WildFly: WFLY-18829

Can not call remote EJB when OIDC is enabled


Details

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • Affects Version: 30.0.1.Final
    • Components: EJB, Security

    Steps to Reproduce:

      Prepare Keycloak:

      • download and unzip keycloak-22.0.1
      • cd to $keycloak_dir/bin
      • start keycloak:
        ./kc.sh start-dev --http-port=9080
        
      • open http://localhost:9080/
      • create admin user/password
      • open the Administration Console and sign in
      • create a new realm s4p_azure
      • click on the paginator and select "100 per page"
      • click on Client scopes and select roles
      • click on Mappers / Add mapper / From predefined mappers
      • select groups
      • create a client in that realm and name it s4p_azure_client. Under Valid redirect URIs enter http://localhost/*
      • create a realm role AUTHENTICATED_USER
      • create a user testuser
      • click on Credentials and set password_123 as password. Disable the Temporary switch
      • click on Role mapping and assign the AUTHENTICATED_USER role
      • open the realm settings and click on Keys
      • find the line with Use SIG
        • copy the SIG Kid
        • copy the SIG Public Key

      Prepare the reproducer:

      • download and unzip the attached reproducer
      • copy the Kid and Public Key into $reproducer_dir/configure-wildfly.cli

      Test server with enabled security-domain:

      • cd to $reproducer_dir/ in a new terminal (here called "server terminal")
      • start the application server with
        mvn -Prun-server
        
      • verify that the server started correctly; there should be no errors or exceptions in the output
      • keep the "server terminal" running and open your web browser to http://localhost:8080/sso-app/index.xhtml
      • click on "Access Secured Area" and log on with testuser/password_123
      • test with the two buttons: the first performs a direct call to an EJB annotated with @PermitAll; the second tests an EJB call via @RunAs
      • both calls will fail
      • keep the terminal open and running

      Test client with enabled security-domain:

      • cd to $reproducer_dir/ in a new terminal (here called "client terminal")
      • start the client with
        mvn -Prun-client
        
      • verify that the client started correctly; there should be no errors or exceptions in the output
      • verify that the remote EJB invocation works (marked with ****** in the output)

      Test server with disabled security-domain:

      • stop the server with CTRL-C in the "server terminal"
      • comment out the marked line in configure-wildfly.cli
      • in the "server terminal": start the application server with
        mvn -Prun-server

      • verify that the server started correctly; there should be no errors or exceptions in the output
      • keep the "server terminal" running and open your web browser to http://localhost:8080/sso-app/index.xhtml
      • click on "Access Secured Area" and log on with testuser/password_123
      • test with the two buttons: the first performs a direct call to an EJB annotated with @PermitAll; the second tests an EJB call via @RunAs
      • both calls work now
      • keep the terminal open and running

      Test client with disabled security-domain:

      • in the "server terminal": start the client with
        mvn -Prun-client

      • verify that the client started correctly; there should be no errors or exceptions in the output
      • verify that the remote EJB invocation no longer works



    Description

      When a WAR inside an EAR is secured with OIDC, EJB calls from a remote SASL client application are not possible.
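The Keycloak preparation steps above, driven through Keycloak's Admin REST API instead of the console, as an added example that is not part of the attached reproducer or of WildFly. It assumes Keycloak 22 on http://localhost:9080 (the port used in the steps) and takes the master-realm admin user and password as command-line arguments; the "100 per page" and groups-mapper console steps are not automated. pick_sig_key is the part that selects the SIG Kid and Public Key that the steps copy into configure-wildfly.cli, and it refuses passive or encryption keys so the wrong key cannot be pasted by mistake.

```python
import json
import sys
import urllib.parse
import urllib.request

BASE = "http://localhost:9080"   # assumption: Keycloak started with --http-port=9080
REALM = "s4p_azure"

def call(method, path, token=None, body=None, form=None):
    """Minimal Admin REST client: sends form or JSON data, returns parsed JSON (or None)."""
    if form is not None:
        data, ctype = urllib.parse.urlencode(form).encode(), "application/x-www-form-urlencoded"
    else:
        data, ctype = (None if body is None else json.dumps(body).encode()), "application/json"
    req = urllib.request.Request(BASE + path, data=data, method=method)
    req.add_header("Content-Type", ctype)
    if token:
        req.add_header("Authorization", "Bearer " + token)
    with urllib.request.urlopen(req) as resp:  # raises HTTPError on 4xx/5xx
        raw = resp.read()
    return json.loads(raw) if raw else None

def pick_sig_key(keys_meta):
    """(kid, publicKey) of the active RS256 signing key, i.e. the console's 'Use SIG' line.
    Passive, disabled or ENC keys are skipped: copying one of those into the CLI script
    would make the server reject every token Keycloak issues."""
    active_kid = keys_meta.get("active", {}).get("RS256")
    for key in keys_meta.get("keys", []):
        if key.get("kid") == active_kid and key.get("use") == "SIG" and key.get("status") == "ACTIVE":
            return key["kid"], key["publicKey"]
    raise LookupError("realm has no active RS256 SIG key")

def prepare(admin_user, admin_pw):
    # Realm, client, role, user, password and role mapping, as in the console steps.
    tok = call("POST", "/realms/master/protocol/openid-connect/token", form={
        "grant_type": "password", "client_id": "admin-cli",
        "username": admin_user, "password": admin_pw})["access_token"]
    r = f"/admin/realms/{REALM}"
    call("POST", "/admin/realms", tok, {"realm": REALM, "enabled": True})
    call("POST", f"{r}/clients", tok,
         {"clientId": "s4p_azure_client", "redirectUris": ["http://localhost/*"]})
    call("POST", f"{r}/roles", tok, {"name": "AUTHENTICATED_USER"})
    call("POST", f"{r}/users", tok, {"username": "testuser", "enabled": True})
    uid = call("GET", f"{r}/users?username=testuser&exact=true", tok)[0]["id"]
    call("PUT", f"{r}/users/{uid}/reset-password", tok,      # "Temporary" switch off
         {"type": "password", "value": "password_123", "temporary": False})
    call("POST", f"{r}/users/{uid}/role-mappings/realm", tok,
         [call("GET", f"{r}/roles/AUTHENTICATED_USER", tok)])
    return pick_sig_key(call("GET", f"{r}/keys", tok))

if __name__ == "__main__":
    kid, pem = prepare(sys.argv[1], sys.argv[2])
    print("SIG Kid:", kid, "\nSIG Public Key:", pem)
```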

      People

        Diana Krepinska (dvilkola@redhat.com)
        Thomas Reinhardt (thomas.reinhardt@s4p.de)