@AzureAuthenticationDefinition and password aliases

I am constructing an application that will use AAD for single sign on and authorisation. I have constructed a test bed web application that is able to successfully authenticate me using the @AzureAuthenticationDefinition annotation:

        providerURI = "https://login.microsoftonline.com/**REDACTED**/v2.0/",
        clientId = "**REDACTED**",
        clientSecret = "**REDACTED**",
        redirectURI = "${baseURL}/Callback"
public class SecurityConfig {

Now, I want to use a password alias to protect the clientSecret. I have saved the secret in the console under an alias called appsecret. I have tried changing the client secret thus:

        clientSecret = "${ALIAS=appsecret}",

but I then get this in the server log:

  Error occurred in validating Authorization Code : invalid_client caused by AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app '**REDACTED**'.

and the secued page then refuses to load.

If I use @ConfigProperty on a bean:

import javax.inject.Inject;
import javax.inject.Named;
import org.eclipse.microprofile.config.inject.ConfigProperty;

public class ConfigBean {
    @ConfigProperty(name = "appsecret")
    private String secret;

    public String getSecret() {
        return secret;

    public ConfigBean() {

…then include the microprofile library, and use a bean expression:

        clientSecret = "#{configBean.secret}",

this works, but it feels like I am increasing the attack surface on my application, by having a bean that exposes the secret.
Can anyone help me here? Should ALIAS substitution work in this context? Do the depedencies / classpath have an impact on this? Currently I have:



Hi @sgparry,

As per our technical documentation Cloud Connectors :: Payara Community Documentation

On Payara all properties can be replaced via System properties using the syntax ${system.property.name} or environment variables using the syntax ${ENV=evironment.property.name} or password aliases using the syntax ${ALIAS=alias.name}

So as you expected, using the alias directly should be possible. Could you please raise a bug report with a full, easy to follow reproducer in the Payara Ecosystem Support repository: Issues · payara/ecosystem-support · GitHub. This will allow us to better track this issue and keep you informed of any updates.