Wildfly OIDC - Updating a claim in a JWT token without re-login


Mert Gunes

Jun 5, 2024, 10:25:11 AM
to WildFly

Hi everyone, my colleague asked the following on Stack Overflow earlier this week without getting any answers; maybe someone here could help out:

I'm running a (rather large) JEE application on Wildfly 26.1.1.Final. Recently this application has started to make use of Single Sign-On construction. In order to facilitate this we've configured Wildfly to connect to an OIDC-provider. This provider is a custom implementation (so no keycloak or anything) made by someone else in the company and I have no control over/access to.

On our (Wildfly) side we've made an

  • oidc.json config file
  • OidcConfigurationResolver.java
  • Our web.xml has a context-param to the aforementioned OidcConfigurationResolver
  • Our web.xml has OIDC in order to enable OIDC-based authentication

Now this setup works fine. When I fire up my WildFly server I get presented with the SSO login page, and after successful login I get redirected back to the home screen of my application. Afterwards, in the code I can access a RefreshableOidcSecurityContext (from the wildfly-elytron library) wherein I can see a refresh token, IDToken and AccessToken.

Inside the IDToken I can see a bunch of JWT-claims. Besides the standard OIDC claims (like issued-at, expires-at, etc), we've added a bunch of custom claims of our own. One of these claims is the current "region" a user is working for within our application. A user can work for multiple "regions" and during an active session the user should be able to switch between the "regions" he/she is authorized to.

What we like to accomplish is when a user switches to a different region, he/she gets a new token with an updated claims-set without having to login again. While I can access the custom OIDC-provider for such a new token, I cannot for the life of me figure out how I can tell the Wildfly container that I have a new token and I'd like to use that one instead of the one currently in the session.

With the way our entire suite is currently setup, we need to use this new token because our application will use this to communicate with other applications via REST-API calls. These applications will also use information from our JWT-claims.

So in short my question is basically: is there a way I can supply Wildfly with a new JWT-token without interrupting the end user's session?

I've looked at the code of the RefreshableOidcSecurityContext and looked at how the refresh token is being used in order to get a new token. Maybe there's a way there I could use to manually provide WildFly with a new JWT token with updated JWT claims. However, I quickly felt I was "fighting against the OIDC framework". I've also tried to use Google to the best of my abilities; however, I could not find anyone on the entire internet with a use case similar to mine. Which either means I'm the very first person with this use case (unlikely) or I'm using OIDC and JWTs the wrong way (more likely).

Prarthona Paul

Jun 24, 2024, 3:46:26 PM
to WildFly
Hi,
You can do this using an attribute called always-refresh-token under the elytron-oidc-client subsystem. If you set it to true, then WildFly will reload the claims for the ID token at every web request.

https://docs.wildfly.org/32/wildscribe/subsystem/elytron-oidc-client/realm/index.html#:~:text=always-refresh-token%20If%20set,the%20performance%20of%20the%20application
I hope this answers your questions. 

If you have any follow-ups, please feel free to add them here.
Best, 
Prarthona
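The following oidc.json fragment is an added example and is not taken from the thread or from WildFly's own documentation. It shows where the setting from the answer goes when the deployment is configured through an oidc.json file, as in the question, rather than through the subsystem. The client-id, provider-url and secret values are placeholders (assumptions about the deployment); the only line that matters for the question is always-refresh-token.

```json
{
  "client-id": "my-app",
  "provider-url": "https://sso.example.invalid/oidc",
  "public-client": false,
  "credentials": {
    "secret": "replace-with-client-secret"
  },
  "ssl-required": "external",
  "always-refresh-token": true
}
```

Three points to check before relying on this. First, the flag makes the Elytron OIDC client perform a refresh-token grant against the provider's token endpoint on every request, which is the performance cost the linked documentation warns about; the refresh token must still be valid, or the user is sent back through login. Second, the new claims only appear if the custom provider re-issues the ID and access tokens from the refresh grant with the user's current "region"; WildFly does not accept a token the application fetched itself, so the region switch has to be recorded on the provider side. Third, the services that consume the forwarded token should keep validating signature, issuer, audience and expiry on every token they receive, and the provider should only ever mint a region the user is actually authorized for, since the region claim is being used as authorization data downstream.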