
[4.x] Unable to get IDCS roles even after configuring IDCS Role Mapper after upgrading to 4.0.0 from 3.2.3 #8074

Closed
tirunagaris opened this issue Nov 24, 2023 · 0 comments · Fixed by #8207
Labels: 4.x (Version 4.x), bug (Something isn't working), OCI, P2, security


tirunagaris commented Nov 24, 2023

Environment Details

  • Helidon Version: 4.0.0
  • Helidon MP
  • JDK version: JDK 21
  • OS: Windows 10 Enterprise 22H2
  • Docker version (if applicable): NA

Problem Description

Upgraded to Helidon MP 4.0.0 from 3.2.3 and found that the service is not able to get the IDCS roles, which was working prior to the upgrade.
The problem is easily reproducible and consistent.

Below are the oidc configurations:

security:
  providers:
    - abac:
      # Adds ABAC Provider - it does not require any configuration
    - oidc:
        header-use: true
        identity-uri: "${security.properties.idcs-uri}"
        client-id: "${security.properties.idcs-client-id}"
        client-secret: "${security.properties.idcs-client-secret}"
        audience: "${security.properties.idcs-uri}"
        optional-audience: true
        scope-audience: "https://localhost:8001"
        redirect-uri: "/sr/test/topology"
        token-endpoint-auth: CLIENT_SECRET_POST
        cookie-name: "JSESSIONID"
        cookie-same-site: "LAX"
        logout-enabled: true
        logout-uri: "/custom/logout"
        post-logout-uri: "/greet/WelcomeUser"
        validate-jwt-with-jwk: false
        cookie-encryption-password: "lpmaster"

    - idcs-role-mapper:
        multitenant: false
        default-idcs-subject-type: client
        subject-types: SERVICE
        oidc-config:
          # we must repeat IDCS configuration, as in this case
          # IDCS serves both as open ID connect authenticator and
          # as a role mapper. Using minimal configuration here
          client-id: "${security.properties.idcs-client-id}"
          client-secret: "${security.properties.idcs-client-secret}"
          identity-uri: "${security.properties.idcs-uri}"

Steps to reproduce

Start/run the service and access the endpoint to view the roles from the security context (see the sample code below).

Sample code

import java.util.List;

import io.helidon.security.Grant;
import io.helidon.security.SecurityContext;

import jakarta.ws.rs.GET;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.core.Context;
import jakarta.ws.rs.core.MediaType;

@GET
@Produces(MediaType.TEXT_HTML)
public String getMessage(@Context SecurityContext securityContext) {
    StringBuilder strBuilder = new StringBuilder("<b> Roles: </b> <br>");
    // List every "role" grant on the authenticated subject (empty when the role mapper failed)
    securityContext.user().ifPresent(subject -> {
        List<Grant> grantsByType = subject.grantsByType("role");
        for (Grant grant : grantsByType) {
            strBuilder.append(grant.getName() + "<br>");
        }
    });
    // "message" is a field of the enclosing resource class (not shown in this snippet)
    return message.getMessage() + "<br> <br>" + strBuilder.toString() + "<br> "
            + " <br> <br> <a href='/custom/logout'> Custom Logout </a>";
}

I'm getting the error below in the logs, although the client in IDCS has the "Authenticator Client" role assigned.

Cannot read groups for user "xxxxxxx". Response code: 401 Unauthorized, make sure your IDCS client has role "Authenticator Client" added on the client configuration page, error entity: <HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html;charset=UTF-8"><TITLE>Unauthorized</TITLE></HEAD>
<BODY><H1>Unauthorized</H1>
Proper authorization is required for this area. Either your browser does not perform authorization, or your authorization has failed.
</BODY></HTML>
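As an added example (not part of this issue and not Helidon's own code), the endpoint from the report can be written so that a missing role mapping surfaces as a hard failure instead of an empty list, and so that role names coming back from IDCS are HTML-escaped before they are rendered. It assumes the Helidon 4 `io.helidon.security` types already used in the report (`SecurityContext`, `Subject`, `Grant` with `grantsByType("role")` and `getName()`), the Jakarta REST API that Helidon MP exposes, and a hypothetical required role named `service-reader`; `RolesResource`, `roleNames` and `escapeHtml` are written for this example.

```java
import java.util.List;
import java.util.Optional;

import io.helidon.security.Grant;
import io.helidon.security.SecurityContext;
import io.helidon.security.Subject;

import jakarta.ws.rs.ForbiddenException;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.core.Context;
import jakarta.ws.rs.core.MediaType;

@Path("/roles")
public class RolesResource {

    // Hypothetical role this endpoint requires; a constructed value for the example.
    private static final String REQUIRED_ROLE = "service-reader";

    /** Names of all "role" grants on the current subject, sorted; empty if unauthenticated. */
    static List<String> roleNames(Optional<Subject> user) {
        return user.map(subject -> subject.grantsByType("role").stream()
                                          .map(Grant::getName)
                                          .sorted()
                                          .toList())
                   .orElse(List.of());
    }

    /** Minimal HTML escaping so a role name supplied by the identity provider cannot inject markup. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<' -> sb.append("&lt;");
                case '>' -> sb.append("&gt;");
                case '&' -> sb.append("&amp;");
                case '"' -> sb.append("&quot;");
                case '\'' -> sb.append("&#39;");
                default -> sb.append(c);
            }
        }
        return sb.toString();
    }

    @GET
    @Produces(MediaType.TEXT_HTML)
    public String getMessage(@Context SecurityContext securityContext) {
        List<String> roles = roleNames(securityContext.user());

        // When the role mapper cannot read groups (the 401 shown in this report), the subject
        // carries no "role" grants at all. Fail closed rather than rendering an empty list.
        if (!roles.contains(REQUIRED_ROLE)) {
            throw new ForbiddenException("required role not present: " + REQUIRED_ROLE);
        }

        StringBuilder html = new StringBuilder("<b>Roles:</b><br>");
        for (String role : roles) {
            html.append(escapeHtml(role)).append("<br>");
        }
        return html.toString();
    }
}
```

With this shape, the role-mapper failure described in the issue shows up as a 403 from the endpoint (and the `Cannot read groups` line in the logs) rather than as a page that silently lists no roles, which makes the regression easy to spot in an integration test that asserts on the response status.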
@barchetta barchetta added this to the 4.0.2 milestone Dec 4, 2023
@m0mus m0mus added bug Something isn't working P2 4.x Version 4.x labels Dec 6, 2023
@trentjeff trentjeff added the OCI label Dec 8, 2023
@barchetta barchetta modified the milestones: 4.0.2, 4.0.3 Dec 11, 2023
@m0mus m0mus added this to Backlog Aug 12, 2024
@m0mus m0mus moved this to Closed in Backlog Aug 12, 2024