Extend Wildfly Login with FORM and OIDC for the same .war

[utka]

I have to extend the Login: Users Company1 should use the old Login with FORM (jdbc realm), users Company2 insist on Login with OIDC.

App structure:

myApp.ear

- myOffice.war (FORM, OIDC)

- myAdmin.war (BASIC, same jdbc realm as FORM)

- myPublic.war (no login, public data display)

- ejb.jar

- some more jar-files

I can not double myOffice.war due to some lock mechanism to prevent two users working on the same data.

At the moment Wildfly33, but willing to migrate to a higher version if necessary.

Is there any way to use parallel the login methods FORM and OIDC for myOffice.war?

myAdmin.war and myPublic.war should not be affected.

ejb.jar should continue to know the principal (not anonymous).

(No experience with CLI, I am used to edit standalone.xml.)

[Diana Krepinska]

Hi, the elytron-oidc-client uses virtual security domains to ease configuration in most cases. It has a disadvantage of having to do a more involved configuration in cases where it needs to make use of other elytron subsystem resources, like other security realms, to secure the same application. 

This is undocumented right now, but part of the steps are described in this comment https://issues.redhat.com/browse/WFLY-18829?focusedId=24583623&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-24583623 . 

To use OIDC and FORM, you should setup OIDC security realm like described in the comment above, and another security realm that stores users credentials which should be used with FORM mechanism. Create a security domain that references security realms, and configure HTTP authentication factory to use the OIDC security realm with the  OIDC mechanism, and the other security realm with the FORM mechanism. 

I will be working on an example and the guide for similar configurations.