How to use Bearer Tokens in Wildfly for programmatic login?


Ralph Soika

Mar 21, 2025, 12:17:14 PM
to WildFly
I am trying to set up a Web application running on Wildfly 29.0.1 and using Keycloak for authentication.

I am trying to understand how to set up Wildfly and my application in the correct way. I think there are a lot of changes from Wildfly 20 to 29 regarding supported authentication mechanisms. The support of OAuth2 Bearer Tokens seems to be the latest feature when securing an application with OAuth2 via Keycloak.

What I have done is the following

I defined a token-realm in the standalone.xml of my Wildfly application server:

```
....
<token-realm name="MyRealm" principal-claim="sub">
    <oauth2-introspection client-id="my-client-id"
                          client-secret="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
                          introspection-url="https://my-keycloak.server/realms/my-keycloak-realm/protocol/openid-connect/token/introspect"
                          client-ssl-context="user-defined-ssl-context"
                          host-name-verification-policy="ANY" />
</token-realm>
....
```


In my Web Application I use the jboss-web.xml deployment descriptor to point to this realm:

```
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
  <security-domain>my-realm</security-domain>
</jboss-web>
```

In addition I added a security bean to my application code with the annotation @OpenIdAuthenticationMechanismDefinition(....)

So I am able - as a user - to authenticate through my keycloak server into my app. This is great.

The big question to me is the following: How can I do a programmatic login in such a setup? For example I have backend services that need to connect to my application's REST API. And I guess this should also be possible using just a curl command.

So first I request a bearer token:

```
curl -X POST \
  -d "grant_type=password" \
  -d "client_id=my-clientid" \
  -d "client_secret=xxxxxxxxxx" \
  -d "username=anna" \
  -d "password=anna" \
  "https://my-keycloak.server/realms/my-keycloak-realm/protocol/openid-connect/token"
```

With this request I get a valid JSON Web Token. I can validate it and all looks good.

Now my expectation is that I can use the 'access_token' part of my JWT to request a URL from my REST API with a Bearer Authentication header like this:

```
curl -v -X GET \
  -H "Authorization: Bearer myacces-token-yyyyyyyyyyyyyyy" \
  "https://my-app/api/documents/123"
```

But this request results in a 302 redirect - back to the login page.

Why does this result in a 302 redirect?

Or do I need a login-config for 'BEARER_TOKEN' in addition (this is what I have not done so far)?

```
<login-config>
<auth-method>BEARER_TOKEN</auth-method>
<realm-name>${imixs-office.realm}</realm-name>
</login-config>
```


Can someone help me with this issue? I just can't find a recent tutorial that shows this scenario: user registration via the Keycloak Web login form and programmatic login from the backend.

Ralph Soika

Mar 22, 2025, 11:24:32 AM
to WildFly
OK, I can now answer my own question:

You don't need any special configuration in Wildfly. Wildfly 29.0.1 works out of the box.
The only things you need to do are:

1.) create a file 'oidc.json' in your /WEB-INF/ folder

```
{
  "client-id" : "imixs",
  "bearer-only" : "false",
  "credentials" : {
    "secret" : "xxxxxxxxx"
  }
}
```

2.) change the login-config in your web.xml to 'OIDC'

```
<login-config>
  <auth-method>OIDC</auth-method>
</login-config>
```


That's it!
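The programmatic login the thread is about, scripted end to end as an added example (not code from the thread or from Wildfly/Keycloak): it sends the same password grant as the question's curl, calls the API with a Bearer header without following redirects, and reports whether the server accepted the token, rejected it with 401, or redirected to the login page, which is the 302 symptom from the question. The URLs and credentials are placeholders copied from the question.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Placeholder endpoints copied from the question, not real servers.
TOKEN_URL = "https://my-keycloak.server/realms/my-keycloak-realm/protocol/openid-connect/token"
API_URL = "https://my-app/api/documents/123"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Hand 3xx back instead of following it, so the login redirect shows up as 302.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def _send(req):
    # Returns (status, body); 3xx/4xx/5xx responses are returned, not raised.
    try:
        with urllib.request.build_opener(_NoRedirect).open(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def token_request_body(client_id, client_secret, username, password):
    # Form body for the password grant, the same fields the question's curl sends.
    return urllib.parse.urlencode({"grant_type": "password", "client_id": client_id,
                                   "client_secret": client_secret,
                                   "username": username, "password": password}).encode()


def access_token_from(body):
    # Keycloak's token response is JSON; the bearer token is "access_token".
    data = json.loads(body)
    if "access_token" not in data:
        raise ValueError("token endpoint returned no access_token: %r" % data)
    return data["access_token"]


def classify(status):
    # What the API's status code means for bearer authentication.
    if status == 302:     # token not handled as bearer: the question's symptom
        return "redirect-to-login"
    if status == 401:     # bearer mechanism active, but the token was not accepted
        return "bearer-rejected"
    return "bearer-accepted" if 200 <= status < 300 else "other:%d" % status


def programmatic_login(client_id, client_secret, username, password):
    body = token_request_body(client_id, client_secret, username, password)
    _, resp = _send(urllib.request.Request(TOKEN_URL, data=body, method="POST"))
    token = access_token_from(resp)
    api = urllib.request.Request(API_URL, headers={"Authorization": "Bearer " + token})
    return classify(_send(api)[0])
```

Run `programmatic_login("my-clientid", "<secret>", "anna", "anna")` against your own servers; before the oidc.json change it returns "redirect-to-login", afterwards "bearer-accepted".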



Bartosz Baranowski

Mar 31, 2025, 5:02:39 AM
to WildFly
Well. Thank you for the follow-up. This will certainly make it easier for people to follow up/search.