Tags: oauth-2.0, openid-connect, open-liberty, java-ee-8

openliberty openidConnectClient authFilter not working


I am trying to configure an OIDC client and I have been reading this documentation:

OpenLiberty server (24.0.0.12) is using webProfile-8.0 and openidConnectClient-1.0 features.

The redacted openidConnectClient configuration (server.xml):

<openidConnectClient ...
    discoveryEndpointUrl="${AUTH_SERVER}/realms/foobar/.well-known/openid-configuration"
    ...>
    <authFilter>
        <requestUrl urlPattern="/foobar" matchType="contains" />
    </authFilter>
</openidConnectClient>

I am expecting a redirect to ${AUTH_SERVER}'s login page, but it seems like the auth-filter is not working at all. There are no errors or anything. Otherwise the app is working just fine.

Snippets from my server log:

SRVE0169I: Loading Web Module: OpenID Connect Client Redirect Servlet.
SRVE0169I: Loading Web Module: ibm/api.
SRVE0169I: Loading Web Module: com.ibm.oauth.test.war.
SRVE0169I: Loading Web Module: com.ibm.ws.security.jwt.
SRVE0169I: Loading Web Module: foobar-app.

CWWKT0016I: Web application available (default_host): http://localhost:9080/ibm/api/
CWWKT0016I: Web application available (default_host): http://localhost:9080/oidcclient
CWWKT0016I: Web application available (default_host): http://localhost:9080/oauth2/
CWWKT0016I: Web application available (default_host): http://localhost:9080/jwt/
CWWKT0016I: Web application available (default_host): http://localhost:9080/foobar/

What am I doing wrong here? How am I able to troubleshoot this problem?


Solution

  • I found the problem: my app config was insufficient. OpenLiberty (server.xml) was configured correctly.

    The web.xml did not contain any security constraints. After I added the security-constraint element to my web.xml, the auth-filter started working as expected.

    web.xml

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>all-resources</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>foobar-user</role-name>
        </auth-constraint>
    </security-constraint>
    <security-role>
        <role-name>foobar-user</role-name>
    </security-role>
    

    Notice how:

    Although I still don't know how I would've been able to debug this one...
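As an added example (not code from the question or the answer above), the same constraint expressed with Servlet 3.x annotations on a small diagnostic servlet that reports what the container authenticated; the class name, the /whoami path and the printed fields are assumptions, while the role name foobar-user is the one from the answer.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import javax.annotation.security.DeclareRoles;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Annotation equivalent of the web.xml <security-constraint> in the answer.
// The openidConnectClient authFilter only decides *which* login mechanism
// handles a protected request; without an auth-constraint on the URL the
// container never asks for authentication, so no redirect ever happens.
@DeclareRoles("foobar-user")
@WebServlet("/whoami")   // assumed path, i.e. /foobar/whoami in this app
@ServletSecurity(@HttpConstraint(rolesAllowed = "foobar-user"))
public class WhoAmIServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        Principal p = req.getUserPrincipal();

        // Reaching this point with no principal means the constraint was not
        // applied at all (for example, a web.xml with metadata-complete="true"
        // makes the container ignore @ServletSecurity on the class).
        out.println("principal : " + (p == null ? "<none>" : p.getName()));
        // Which mechanism authenticated the request (null if none did).
        out.println("authType  : " + req.getAuthType());
        // Confirms the role from <auth-constraint> was actually granted.
        out.println("inRole    : " + req.isUserInRole("foobar-user"));
    }
}
```

Requesting /foobar/whoami unauthenticated should now produce the redirect to the provider, and after login the page shows the authenticated principal; a 200 with no principal points at the constraint not being in effect rather than at the openidConnectClient configuration.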