Authenticating using OpenId Connect and Keycloak

I implemented the Payara OpenId Connector in order to authenticate with the Keycloak OIDC provider. I am using Payara Community 5.2022.5.
I reach the Keycloak authentication form after visiting a protected page and I log in with an existing user.
The session is created on Keycloak and the callback is invoked apparently without errors (HTTP 200), but I cannot print or log any info from the context.

Using the logger I obtain these errors:

  • UserPrincipal is not set, authenticate user using OpenId Connect protocol.|#]
  • Expected state not found|#]

I cannot find any reference to these errors, so it is very difficult to understand what is happening exactly.
It looks like the UserPrincipal is not created, so Payara is not aware of the existing session on Keycloak.
In fact, if I visit another protected page the callback is invoked again, but the login is no longer necessary because, as I said, the logged-in session exists on Keycloak.

Do you have any idea or experience with this issue?

Thank you in advance!


It looks like this problem occurs when there is an additional JSESSIONID. This happens with our website as we have a static app (always on) and a service app that could be offline for maintenance.
The 1st app is in the root context while the service app is in a specific context.
After login the user has collected two JSESSIONID cookies as per the above explanation, and the Payara OIDC APIs and other third-party APIs such as pac4j are not able to select the correct session id.
Probably there is no solution to this… in theory the last JSESSIONID should be the correct one, but browsers probably do not ensure the right order of this information, so it would end up being tricky.
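
The two-cookie situation described in the post above can be modelled offline. The following is an added example, not code from the thread, Payara or pac4j: it builds the `Cookie` header a browser would send under RFC 6265 path matching and shows how a first-match or last-match policy lands on different sessions. The `/service` context path, the session ids and the `oidc_state` key are constructed assumptions.

```python
# Added illustration (constructed data): two apps on one host each set a
# JSESSIONID cookie, one with Path=/ and one with Path=/service (assumed paths).
from dataclasses import dataclass

@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    path: str

def path_matches(cookie_path: str, request_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"

def cookie_header(jar, request_path: str) -> str:
    """Build the Cookie header as RFC 6265 section 5.4 suggests: longer paths
    first. Servers are told not to rely on this order."""
    sent = sorted((c for c in jar if path_matches(c.path, request_path)),
                  key=lambda c: len(c.path), reverse=True)
    return "; ".join(f"{c.name}={c.value}" for c in sent)

def session_ids(header: str, name: str = "JSESSIONID") -> list:
    """Every value sent under the session cookie name, in header order."""
    pairs = (p.strip().partition("=") for p in header.split(";"))
    return [value for key, _, value in pairs if key == name]

def is_ambiguous(header: str) -> bool:
    """Detection check: more than one session id arrived with the request."""
    return len(session_ids(header)) > 1

def lookup_state(sessions: dict, header: str, pick: str):
    """Return the stored OIDC state for the session a 'first' or 'last'
    match policy selects, or None if that session holds no state."""
    ids = session_ids(header)
    if not ids:
        return None
    sid = ids[0] if pick == "first" else ids[-1]
    return sessions.get(sid, {}).get("oidc_state")

# Constructed sample: the service app's session holds the pending OIDC state.
JAR = [Cookie("JSESSIONID", "ROOT111", "/"), Cookie("JSESSIONID", "SVC222", "/service")]
SESSIONS = {"ROOT111": {}, "SVC222": {"oidc_state": "st-abc123"}}
CALLBACK = cookie_header(JAR, "/service/callback")
```

Logging requests for which `is_ambiguous` is true makes the collision visible in access logs. The Servlet `<session-config><cookie-config><name>` element in `web.xml` lets each application use its own session cookie name, so the two cookies no longer share one name.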