
That's actually due to a bug in the adapter-elytron-install-offline.cli script. Undertow and EJB aren't already configured with Keycloak. To correct your setup, running the following commands should work:
batch
/subsystem=undertow/application-security-domain=other:undefine-attribute(name=security-domain)
/subsystem=undertow/application-security-domain=other:write-attribute(name=http-authentication-factory,value=keycloak-http-authentication)
run-batch
/subsystem=ejb3/application-security-domain=other:write-attribute(name=security-domain,value=KeycloakDomain)
reload
Reply all
Reply to author
Forward
0 new messages