PASService Behavior

- OIDCAuthenticationFilter is mapped to: /rest/services/*
- When SSO is disabled, requests continue through the existing flow.
- When SSO is enabled, PASService expects HTTP Basic credentials.
- The filter exchanges the Basic username and password through the OIDC password grant:
    grant_type=password
    client_id=<clientId>
    client_secret=<clientSecret>
    username=<Basic username>
    password=<Basic password>
    scope=openid
- The implementation validates the returned access token against jwks_uri.
- The implementation extracts roles from resource_access[clientId].roles.
- At least one token role must match a <role-name> that PASService web.xml configures.

Important PASService IdP Requirement

Direct Access Grant or Resource Owner Password Credentials must be enabled for the client or provider because PASService currently uses the password grant for Basic-auth callers.
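The following is an added example, not PASService's own filter code, showing the two sides of the behavior listed above: the form body the password grant sends for a Basic-auth caller, and the claim and role checks applied to the returned access token. It assumes the signature has already been verified against jwks_uri by a JWT library before `decode_payload` is called, so only the payload checks are shown here; the client id, secret, issuer and role names are constructed placeholders, and the issuer and expiry checks are standard verifier steps added for completeness rather than taken from the page.

```python
"""Added example (not PASService code): password-grant form and token role checks."""
import base64
import json
import time
from urllib.parse import urlencode

# Hypothetical configuration values; real ones come from the PASService deployment.
CLIENT_ID = "passervice"
CLIENT_SECRET = "example-client-secret"
ISSUER = "https://idp.example/realms/demo"


def build_password_grant_form(username, password,
                              client_id=CLIENT_ID, client_secret=CLIENT_SECRET):
    """Body of the token request sent for a Basic-auth caller (OIDC password grant)."""
    return urlencode({
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        "password": password,
        "scope": "openid",
    })


def _b64url_decode(segment):
    """Decode base64url without padding, as used in compact JWS segments."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_payload(jwt):
    """Return the JWT payload as a dict.

    Assumption: the signature was already validated against jwks_uri. This
    function does not verify it and must never be the only check.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def client_roles(claims, client_id):
    """Roles for this client live under resource_access[clientId].roles."""
    return set(claims.get("resource_access", {}).get(client_id, {}).get("roles", []))


def authorize(claims, client_id, issuer, web_xml_roles, now=None):
    """Return the token roles that match web.xml <role-name> entries, or raise."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise PermissionError("issuer mismatch")
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    matched = client_roles(claims, client_id) & set(web_xml_roles)
    if not matched:
        raise PermissionError("no token role matches a web.xml <role-name>")
    return matched


def make_constructed_token(claims):
    """Constructed test input only: JWS with an empty signature segment.

    A real filter rejects such a token at the jwks_uri signature check.
    """
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample claims, shaped like a Keycloak-style access token.
SAMPLE_CLAIMS = {
    "iss": ISSUER,
    "exp": 4102444800,
    "resource_access": {
        CLIENT_ID: {"roles": ["pas-user"]},
        "other-client": {"roles": ["admin"]},
    },
}

if __name__ == "__main__":
    print(build_password_grant_form("alice", "p w&x"))
    token = make_constructed_token(SAMPLE_CLAIMS)
    claims = decode_payload(token)
    print(authorize(claims, CLIENT_ID, ISSUER, ["admin", "pas-user"], now=1000))
```

Note that `admin` under `other-client` does not grant access: only roles under the PASService client id are considered, which is why a web.xml that lists just `admin` yields a rejection for the sample token.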