EJB timers/@RunAs in app with elytron's OIDC client

Björn Mosler

Jul 8, 2024, 4:12:47 PM
to WildFly
Hi

I am trying to upgrade an application from WF 21 to 32. It's a single WAR where users authenticate using elytron's OIDC client (<auth-method>OIDC</auth-method> in web.xml). There are also a number of EJB timers and JBeret batch jobs, which can be triggered by the web users. The timers are annotated with @RunAs/@RunAsPrincipal and I have created an identity-realm with the appropriate user and role decoder which I added to the ApplicationDomain.

The problem I am facing is that the EJB timer user never gets the role I put into @RunAs because at [1] WF always tries to look up the user in the realm "virtual", which I cannot manipulate, i.e. it is not visible to the WF CLI.

Is there a way to make this work?

When I use jakarta.security.enterprise.authentication.mechanism.http.OpenIdAuthenticationMechanismDefinition the EJB timers run with the correct principal and roles.

Thanks and kind regards

Prarthona Paul

Jul 10, 2024, 9:52:37 AM
to WildFly
Hello there, 
You can use another security domain to secure your EJB. 
Please refer to this guide: https://prarthonapaul.github.io/wildfly-elytron/blog/wildfly-oidc-identity-propagation/, specifically the section titled Securing an EJB using a Different Security Domain: https://prarthonapaul.github.io/wildfly-elytron/blog/wildfly-oidc-identity-propagation/#securing-an-ejb-using-a-different-security-domain
Please feel free to add follow-up questions here if you have any. 
Best, 
Prarthona
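Added example (not code from either poster or from the linked guide) sketching the setup the reply suggests: the timer bean is secured by its own Elytron security domain, so the @RunAs principal is resolved against an identity-realm instead of the OIDC deployment's "virtual" realm. All names (TimerDomain, TimerRealm, timer-user, TimerRole, the two bean classes) are constructed for this example.

```java
// Assumed Elytron configuration (jboss-cli), constructed for this example.
// The identity-realm holds the run-as principal and the role @RunAs grants;
// from-roles-attribute is the simple-role-decoder present in stock standalone configs.
//   /subsystem=elytron/identity-realm=TimerRealm:add(identity=timer-user, \
//       attribute-name=Roles, attribute-values=[TimerRole])
//   /subsystem=elytron/security-domain=TimerDomain:add(default-realm=TimerRealm, \
//       permission-mapper=default-permission-mapper, \
//       realms=[{realm=TimerRealm, role-decoder=from-roles-attribute}])
//   /subsystem=ejb3/application-security-domain=TimerDomain:add(security-domain=TimerDomain)

// --- NightlyCleanup.java ---
import jakarta.annotation.security.RolesAllowed;
import jakarta.ejb.Stateless;
import org.jboss.ejb3.annotation.SecurityDomain;

/** Target bean: only callers holding TimerRole may invoke it. */
@Stateless
@SecurityDomain("TimerDomain")   // same domain as the caller, not the OIDC-backed one
public class NightlyCleanup {
    @RolesAllowed("TimerRole")
    public int purgeExpired() {
        // application logic goes here; returns the number of purged records
        return 0;
    }
}

// --- CleanupTimer.java ---
import jakarta.annotation.security.RunAs;
import jakarta.ejb.EJB;
import jakarta.ejb.Schedule;
import jakarta.ejb.Singleton;
import org.jboss.ejb3.annotation.RunAsPrincipal;
import org.jboss.ejb3.annotation.SecurityDomain;

/** Timer bean: fires with no web caller, so no OIDC identity exists. */
@Singleton
@SecurityDomain("TimerDomain")   // the run-as identity is created in this domain ...
@RunAs("TimerRole")              // ... carrying this role ...
@RunAsPrincipal("timer-user")    // ... for this principal, looked up in TimerRealm
public class CleanupTimer {
    @EJB
    private NightlyCleanup cleanup;

    @Schedule(hour = "2", minute = "0", persistent = false)
    public void fire() {
        cleanup.purgeExpired();  // authorized via TimerRole from the run-as identity
    }
}
```

Beans still invoked from the web layer keep the deployment's OIDC-backed domain; only the timer path is moved here, which is what keeps the "virtual" realm out of the run-as lookup.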