wildflykeycloakwildfly-26

Using Keycloak adapter with Wildfly 26 does not provide "KEYCLOAK" as mechanism


I have a JAX-RS application deployed in WildFly. The application's endpoints shall be protected by Keycloak with Access Type: bearer-only. This works perfectly fine for WildFly versions up to 24.

Starting from WildFly 25 the Keycloak adapter is deprecated and one should migrate to the new Elytron subsystem. According to this WildFly issue https://issues.redhat.com/browse/WFLY-15485 however the OIDC adapter is not ready yet to work with bearer-only. But it is mentioned that it should still be possible using the Keycloak Wildfly adapter.

Also the latest Keycloak documentation and this thread in Google Groups states this.

So I installed the adapter from this location and ran the installation script:

https://github.com/keycloak/keycloak/releases/download/16.1.1/keycloak-oidc-wildfly-adapter-16.1.1.zip

./bin/jboss-cli.sh --file=bin/adapter-elytron-install-offline.cli -Dserver.config=standalone-full.xml

When deploying the application I get thte following error message:

java.lang.IllegalStateException: The required mechanism 'KEYCLOAK' is not available in mechanisms [BASIC, CLIENT_CERT, DIGEST, FORM] from the HttpAuthenticationFactory

Setup

web.xml

<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

    <!-- Security configuration -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>admin-api</web-resource-name>
            <url-pattern>/administration/*</url-pattern>
            <url-pattern>/operations/*</url-pattern>
            <url-pattern>/applications/*</url-pattern>
            <url-pattern>/entities/*</url-pattern>
        </web-resource-collection>
    </security-constraint>

    <login-config>
        <auth-method>KEYCLOAK</auth-method>
        <realm-name>this is ignored currently</realm-name>
    </login-config>

    <security-role>
        <role-name>*</role-name>
    </security-role>

</web-app>

Solution

  • I finally got it working without the Keycloak adapter, i.e. using the new built-in Elytron subsystem.

    oidc.json (located in the WEB-INF directory)

    {
      "realm": "myrealm",
      "client-id": "my-client-app",
      "auth-server-url": "${keycloak.url}/auth",
      "provider-url": "${keycloak.url}/auth/realms/myrealm",
      "bearer-only": true,
      "enable-cors": true,
      "ssl-required": "none"
    }
    

    web.xml

    <web-app xmlns="http://java.sun.com/xml/ns/javaee"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
             version="3.0">
    
        <!-- other configuration -->
    
        <login-config>
            <auth-method>OIDC</auth-method>
        </login-config>
    
    </web-app>