WildFly OIDC + custom roles decoder/mapper?


Olivier Bruchez

Dec 17, 2024, 12:03:19 PM12/17/24
to WildFly
Hello all,

I'm new to WildFly and I was wondering if it was possible to use the OIDC subsystem for authentication and "something else" for authorization (i.e. add roles from another source).

I'm using the latest version of WildFly.

OIDC is configured and working (I'm using Microsoft Entra ID).

The roles decoded from the OIDC tokens are not what I want to use to secure my application (i.e. security-constraint in web.xml). I'd like to retrieve the roles from the authenticated principal by using some custom code.

My naive approach was to write a custom role decoder. So I have some code that implements the org.wildfly.security.authz.RoleDecoder interface and the decodeRoles(AuthorizationIdentity authorizationIdentity) method. It's packaged in a JAR and configured as a WildFly module. WildFly loads the module without problem. So far so good.

I've also declared a custom-role-decoder in <subsystem xmlns="urn:wildfly:elytron:community:18.0">/mappers. Again, WildFly doesn't complain.

I'm stuck at this point. I can't seem to use my custom role decoder for anything.

Can anybody point me in the right direction? How should I configure this? Or which completely different approach should I follow?

Thanks,
Olivier

Farah Juma

Dec 17, 2024, 3:27:00 PM12/17/24
to WildFly
Hi,

It should be possible to configure this by configuring OIDC from the Elytron subsystem instead of using the Elytron OIDC Client subsystem, as described in a comment here.

The Elytron OIDC Client subsystem was meant to simplify configuration for most use cases. Since roles aren't actually part of the OIDC specification, this use case is a bit more advanced so more control over the configuration is needed. For cases like this, OIDC can be configured via the Elytron subsystem instead.
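As an added illustration of the custom role decoder described in the question (example code, not from the thread or from WildFly itself): a RoleDecoder that ignores the token's role claims and resolves roles from the authenticated principal name, with an in-memory map standing in for the external source. The attribute name "preferred_username" and the package name are assumptions; as with any Elytron decoder, the class only runs once a security domain in the Elytron subsystem references it through its role-decoder attribute, so adding the custom-role-decoder resource under mappers by itself has no effect.

```java
package com.example.elytron; // hypothetical package name

import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import org.wildfly.security.authz.Attributes;
import org.wildfly.security.authz.AuthorizationIdentity;
import org.wildfly.security.authz.RoleDecoder;
import org.wildfly.security.authz.Roles;

/**
 * Derives application roles from the authenticated identity instead of
 * from the OIDC token. The map below is constructed sample data standing
 * in for the real role source (database, directory, ...).
 */
public class ExternalSourceRoleDecoder implements RoleDecoder {

    // Constructed sample data; a real deployment would query its own role store.
    private static final Map<String, Set<String>> ROLES_BY_USER = Map.of(
            "alice@example.org", Set.of("admin", "user"),
            "bob@example.org", Set.of("user"));

    // Assumption: the identity attributes carry the user name under this key
    // (Entra ID ID tokens use "preferred_username"); adjust to your realm.
    private static final String USERNAME_ATTRIBUTE = "preferred_username";

    // Elytron instantiates custom components reflectively: keep a public no-arg constructor.
    public ExternalSourceRoleDecoder() {
    }

    @Override
    public Roles decodeRoles(AuthorizationIdentity identity) {
        Attributes attributes = identity.getAttributes();
        if (attributes == null || !attributes.containsKey(USERNAME_ATTRIBUTE)) {
            return Roles.NONE; // fail closed: an identity we cannot name gets no roles
        }
        String user = attributes.getFirst(USERNAME_ATTRIBUTE);
        Set<String> roles = ROLES_BY_USER.getOrDefault(user, Collections.emptySet());
        // Copy so the returned Roles view cannot alias the backing store.
        return Roles.fromSet(new HashSet<>(roles));
    }
}
```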

Olivier Bruchez

Feb 5, 2025, 8:08:02 AM2/5/25
to WildFly
Thanks Farah, and sorry for the late reply. We'll investigate if this is a possible approach for us.

Olivier
