OIDC and JWT token


Naresh Shrestha

Nov 14, 2025, 12:55:22 AM
to WildFly
I have mapped my WildFly server with OIDC, which works smooth as butter with the servlets. I am curious whether I will be able to use the APIs with your JWT, as the token has been issued from the same issuer and can be validated using a public key.

Diana Krepinska

Nov 19, 2025, 8:42:00 AM
to WildFly
I did not fully understand what you are looking for, but maybe look into the bearer support for the elytron OIDC client subsystem: https://wildfly-security.github.io/wildfly-elytron/blog/bearer-token-support-for-the-elytron-oidc-client-subsystem/ . Note that the bearer support is used with access tokens instead of JWT.

Naresh Shrestha

Nov 19, 2025, 7:26:46 PM
to WildFly
Thank you for your reply, Diana. I'm using an IDaaS provider to manage my users, and the OIDC integration with WildFly is working smoothly for the web application. My next goal is to protect the APIs by validating the access tokens generated by this same IDaaS provider.
For example:
"http://localhost:8080/todo-wf26/site/todos" accessed from the browser works well with the OIDC redirect from the IDaaS.

I want "http://localhost:8080/todo-wf26/api/todos" accessed with a third-party client (say Postman for now) to work with the access token (JWT) provided by the IDaaS.

Is this doable?

Right now, when I am accessing the APIs from Postman, WildFly is throwing "error: Failed verification of token: Invalid bearer token".

What I found so far:
My web app login works because WildFly is using the OIDC code flow + session cookie (JSESSIONID).
My API calls fail with 401 because WildFly is not yet configured to trust the bearer token you're sending, even if it comes from the same IDaaS client and uses the same clientId/clientSecret.

Diana Krepinska

Nov 26, 2025, 8:36:19 AM
to WildFly
It sounds like you need to configure the bearer-only option for your API deployment. You can check the blog post I linked and this associated example: https://github.com/wildfly-security-incubator/elytron-examples/tree/main/oidc-with-bearer .
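As an added illustration of the bearer-only split described in this reply (example configuration written for this thread, not taken from the linked blog post or example repository): the elytron-oidc-client subsystem is configured per deployment, so the browser-facing web app keeps the authorization code flow with a session cookie, while a separate API deployment is marked bearer-only so that WildFly validates the Authorization: Bearer header instead of redirecting to the provider. The provider URL, client secret and the two .war names are placeholders; this assumes the /site and /api paths are packaged as two deployments, and both war files still need <auth-method>OIDC</auth-method> in their web.xml.

```xml
<!-- standalone.xml fragment: one provider, two secure-deployments (constructed example) -->
<subsystem xmlns="urn:wildfly:elytron-oidc-client:1.0">
    <!-- The IDaaS issuer; discovery metadata is read from
         <provider-url>/.well-known/openid-configuration, which is where the
         signing keys used to verify the token signature come from. -->
    <provider name="idaas">
        <provider-url>https://IDAAS_ISSUER_PLACEHOLDER</provider-url>
        <ssl-required>external</ssl-required>
    </provider>

    <!-- Browser-facing web app: authorization code flow, login redirect,
         user state kept in the JSESSIONID cookie. -->
    <secure-deployment name="todo-wf26-site.war">
        <provider>idaas</provider>
        <client-id>todo-wf26</client-id>
        <credential name="secret" secret="CLIENT_SECRET_PLACEHOLDER"/>
    </secure-deployment>

    <!-- API deployment: bearer-only, so a request without a valid
         "Authorization: Bearer <access token>" header gets 401 instead of a
         redirect, and no client secret is needed because no code exchange
         happens here. The token is accepted only if its signature verifies
         against the provider's keys and its issuer matches the provider. -->
    <secure-deployment name="todo-wf26-api.war">
        <provider>idaas</provider>
        <client-id>todo-wf26</client-id>
        <bearer-only>true</bearer-only>
    </secure-deployment>
</subsystem>
```

A quick check that the API side is wired correctly: a request to /api/todos with no header should now return 401 with a WWW-Authenticate: Bearer challenge rather than a 302 to the IDaaS login page.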

Naresh Shrestha

Nov 26, 2025, 7:54:11 PM
to WildFly
Thank you so much for your response, Diana. I found out we can use JSessionId for calling the API for the external client (I am using Flutter for this). I am moving forward with this.