Iman

Reputation: 829

Keycloak Wildfly auth method

I have created a WildFly container (WildFly 25.0.1 and Keycloak 15.0.2) with Keycloak as a subsystem. I also have a running Keycloak container. Trying to deploy a simple Jakarta app (built as a WAR via Maven and uploaded into WildFly) with the web.xml below leads to the following error:

{"WFLYCTL0080: Failed services" => {"jboss.deployment.unit.\"demo1-1.0-SNAPSHOT.war\".undertow-deployment" => "java.lang.RuntimeException: java.lang.IllegalStateException: The required mechanism 'KEYCLOAK' is not available in mechanisms [BASIC, CLIENT_CERT, DIGEST, FORM] from the HttpAuthenticationFactory.
    Caused by: java.lang.RuntimeException: java.lang.IllegalStateException: The required mechanism 'KEYCLOAK' is not available in mechanisms [BASIC, CLIENT_CERT, DIGEST, FORM] from the HttpAuthenticationFactory.
    Caused by: java.lang.IllegalStateException: The required mechanism 'KEYCLOAK' is not available in mechanisms [BASIC, CLIENT_CERT, DIGEST, FORM] from the HttpAuthenticationFactory."}}

My web.xml under WEB-INF:

<web-app xmlns="http://java.sun.com/xml/ns/javaee"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
     version="3.0">

<module-name>demo</module-name>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Application</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>user</role-name>
    </auth-constraint>
</security-constraint>

<login-config>
    <auth-method>KEYCLOAK</auth-method>
    <realm-name>my-auth</realm-name>
</login-config>

<security-role>
    <role-name>user</role-name>
</security-role>

</web-app>

My wildfly docker file:

FROM jboss/wildfly:25.0.0.Final

ENV KEYCLOAK_VERSION 15.0.2
ENV WILDFLY_HOME /opt/jboss/wildfly

RUN cd $WILDFLY_HOME && curl -LO  https://github.com/keycloak/keycloak/releases/download/${KEYCLOAK_VERSION}/keycloak-oidc-wildfly-adapter-${KEYCLOAK_VERSION}.tar.gz \
&& tar -xzvf keycloak-oidc-wildfly-adapter-${KEYCLOAK_VERSION}.tar.gz \
&& rm keycloak-oidc-wildfly-adapter-${KEYCLOAK_VERSION}.tar.gz \
&& bin/jboss-cli.sh --file=bin/adapter-elytron-install-offline.cli \
# Create the admin user
&& bin/add-user.sh admin admin1234 --silent \
# Avoid error messages at startup
&& rm -r standalone/configuration/standalone_xml_history/current/

CMD ["/opt/jboss/wildfly/bin/standalone.sh", "-b", "0.0.0.0", "-bmanagement", "0.0.0.0"]
EXPOSE 8285
EXPOSE 9992

Opening WildFly in the browser -> Configuration -> Subsystems shows me that Keycloak is there. I can see in the standalone.xml file of the WildFly container that the following has been set:

<http-authentication-factory name="keycloak-http-authentication" security-domain="KeycloakDomain" http-server-mechanism-factory="keycloak-http-server-mechanism-factory">
    <mechanism-configuration>
        <mechanism mechanism-name="KEYCLOAK">
            <mechanism-realm realm-name="KeycloakOIDCRealm" realm-mapper="keycloak-oidc-realm-mapper"/>
        </mechanism>
    </mechanism-configuration>
</http-authentication-factory>

The app has keycloak.json in WEB-INF as well. Any idea how to fix this?

Upvotes: 2

Views: 2058

Answers (3)

Krishna

Reputation: 21

Here is how I solved this problem:

Wildfly: 23
Adapter: keycloak-wildfly-adapter-dist-21.1.1.zip
Webapp: https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-profile-jee-vanilla

I deployed the plugin as suggested at https://www.keycloak.org/docs/latest/securing_apps/index.html#_jboss_adapter using the following commands:

$ cd $WILDFLY_HOME
$ unzip keycloak-wildfly-adapter-dist-21.1.1.zip
$ ./bin/jboss-cli.sh --file=bin/adapter-elytron-install-offline.cli

I used the offline installer above; the other installer did not work.

Then put this section in standalone.xml:

    <subsystem xmlns="urn:jboss:domain:keycloak:1.2">
        <secure-deployment name="vanilla.war">
            <realm>mydevrealm</realm>
            <resource>myclient</resource>
            <use-resource-role-mappings>true</use-resource-role-mappings>
            <auth-server-url>http://192.168.1.4:8180/</auth-server-url>
            <ssl-required>EXTERNAL</ssl-required>
            <verify-token-audience>true</verify-token-audience>
            <credential name="secret">HYjSBguWHQ3lAf2DXB7fel2QWeQ2Epm8</credential>
        </secure-deployment>
    </subsystem>

It is to be noted that everywhere on the internet they have been referring to the namespace as urn:jboss:domain:keycloak:1.1, but the adapter creates urn:jboss:domain:keycloak:1.2, so the configuration was put under urn:jboss:domain:keycloak:1.2.

After this when trying to deploy the webapp using

mvn clean wildfly:deploy

I was getting an error like this:

INFO: ELY00001: WildFly Elytron version 1.1.7.Final
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  10.073 s
[INFO] Finished at: 2023-05-25T18:51:12-04:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.wildfly.plugins:wildfly-maven-plugin:1.2.2.Final:deploy (default-cli) on project keycloak-app-profile-jee-vanilla: Failed to execute goal deploy: {"WFLYCTL0062: Composite operation failed and was rolled back. Steps that failed:" => {"Operation step-1" => {"WFLYCTL0080: Failed services" => {"jboss.deployment.unit.\"vanilla.war\".undertow-deployment" => "java.lang.RuntimeException: java.lang.IllegalStateException: The required mechanism 'KEYCLOAK' is not available in mechanisms [BASIC, CLIENT_CERT, DIGEST, FORM] from the HttpAuthenticationFactory.
[ERROR]     Caused by: java.lang.RuntimeException: java.lang.IllegalStateException: The required mechanism 'KEYCLOAK' is not available in mechanisms [BASIC, CLIENT_CERT, DIGEST, FORM] from the HttpAuthenticationFactory.
[ERROR]     Caused by: java.lang.IllegalStateException: The required mechanism 'KEYCLOAK' is not available in mechanisms [BASIC, CLIENT_CERT, DIGEST, FORM] from the HttpAuthenticationFactory."}}}}

So what fixed this error?

  1. Add two additional security domains in standalone/configuration/standalone.xml as shown below.

First entry in this section: <subsystem xmlns="urn:jboss:domain:ejb3:9.0" ...>

    <application-security-domains>
        <application-security-domain name="other" security-domain="ApplicationDomain"/>
        <!--Additional entry below-->
        <application-security-domain name="keycloak" security-domain="KeycloakDomain"/>
    </application-security-domains>

Second entry in this section: <subsystem xmlns="urn:jboss:domain:undertow:12.0" ...>

    <application-security-domains>
        <application-security-domain name="other" security-domain="ApplicationDomain"/>
        <!--Additional entry below-->
        <application-security-domain name="keycloak" http-authentication-factory="keycloak-http-authentication"/>
    </application-security-domains>
  2. Created a new file in the application's WEB-INF folder: src/main/webapp/WEB-INF/jboss-web.xml

    <!-- Define a security domain for the webapp -->
    <jboss-web>
        <security-domain>keycloak</security-domain>
    </jboss-web>

Then deploy the application again and it goes OK.

[dev@localhost app-profile-jee-vanilla]$ mvn clean wildfly:deploy

The application gets deployed OK and one can reach /vanilla/, which redirects to Keycloak, and upon authentication it comes back to the page in the /vanilla context showing the principal's ID.

Upvotes: 0
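The error in the question and the fix in this answer come down to one lookup chain: web.xml's auth-method must be offered by the http-authentication-factory that Undertow maps to the deployment's application-security-domain ("other" unless jboss-web.xml says otherwise). The following checker is an added example, not code from the question, the answers or WildFly; it walks that chain over a standalone.xml excerpt constructed from the snippets on this page (the Elytron namespace version is a placeholder) and assumes that a domain mapped only to a security-domain gets the default mechanism list the error message reported.

```python
import xml.etree.ElementTree as ET

# Assumed: mechanisms Undertow offers when an application-security-domain names
# only a security-domain and no factory (the list WildFly reported in the error).
DEFAULT_MECHS = ["BASIC", "CLIENT_CERT", "DIGEST", "FORM"]

# Constructed standalone.xml excerpt: the factory the adapter installs plus
# Undertow's domain mappings from the answer (elytron namespace is a placeholder).
STANDALONE = """<server>
 <subsystem xmlns="urn:wildfly:elytron:X.Y">
  <http-authentication-factory name="keycloak-http-authentication" security-domain="KeycloakDomain"
      http-server-mechanism-factory="keycloak-http-server-mechanism-factory">
   <mechanism-configuration><mechanism mechanism-name="KEYCLOAK"/></mechanism-configuration>
  </http-authentication-factory>
 </subsystem>
 <subsystem xmlns="urn:jboss:domain:undertow:12.0"><application-security-domains>
  <application-security-domain name="other" security-domain="ApplicationDomain"/>
  <application-security-domain name="keycloak" http-authentication-factory="keycloak-http-authentication"/>
 </application-security-domains></subsystem>
</server>"""
WEB_XML = "<web-app><login-config><auth-method>KEYCLOAK</auth-method></login-config></web-app>"
JBOSS_WEB = "<jboss-web><security-domain>keycloak</security-domain></jboss-web>"

def resolve(standalone_xml, web_xml, jboss_web_xml=None):
    """Return (auth_method, application domain, mechanisms) the deployment ends up with."""
    server = ET.fromstring(standalone_xml)
    auth_method = ET.fromstring(web_xml).find(".//{*}auth-method").text.strip()
    domain = "other"  # WildFly's default when jboss-web.xml names no domain
    sd = ET.fromstring(jboss_web_xml).find(".//{*}security-domain") if jboss_web_xml else None
    if sd is not None and sd.text:
        domain = sd.text.strip()
    # Only Undertow's mapping matters for web logins; ejb3 keeps a separate list.
    undertow = [s for s in server.iterfind(".//{*}subsystem") if "undertow" in s.tag]
    asd = next((a for s in undertow for a in s.iterfind(".//{*}application-security-domain")
                if a.get("name") == domain), None)
    if asd is None:
        return auth_method, domain, []
    factory = asd.get("http-authentication-factory")
    if factory is None:
        return auth_method, domain, list(DEFAULT_MECHS)
    for haf in server.iterfind(".//{*}http-authentication-factory"):
        if haf.get("name") == factory:
            return auth_method, domain, [m.get("mechanism-name") for m in haf.iterfind(".//{*}mechanism")]
    return auth_method, domain, []

def deployable(standalone_xml, web_xml, jboss_web_xml=None):
    """True when web.xml's auth-method is offered by the factory the deployment resolves to."""
    method, _, mechs = resolve(standalone_xml, web_xml, jboss_web_xml)
    return method in mechs
```

Without jboss-web.xml the deployment resolves to "other" and only the four default mechanisms, which reproduces the WFLYCTL0080 message; with the jboss-web.xml from this answer it resolves to the Keycloak factory and deploys.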

Guilherme

Reputation: 1

Don't install the adapter into Wildfly 25 or Wildfly 26. Use the wildfly:elytron-oidc-client:1.0 way to configure it. My problem is the same, but when I did the configuration I got a 403 status code error. If I change to Wildfly 23, everything works.

Upvotes: 0

Gregor

Reputation: 28

Keycloak has deprecated the Wildfly adapter in favour of the built-in Elytron OIDC authenticator: https://www.keycloak.org/2021/12/keycloak-1510-released

You can check whether that meets your requirements, or stick with Wildfly 24 for now.

See https://wildfly-security.github.io/wildfly-elytron/blog/securing-wildfly-apps-openid-connect/ for more info about using the built-in authentication with Elytron.

Upvotes: 1
