Wildfly OIDC role mapping


ion

Apr 9, 2025, 11:00:13 AM
to WildFly
I'm trying to use OIDC/OAuth to authenticate the user against Microsoft Azure and have the roles claim from the ID token assigned to the authenticated user.
I managed to get the authentication portion working: the user is redirected to Azure and, after logging in, is authenticated, but I can't figure out how to map the roles.

In the logs I see:
02:04:13,301 DEBUG [io.undertow.request.security] (default task-1) Authenticated as user1, roles []

I used the elytron-oidc-client; here is my configuration.

standalone.xml snippet:
<subsystem xmlns="urn:wildfly:elytron-oidc-client:2.0">
    <secure-deployment name="simple-webapp-rest.war">
        <provider-url>https://login.microsoftonline.com/tennant-id/v2.0</provider-url>
        <ssl-required>NONE</ssl-required>
        <use-resource-role-mappings>true</use-resource-role-mappings>
        <principal-attribute>sub</principal-attribute>
        <client-id>client-id</client-id>
        <credential name="secret" secret="secret"/>
    </secure-deployment>
</subsystem>



JWT snippet:
{
  "iat": 1744145825,
  "nbf": 1744145825,
  "exp": 1744149725,
...
  "roles": [
    "3d45e2c8-4693-4b9f-8669-e9b0deafc1b2",
    "f8700e8f-0179-49c9-b651-6a498840ca32",
    "7f68cea5-fefc-46bf-a32b-61bf6ab5eb44"
  ],
...
  "ver": "2.0"
}

I would like the roles to be assigned to the user.
Furthermore, the ID token gives the IDs of the roles; I would also like to be able to map each ID to the actual role name.

From various posts it seems that this is possible, but I have not seen an example.

Can you please help me figure out how to configure this?
Any help would be appreciated.
Thanks,
Ion
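As an added example (not code from the thread or from WildFly), here is the mapping step Ion is asking about, checked against a decoded ID token: the payload's `roles` claim carries Azure app-role IDs, and a lookup table turns them into names. The token and the ID-to-name table are constructed for the example; the container's OIDC client is what verifies the token's signature, this only inspects the payload for troubleshooting.

```python
import base64
import json

# Constructed sample: an unsigned (alg "none") token carrying the claims shown
# in the thread. Only the payload is inspected here; signature verification
# stays with the container's OIDC client and is not done by this code.
_HEADER = {"alg": "none", "typ": "JWT"}
_PAYLOAD = {
    "iat": 1744145825,
    "nbf": 1744145825,
    "exp": 1744149725,
    "sub": "user1",
    "roles": [
        "3d45e2c8-4693-4b9f-8669-e9b0deafc1b2",
        "f8700e8f-0179-49c9-b651-6a498840ca32",
        "7f68cea5-fefc-46bf-a32b-61bf6ab5eb44",
    ],
    "ver": "2.0",
}


def _b64url(data: bytes) -> str:
    # base64url without padding, as JWT segments are encoded
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


SAMPLE_ID_TOKEN = ".".join(
    [_b64url(json.dumps(_HEADER).encode()), _b64url(json.dumps(_PAYLOAD).encode()), ""]
)

# Hypothetical app-role ID -> name table; in Azure these names come from the
# application's registered app roles, so the real table is app-specific.
ROLE_NAMES = {
    "3d45e2c8-4693-4b9f-8669-e9b0deafc1b2": "admin",
    "f8700e8f-0179-49c9-b651-6a498840ca32": "editor",
}


def decode_payload(token: str) -> dict:
    """Return the JSON payload of a compact JWT without verifying it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS/JWT")
    seg = parts[1]
    seg += "=" * (-len(seg) % 4)  # restore the base64 padding JWTs strip
    return json.loads(base64.urlsafe_b64decode(seg))


def roles_from_id_token(token: str, id_to_name: dict, claim: str = "roles") -> list:
    """Map role IDs found in `claim` to names; unknown IDs are kept verbatim so they stay visible."""
    ids = decode_payload(token).get(claim, [])
    if isinstance(ids, str):  # some IdPs emit a single string instead of an array
        ids = [ids]
    return [id_to_name.get(rid, rid) for rid in ids]
```

Passing `claim="groups"` shows the empty result Dj Apal describes later in the thread when the configured claim is not the one the ID token actually carries.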

Gabriel Padilha

Jul 16, 2025, 9:35:07 PM
to WildFly
Hey,


Regarding the ID of the roles, I think you should map the name of the roles in Azure to send the Name and not the ID. It seems you should be doing that by using the scope based on https://stackoverflow.com/a/79513978

<subsystem xmlns="urn:wildfly:elytron-oidc-client:2.0">
    <secure-deployment name="simple-webapp-rest.war">
        <provider-url>https://login.microsoftonline.com/tennant-id/v2.0</provider-url>
        <ssl-required>NONE</ssl-required>
        <use-resource-role-mappings>true</use-resource-role-mappings>
        <principal-attribute>sub</principal-attribute>
        <client-id>client-id</client-id>
        <credential name="secret" secret="secret"/>
        <!-- USING THE SCOPE -->
        <scope>api://client-id/User.Access</scope>
    </secure-deployment>
</subsystem>

For troubleshooting, you can use the following log categories:
/subsystem=logging/logger=org.wildfly.security:add(level=ALL)
/subsystem=logging/logger=org.wildfly.elytron:add(level=ALL)

Hope it helps!

Theo Chiu

Jul 25, 2025, 4:05:28 PM
to WildFly

Hi Gabriel,

Thank you for your post. I tried with WildFly 36; from the documentation, it states that the scope is a preview feature.

I started a WildFly 36 docker, e.g. $WF_HOME/bin/standalone.sh --stability=preview
but it still complains about the scope element:

|  361:       <scope>api://<application-id>/.default</scope>
|                   ^^^^ 'scope' isn't an allowed element here

  Would you know how I can enable this feature?

  Thanks

Theo

Brian Stansberry

Jul 25, 2025, 4:11:05 PM
to WildFly
Hi Gabriel,

Try using this for the root element for the subsystem:

<subsystem xmlns="urn:wildfly:elytron-oidc-client:preview:3.0">

The xmlns drives what parser is used. I expect you're hitting a parsing failure, which then triggers the generic logic that compares the config against the declared schema and reports an illegal element for that schema.

Best regards,
Brian

Gabriel Padilha

Jul 25, 2025, 7:14:30 PM
to WildFly
Hey Theo,

The capability of scopes is in the WildFly Preview distribution: https://www.wildfly.org/downloads/


/wildfly-preview-36.0.1.Final/docs/schema$ grep -i scopes wildfly-elytron-oidc-client_preview_3_0.xsd -A3 -B5
           <xs:element name="scope" type="xs:string" minOccurs="0" maxOccurs="1">
               <xs:annotation>
                   <xs:documentation>
                       <![CDATA[
                       A space separated list of scope values that should be used in the OIDC authentication request.
                       Scopes can be used to request that specific sets of information be made available as Claim Values.
                       ]]>
                   </xs:documentation>
               </xs:annotation>


Gabriel Padilha

Jul 25, 2025, 7:18:26 PM
to WildFly
Hey Theo,

Can you try to run with `--stability=experimental` as well?

Hantsy Bai

Jul 26, 2025, 9:58:39 PM
to WildFly
Why not use the standard OIDC client support in Jakarta EE 10? There is an example of using WildFly and a 3rd-party IDP created by me:

https://itnext.io/what-is-new-in-jakarta-security-3-98db53317e19

Theo Chiu

Jul 28, 2025, 10:05:53 AM
to WildFly
Thank you all for the responses.

Hi Brian, 

Thank you, this works.
I was able to deploy the application with your suggestion:
<subsystem xmlns="urn:wildfly:elytron-oidc-client:preview:3.0">

with
$WF_HOME/bin/standalone.sh --stability=preview

Theo

Dj Apal

Mar 2, 2026, 5:11:46 AM
to WildFly
Hello all.

I have a similar problem.

We have multiple apps, so we don't want to set the same roles for each and every app.
So we agreed to create security groups and add the users to the appropriate group.
So the problem now is the following:

The JWT token returns a list of groups (the "groups" property), while the ID token returns the same groups (as UUIDs) but under the property "roles".
I used a role-decoder on the groups property, but the result is always

Authenticated as XXXXXX, roles []

How can I retrieve at least the UUIDs of the groups as roles?
Is querying the Graph API the only solution?
I use oidc.json, not the OIDC client subsystem, with the .war file.

Thank you