OIDC Client in Wildfly 25 in bearer-only mode.


Rafał Krzewski

Oct 12, 2021, 11:01:30 AM
to WildFly
Hi,

I'm laying the groundwork for a new application and I'm trying to set up authentication with a Keycloak server, Angular 12 frontend and Wildfly 25 EE9 preview as backend.

Keycloak and frontend part went smoothly, but I'm having a hard time figuring out the Wildfly side. I can see the XMLHttpRequests carry an Authorization: Bearer header but the backend responds with a redirect to the login page.

My oidc.json looks as follows:

{
  "realm": "mvp",
  "client-id": "backend",
  "bearer-only": true
}

I'm setting both auth-server-url and provider-url because otherwise I'm getting an exception here:
This seems a bit suspicious to me. Also, https://docs.wildfly.org/25/Admin_Guide.html#configuration-8 doesn't really say what should go into provider-url so I'm just guessing from the example. I was also looking at Keycloak documentation https://www.keycloak.org/docs/latest/securing_apps/index.html#jboss-eap-wildfly-adapter but it uses auth-server-url and no provider-url AFAICT.

Configuration aside, I was trying to dig around the Elytron OIDC adapter code trying to find how it handles Bearer authorization, and so far I was able to find only one place where the code touches the Authorization HTTP header: https://github.com/wildfly-security/wildfly-elytron/blob/master/http/oidc/src/main/java/org/wildfly/security/http/oidc/ClientIdAndSecretCredentialsProvider.java#L65 which seems to be completely unrelated to what I need.

Is there something I'm missing about OIDC client configuration? Or is the bearer-only mode not supported?

Best regards,
Rafał

Farah Juma

Oct 12, 2021, 12:27:42 PM
to Rafał Krzewski, WildFly
Support for bearer-only mode with the elytron-oidc-client subsystem still needs to be added. The following issue tracks this:


--
You received this message because you are subscribed to the Google Groups "WildFly" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wildfly+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wildfly/315296b2-62a4-4008-89e7-4e8973f85146n%40googlegroups.com.

Rafał Krzewski

Oct 12, 2021, 5:27:37 PM
to WildFly
Thanks Farah, I'll keep an eye on this issue.

So, in order to use bearer-only authentication at this time I need to use the legacy Keycloak adapter, correct? I don't think I can install it onto Wildfly 25 EE9 preview, because it's compiled against EE8 APIs. I know that Galleon does some bytecode hijinks to convert libraries from EE8 to EE9 while provisioning wildfly-preview servers. Maybe it can be used to deploy the Keycloak adapter?

I'm still early in the process so switching to EE8 is still a possibility, but I was hoping to start with EE9 early to make the application more future-proof.

Best regards,
Rafał

Farah Juma

Oct 18, 2021, 11:11:01 AM
to WildFly
Correct, if bearer-only authentication is needed, the legacy Keycloak adapter will still need to be installed. There's some info about that here (https://wildfly-security.github.io/wildfly-elytron/blog/galleon-cli-keycloak/) but you're correct that it's still compiled against EE8 APIs.

Robert Strauch

Jan 31, 2022, 10:23:31 AM
to WildFly
I'm experiencing the same behavior as described by Rafal. I also read the linked WildFly issue and commented on it but I still have the impression I'm missing something.

According to Farah, using the Keycloak adapter for bearer-only authentication should still work in WildFly 25/26. However, I haven't managed to get it running yet. All I can see is the following exception, although the adapter installation was successful and I can see the Keycloak subsystem in the configuration.

java.lang.IllegalStateException: The required mechanism 'KEYCLOAK' is not available in mechanisms [BASIC, CLIENT_CERT, DIGEST, FORM] from the HttpAuthenticationFactory

Farah Juma

Jan 31, 2022, 2:17:47 PM
to WildFly
Just added a comment on the linked WildFly issue but will also mention it here as well.

I just tried running Keycloak's adapter-elytron-install-offline.cli script with WildFly 26 and noticed the following output:

Undertow already configured with Keycloak
EJB already configured with Keycloak

That's actually due to a bug in the adapter-elytron-install-offline.cli script. Undertow and EJB aren't already configured with Keycloak. To correct your setup, running the following commands should work:

batch
/subsystem=undertow/application-security-domain=other:undefine-attribute(name=security-domain)
/subsystem=undertow/application-security-domain=other:write-attribute(name=http-authentication-factory,value=keycloak-http-authentication)
run-batch

/subsystem=ejb3/application-security-domain=other:write-attribute(name=security-domain,value=KeycloakDomain)

reload
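The exception Robert quoted ("The required mechanism 'KEYCLOAK' is not available in mechanisms [BASIC, CLIENT_CERT, DIGEST, FORM]") is what you get when Undertow's application-security-domain "other" is still bound to an Elytron security-domain instead of the keycloak-http-authentication factory. The script below is an added example (not part of this thread, not Keycloak's or WildFly's own tooling) that reads a standalone.xml and reports whether the wiring the CLI batch above produces is actually in place, so you can confirm the fix without reloading the server and triggering the exception again. The XML samples are constructed to resemble the relevant fragments of a WildFly 26 configuration; the version numbers in the namespace URIs are illustrative, and the checker only keys on the `urn:jboss:domain:<subsystem>:` prefix.

```python
"""Check that a WildFly standalone.xml is wired for the legacy Keycloak adapter.

Added example, not from the thread. It looks for the state the CLI commands
above produce:
  - undertow  application-security-domain=other has
      http-authentication-factory=keycloak-http-authentication and
      NO security-domain attribute (the two are mutually exclusive; a leftover
      security-domain is what yields the "KEYCLOAK is not available" error)
  - ejb3      application-security-domain=other has
      security-domain=KeycloakDomain
"""
import xml.etree.ElementTree as ET

KEYCLOAK_HTTP_FACTORY = "keycloak-http-authentication"
KEYCLOAK_DOMAIN = "KeycloakDomain"

# Constructed sample: what a server can look like after the buggy
# adapter-elytron-install-offline.cli run that claims "already configured".
BROKEN_XML = """<server xmlns="urn:jboss:domain:18.0">
  <profile>
    <subsystem xmlns="urn:jboss:domain:ejb3:9.0">
      <application-security-domains>
        <application-security-domain name="other" security-domain="ApplicationDomain"/>
      </application-security-domains>
    </subsystem>
    <subsystem xmlns="urn:jboss:domain:undertow:12.0">
      <application-security-domains>
        <application-security-domain name="other" security-domain="ApplicationDomain"/>
      </application-security-domains>
    </subsystem>
  </profile>
</server>"""

# Constructed sample: the same fragments after the corrective CLI batch.
FIXED_XML = """<server xmlns="urn:jboss:domain:18.0">
  <profile>
    <subsystem xmlns="urn:jboss:domain:ejb3:9.0">
      <application-security-domains>
        <application-security-domain name="other" security-domain="KeycloakDomain"/>
      </application-security-domains>
    </subsystem>
    <subsystem xmlns="urn:jboss:domain:undertow:12.0">
      <application-security-domains>
        <application-security-domain name="other" http-authentication-factory="keycloak-http-authentication"/>
      </application-security-domains>
    </subsystem>
  </profile>
</server>"""


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on element names."""
    return tag.rsplit("}", 1)[-1]


def find_subsystem(root, name):
    """Return the <subsystem> element whose namespace is urn:jboss:domain:<name>:<version>."""
    for elem in root.iter():
        if _local(elem.tag) != "subsystem" or not elem.tag.startswith("{"):
            continue
        namespace = elem.tag[1:].split("}", 1)[0]
        if namespace.startswith("urn:jboss:domain:%s:" % name):
            return elem
    return None


def application_security_domain(subsystem, name="other"):
    """Return the <application-security-domain name=...> element inside a subsystem."""
    for elem in subsystem.iter():
        if _local(elem.tag) == "application-security-domain" and elem.get("name") == name:
            return elem
    return None


def check_keycloak_wiring(xml_text):
    """Return a list of findings; an empty list means the adapter wiring is in place."""
    findings = []
    root = ET.fromstring(xml_text)

    undertow = find_subsystem(root, "undertow")
    if undertow is None:
        findings.append("undertow: subsystem not found")
    else:
        asd = application_security_domain(undertow)
        if asd is None:
            findings.append("undertow: application-security-domain 'other' not found")
        else:
            if asd.get("security-domain") is not None:
                # Mechanisms then come from that Elytron domain, which has no KEYCLOAK.
                findings.append("undertow: 'other' still has security-domain=%s; "
                                "run undefine-attribute(name=security-domain)"
                                % asd.get("security-domain"))
            if asd.get("http-authentication-factory") != KEYCLOAK_HTTP_FACTORY:
                findings.append("undertow: 'other' must use http-authentication-factory=%s"
                                % KEYCLOAK_HTTP_FACTORY)

    ejb3 = find_subsystem(root, "ejb3")
    if ejb3 is None:
        findings.append("ejb3: subsystem not found")
    else:
        asd = application_security_domain(ejb3)
        if asd is None or asd.get("security-domain") != KEYCLOAK_DOMAIN:
            findings.append("ejb3: 'other' must use security-domain=%s" % KEYCLOAK_DOMAIN)

    return findings


if __name__ == "__main__":
    import sys
    # Usage: python check_keycloak_wiring.py /path/to/standalone.xml
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BROKEN_XML
    for finding in check_keycloak_wiring(text) or ["OK: Keycloak adapter wiring is in place"]:
        print(finding)
```

The checker deliberately treats a surviving `security-domain` attribute on Undertow's "other" domain as its own finding, separate from the missing factory, because that is the attribute the batch has to undefine first; writing `http-authentication-factory` while `security-domain` is still set fails in the CLI.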

