Hey Benedikt,
had some time now to look at your reproducer (sorry it took a bit, we're
all just volunteers afterall) and it seems like this is indeed a bug in
TomEE when using notifyProvider=true combined with JAX-RS. I filed an
issue for it (https://issues.apache.org/jira/browse/TOMEE-4596) and
pushed a fix to our main and tomee-10.x branches.
Could you download the latest SNAPSHOT build from here
https://repository.apache.org/content/groups/snapshots/org/apache/tomee/apache-tomee/10.1.5-SNAPSHOT/
and confirm the fix also works in your real applications?
Thanks
Markus
On 3/16/26 11:07, Benedikt Lang wrote:
Hi Richard,
if uploaded the reproducer to github here:
https://github.com/pickbreaker/tomee-oidc-bug-reproducer
Gruß
Benedikt
On 13.03.26 13:12, Richard Zowalla wrote:
Hi,
Perhaps it would be best, if you could upload that reproducer, so we
can replicate.
Gruß
Richard
Am 13.03.2026 um 12:24 schrieb Benedikt Lang <[email protected]>:
Hello Markus,
our Keycloak Client is indeed set up as a public client. However
changing it to a confidential one and configuring the client secret
did not change the outcome.
A colleague of mine built a minimal reproducer and we experimented a
bit. The exception only shows, when using the authentication
mechanism with JAX-RS. When using a servlet directly the exception
vanishes.
Hope this helps
Thanks
Benedikt
On 13.03.26 09:07, Markus Jung wrote:
Hello Benedikt,
your config is _very_ similar to the one we run at my company, I
also added a test to verify this behavior works
(https://github.com/apache/tomee/commit/9efdac831ae6a906664fd0c72b0ccd8410a528ce)
which passes on my machine. I noticed your
@OpenIdAuthenticationMechanismDefinition does not contain a client
secret. Did you simply remove it before copying into your mail or
is your client in Keycloak maybe configured for public access (=
Client authentication in Keycloak turned off)?
Thanks
Markus
On 3/12/26 10:15, Benedikt Lang wrote:
Hello Markus,
thanks for the reply.
The definition reads as follows:
```java
@OpenIdAuthenticationMechanismDefinition(providerURI
="${openId.providerURI}", clientId ="${openId.clientId}",
redirectURI ="${baseURL}", redirectToOriginalResource =false,
logout =@LogoutDefinition(notifyProvider =true, redirectURI
="${baseURL}"))
```
With the providerUri being `https://<domain>/realms/<realmName>`.
We are using Keycloak as our OIDC provider as well. Furthermore
I'm pretty sure the Access Token validates as the Endpoint is
secured.
Thanks
Benedikt
On 11.03.26 19:05, Markus Jung wrote:
Hello Benedikt,
from a first glance looks like either a bug in TomEE or your
session hasn't been properly authenticated (Access token/ID token
failed to verify?).
I'm curious about the rest of your
@OpenIdAuthenticationMechanismDefinition. Could you possibly
share that? Also, what OIDC provider are you using?
We're running the OIDC authentication at my company with
notifyProvider=true on logout without any issues on Keycloak.
That's also what I tested against during the implementation, so
there could of course still be quirks to with other OIDC providers.
Thanks
Markus
Am 11. März 2026 18:07:43 MEZ schrieb Benedikt
Lang<[email protected]>:
Hello,
I am using TomEE 10.1.4 to serve a web application. For
authentication I am using the OpenIdAuthenticationMechanisms via
`@OpenIdAuthenticationMechanismDefinition`. When using
notifyProvider=false the logout endpoint runs fine, but when
setting it to true I receive the following exception:
```
jakarta.enterprise.context.ContextNotActiveException: WebBeans
context with scope type annotation @SessionScoped does not exist
within current thread
at
org.apache.webbeans.container.BeanManagerImpl.getContext(BeanManagerImpl.java:339)
at
org.apache.webbeans.intercept.NormalScopedBeanInterceptorHandler.getContextualInstance(NormalScopedBeanInterceptorHandler.java:89)
at
org.apache.webbeans.intercept.SessionScopedBeanInterceptorHandler.getContextualInstance(SessionScopedBeanInterceptorHandler.java:76)
at
org.apache.webbeans.intercept.NormalScopedBeanInterceptorHandler.get(NormalScopedBeanInterceptorHandler.java:71)
at
org.apache.tomee.security.cdi.openid.TomEEOpenIdContext$$OwbNormalScopeProxy0.getIdentityToken(org/apache/tomee/security/cdi/openid/TomEEOpenIdContext.java)
at
org.apache.tomee.security.cdi.OpenIdAuthenticationMechanism.cleanSubject(OpenIdAuthenticationMechanism.java:87)
at
org.apache.tomee.security.cdi.OpenIdAuthenticationMechanism$$OwbNormalScopeProxy0.cleanSubject(org/apache/tomee/security/cdi/OpenIdAuthenticationMechanism.java)
at
org.apache.tomee.security.cdi.DefaultAuthenticationMechanism.cleanSubject(DefaultAuthenticationMechanism.java:56)
at
org.apache.tomee.security.cdi.DefaultAuthenticationMechanism$$OwbNormalScopeProxy0.cleanSubject(org/apache/tomee/security/cdi/DefaultAuthenticationMechanism.java)
at
org.apache.tomee.security.provider.TomEESecurityServerAuthModule.cleanSubject(TomEESecurityServerAuthModule.java:60)
at
org.apache.tomee.security.provider.TomEESecurityServerAuthContext.cleanSubject(TomEESecurityServerAuthContext.java:37)
at
org.apache.catalina.authenticator.AuthenticatorBase.logout(AuthenticatorBase.java:1238)
at
org.apache.catalina.connector.Request.logout(Request.java:2527)
at
org.apache.catalina.connector.RequestFacade.logout(RequestFacade.java:764)
at
jakarta.servlet.http.HttpServletRequestWrapper.logout(HttpServletRequestWrapper.java:302)
at
org.apache.openejb.server.httpd.EEFilter$NoCdiRequest.logout(EEFilter.java:95)
at
org.apache.openejb.server.httpd.ServletRequestAdapter.logout(ServletRequestAdapter.java:92)
at
jakarta.servlet.http.HttpServletRequestWrapper.logout(HttpServletRequestWrapper.java:302)
at
org.apache.openejb.rest.ThreadLocalHttpServletRequest.logout(ThreadLocalHttpServletRequest.java:398)
at
<redacted>.LogoutRestAdapter.logout(LogoutRestAdapter.java:36)
at
<redacted>t.LogoutRestAdapter$$OwbNormalScopeProxy0.logout(<redacted>/LogoutRestAdapter.java)
at
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native
Method)
at
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
at
java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at
java.base/java.lang.reflect.Method.invoke(Method.java:569)
at
org.apache.openejb.server.cxf.rs.PojoInvoker.performInvocation(PojoInvoker.java:37)
at
org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:96)
at
org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:200)
at
org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:103)
at
org.apache.openejb.server.cxf.rs.AutoJAXRSInvoker.invoke(AutoJAXRSInvoker.java:68)
at
org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:59)
at
org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:96)
at
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
at
org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
at
org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:267)
at
org.apache.openejb.server.cxf.rs.CxfRsHttpListener.doInvoke(CxfRsHttpListener.java:266)
at
org.apache.tomee.webservices.CXFJAXRSFilter.doFilter(CXFJAXRSFilter.java:80)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:162)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:138)
at
org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:162)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:138)
at
org.apache.openejb.server.httpd.EEFilter.doFilter(EEFilter.java:67)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:162)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:138)
at
io.smallrye.metrics.jaxrs.JaxRsMetricsServletFilter.doFilter(JaxRsMetricsServletFilter.java:37)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:162)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:138)
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:165)
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:88)
at
org.apache.tomee.catalina.OpenEJBValve.invoke(OpenEJBValve.java:45)
at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:607)
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:113)
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:83)
at
org.apache.tomee.catalina.OpenEJBSecurityListener$RequestCapturer.invoke(OpenEJBSecurityListener.java:97)
at
org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:654)
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:72)
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
at
org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:399)
at
org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
at
org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:903)
at
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1775)
at
org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
at
org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:973)
at
org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:491)
at
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63)
at java.base/java.lang.Thread.run(Thread.java:840)
```
Is this a bug in TomEE? What should I look out for to determine
what the culprit is?
Best regards
Benedikt Lang
