The recent release of Red Hat JBoss EAP 8.0 includes native support for OpenID Connect (OIDC) via the elytron-oidc-client subsystem. OIDC is an identity layer that enables clients, such as JBoss EAP, to verify a user’s identity based on authentication performed by an OpenID provider. For example, you can secure your JBoss EAP applications using the Red Hat build of Keycloak as the OpenID provider.

In this article, we will use the elytron-oidc-client subsystem to secure a simple web application using Microsoft Entra ID (formerly Azure Active Directory) as the OpenID provider.

For more information about JBoss EAP 8.0's native OpenID Connect support, refer to the product documentation.

Prerequisites

Connect a web application to Microsoft Entra ID

  1. Check out the sample application here.

  2. Create a file src/main/webapp/WEB-INF/oidc.json with the following contents:

    {
        "client-id" : "<<from azure>>",
        "provider-url" : "<<from azure>>",
        "ssl-required" : "EXTERNAL",
        "credentials" : {
            "secret" : "<<from azure>>"
        }
    }
  3. In the Azure portal, go to the All Services page and click Microsoft Entra ID.

  4. In the left-hand menu, select App registrations and click New Registration. You will see the Register an application page shown in Figure 1.

    Figure 1: Register a new application.
  5. Enter a name (e.g., jboss) and click the Register button. This brings you to the App registrations overview page for your application.

  6. Click Add a Redirect URL, then click Add a Platform.

  7. Select Web; you will see the Configure Web page, as shown in Figure 2.

    Figure 2: Configure a web application.
  8. Enter the following URL:

    http://localhost:8080/simple-webapp-oidc/secured
  9. Click the Configure button.

  10. Go back to the Overview page and click Add a certificate or secret.

  11. Select + New Client secret. This brings you to the Add a client secret page (Figure 3).

    Figure 3: Create a new secret.
  12. Enter a description (e.g., EAP) and click the Add button.

  13. Copy the value shown on the next page and paste this value into src/main/webapp/WEB-INF/oidc.json as the secret value.

  14. Return to the Overview page and click on Endpoints.

  15. Copy the value from OpenID Connect metadata document and paste it into src/main/webapp/WEB-INF/oidc.json as the provider-url. Be sure to remove the text /.well-known/openid-configuration.

  16. Return to the Overview page. Copy the Application (client) ID and paste this value in src/main/webapp/WEB-INF/oidc.json as the client-id.

  17. Save the changes to the oidc.json file.

Our connection to Microsoft Entra ID is now configured, and we can deploy our application to JBoss EAP 8.0 and test the authentication.
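Before deploying, it is worth checking the hand-edited oidc.json for the mistakes this procedure invites: an unfilled <<from azure>> placeholder, a provider-url pasted with /.well-known/openid-configuration still attached (step 15), or a non-HTTPS provider. The following Python checker is an added example, not code from the original article or from the elytron-oidc-client subsystem; the sample configuration and its tenant and client IDs are constructed.

```python
"""Sanity-check WEB-INF/oidc.json before deploying to JBoss EAP 8.0 (added example)."""
import json
from urllib.parse import urlparse

DISCOVERY_SUFFIX = "/.well-known/openid-configuration"
# Valid ssl-required values for the elytron-oidc-client subsystem (case-insensitive).
SSL_REQUIRED_VALUES = {"all", "external", "none"}


def is_placeholder(value) -> bool:
    """True if a value is missing or still looks like the '<<from azure>>' marker."""
    return not isinstance(value, str) or value.strip() == "" or "<" in value or ">" in value


def discovery_url(provider_url: str) -> str:
    """The metadata URL the subsystem derives from provider-url at startup."""
    return provider_url.rstrip("/") + DISCOVERY_SUFFIX


def check_oidc_config(text: str) -> list:
    """Return the problems found in an oidc.json document (empty list = looks deployable)."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} at line {exc.lineno}"]
    problems = []
    creds = cfg.get("credentials")
    secret = creds.get("secret") if isinstance(creds, dict) else None
    for name, value in (("client-id", cfg.get("client-id")),
                        ("provider-url", cfg.get("provider-url")),
                        ("credentials.secret", secret)):
        if is_placeholder(value):
            problems.append(f"{name} is missing or still a placeholder")
    url = cfg.get("provider-url")
    if isinstance(url, str) and not is_placeholder(url):
        if urlparse(url).scheme != "https":
            problems.append("provider-url must use https")
        if url.rstrip("/").endswith(DISCOVERY_SUFFIX):
            problems.append(f"provider-url must not end with {DISCOVERY_SUFFIX}; the subsystem appends it")
    ssl = cfg.get("ssl-required", "external")  # subsystem default is external
    if not isinstance(ssl, str) or ssl.lower() not in SSL_REQUIRED_VALUES:
        problems.append(f"ssl-required must be one of {sorted(SSL_REQUIRED_VALUES)}")
    return problems


# Constructed sample: the step-2 template with the secret left unfilled and the
# provider-url pasted with the metadata suffix still attached (IDs are made up).
SAMPLE_BAD = """{
  "client-id": "11111111-2222-3333-4444-555555555555",
  "provider-url": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0/.well-known/openid-configuration",
  "ssl-required": "EXTERNAL",
  "credentials": { "secret": "<<from azure>>" }
}"""

if __name__ == "__main__":
    for problem in check_oidc_config(SAMPLE_BAD):
        print("oidc.json:", problem)
```

Run it against your own file with check_oidc_config(open("src/main/webapp/WEB-INF/oidc.json").read()) before mvn wildfly:deploy.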

Test the Azure authentication

  1. First, we're going to start our JBoss EAP 8.0 instance by running:

    $JBOSS_HOME/bin/standalone.sh
  2. We can now deploy our app. From the folder containing the sample application source code, enter:

    mvn wildfly:deploy
  3. We can access our application using http://localhost:8080/simple-webapp-oidc/.

    Click Access Secured Servlet. Now you'll be redirected to the Azure login page (Figure 4). Log in with your Azure credentials.

    Figure 4: Azure login page.
  4. Next, you'll be redirected back to our application and you should see the Secured Servlet page:

    Secured Servlet
    Current Principal 'xxxx'

We were able to successfully log in to our application via the Microsoft Entra ID provider!

Summary

With JBoss EAP 8.0, OpenID Connect support is provided by the included elytron-oidc-client subsystem. In this article, we demonstrated how to secure a simple JBoss EAP 8.0 web application with Azure authentication via OpenID Connect.

For further information on JBoss EAP 8.0 OpenID support, refer to the documentation.