JWT/Bearer Authorization

[Gromofiz]

Hi Ralph

I have successfully integrated imixis-jsf-example with "WildFly 26 Final" and "Keycloak 18".
When I try to access a resource of imixis-jsf-example the browser redirects to keycloak,
where the user authenticates with user/password and then the browser redirects to the imixis-jsf-example.

If an endpoint of imixis is called using Postman as client, ie

GET http://localhost:8080/imixs-jsf-example/api/workflow/worklist?format=json,

using the Cookie JSESSIONID to authenticate everything works fine.

Now I'm trying to use a bearer authorization, so I ask keycloak a token for my client_id with

POST http://127.0.0.1:8081/realms/master/protocol/openid-connect/token

and form-data:

• client_id=imixs-oid-realm
• username=sofia
• password=password
• grant_type=password

I got the token and I try to use it as Bearer but it does not work.

The question is: how can I use keycloak token as bearer authorization.
I tried using the imixs-jwt module but I'm not able to set it up in WildFly 26.

Could you give me some help! :-)

Have a nice day!
Enzo

[rsoika]

Hi Enzo,
this is a interesting question. I guess you have configured you Wildfly with a security realm referring to the KeycloakLoginModule

...
<login-module code="org.keycloak.adapters.jboss.KeycloakLoginModule"....

This would mean the keycloak module handles all the corresponding tokens and cookies now. The imixs-jwt module does not help you here because it is not aware of the sso login flow provided by keycloak. And you don't need it.

For postman I guess you just need to provide the bearer token you got in the header request:

headers :{

Authorization : 'Bearer <YOUR_ACCESS_TOKEN_FROM_KEYCLOAK>'

}

This seems to me be more a postman issue than an issue with wildfly/keycloak/imixs as you have already configured everything correct.
If you have a valid token you should be able to access the Imixs Rest API - even with curl.

I found this two links which which maybe helpful:

• https://sis-cc.gitlab.io/dotstatsuite-documentation/configurations/authentication/token-in-postman/
• https://www.baeldung.com/postman-keycloak-endpoints

===
Ralph

[Gromofiz]

Hi Ralph,
I got back on this issue! :-)
So .. from Wildfly 26 the keycloak adapter is not used anymore: an OIDC "adapter" has been integrated in elytron the security subsystem.
Since there is a demo application for bearer authentication for wildfly27 and Keycloak (https://github.com/wildfly-security-incubator/elytron-examples/tree/main/oidc-with-bearer) I wanted to try imixs on the same server (wildfly27).
I have updated imixs dependencies from 5.2 to 6.0 (wildfly27 use jakarta and not javax) but I have the following problem with the (eclipselink) persistence

Caused by: Exception [EclipseLink-0] (Eclipse Persistence Services - 3.0.1.v202104072230): org.eclipse.persistence.exceptions.JPQLException
Exception Description: Problem compiling [SELECT document FROM Document AS document  WHERE document.type = 'model' ORDER BY document.created DESC]. 
[21, 29] The abstract schema type 'Document' is unknown.
[48, 61] The state field path 'document.type' cannot be resolved to a valid type.
[81, 97] The state field path 'document.created' cannot be resolved to a valid type.
	at org.eclipse.persistence//org.eclipse.persistence.internal.jpa.jpql.HermesParser.buildException(HermesParser.java:157)
	at org.eclipse.persistence//org.eclipse.persistence.internal.jpa.jpql.HermesParser.validate(HermesParser.java:349)
	at org.eclipse.persistence//org.eclipse.persistence.internal.jpa.jpql.HermesParser.populateQueryImp(HermesParser.java:280)
	at org.eclipse.persistence//org.eclipse.persistence.internal.jpa.jpql.HermesParser.buildQuery(HermesParser.java:165)
	at org.eclipse.persistence//org.eclipse.persistence.internal.jpa.EJBQueryImpl.buildEJBQLDatabaseQuery(EJBQueryImpl.java:142)
	at org.eclipse.persistence//org.eclipse.persistence.internal.jpa.EJBQueryImpl.buildEJBQLDatabaseQuery(EJBQueryImpl.java:118)
	at org.eclipse.persistence//org.eclipse.persistence.internal.jpa.EJBQueryImpl.<init>(EJBQueryImpl.java:104)
	at org.eclipse.persistence//org.eclipse.persistence.internal.jpa.EJBQueryImpl.<init>(EJBQueryImpl.java:88)
	at org.eclipse.persistence//org.eclipse.persistence.internal.jpa.EntityManagerImpl.createQuery(EntityManagerImpl.java:1749)
	... 228 more

Could you please tell me with version of eclipselink to use with Wildfly 27?

Enzo

[rsoika]

Hello Enzo,
you can find a running example with wildfly 27 here: https://github.com/imixs/imixs-process-manager

It looks to me that during deployment the server was not able to create the tables. There should be other messages in your log file before.

Take a look at the persistence.xml file in the example app: https://github.com/imixs/imixs-process-manager/blob/master/src/main/resources/META-INF/persistence.xml

...and also into the docker/wildfly configuration here:
https://github.com/imixs/imixs-process-manager/tree/master/docker/configuration/wildfly

The /modules/ folder (loading the eclipselink and postgres JDBC driver) has changed.

[Gromofiz]

Hi Ralph
you were right, the problem was the persistence.xml file: for some reasons

     <jar-file>lib/imixs-workflow-engine-6.0.0.jar</jar-file>

didn't work. So i changed to:

      <class>org.imixs.workflow.engine.jpa.Document </class>
      <class>org.imixs.workflow.engine.jpa.EventLog </class>

and know it's ok!
Last thing: with

• imixs 6.0.0
• Wildfly 27
• keycloak 18

the bearer authentication is working! :-)
I really appreciated you help! Thank you! :-)

[rsoika]

Wow!! This is very cool! Great that you have got it working.
The thing with the persistence.xml is strange...

Please note, that 6.0.0 is a very early release. Version 6.0.1 and 6.0.2 include some important bug fixes....