Hello,
I am working on a project where I need to secure my deployment with Form-based Authentication and also the SAML Keycloak adapter.
So it is a requirement that the user has the possibility to log in using a form (authenticating against a JAAS realm) or presses a button to log in on a SAML IdP.
As far as I have researched, it isn't possible to secure one deployment/directory this way. (Correct me if I am wrong...)
So my plan was to make two "helper" deployments which generate a JWT.
One is secured per Form, the other one is secured with the Keycloak Adapter. -> After successful authentication they create a JWT with the User and the Roles.
After they have generated the JWT they should authenticate with the Token against the "main" deployment and redirect to the secured resource in the "main" deployment.
Ideally that would write the JSESSIONID into the cookies of the client, but it seems like WildFly does not create a Session when using Token-based Authentication (which makes sense).
I tried setting the "session=true" parameter in the .jsp. When testing with Postman I saw that the server created a cookie, but when trying to access the resource again, it only "looks" for the Authorization header. When reading the logs I saw that WildFly actually gets the JSESSIONID but does not use it.
Is there a way to enable Session-based authentication while using tokens?
So that I authenticate once with the token and get a session with that identity?
Any help is appreciated! :-)
(Please let me know if there is a better way to meet my requirements)
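As an added example (not the poster's code and not anything WildFly ships), here is an application-level servlet filter for the "main" deployment that does what the question asks for: a bearer JWT from a helper deployment authenticates the first request, the identity is bound to the HTTP session, and later requests are accepted on JSESSIONID alone. It assumes Jakarta Servlet and JSON-P (WildFly 27 or newer), HS256 tokens signed with a secret shared with the helper deployments, `sub` and `roles` claims, and a `/secured/*` path; all these names are hypothetical, and the filter sits beside the container's security-domain rather than configuring it.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import jakarta.json.*;
import jakarta.servlet.*;
import jakarta.servlet.annotation.WebFilter;
import jakarta.servlet.http.*;

/** Hypothetical filter for the "main" deployment: one valid HS256 JWT logs the user in, afterwards JSESSIONID alone suffices. */
@WebFilter("/secured/*")
public class TokenSessionFilter implements Filter {
    private static final String USER_ATTR = "authenticatedUser";
    // Placeholder: secret shared with the helper deployments; read it from a vault in practice, never hard-code it
    private static final byte[] SECRET = System.getenv("HELPER_JWT_SECRET").getBytes(StandardCharsets.UTF_8);

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpSession existing = request.getSession(false);
        // Authenticated on an earlier request: the session cookie is enough, no Authorization header needed
        if (existing != null && existing.getAttribute(USER_ATTR) != null) { chain.doFilter(req, res); return; }
        String header = request.getHeader("Authorization");
        JsonObject claims = header != null && header.startsWith("Bearer ") ? verify(header.substring(7)) : null;
        if (claims == null) { ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED); return; }
        if (existing != null) existing.invalidate(); // fresh session id at login, against session fixation
        HttpSession session = request.getSession(true);
        session.setAttribute(USER_ATTR, claims.getString("sub"));
        session.setAttribute("roles", claims.get("roles")); // roles the helper deployment put into the token
        chain.doFilter(req, res);
    }

    /** Claims of a token whose HS256 signature verifies, has a "sub" and whose "exp" lies in the future; null otherwise. */
    static JsonObject verify(String token) {
        try {
            String[] p = token.split("\\.");
            if (p.length != 3 || !"HS256".equals(decode(p[0]).getString("alg", ""))) return null; // pin the alg
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(SECRET, "HmacSHA256"));
            byte[] expected = mac.doFinal((p[0] + "." + p[1]).getBytes(StandardCharsets.US_ASCII));
            if (!MessageDigest.isEqual(expected, Base64.getUrlDecoder().decode(p[2]))) return null; // constant time
            JsonObject claims = decode(p[1]);
            long exp = claims.containsKey("exp") ? claims.getJsonNumber("exp").longValue() : 0;
            return exp > System.currentTimeMillis() / 1000 && claims.containsKey("sub") ? claims : null;
        } catch (RuntimeException | java.security.GeneralSecurityException e) { return null; } // malformed or bad key
    }

    private static JsonObject decode(String s) { return Json.createReader(new ByteArrayInputStream(Base64.getUrlDecoder().decode(s))).readObject(); }
}
```

Because the identity lives in the application session rather than in the WildFly security-domain, `request.getUserPrincipal()` and `isUserInRole()` stay unset; the servlets behind the filter read the session attributes instead.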