Security with OpenId and Eclipse Microprofile JWT

Zeta · March 17, 2026, 7:49am

Can a single Web application that contains both REST services and Web pages be secured by a different security mechanism?

OpenId authentication is currently designed to implement the OpenId Authorization Code Flow which requires a redirection to the Identity Provider (IdP) where the user is asked for credentials (username and password). This flow requires user interaction to get an access token, which is used in the authentication and authorization process to access restricted resources on the application server (Web pages).

On the other hand, REST services do not required this interactive process and just validating that the request contains a bearer access token. This authentication and authorization process can not be implemented through the current OpenId authentication mechanism.

I found, searching over Internet, that a solution might be using Eclipse Microprofile JWT to secure just REST services, but deploying both on Payara Community 6x|7x I’m getting the following CDI error:

026-03-16T11:26:30.060+0100] [Payara 7.2026.2] [WARNING] [] [javax.enterprise.system.container.web.com.sun.web.security] [tid: _ThreadID=111 _ThreadName=http-thread-pool::http-listener-1(5)] [timeMillis: 1773656790060] [levelValue: 900] [[
  JASPIC: http msg authentication fail
org.jboss.weld.exceptions.AmbiguousResolutionException: WELD-001318: Cannot resolve an ambiguous dependency between: 
  - org.glassfish.common.util.PayaraCdiProducer@3087019b,
  - DecorableWeldBeanWrapper WELD%AbstractBuiltInBean%org.glassfish.soteria.cdi.CdiExtension%HttpAuthenticationMechanism%org.glassfish.soteria.cdi.CdiProducer class org.glassfish.soteria.mechanisms.OpenIdAuthenticationMechanism
	at org.jboss.weld.manager.BeanManagerImpl.resolve(BeanManagerImpl.java:1193)
	at org.glassfish.soteria.cdi.CdiUtils.getContextualReference(CdiUtils.java:160)
	at org.glassfish.soteria.cdi.CdiUtils.getBeanReferenceByType(CdiUtils.java:185)
	at org.glassfish.soteria.mechanisms.DefaultHttpAuthenticationMechanismHandler.init(DefaultHttpAuthenticationMechanismHandler.java:33)
	at org.glassfish.soteria.cdi.CdiExtension.lambda$afterBean$23(CdiExtension.java:400)
	at org.glassfish.soteria.cdi.CdiProducer.create(CdiProducer.java:81)
	at org.glassfish.soteria.spi.bean.decorator.weld.DecorableWeldBeanWrapper.create(DecorableWeldBeanWrapper.java:100)
	at org.jboss.weld.contexts.AbstractContext.get(AbstractContext.java:96)

I suspect that the two implementations, OpenId and Eclipse MicroProfile, are not compatible within the same web application, or I cannot find a way for them to coexist and work together.

How can I develop such kind of a single Web application?

Topic		Replies	Views
Authenticating using OpenId Connect and Keycloak Technical Discussion security	3	920	June 12, 2023
OpenId Connect: .well-known/openid-configuration network call even if URL not protected Technical Discussion	0	699	April 13, 2022
Payaramicro with MicroShed JWT issue Technical Discussion	2	278	November 20, 2021
Security API deployment failure in Payara Full CE 5.2022.1 Technical Discussion	0	576	March 23, 2022
Question on OpenIdAuthenticationMechanism Technical Discussion security	0	105	February 23, 2024

Security with OpenId and Eclipse Microprofile JWT

Related topics