Hi all!
I've migrated a simple application from WildFly 23 to 25. I used the Keycloak adapter to validate the calling bearer token, and now I've switched to the new Elytron module that supports OIDC.
The application works, but now I want to make the configuration more flexible. I use this CLI script to configure Elytron (inspired by https://github.com/wildfly/quickstart/tree/main/jaxrs-jwt):
batch
# Add a new token security realm to elytron for authentication using JWTs
/subsystem=elytron/token-realm=jwt-realm:add(jwt={issuer=[${env.OIDC_ISSUER}],principal-claim="sub",key-map={${env.OIDC_KID}=${env.OIDC_PUBLIC_KEY}}})
# Add a new security domain, which uses the jwt security realm
/subsystem=elytron/security-domain=jwt-domain:add(realms=[{realm=jwt-realm,role-decoder=groups-to-roles}],permission-mapper=default-permission-mapper,default-realm=jwt-realm)
# Create http authentication factory that uses BEARER_TOKEN authentication
/subsystem=elytron/http-authentication-factory=jwt-http-authentication:add(security-domain=jwt-domain,http-server-mechanism-factory=global,mechanism-configurations=[{mechanism-name="BEARER_TOKEN",mechanism-realm-configurations=[{realm-name="jwt-realm"}]}])
# Configure Undertow to use our http authentication factory for authentication
/subsystem=undertow/application-security-domain=other:remove()
/subsystem=undertow/application-security-domain=other:add(http-authentication-factory=jwt-http-authentication)
/subsystem=ejb3/application-security-domain=other:write-attribute(name=security-domain,value=jwt-domain)
run-batch
And now the problem: I can't set the KID parameter as an expression. Debugging with Eclipse, I see (in /org.wildfly.core.wildfly-controller/src/main/java/org/jboss/as/controller/AbstractAddStepHandler.java):

In the KEY-MAP there is no "expression" before "${env.OIDC_KID:}", and I do not understand why.
Following the debugging, I see the expression resolved, but not the KID:

Do you have any suggestions?
Regards,
Domenico