Wildfly 26 - Migration from Keycloak to Elytron OIDC - OIDC + Bearer-Token

Daniel Schmidt

May 20, 2022, 6:36:51 PM
to WildFly
Hi, 

I am currently trying to migrate from the Keycloak OIDC adapter to the elytron-oidc-client.

In the Keycloak adapter, the Bearer token is checked first to see whether it already contains a valid token (https://github.com/keycloak/keycloak/blob/main/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/RequestAuthenticator.java#L62).
If there is a valid token, the user is authenticated and is not redirected to the Authorization Server.

In the elytron-oidc-client the implementation is different: in fact, as far as I can see, the Bearer token is not checked at all?

Are there any plans to include the check of the Bearer token before starting with the Authorization Code Flow?

Is this part of https://issues.redhat.com/browse/WFLY-15485 or a different issue?

Background: We are developing an application that is used in the browser but also by an RCP client. Currently the RCP client handles the communication with the Authorization Server by itself and then sets the Bearer token in the Authorization header. This works fine with the Keycloak adapter but fails with the elytron-oidc-client.

On the other hand, I could get the RCP client to work with the <token-realm>, but then we lose the redirect in the browser.
I also could not find any possibility to combine the two mechanisms, as the elytron-oidc-client is a separate subsystem and not a realm. If it were, perhaps a <distributedRealm> could combine the two mechanisms.

Any other ideas what I might have missed?

Best regards
Daniel

Farah Juma

May 24, 2022, 1:41:28 PM
to WildFly
Support for bearer tokens will be added as part of WFLY-15485. Please keep an eye on that issue for updates.

Farah Juma

Sep 1, 2022, 10:58:29 AM
to WildFly
Just FYI, WildFly 26.1.2 has support for bearer tokens with the Elytron OIDC Client subsystem. More details can be found here:
