Thursday, September 15. 2022
Using jakartaee 10 security OIDC with wildfly 27 preview


Today's entry is a very quick look at the jakarta security OpenID Connect support. Version 3.0 of the jakarta security spec lets us configure an OpenID Connect authentication mechanism directly on the application. The idea of this entry is to test the mechanism using keycloak as the authentication server and wildfly 27 preview (currently the Alpha5 version) as the jakartaee 10 compatible server. This repository developed by hantsy will be used as the test application, specifically the folder called security-oidc, which is a sample OIDC application.
The application defines a ProtectedServlet.java that carries the OpenIdAuthenticationMechanismDefinition annotation.
@OpenIdAuthenticationMechanismDefinition(
    providerURI = "${openIdConfig.issuerUri}",
    clientId = "${openIdConfig.clientId}",
    clientSecret = "${openIdConfig.clientSecret}",
    redirectURI = "${baseURL}/callback"
)
The configuration is loaded from a CDI bean named openIdConfig, defined in the class Auth0OpenIdConfig.java; the ${openIdConfig.…} expressions in the annotation are EL references to that bean's getters. This class in turn loads the actual values from a file openid.properties located on the classpath. That file has to be filled in with the OpenID Connect server information (here the local keycloak installation).
Once the demo app has been explained (thanks hantsy!), all the detailed steps to make it run in the setup described above are presented.
Install keycloak and start it in dev mode.
wget https://github.com/keycloak/keycloak/releases/download/19.0.2/keycloak-19.0.2.zip
unzip keycloak-19.0.2.zip
cd keycloak-19.0.2/bin/
./kc.sh start-dev
Go to the console (http://localhost:8080) and create the initial admin user. Then login with that user to the console.
Create a client in keycloak called wildfly in the master realm. Go to the Clients menu option and click Create client. Fill in the first form in the following way.
Click next and continue with the second form.
Click Save. In the Settings tab add the valid redirect URIs for the client (the wildfly server will run on port 8081 so it does not collide with keycloak; for this setup the callback is http://localhost:8081/security-oidc-examples/callback, since the annotation uses ${baseURL}/callback and the app is deployed under the security-oidc-examples context).
Take note of the client secret displayed in the Credentials tab (it will be needed to configure the openid.properties file in the application). The sample app requires a user called user, so let's create it. In the Users menu click Add user and fill in the information. Click Create, then in the Credentials tab choose Set password, enter the password and confirm with Save and Set password.
Time to install the wildfly server. As noted above, it is started with a port offset of 1 so it listens on 8081 (and the management interface on 9991) to avoid colliding with keycloak.
wget https://github.com/wildfly/wildfly/releases/download/27.0.0.Alpha5/wildfly-preview-27.0.0.Alpha5.zip
unzip wildfly-preview-27.0.0.Alpha5.zip
cd wildfly-preview-27.0.0.Alpha5/bin/
./add-user.sh -u admin -p admin
./standalone.sh -Djboss.socket.binding.port-offset=1
In order to build the application clone the repository and go to the security-oidc project.
git clone https://github.com/hantsy/jakartaee10-sandbox.git
cd jakartaee10-sandbox/security-oidc
At this point we need to configure the file src/main/resources/openid.properties with our keycloak information. Note the secret was taken from a previous step.
domain=localhost:8080/realms/master
clientId=wildfly
clientSecret=4R9Akb1bCYc7TkW9up0cYUgBB9h4u5Mv
Finally, I made a few small modifications to adapt the application to my environment. Here is the diff.
git diff diff --git a/pom.xml b/pom.xml index 2c53f21..28940ac 100644 --- a/pom.xml +++ b/pom.xml @@ -13,7 +13,7 @@ <properties> <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding> <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding> - <maven.compiler.release>17</maven.compiler.release> + <maven.compiler.release>11</maven.compiler.release> <!-- Official Maven Plugins --> vmaven-compiler-plugin.version>3.10.1</maven-compiler-plugin.version> diff --git a/security-oidc/src/main/java/com/example/Auth0OpenIdConfig.java b/security-oidc/src/main/java/com/example/Auth0OpenIdConfig.java index 3326125..2c1da58 100644 --- a/security-oidc/src/main/java/com/example/Auth0OpenIdConfig.java +++ b/security-oidc/src/main/java/com/example/Auth0OpenIdConfig.java @@ -28,7 +28,7 @@ public class Auth0OpenIdConfig { domain = properties.getProperty("domain"); clientId = properties.getProperty("clientId"); clientSecret = properties.getProperty("clientSecret"); - issuerUri = "https://" + this.domain + "/"; + issuerUri = "http://" + this.domain + "/"; LOGGER.log( Level.INFO, "domain: {0}, clientId: {1}, clientSecret:{2}, issuerUri: {3}", diff --git a/security-oidc/src/main/java/com/example/CallbackServlet.java b/security-oidc/src/main/java/com/example/CallbackServlet.java index c739173..57dd4a2 100644 --- a/security-oidc/src/main/java/com/example/CallbackServlet.java +++ b/security-oidc/src/main/java/com/example/CallbackServlet.java @@ -23,7 +23,7 @@ public class CallbackServlet extends HttpServlet { LOGGER.log(Level.FINEST, "Enter callback servlet"); // response.getWriter().println(context.getAccessToken()); String referer = (String) request.getSession().getAttribute("Referer"); - String redirectTo = referer != null ? referer : "/protected"; + String redirectTo = referer != null ? referer : "/security-oidc-examples/protected"; LOGGER.log(Level.FINEST, "In /callback, redirect to: {0}", redirectTo); response.sendRedirect(redirectTo);
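Review bot: the maven.compiler.release change is made in the root pom.xml, so it downgrades every module of the sandbox from 17 to 11, not just security-oidc; since this is a local-environment adjustment rather than a project change, pass it on the command line (mvn clean package -Dmaven.compiler.release=11) or put it in a profile instead of editing the shared pom.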
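Review bot: flipping the scheme literal from https to http in Auth0OpenIdConfig bakes a cleartext issuer into the code path for every environment; put the scheme (or the whole issuerUri) into openid.properties so the dev-mode keycloak setting cannot reach a production build. The unchanged context lines of the same hunk also show the client secret being written to the log at INFO level ("domain: {0}, clientId: {1}, clientSecret:{2}, issuerUri: {3}"); drop clientSecret from that message.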
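Review bot: the fallback redirect in CallbackServlet now hardcodes the deployment context /security-oidc-examples, which breaks as soon as the WAR is deployed under another name; use request.getContextPath() + "/protected" instead. Since the other branch redirects to whatever was stored in the session under "Referer", it is worth checking that this value is a relative path inside this application before handing it to sendRedirect, so the callback cannot bounce a user to an external site.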
Java 11 (which is my default java) is used instead of 17; the issuerUri is http and not https because keycloak was started in dev mode, which serves plain HTTP, and I did not want to complicate the demo with certificates (this is only acceptable because everything stays on localhost: over http the discovery document, the tokens and the client secret travel in cleartext); and finally the application is deployed normally from the war, so the context is /security-oidc-examples (it is not deployed as the ROOT app).
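A hardened replacement for the config bean, as an added example that is neither hantsy's code nor part of this post: it keeps the bean name openIdConfig and the getter names the annotation's EL expressions resolve against, but takes the issuer (scheme included) from the properties file instead of a code edit, lets an environment variable override the packaged secret, refuses a cleartext issuer unless it is on loopback, and never writes the secret to the log. The property key issuerUri, the environment variable OPENID_CLIENT_SECRET and the system property openid.allowInsecureIssuer are names assumed for this example.

```java
package com.example;

import jakarta.annotation.PostConstruct;
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.inject.Named;

import java.io.IOException;
import java.io.InputStream;
import java.net.URI;
import java.util.Properties;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;

// Added example, not the sandbox's own Auth0OpenIdConfig. Same bean name and
// getters, so ${openIdConfig.issuerUri} etc. in the annotation keep resolving.
@Named("openIdConfig")
@ApplicationScoped
public class OpenIdConfig {

    private static final Logger LOGGER = Logger.getLogger(OpenIdConfig.class.getName());

    // Assumed names for this example: env var that overrides the packaged
    // secret, and a system property that permits a non-loopback http issuer.
    private static final String SECRET_ENV = "OPENID_CLIENT_SECRET";
    private static final String ALLOW_HTTP_PROP = "openid.allowInsecureIssuer";
    // URI.getHost() keeps the brackets for IPv6 literals.
    private static final Set<String> LOOPBACK = Set.of("localhost", "127.0.0.1", "[::1]");

    private String issuerUri;
    private String clientId;
    private String clientSecret;

    @PostConstruct
    void init() {
        Properties p = new Properties();
        try (InputStream in = getClass().getClassLoader().getResourceAsStream("openid.properties")) {
            if (in != null) {
                p.load(in);
            }
        } catch (IOException e) {
            throw new IllegalStateException("cannot read openid.properties", e);
        }

        clientId = require(p, "clientId");

        // Secret: the environment wins over the file, so the WAR need not carry it.
        String fromEnv = System.getenv(SECRET_ENV);
        boolean envSecret = fromEnv != null && !fromEnv.isBlank();
        clientSecret = envSecret ? fromEnv : p.getProperty("clientSecret");
        if (clientSecret == null || clientSecret.isBlank()) {
            throw new IllegalStateException("no client secret: set " + SECRET_ENV
                    + " or clientSecret in openid.properties");
        }

        // Issuer (scheme included) is configuration, not a code edit; https by default.
        String explicit = p.getProperty("issuerUri");
        issuerUri = explicit != null ? explicit.trim() : "https://" + require(p, "domain") + "/";
        validateIssuer(issuerUri);

        // Log what helps debugging, never the secret itself.
        LOGGER.log(Level.INFO, "OIDC config: issuerUri={0}, clientId={1}, clientSecret={2}",
                new Object[]{issuerUri, clientId, envSecret ? "<from env>" : "<from properties>"});
    }

    // Refuse a cleartext issuer unless it is loopback or explicitly allowed:
    // over plain http the discovery document, the tokens and the client secret
    // all travel unprotected.
    static void validateIssuer(String uri) {
        URI u = URI.create(uri);
        if (!"https".equals(u.getScheme())) {
            boolean loopback = u.getHost() != null && LOOPBACK.contains(u.getHost());
            if (!loopback && !Boolean.getBoolean(ALLOW_HTTP_PROP)) {
                throw new IllegalStateException("refusing non-https issuer " + uri
                        + " (start with -D" + ALLOW_HTTP_PROP + "=true to override)");
            }
            LOGGER.log(Level.WARNING, "OIDC issuer {0} is not https; dev use only", uri);
        }
    }

    private static String require(Properties p, String key) {
        String v = p.getProperty(key);
        if (v == null || v.isBlank()) {
            throw new IllegalStateException("openid.properties: missing " + key);
        }
        return v.trim();
    }

    public String getIssuerUri() { return issuerUri; }
    public String getClientId() { return clientId; }
    public String getClientSecret() { return clientSecret; }
}
```

With this class in place of Auth0OpenIdConfig, the dev setup above becomes issuerUri=http://localhost:8080/realms/master/ and clientId=wildfly in openid.properties, with the secret exported as OPENID_CLIENT_SECRET in the shell that starts standalone.sh rather than committed to the file; the loopback host is what lets the plain-http keycloak through, while a build that keeps an http issuer on any other host is refused at startup unless -Dopenid.allowInsecureIssuer=true is passed explicitly.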
One tricky point is that by default the undertow application-security-domain named other has integrated-jaspi set to true, which means the identity established by the jakartaee security (JASPI) mechanism is looked up in the underlying elytron security domain: the user has to exist in the ApplicationRealm (by default application users are placed in the application-users.properties file in wildfly) or the login fails. Setting integrated-jaspi to false makes undertow use the ad-hoc identity built from the mechanism's callbacks, so users logged in via jakartaee security are no longer mapped to local elytron users. The attribute change needs a reload.
./jboss-cli.sh --connect --controller=remote+http://localhost:9991
/subsystem=undertow/application-security-domain=other:write-attribute(name=integrated-jaspi, value=false)
reload
Everything is ready to build the sample app and deploy it to the server.
cd jakartaee10-sandbox/security-oidc
mvn clean package
cd ${JBOSS_HOME}/bin
./jboss-cli.sh --connect --controller=remote+http://localhost:9991
deploy /path/to/jakartaee10-sandbox/security-oidc/target/security-oidc-examples.war
You can now go to the protected servlet http://localhost:8081/security-oidc-examples/protected and try logging into the app. The browser is redirected to the keycloak login screen and, after a successful login as user, back to the app. The protected page displays the token information. I was about to record a video but it seems that my fedora laptop is not in the mood, so no video this time.
That's all folks! Today's entry is a quick review of the steps needed to configure jakartaee 10 OIDC security with keycloak and wildfly 27 preview. All these specs are very new, so there will be issues for sure (note wildfly is a preview in alpha state; beta will be reached soon), but seeing it working is nice.
Best regards!
Comments
Thanks for the tutorial. Can you help me understand the relationship between the JASPI(C) spec and the new Jakarta Security 3.0? Is one built on top of the other? Are they totally separate? Do I need to disable or configure JASPIC to use the new Security 3.0 in Jakarta EE 10 and Wildfly 27?
Thanks,
Andrew