WF26 + elytron-oidc-client + can't access EJB from WAR


Stig William Antonsen

May 2, 2022, 10:58:02 AM
to WildFly
Hi

We have installed WF26 and configured elytron-oidc-client with secure-deployment so we can authenticate against our Keycloak server.

We used the secure-deployment to add our WARs, just like the sample below:
<subsystem xmlns="urn:wildfly:elytron-oidc-client:1.0">
    <realm name="MyRealm">
        <auth-server-url>https://my.auth.keyk.../</auth-server-url>
        <ssl-required>NONE</ssl-required>
        <enable-cors>true</enable-cors>
        <principal-attribute>preferred_username</principal-attribute>
    </realm>

    <secure-deployment name="my-application-info-web.war">
        <realm>MyRealm</realm>
        <resource>myResource</resource>
        <public-client>true</public-client>
    </secure-deployment>
</subsystem>


This seems to work fine, as we are able to access our secure web pages in the WAR, and the user is logged in and gets the correct roles set.

But when the WAR tries to connect to our EJBs that are deployed in another EAR, the logged-in user becomes "anonymous" and has none of the required roles, and therefore has no access when calling our EJBs.

I have added ApplicationDomain to the ejb3 subsystem:
<application-security-domains>
    <application-security-domain name="other" security-domain="ApplicationDomain"/>
</application-security-domains>

Does the login with elytron-oidc-client get another security domain?

Is there a way I can configure the security login from elytron-oidc-client so those users can reach our EJB layer?

Farah Juma

May 18, 2022, 5:55:37 PM
to WildFly
The elytron-oidc-client subsystem makes use of a virtual security domain. Currently, this virtual security domain can't be referenced from other deployments.

However, the identity would get propagated to EJBs within the same deployment.
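
The "same deployment" case Farah describes, as an added example that is not part of the thread and is not WildFly or Keycloak project code: a WAR that bundles both a servlet and a stateless EJB, so the principal and roles established by elytron-oidc-client for the web request are the ones the container checks against the bean's @RolesAllowed. The package name, the class names WhoAmIBean and WhoAmIServlet, and the role names "user" and "admin" are assumptions; the roles must match what Keycloak puts in the token for the realm and client in the posted configuration. WildFly 26 is Jakarta EE 8, hence the javax.* imports; WildFly 27 and later use jakarta.* instead.

```java
// Added example, not from the thread. Two source files shown in one listing;
// both are packaged into WEB-INF/classes of the WAR named in the
// secure-deployment element (my-application-info-web.war in the posted config).
// Package and class names are hypothetical.

// --- File: com/example/oidc/WhoAmIBean.java ---
package com.example.oidc;

import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

/**
 * Stateless bean that reports the caller identity the EJB container sees.
 * Because it lives in the same deployment as the servlet below, the OIDC
 * identity is propagated to it; a caller without the "user" role gets a
 * javax.ejb.EJBAccessException before whoAmI() runs, which is the symptom
 * the thread describes for a bean deployed in a separate EAR.
 */
@Stateless
public class WhoAmIBean {

    @Resource
    private SessionContext ctx;

    @RolesAllowed("user")          // role name is an assumption
    public String whoAmI() {
        // getCallerPrincipal() never returns null inside a business method;
        // for an unauthenticated caller WildFly reports the anonymous principal.
        return ctx.getCallerPrincipal().getName()
                + " (admin=" + ctx.isCallerInRole("admin") + ")";
    }
}

// --- File: com/example/oidc/WhoAmIServlet.java ---
package com.example.oidc;

import java.io.IOException;
import java.io.PrintWriter;
import javax.ejb.EJB;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Protected servlet: the OIDC login is triggered by the security constraint,
 * after which the same identity is used for the local EJB call. If the two
 * principals printed here differ, propagation is not happening.
 */
@WebServlet("/whoami")
@ServletSecurity(@HttpConstraint(rolesAllowed = "user"))
public class WhoAmIServlet extends HttpServlet {

    @EJB
    private WhoAmIBean bean;   // local, same-deployment injection

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        // Principal name comes from the principal-attribute configured in
        // the realm (preferred_username in the posted config).
        out.println("web principal: " + req.getUserPrincipal().getName());
        out.println("ejb caller:    " + bean.whoAmI());
    }
}
```

Two checks worth doing with this in place: first, that the two printed principals match for a logged-in Keycloak user (if the EJB line shows the anonymous principal or throws EJBAccessException while the web line shows the username, you are hitting the cross-deployment limitation rather than a role-mapping problem); second, that the realm configuration is not left at `ssl-required` NONE outside a test environment, since that setting lets the adapter accept OIDC redirects and token exchange over plain HTTP. The ejb3 `application-security-domain` mapping from the original post is unaffected by this example and can stay as it is.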

Stig William Antonsen

Aug 31, 2022, 10:25:30 AM
to WildFly
Will it be possible to access an EJB from a WAR when they are in two different deployments with the elytron-oidc-client subsystem?
We have a large system that is installed on WildFly 24, and we are currently stuck with this version because the Keycloak client has been deprecated and it is claimed that users can now use the elytron-oidc-client subsystem instead.

Is there a way we can connect WildFly 26/27 to a Keycloak server for security that makes it possible for logged-in users to access the whole system even if it is deployed in several EAR files?

Farah Juma

Aug 31, 2022, 4:46:10 PM
to WildFly
Would you be able to create a feature request for this in the WFLY JIRA project?

This might be something that we can look at when we work on WFLY-16793 (identity propagation from a WAR to an EJB contained in a JAR in an EAR).

Thanks.

Stig William Antonsen

Sep 1, 2022, 1:19:34 AM
to Farah Juma, WildFly
Hi Farah,

Thank you for your quick reply.

I think WFLY-16793 is a good description for our problem. When do you think this bug will be fixed?

Best regards

Stig William Antonsen (Mob +47 90125413)


Farah Juma

Sep 2, 2022, 9:55:40 AM
to WildFly
Thanks for adding the details to WFLY-16793!

Please keep an eye on that issue for updates on when this will be fixed. Thanks.
