Hi everyone,
I have a problem that the Wildfly documentation doesn’t really help me with. I hope you can help me at least a bit further.
I have a Jakarta EE 10 application packaged in a WAR deployable running on a Wildfly 34.0.0.Final under Java 21. The application is connected to a Keycloak 26.0.2 for access control and user management.
Users log in via web browser using their username/password. A corresponding client with name “web-client” and type “OpenID Connect” was created in Keycloak for this purpose. The application has a file oidc.json in its WEB-INF folder, in which the access data for Keycloak is stored accordingly. Everything works fine in this respect.
However, the application also has a service that runs under the hood on a time-controlled basis to do some chores. To be able to do this, a regular login (with an appropriately authorized technical user) must take place so that the principal is regularly propagated into the EJB/session context with its respective authorizations. Otherwise, the backend will not grant the necessary access. For this purpose, another client with the name “direct-access-client” (also of type “OpenID Connect”) was created in Keycloak, which defines a client secret and against which the programmatic login with the technical user should take place.
My problem is that I don’t know how to actually implement this programmatic login. My attempt was to have Keycloak issue me a bearer token from the direct-access client and authenticate the token against the security domain. Like this:
import org.wildfly.security.auth.server.SecurityDomain;
import org.wildfly.security.auth.server.SecurityIdentity;
import org.wildfly.security.evidence.BearerTokenEvidence;

// token: the access token obtained from Keycloak via the direct-access client
SecurityDomain securityDomain = SecurityDomain.getCurrent();
SecurityIdentity identity = securityDomain.authenticate(new BearerTokenEvidence(token));
// run the scheduled chores with the authenticated identity in the EJB/session context
identity.runAs(() -> {
    ejbService.doTheChores();
});
But Wildfly only tells me: "java.lang.SecurityException: ELY01151: Evidence Verification Failed."
What am I doing wrong and am I following the right approach? I can provide more detailed information or configurations if required.
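For illustration, here is the complete flow described above as an added example (not code from the original post): obtaining the technical user's access token from Keycloak's standard token endpoint with the password grant, then verifying it against the current Elytron security domain and running the job as that identity. The Keycloak URL, realm name and the idea that the client has "Direct Access Grants" enabled are assumptions; whether authenticate() succeeds still depends on the security domain containing a realm that can validate the token.

```java
import java.io.StringReader;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import jakarta.json.Json;
import org.wildfly.security.auth.server.SecurityDomain;
import org.wildfly.security.auth.server.SecurityIdentity;
import org.wildfly.security.evidence.BearerTokenEvidence;

public class TechnicalUserLogin {

    // Hypothetical values: replace with the real Keycloak base URL and realm name.
    private static final String TOKEN_ENDPOINT =
            "https://keycloak.example.invalid/realms/myrealm/protocol/openid-connect/token";

    /** Obtains an access token for the technical user via the password grant
     *  (the Keycloak client must have "Direct Access Grants" enabled). */
    static String fetchAccessToken(String clientId, String clientSecret,
                                   String username, String password) throws Exception {
        String form = "grant_type=password"
                + "&client_id=" + enc(clientId) + "&client_secret=" + enc(clientSecret)
                + "&username=" + enc(username) + "&password=" + enc(password);
        HttpRequest request = HttpRequest.newBuilder(URI.create(TOKEN_ENDPOINT))
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString(form))
                .build();
        HttpResponse<String> response = HttpClient.newHttpClient()
                .send(request, HttpResponse.BodyHandlers.ofString());
        if (response.statusCode() != 200) {
            throw new IllegalStateException("Token request failed: HTTP " + response.statusCode());
        }
        try (var reader = Json.createReader(new StringReader(response.body()))) {
            return reader.readObject().getString("access_token");
        }
    }

    private static String enc(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8);
    }

    /** Verifies the token against the current Elytron security domain and runs the
     *  job as the resulting identity; ELY01151 means no realm could verify the token. */
    static void runAsTechnicalUser(String token, Runnable job) throws Exception {
        SecurityDomain securityDomain = SecurityDomain.getCurrent();
        if (securityDomain == null) {
            throw new IllegalStateException("No current security domain on this thread");
        }
        SecurityIdentity identity = securityDomain.authenticate(new BearerTokenEvidence(token));
        identity.runAs(job);
    }
}
```

Keep the client secret and the technical user's password out of the code (for example, read them from a server-side credential store) and pass them into fetchAccessToken() from the scheduler.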