Hi,

Perhaps it would be best if you could upload that reproducer so we can
replicate.

Regards
Richard

> On 13.03.2026 at 12:24, Benedikt Lang <[email protected]> wrote:
> 
> Hello Markus,
> 
> 
> our Keycloak Client is indeed set up as a public client. However, changing it 
> to a confidential one and configuring the client secret did not change the 
> outcome.
> 
> A colleague of mine built a minimal reproducer and we experimented a bit. The 
> exception only shows when using the authentication mechanism with JAX-RS. 
> When using a servlet directly, the exception vanishes.
> 
> 
> Hope this helps
> 
> Thanks
> 
> Benedikt
> 
> On 13.03.26 09:07, Markus Jung wrote:
>> Hello Benedikt,
>> 
>> 
>> your config is _very_ similar to the one we run at my company, I also added 
>> a test to verify this behavior works 
>> (https://github.com/apache/tomee/commit/9efdac831ae6a906664fd0c72b0ccd8410a528ce)
>> which passes on my machine. I noticed your 
>> @OpenIdAuthenticationMechanismDefinition does not contain a client secret. 
>> Did you simply remove it before copying into your mail or is your client in 
>> Keycloak maybe configured for public access (= Client authentication in 
>> Keycloak turned off)?
>> 
>> 
>> Thanks
>> 
>> Markus
>> 
>> 
>> On 3/12/26 10:15, Benedikt Lang wrote:
>>> Hello Markus,
>>> 
>>> 
>>> thanks for the reply.
>>> 
>>> The definition reads as follows:
>>> 
>>> ```java
>>> @OpenIdAuthenticationMechanismDefinition(
>>>     providerURI = "${openId.providerURI}",
>>>     clientId = "${openId.clientId}",
>>>     redirectURI = "${baseURL}",
>>>     redirectToOriginalResource = false,
>>>     logout = @LogoutDefinition(notifyProvider = true, redirectURI = "${baseURL}"))
>>> ```
>>> 
>>> With the providerUri being `https://<domain>/realms/<realmName>`.
>>> 
>>> We are using Keycloak as our OIDC provider as well. Furthermore I'm pretty 
>>> sure the Access Token validates as the Endpoint is secured.
>>> 
>>> 
>>> Thanks
>>> 
>>> Benedikt
>>> 
>>> 
>>> On 11.03.26 19:05, Markus Jung wrote:
>>>> Hello Benedikt,
>>>> 
>>>> from a first glance looks like either a bug in TomEE or your session 
>>>> hasn't been properly authenticated (Access token/ID token failed to 
>>>> verify?).
>>>> I'm curious about the rest of your 
>>>> @OpenIdAuthenticationMechanismDefinition. Could you possibly share that? 
>>>> Also, what OIDC provider are you using?
>>>> 
>>>> We're running the OIDC authentication at my company with 
>>>> notifyProvider=true on logout without any issues on Keycloak. That's also 
>>>> what I tested against during the implementation, so there could of course 
>>>> still be quirks with other OIDC providers.
>>>> 
>>>> 
>>>> Thanks
>>>> Markus
>>>> 
>>>> On 11 March 2026 18:07:43 CET, Benedikt Lang<[email protected]> wrote:
>>>>> Hello,
>>>>> 
>>>>> I am using TomEE 10.1.4 to serve a web application. For authentication I 
>>>>> am using the OpenIdAuthenticationMechanisms via 
>>>>> `@OpenIdAuthenticationMechanismDefinition`. When using 
>>>>> notifyProvider=false the logout endpoint runs fine, but when setting it 
>>>>> to true I receive the following exception:
>>>>> 
>>>>> ```
>>>>> jakarta.enterprise.context.ContextNotActiveException: WebBeans context with scope type annotation @SessionScoped does not exist within current thread
>>>>>          at org.apache.webbeans.container.BeanManagerImpl.getContext(BeanManagerImpl.java:339)
>>>>>          at org.apache.webbeans.intercept.NormalScopedBeanInterceptorHandler.getContextualInstance(NormalScopedBeanInterceptorHandler.java:89)
>>>>>          at org.apache.webbeans.intercept.SessionScopedBeanInterceptorHandler.getContextualInstance(SessionScopedBeanInterceptorHandler.java:76)
>>>>>          at org.apache.webbeans.intercept.NormalScopedBeanInterceptorHandler.get(NormalScopedBeanInterceptorHandler.java:71)
>>>>>          at org.apache.tomee.security.cdi.openid.TomEEOpenIdContext$$OwbNormalScopeProxy0.getIdentityToken(org/apache/tomee/security/cdi/openid/TomEEOpenIdContext.java)
>>>>>          at org.apache.tomee.security.cdi.OpenIdAuthenticationMechanism.cleanSubject(OpenIdAuthenticationMechanism.java:87)
>>>>>          at org.apache.tomee.security.cdi.OpenIdAuthenticationMechanism$$OwbNormalScopeProxy0.cleanSubject(org/apache/tomee/security/cdi/OpenIdAuthenticationMechanism.java)
>>>>>          at org.apache.tomee.security.cdi.DefaultAuthenticationMechanism.cleanSubject(DefaultAuthenticationMechanism.java:56)
>>>>>          at org.apache.tomee.security.cdi.DefaultAuthenticationMechanism$$OwbNormalScopeProxy0.cleanSubject(org/apache/tomee/security/cdi/DefaultAuthenticationMechanism.java)
>>>>>          at org.apache.tomee.security.provider.TomEESecurityServerAuthModule.cleanSubject(TomEESecurityServerAuthModule.java:60)
>>>>>          at org.apache.tomee.security.provider.TomEESecurityServerAuthContext.cleanSubject(TomEESecurityServerAuthContext.java:37)
>>>>>          at org.apache.catalina.authenticator.AuthenticatorBase.logout(AuthenticatorBase.java:1238)
>>>>>          at org.apache.catalina.connector.Request.logout(Request.java:2527)
>>>>>          at org.apache.catalina.connector.RequestFacade.logout(RequestFacade.java:764)
>>>>>          at jakarta.servlet.http.HttpServletRequestWrapper.logout(HttpServletRequestWrapper.java:302)
>>>>>          at org.apache.openejb.server.httpd.EEFilter$NoCdiRequest.logout(EEFilter.java:95)
>>>>>          at org.apache.openejb.server.httpd.ServletRequestAdapter.logout(ServletRequestAdapter.java:92)
>>>>>          at jakarta.servlet.http.HttpServletRequestWrapper.logout(HttpServletRequestWrapper.java:302)
>>>>>          at org.apache.openejb.rest.ThreadLocalHttpServletRequest.logout(ThreadLocalHttpServletRequest.java:398)
>>>>>          at <redacted>.LogoutRestAdapter.logout(LogoutRestAdapter.java:36)
>>>>>          at <redacted>t.LogoutRestAdapter$$OwbNormalScopeProxy0.logout(<redacted>/LogoutRestAdapter.java)
>>>>>          at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>>          at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
>>>>>          at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>>>          at java.base/java.lang.reflect.Method.invoke(Method.java:569)
>>>>>          at org.apache.openejb.server.cxf.rs.PojoInvoker.performInvocation(PojoInvoker.java:37)
>>>>>          at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:96)
>>>>>          at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:200)
>>>>>          at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:103)
>>>>>          at org.apache.openejb.server.cxf.rs.AutoJAXRSInvoker.invoke(AutoJAXRSInvoker.java:68)
>>>>>          at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:59)
>>>>>          at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:96)
>>>>>          at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
>>>>>          at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
>>>>>          at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:267)
>>>>>          at org.apache.openejb.server.cxf.rs.CxfRsHttpListener.doInvoke(CxfRsHttpListener.java:266)
>>>>>          at org.apache.tomee.webservices.CXFJAXRSFilter.doFilter(CXFJAXRSFilter.java:80)
>>>>>          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:162)
>>>>>          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:138)
>>>>>          at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)
>>>>>          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:162)
>>>>>          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:138)
>>>>>          at org.apache.openejb.server.httpd.EEFilter.doFilter(EEFilter.java:67)
>>>>>          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:162)
>>>>>          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:138)
>>>>>          at io.smallrye.metrics.jaxrs.JaxRsMetricsServletFilter.doFilter(JaxRsMetricsServletFilter.java:37)
>>>>>          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:162)
>>>>>          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:138)
>>>>>          at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:165)
>>>>>          at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:88)
>>>>>          at org.apache.tomee.catalina.OpenEJBValve.invoke(OpenEJBValve.java:45)
>>>>>          at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:607)
>>>>>          at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:113)
>>>>>          at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:83)
>>>>>          at org.apache.tomee.catalina.OpenEJBSecurityListener$RequestCapturer.invoke(OpenEJBSecurityListener.java:97)
>>>>>          at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:654)
>>>>>          at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:72)
>>>>>          at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
>>>>>          at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:399)
>>>>>          at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
>>>>>          at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:903)
>>>>>          at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1775)
>>>>>          at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
>>>>>          at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:973)
>>>>>          at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:491)
>>>>>          at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63)
>>>>>          at java.base/java.lang.Thread.run(Thread.java:840)
>>>>> ```
>>>>> 
>>>>> 
>>>>> Is this a bug in TomEE? What should I look out for to determine what the 
>>>>> culprit is?
>>>>> 
>>>>> 
>>>>> Best regards
>>>>> 
>>>>> Benedikt Lang
>>>>> 
>>>>> 
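
A minimal sketch of the two logout paths compared in this thread, added here as an illustration; it is not the reporter's reproducer and not TomEE code. Class names, URL paths and the use of POST are assumptions; both variants only call the standard `HttpServletRequest.logout()`, once on a request injected into a JAX-RS resource (the path seen in the stack trace, through `ThreadLocalHttpServletRequest` and `EEFilter$NoCdiRequest`) and once on a servlet's own request. Both assume an `@OpenIdAuthenticationMechanismDefinition` with `notifyProvider = true` as quoted above.

```java
// --- RestApp.java (hypothetical): activates JAX-RS under /api ---
import jakarta.ws.rs.ApplicationPath;
import jakarta.ws.rs.core.Application;

@ApplicationPath("/api")
public class RestApp extends Application { }

// --- LogoutResource.java (hypothetical): the JAX-RS variant, which the
// --- thread reports as raising ContextNotActiveException ---
import jakarta.enterprise.context.RequestScoped;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.ws.rs.POST;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.core.Context;
import jakarta.ws.rs.core.Response;

@Path("/logout")
@RequestScoped
public class LogoutResource {
    @Context
    private HttpServletRequest request; // container-provided request proxy

    @POST
    public Response logout() throws ServletException {
        request.logout(); // ends in the mechanism's cleanSubject()
        return Response.noContent().build();
    }
}

// --- LogoutServlet.java (hypothetical): the plain servlet variant, which
// --- the thread reports as working ---
import jakarta.servlet.ServletException;
import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;

@WebServlet("/logout")
public class LogoutServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        req.logout(); // same container call, without the JAX-RS wrappers
        if (!resp.isCommitted()) { // the mechanism may already have redirected
            resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
        }
    }
}
```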
