Desktop client, remote EJB and OIDC / Keycloak


PorkLip

Aug 26, 2025, 5:41:26 PM
to WildFly
I'm trying to migrate a WildFly web and desktop application from LDAP to OpenID Connect (OIDC) / Keycloak for authentication/authorization. The desktop application is invoking remote EJBs deployed in WildFly. The previous server configuration used LDAP, and the desktop application was using a programmatic approach to configuring the Elytron client configuration where username and password were sent to WildFly.

Migrating the web interface of the application was really simple following the example at Securing WildFly Apps with OpenID Connect.

Migrating the client seems to be a bit more complicated. I have not found any working example where the authentication/authorization of a desktop client (invoking EJBs in WildFly) is performed using OIDC / Keycloak. So my questions now are:
  1. How shall the client wildfly-config.xml be configured to use OIDC? Do I need to fetch a bearer token programmatically myself from Keycloak, or is there already logic supporting this that can be specified in META-INF/wildfly-config.xml?
  2. How shall WildFly be configured to use OIDC / bearer token for EJBs being invoked using "remote+http://"?
  3. Is it possible somehow to reference the virtual security stuff created by oidc.json when securing the "remote+http://" EJB access on the server side? Or is this maybe already in place somehow when oidc.json is present in WEB-INF/ and I just need to configure the META-INF/wildfly-config.xml on the client correctly?
I have looked at Identity Propagation with OpenID Connect and other examples but none use remote desktop clients.