Authenticating using OpenId Connect and Keycloak

Hello,
I implemented the Payara OpenId Connector in order to authenticate with the Keycloak OIDC provider. I am using Payara Community 5.2022.5.
I reach the Keycloak authentication form after visiting a protected page and I log in with an existing user.
The session is created on Keycloak and the callback is invoked apparently without errors (HTTP 200), but I cannot print or log any info from the context.

Using the fish.payara.security logger I obtain these errors:

  • UserPrincipal is not set, authenticate user using OpenId Connect protocol.|#]
  • Expected state not found|#]

I cannot find any reference to these errors, so it is very difficult to understand what happens exactly.
It looks like the UserPrincipal is not created, so Payara is not aware of the existing session on Keycloak.
In fact, if I visit another protected page the callback is invoked again, but the logon is no longer necessary since, as I said, the logged-in session exists on Keycloak.

Do you have any idea or experience on this issue?

Thank you in advance!

Robert

It looks like this problem occurs when there is an additional JSESSIONID. This happens with our website as we have a static app (always on) and a service app that could be offline for maintenance.
The 1st app is in the root context while the service app is in a specific context.
After login the user has collected two JSESSIONIDs as per the above explanation, and Payara OIDC APIs and other third-party APIs such as pac4j are not able to select the correct session id.
Probably there is no solution to this… in theory the last JSESSIONID should be the correct one, but browsers probably are not ensuring the right order of this info, so it would end up being tricky.
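The session mix-up described above, as an added example that is not code from Payara, pac4j or this thread: a small Python model of the OIDC state check (the check behind "Expected state not found") with two JSESSIONID cookies scoped to "/" and "/service". The callback paths, the in-memory session store and the assumption that the container binds a request to the first JSESSIONID in the Cookie header are constructed for illustration; cookie selection follows RFC 6265 path-matching, under which a browser sends the longest matching Path first.

```python
import secrets

# Constructed stand-in for the servlet container's session registry: JSESSIONID -> attributes.
SESSIONS = {}

def new_session():
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {}
    return sid

def begin_authentication(sid):
    """Mint a random state, store it in the calling session, return it for the redirect."""
    state = secrets.token_urlsafe(32)
    SESSIONS[sid]["oidc.state"] = state
    return state

def handle_callback(sid, returned_state):
    """Callback: the state echoed by the provider must equal the one stored in the
    session the container bound to *this* request. Returns (ok, message)."""
    expected = SESSIONS.get(sid, {}).get("oidc.state")
    if expected is None:
        return False, "Expected state not found"
    if not secrets.compare_digest(expected, returned_state):
        return False, "State mismatch"
    del SESSIONS[sid]["oidc.state"]  # state is single use
    return True, "authenticated"

def path_matches(cookie_path, request_path):
    """RFC 6265 section 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

def cookies_sent(jar, request_path):
    """JSESSIONID values a browser sends for request_path, longest Path first (RFC 6265 5.4)."""
    applicable = [c for c in jar if path_matches(c["path"], request_path)]
    applicable.sort(key=lambda c: len(c["path"]), reverse=True)
    return [c["value"] for c in applicable]

def scenario(callback_path):
    """Two apps on one host, as in the thread: root app at "/" and service app at "/service".
    Assumption: the container binds the request to the first JSESSIONID in the Cookie header."""
    root_sid, svc_sid = new_session(), new_session()
    jar = [{"value": root_sid, "path": "/"}, {"value": svc_sid, "path": "/service"}]
    state = begin_authentication(svc_sid)           # login started from the service app
    sent = cookies_sent(jar, callback_path)
    return handle_callback(sent[0] if sent else None, state)
```

A callback under the service context reaches the session that minted the state; a callback served from the root context only ever sees the root app's JSESSIONID and reports the error from the log above.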

Did you find any solution for the problem? I ran into the same error message using OIDC with Wildfly (which is also using Soteria).
I can login on auth0.com and I receive a token with all data needed (I think) but no user name seems to be generated…

I finally found out that in Wildfly 27 it is important to change the configuration of the undertow application-security-domain.

It should look like this in the standalone.xml file:

        <application-security-domains>
            <application-security-domain name="other" security-domain="ApplicationDomain" integrated-jaspi="false" />
        </application-security-domains>

Only when integrated-jaspi is disabled will the annotation @OpenIdAuthenticationMechanismDefinition work correctly.

Sorry - I know this is not a Wildfly Forum :wink: (hope this will help anyone either way)