OIDC Client in Wildfly 25: Realm roles vs Resource roles mappings


Zeta

Mar 9, 2022, 10:47:08 AM
to WildFly
By default, the OIDC client configuration (OidcClientConfiguration class) sets useRealmRoleMappings to true. If use-resource-role-mappings is set to true through the oidc.json file, then both attributes are set to true.
With this configuration, client roles are ignored, because the code in the OidcSecurityRealm class does not join the roles from both sources (realm and client), as you can see in the getRolesFromSecurityContext() method:

OidcSecurityRealm.png
The roles Set initialized in the isUseResourceRoleMappings block is overwritten by the isUseRealmRoleMappings block. Therefore, it is required to disable useRealmRoleMappings to be able to get the role mappings from the client.

Is this the expected behavior?
Should this method return all roles, from realm and from client mappings?

Thanks in advance
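To make the overwrite concrete, here is a small Python model of the two role-extraction strategies (an added example, not WildFly's or Elytron's code). It assumes the Keycloak-style realm_access / resource_access claim layout and a constructed access token, and contrasts the overwrite described above with the union the post expects.

```python
import json

# Constructed access-token claims (signature already verified upstream).
# The realm_access / resource_access layout is assumed, not taken from WildFly.
ACCESS_TOKEN_CLAIMS = json.loads("""
{
  "iss": "https://idp.example.test/realms/demo",
  "sub": "user-1234",
  "azp": "my-app",
  "realm_access": {"roles": ["user", "offline_access"]},
  "resource_access": {
    "my-app":    {"roles": ["admin", "auditor"]},
    "other-app": {"roles": ["viewer"]}
  }
}
""")

def realm_roles(claims):
    """Roles granted realm-wide (realm_access.roles)."""
    return set(claims.get("realm_access", {}).get("roles", []))

def resource_roles(claims, client_id):
    """Roles granted for one client (resource_access.<client>.roles)."""
    return set(claims.get("resource_access", {}).get(client_id, {}).get("roles", []))

def roles_overwrite(claims, client_id, use_resource=True, use_realm=True):
    """Precedence the thread describes: the realm block reassigns the set,
    silently discarding whatever the resource block collected."""
    roles = set()
    if use_resource:
        roles = resource_roles(claims, client_id)
    if use_realm:
        roles = realm_roles(claims)  # overwrite, not union
    return roles

def roles_union(claims, client_id, use_resource=True, use_realm=True):
    """Behaviour the poster expects: roles from both sources joined."""
    roles = set()
    if use_resource:
        roles |= resource_roles(claims, client_id)
    if use_realm:
        roles |= realm_roles(claims)
    return roles

def silently_dropped(claims, client_id):
    """Roles the default configuration (both flags true) loses; a useful
    startup check before relying on client roles for authorization."""
    return roles_union(claims, client_id) - roles_overwrite(claims, client_id)
```

With both flags true (the default once use-resource-role-mappings is enabled), the client roles admin and auditor never reach the authorization decision, which is exactly the ELY-style authorization failure a user with only client roles would hit.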


Farah Juma

Mar 9, 2022, 11:21:15 AM
to WildFly
This is a known issue that will be fixed in the next release. More details are available here:

Ralph Soika

Jun 12, 2023, 1:37:08 PM
to WildFly
I still did not figure out how to configure the latest Jakarta EE 10 / WildFly 27 release using only the @OpenIdAuthenticationMechanismDefinition annotation:

@OpenIdAuthenticationMechanismDefinition(
    clientId = "${oidcConfig.clientId}",
    clientSecret = "${oidcConfig.clientSecret}",
    redirectURI = "${baseURL}/callback",
    providerURI = "${oidcConfig.issuerUri}",
    scope = { "email", "openid", "profile" },
    jwksConnectTimeout = 5000,
    jwksReadTimeout = 5000,
    redirectToOriginalResource = true,
    extraParameters = { "audience=https://xxxxxxxxxxxx.eu.auth0.com/api/v2/" },
    claimsDefinition = @ClaimsDefinition(callerGroupsClaim = "http://www.imixs.org/roles")
)


I am using auth0.com, which I have configured with roles. The login process is fine, but I get no roles mapped and so I always get an ELY01177: Authorization failed exception.

When I examine context.getClaimsJson() I can see that my roles are received correctly:

{"sub":"auth0|647b4f18xxx9305539","nickname":"ralph.soika",......,"http://www.imixs.org/roles":["org.imixs.ACCESSLEVEL.MANAGERACCESS"]}

So it looks like my claimsDefinition is wrong? In my WildFly 27 standalone.xml I have not added any additional configuration. Is it necessary to configure OIDC in standalone.xml too?

Can someone post a link to an OIDC example/tutorial for WildFly 27? The blog post from auth0.com is a little bit outdated regarding the WildFly configuration.

Thanks for any tips

===
Ralph

Zeta

Jun 13, 2023, 1:53:19 AM
to WildFly
Hi Ralph!!!

If you are deploying to WildFly, first you have to disable JASPIC (Java Authentication Service Provider Interface for Containers), as stated in the following link:


Then, let's give your application a try.
Bear in mind the mapping of roles from the access token and the claims definition of @OpenIdAuthenticationMechanismDefinition, which seems to be correct.

Good luck!