Hello all,
We (a university in the Czech Republic) are using WildFly 39 Preview with the Elytron OIDC client subsystem for our web app authentication. We have a clustered environment with 3 nodes and Infinispan session replication.
However, we have problems preserving authentication when a session is transferred from the primary node to another node after a shutdown/restart. The problem was reproduced in versions 37, 38 and 39 with the same result.
Is this a bug or a misconfiguration?
Thanks and best regards
Zdeněk Machač
In the log:
java.lang.NullPointerException: Cannot invoke "org.wildfly.security.http.oidc.OidcClientConfiguration.getProviderUrl()" because the return value of "org.wildfly.security.http.oidc.RefreshableOidcSecurityContext.getOidcClientConfiguration()" is null
at org.wildfly.securit...@2.8.2.Final//org.wildfly.security.http.oidc.Oidc.checkCachedAccountMatchesRequest(Oidc.java:455)
at org.wildfly.securit...@2.8.2.Final//org.wildfly.security.http.oidc.OidcSessionTokenStore.isCached(OidcSessionTokenStore.java:92)
at org.wildfly.securit...@2.8.2.Final//org.wildfly.security.http.oidc.RequestAuthenticator.doAuthenticate(RequestAuthenticator.java:158)
at org.wildfly.securit...@2.8.2.Final//org.wildfly.security.http.oidc.RequestAuthenticator.authenticate(RequestAuthenticator.java:56)
at org.wildfly.securit...@2.8.2.Final//org.wildfly.security.http.oidc.OidcAuthenticationMechanism.evaluateRequest(OidcAuthenticationMechanism.java:84)
at org.wildfly.secu...@2.8.2.Final//org.wildfly.security.auth.server.SecurityIdentityServerMechanismFactory$1.evaluateRequest(SecurityIdentityServerMechanismFactory.java:86)
at org.wildfly.secu...@2.8.2.Final//org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.authenticate(HttpAuthenticator.java:331)
at org.wildfly.secu...@2.8.2.Final//org.wildfly.security.http.HttpAuthenticator.authenticate(HttpAuthenticator.java:93)
at org.wildfly.security.ely...@4.1.2.Final//org.wildfly.elytron.web.undertow.server.SecurityContextImpl.authenticate(SecurityContextImpl.java:107)
at org.wildfly.security.elytron...@4.1.2.Final//org.wildfly.elytron.web.undertow.server.servlet.ServletSecurityContextImpl.authenticate(ServletSecurityContextImpl.java:117)
at io.undert...@2.0.0.Alpha2//io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
at io.under...@2.4.0.Alpha1//io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
at io.under...@2.4.0.Alpha1//io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at io.undert...@2.0.0.Alpha2//io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at io.undert...@2.0.0.Alpha2//io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:60)
at io.under...@2.4.0.Alpha1//io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at org.wildfly.security.elytron...@4.1.2.Final//org.wildfly.elytron.web.undertow.server.servlet.CleanUpHandler.handleRequest(CleanUpHandler.java:38)
at io.under...@2.4.0.Alpha1//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.ext...@39.0.1.Final//org.wildfly.extension.undertow.deployment.ControlPointDeploymentInfoConfigurator$ControlPointRequestAttributeHandler.handleRequest(ControlPointDeploymentInfoConfigurator.java:175)
at org.wildfly.ext...@39.0.1.Final//org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:44)
at io.under...@2.4.0.Alpha1//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undert...@2.0.0.Alpha2//io.undertow.servlet.handlers.SendErrorPageHandler.handleRequest(SendErrorPageHandler.java:52)
at io.under...@2.4.0.Alpha1//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undert...@2.0.0.Alpha2//io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:271)
at io.undert...@2.0.0.Alpha2//io.undertow.servlet.handlers.ServletInitialHandler$1.call(ServletInitialHandler.java:130)
at io.undert...@2.0.0.Alpha2//io.undertow.servlet.handlers.ServletInitialHandler$1.call(ServletInitialHandler.java:127)
at io.undert...@2.0.0.Alpha2//io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
at io.undert...@2.0.0.Alpha2//io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
at org.wildfly.ext...@39.0.1.Final//org.wildfly.extension.undertow.deployment.ControlPointDeploymentInfoConfigurator$1.call(ControlPointDeploymentInfoConfigurator.java:100)
at org.wildfly.ext...@39.0.1.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1431)
at org.wildfly.ext...@39.0.1.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1431)
at org.wildfly.ext...@39.0.1.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1431)
at org.wildfly.ext...@39.0.1.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1431)
at io.undert...@2.0.0.Alpha2//io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:251)
at io.undert...@2.0.0.Alpha2//io.undertow.servlet.handlers.ServletInitialHandler.lambda$new$1(ServletInitialHandler.java:99)
at io.under...@2.4.0.Alpha1//io.undertow.server.Connectors.executeRootHandler(Connectors.java:418)
at io.under...@2.4.0.Alpha1//io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:901)
at org.jbos...@3.9.2//org.jboss.threads.ContextHandler$1.runWith(ContextHandler.java:18)
at org.jbos...@3.9.2//org.jboss.threads.EnhancedQueueExecutor$Task.doRunWith(EnhancedQueueExecutor.java:2651)
at org.jbos...@3.9.2//org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2630)
at org.jbos...@3.9.2//org.jboss.threads.EnhancedQueueExecutor.runThreadBody(EnhancedQueueExecutor.java:1622)
at org.jbos...@3.9.2//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1589)
at org.jbo...@3.8.16.Final//org.xnio.XnioWorker$WorkerThreadFactory$1$1.run(XnioWorker.java:1282)
at java.base/java.lang.Thread.run(Thread.java:1474)
Our configuration:
oidc.json
{
"client-id": "${inet.oidc.jp.client-id}",
"provider-url": "${inet.oidc.jp.provider-url}",
"credentials": {
"secret": "${inet.oidc.jp.secret}"
},
"public-client": false,
"ssl-required": "external",
"redirect-rewrite-rules": {
".*": "/auth/oidc-login"
}
}
standalone.xml
...
<!-- Empty elytron-oidc-client subsystem: no secure-deployment is declared here, so the
     OIDC client settings presumably come from the deployment's own oidc.json shown above
     (NOTE(review): confirm the file is packaged where the subsystem looks for it and that
     the deployment actually selects the OIDC auth mechanism). -->
<subsystem xmlns="urn:wildfly:elytron-oidc-client:preview:3.0"/>
...
<!-- Infinispan cache container backing HTTP sessions, single sign-on and routing
     for the distributable-web subsystem (the "web" container is referenced there). -->
<subsystem xmlns="urn:jboss:domain:infinispan:15.0">
<!-- marshaller="PROTOSTREAM": every replicated session attribute must be representable by
     the ProtoStream marshaller. NOTE(review): the stack trace above shows
     RefreshableOidcSecurityContext.getOidcClientConfiguration() returning null inside
     OidcSessionTokenStore.isCached on the node that received the failed-over request,
     which looks like the cached OIDC security context being restored on another node
     without its client configuration. That points at how the OIDC context survives
     (de)serialisation rather than at this container; confirm against the Elytron
     OIDC code/issue tracker before changing the marshaller. -->
<cache-container name="web" default-cache="dist" modules="org.wildfly.clustering.session.infinispan.embedded" marshaller="PROTOSTREAM">
<!-- Cluster transport; lock-timeout is in milliseconds (60 s). -->
<transport lock-timeout="60000"/>
<!-- Full copy of single sign-on entries on every node (used by
     infinispan-single-sign-on-management below). -->
<replicated-cache name="sso">
<locking isolation="REPEATABLE_READ"/>
<transaction mode="BATCH"/>
<!-- interval="0" turns off the periodic expiration reaper for this cache;
     presumably expiry is driven by the session/SSO manager instead. -->
<expiration interval="0"/>
</replicated-cache>
<!-- Session-to-node routing information (used by infinispan-routing below). -->
<replicated-cache name="routing">
<expiration interval="0"/>
</replicated-cache>
<!-- Distributed session cache; "owners" is not set here, so the Infinispan default
     number of copies applies. -->
<distributed-cache name="dist">
<locking isolation="REPEATABLE_READ"/>
<transaction mode="BATCH"/>
<expiration interval="0"/>
<!-- passivation="true": entries are written to disk only when evicted from memory.
     purge="true": the on-disk store is discarded when the cache starts, so a restarted
     node does not bring back any session state of its own and depends entirely on the
     surviving members holding a copy. NOTE(review): with the shutdown/restart scenario
     described above, verify that the remaining nodes still hold every session
     (owner count vs. nodes taken down at once) before attributing lost
     authentication to the OIDC layer alone. -->
<file-store passivation="true" purge="true"/>
</distributed-cache>
</cache-container>
</subsystem>
...
<!-- Maps distributable web sessions, SSO state and request routing onto the
     "web" Infinispan cache container configured above. -->
<subsystem xmlns="urn:jboss:domain:distributable-web:community:5.0">
<session-management default="default">
<!-- granularity="ATTRIBUTE": each session attribute is marshalled and replicated
     separately rather than the session as one unit. NOTE(review): the OIDC security
     context cached in the session is therefore transported as its own attribute;
     whether its client-configuration reference survives that trip is what the NPE in
     the trace above calls into question (assumption, to be confirmed). -->
<infinispan-session-management name="default" cache-container="web" granularity="ATTRIBUTE">
<!-- Requests are routed to the node that is the primary owner of the session; once
     that node is shut down, the request lands on another owner, which is the failover
     path in which the logged NullPointerException occurs. -->
<primary-owner-affinity/>
</infinispan-session-management>
</session-management>
<single-sign-on-management default="default">
<!-- SSO entries live in the replicated "sso" cache defined in the infinispan subsystem. -->
<infinispan-single-sign-on-management name="default" cache-container="web" cache="sso"/>
</single-sign-on-management>
<!-- Routing information lives in the replicated "routing" cache. -->
<infinispan-routing cache-container="web" cache="routing"/>
</subsystem>
...