From 0f0e5b37e8f099c9a05b7c57ecd85361342d77ae Mon Sep 17 00:00:00 2001 
From: Farah Juma Date: Mon, 6 Nov 2023 13:22:20 -0500 Subject: [PATCH] Add example applications for identity propagation with OIDC --- .../README.md | 11 +++ .../configure-server.cli | 7 ++ .../ejb-same-domain/ear/pom.xml | 52 +++++++++++ .../ejb-same-domain/ejb/pom.xml | 72 +++++++++++++++ .../ejb/src/main/java/META-INF/beans.xml | 24 +++++ .../examples/ejb_same_domain/ejb/WhoAmI.java | 22 +++++ .../ejb_same_domain/ejb/WhoAmIBean.java | 43 +++++++++ .../main/resources/META-INF/jboss-ejb3.xml | 19 ++++ .../ejb-same-domain/pom.xml | 56 +++++++++++ .../same-virtual-domain/ear/pom.xml | 58 ++++++++++++ .../same-virtual-domain/ejb/pom.xml | 50 ++++++++++ .../ejb/src/main/java/META-INF/beans.xml | 24 +++++ .../same_virtual_domain/ejb/EntryBean.java | 83 +++++++++++++++++ .../same-virtual-domain/pom.xml | 61 ++++++++++++ .../same-virtual-domain/web/pom.xml | 66 +++++++++++++ .../web/WhoAmIServlet.java | 92 +++++++++++++++++++ .../web/src/main/webapp/WEB-INF/beans.xml | 24 +++++ .../web/src/main/webapp/WEB-INF/jboss-web.xml | 26 ++++++ .../web/src/main/webapp/WEB-INF/oidc.json | 8 ++ .../web/src/main/webapp/WEB-INF/web.xml | 24 +++++ .../web/src/main/webapp/index.html | 24 +++++ oidc-with-identity-propagation/README.md | 9 ++ .../configure-server.cli | 29 ++++++ .../ejb-basic/ear/pom.xml | 47 ++++++++++ .../ejb-basic/ejb/pom.xml | 62 +++++++++++++ .../ejb/src/main/java/META-INF/beans.xml | 24 +++++ .../examples/ejb_basic/ejb/Management.java | 23 +++++ .../ejb_basic/ejb/ManagementBean.java | 44 +++++++++ .../ejb-basic/pom.xml | 56 +++++++++++ .../ear/pom.xml | 58 ++++++++++++ .../ejb/pom.xml | 50 ++++++++++ .../ejb/src/main/java/META-INF/beans.xml | 24 +++++ .../ejb/EntryBean.java | 83 +++++++++++++++++ .../virtual-security-domain-to-domain/pom.xml | 61 ++++++++++++ .../web/pom.xml | 66 +++++++++++++ .../web/SecuredServlet.java | 92 +++++++++++++++++++ .../web/src/main/webapp/WEB-INF/beans.xml | 24 +++++ .../web/src/main/webapp/WEB-INF/jboss-web.xml | 26 ++++++ 
.../web/src/main/webapp/WEB-INF/oidc.json | 8 ++ .../web/src/main/webapp/WEB-INF/web.xml | 24 +++++ .../web/src/main/webapp/index.html | 24 +++++ 41 files changed, 1680 insertions(+) create mode 100644 oidc-with-identity-propagation-same-domain/README.md create mode 100644 oidc-with-identity-propagation-same-domain/configure-server.cli create mode 100644 oidc-with-identity-propagation-same-domain/ejb-same-domain/ear/pom.xml create mode 100644 oidc-with-identity-propagation-same-domain/ejb-same-domain/ejb/pom.xml create mode 100644 oidc-with-identity-propagation-same-domain/ejb-same-domain/ejb/src/main/java/META-INF/beans.xml create mode 100644 oidc-with-identity-propagation-same-domain/ejb-same-domain/ejb/src/main/java/org/wildfly/security/examples/ejb_same_domain/ejb/WhoAmI.java create mode 100644 oidc-with-identity-propagation-same-domain/ejb-same-domain/ejb/src/main/java/org/wildfly/security/examples/ejb_same_domain/ejb/WhoAmIBean.java create mode 100644 oidc-with-identity-propagation-same-domain/ejb-same-domain/ejb/src/main/resources/META-INF/jboss-ejb3.xml create mode 100644 oidc-with-identity-propagation-same-domain/ejb-same-domain/pom.xml create mode 100644 oidc-with-identity-propagation-same-domain/same-virtual-domain/ear/pom.xml create mode 100644 oidc-with-identity-propagation-same-domain/same-virtual-domain/ejb/pom.xml create mode 100644 oidc-with-identity-propagation-same-domain/same-virtual-domain/ejb/src/main/java/META-INF/beans.xml create mode 100644 oidc-with-identity-propagation-same-domain/same-virtual-domain/ejb/src/main/java/org/wildfly/security/examples/same_virtual_domain/ejb/EntryBean.java create mode 100644 oidc-with-identity-propagation-same-domain/same-virtual-domain/pom.xml create mode 100644 oidc-with-identity-propagation-same-domain/same-virtual-domain/web/pom.xml create mode 100644 oidc-with-identity-propagation-same-domain/same-virtual-domain/web/src/main/java/org/wildfly/security/examples/same_virtual_domain/web/WhoAmIServlet.java 
create mode 100644 oidc-with-identity-propagation-same-domain/same-virtual-domain/web/src/main/webapp/WEB-INF/beans.xml create mode 100644 oidc-with-identity-propagation-same-domain/same-virtual-domain/web/src/main/webapp/WEB-INF/jboss-web.xml create mode 100644 oidc-with-identity-propagation-same-domain/same-virtual-domain/web/src/main/webapp/WEB-INF/oidc.json create mode 100644 oidc-with-identity-propagation-same-domain/same-virtual-domain/web/src/main/webapp/WEB-INF/web.xml create mode 100644 oidc-with-identity-propagation-same-domain/same-virtual-domain/web/src/main/webapp/index.html create mode 100644 oidc-with-identity-propagation/README.md create mode 100644 oidc-with-identity-propagation/configure-server.cli create mode 100644 oidc-with-identity-propagation/ejb-basic/ear/pom.xml create mode 100644 oidc-with-identity-propagation/ejb-basic/ejb/pom.xml create mode 100644 oidc-with-identity-propagation/ejb-basic/ejb/src/main/java/META-INF/beans.xml create mode 100644 oidc-with-identity-propagation/ejb-basic/ejb/src/main/java/org/wildfly/security/examples/ejb_basic/ejb/Management.java create mode 100644 oidc-with-identity-propagation/ejb-basic/ejb/src/main/java/org/wildfly/security/examples/ejb_basic/ejb/ManagementBean.java create mode 100644 oidc-with-identity-propagation/ejb-basic/pom.xml create mode 100644 oidc-with-identity-propagation/virtual-security-domain-to-domain/ear/pom.xml create mode 100644 oidc-with-identity-propagation/virtual-security-domain-to-domain/ejb/pom.xml create mode 100644 oidc-with-identity-propagation/virtual-security-domain-to-domain/ejb/src/main/java/META-INF/beans.xml create mode 100644 oidc-with-identity-propagation/virtual-security-domain-to-domain/ejb/src/main/java/org/wildfly/security/examples/virtual_security_domain_to_domain/ejb/EntryBean.java create mode 100644 oidc-with-identity-propagation/virtual-security-domain-to-domain/pom.xml create mode 100644 
oidc-with-identity-propagation/virtual-security-domain-to-domain/web/pom.xml create mode 100644 oidc-with-identity-propagation/virtual-security-domain-to-domain/web/src/main/java/org/wildfly/security/examples/virtual_security_domain_to_domain/web/SecuredServlet.java create mode 100644 oidc-with-identity-propagation/virtual-security-domain-to-domain/web/src/main/webapp/WEB-INF/beans.xml create mode 100644 oidc-with-identity-propagation/virtual-security-domain-to-domain/web/src/main/webapp/WEB-INF/jboss-web.xml create mode 100644 oidc-with-identity-propagation/virtual-security-domain-to-domain/web/src/main/webapp/WEB-INF/oidc.json create mode 100644 oidc-with-identity-propagation/virtual-security-domain-to-domain/web/src/main/webapp/WEB-INF/web.xml create mode 100644 oidc-with-identity-propagation/virtual-security-domain-to-domain/web/src/main/webapp/index.html diff --git a/oidc-with-identity-propagation-same-domain/README.md b/oidc-with-identity-propagation-same-domain/README.md new file mode 100644 index 00000000..5f44b933 --- /dev/null +++ b/oidc-with-identity-propagation-same-domain/README.md @@ -0,0 +1,11 @@ +## Identity Propagation with OpenID Connect (OIDC) + +When securing an application with OpenID Connect (OIDC), the `elytron-oidc-client` subsystem will automatically create a +virtual security domain for you. If your application invokes an EJB, additional configuration might be required to propagate +the security identity from the virtual security domain depending on how the EJB is being secured. + +If your application secured with OIDC invokes an EJB within the same deployment and you'd like to secure the EJB +using the same virtual security domain, no additional configuration is required. + +If your application secured with OIDC invokes an EJB in a separate deployment and you'd like to secure the EJB using +the same virtual security domain, additional configuration will be needed as shown in this example. 
diff --git a/oidc-with-identity-propagation-same-domain/configure-server.cli b/oidc-with-identity-propagation-same-domain/configure-server.cli new file mode 100644 index 00000000..c85ac95d --- /dev/null +++ b/oidc-with-identity-propagation-same-domain/configure-server.cli @@ -0,0 +1,7 @@ +batch + +# Configure a virtual-security-domain that will be referenced by the WhoAmIBean +/subsystem=elytron/virtual-security-domain=same-virtual-domain.ear:add() + +# Run the batch commands +run-batch diff --git a/oidc-with-identity-propagation-same-domain/ejb-same-domain/ear/pom.xml b/oidc-with-identity-propagation-same-domain/ejb-same-domain/ear/pom.xml new file mode 100644 index 00000000..f59c57de --- /dev/null +++ b/oidc-with-identity-propagation-same-domain/ejb-same-domain/ear/pom.xml @@ -0,0 +1,52 @@ + + + 4.0.0 + + org.wildfly.security.examples + ejb-same-domain + 2.0.0.Alpha1-SNAPSHOT + + ejb-same-domain-ear + ear + + + 4.2.0.Final + 3.3.0 + + + + + ${project.groupId} + ejb-same-domain-ejb + ejb + + + + + ${project.parent.artifactId} + + + + org.apache.maven.plugins + maven-ear-plugin + 3.3.0 + + + 7 + lib + @{artifactId}@@{dashClassifier?}@.@{extension}@ + + + + org.wildfly.plugins + wildfly-maven-plugin + ${version.wildfly.maven.plugin} + + false + + + + + diff --git a/oidc-with-identity-propagation-same-domain/ejb-same-domain/ejb/pom.xml b/oidc-with-identity-propagation-same-domain/ejb-same-domain/ejb/pom.xml new file mode 100644 index 00000000..80c5f49b --- /dev/null +++ b/oidc-with-identity-propagation-same-domain/ejb-same-domain/ejb/pom.xml 
@@ -0,0 +1,72 @@ + + + + + 4.0.0 + + + org.wildfly.security.examples + ejb-same-domain + 2.0.0.Alpha1-SNAPSHOT + + ejb-same-domain-ejb + + + + jakarta.enterprise + jakarta.enterprise.cdi-api + provided + + + jakarta.annotation + jakarta.annotation-api + provided + + + jakarta.ejb + jakarta.ejb-api + provided + + + org.jboss.ejb3 + jboss-ejb3-ext-api + + + + ${project.artifactId} + + + META-INF + src/main/resources/META-INF + + + jboss-ejb3.xml + + + + + + org.wildfly.plugins + wildfly-maven-plugin + + true + + + + + diff --git a/oidc-with-identity-propagation-same-domain/ejb-same-domain/ejb/src/main/java/META-INF/beans.xml b/oidc-with-identity-propagation-same-domain/ejb-same-domain/ejb/src/main/java/META-INF/beans.xml new file mode 100644 index 00000000..d3ddf148 --- /dev/null +++ b/oidc-with-identity-propagation-same-domain/ejb-same-domain/ejb/src/main/java/META-INF/beans.xml @@ -0,0 +1,24 @@ + + + + + diff --git a/oidc-with-identity-propagation-same-domain/ejb-same-domain/ejb/src/main/java/org/wildfly/security/examples/ejb_same_domain/ejb/WhoAmI.java b/oidc-with-identity-propagation-same-domain/ejb-same-domain/ejb/src/main/java/org/wildfly/security/examples/ejb_same_domain/ejb/WhoAmI.java new file mode 100644 index 00000000..88669138 --- /dev/null +++ b/oidc-with-identity-propagation-same-domain/ejb-same-domain/ejb/src/main/java/org/wildfly/security/examples/ejb_same_domain/ejb/WhoAmI.java 
@@ -0,0 +1,22 @@
+/*
+ * Copyright 2023 Red Hat, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.wildfly.security.examples.ejb_same_domain.ejb;
+
+public interface WhoAmI {
+
+ public String whoAmI();
+}
diff --git a/oidc-with-identity-propagation-same-domain/ejb-same-domain/ejb/src/main/java/org/wildfly/security/examples/ejb_same_domain/ejb/WhoAmIBean.java b/oidc-with-identity-propagation-same-domain/ejb-same-domain/ejb/src/main/java/org/wildfly/security/examples/ejb_same_domain/ejb/WhoAmIBean.java
new file mode 100644
index 00000000..bceb5d89
--- /dev/null
+++ b/oidc-with-identity-propagation-same-domain/ejb-same-domain/ejb/src/main/java/org/wildfly/security/examples/ejb_same_domain/ejb/WhoAmIBean.java
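Review bot: The `public` modifier on `whoAmI()` is redundant inside an interface, and the method carries no Javadoc saying what the returned string contains; the same two points apply to `adminOnlyMethod()` in Management.java further down in this patch. Suggest `String whoAmI();` preceded by a Javadoc such as `/** Returns a text summary of the caller principal and its 'User'/'Admin' role membership as seen from inside the bean. */`, which matches what WhoAmIBean actually builds.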
@@ -0,0 +1,43 @@
+/*
+ * Copyright 2023 Red Hat, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.wildfly.security.examples.ejb_same_domain.ejb;
+
+import jakarta.ejb.Remote;
+import jakarta.ejb.Stateful;
+import jakarta.annotation.security.RolesAllowed;
+import jakarta.annotation.security.PermitAll;
+import jakarta.annotation.Resource;
+
+import org.jboss.ejb3.annotation.SecurityDomain;
+import jakarta.ejb.SessionContext;
+
+@Stateful
+@Remote(WhoAmI.class)
+@SecurityDomain("same-virtual-domain.ear")
+public class WhoAmIBean implements WhoAmI {
+
+ @Resource
+ private SessionContext sessionContext;
+
+ @Override
+ public String whoAmI() {
+ String callerPrincipal = sessionContext.getCallerPrincipal().getName();
+ boolean isCallerUser = sessionContext.isCallerInRole("User");
+ boolean isCallerAdmin = sessionContext.isCallerInRole("Admin");
+ return "Principal : " + callerPrincipal + "

Caller Has Role 'User'=" + String.valueOf(isCallerUser) + "

Caller Has Role 'Admin'=" + String.valueOf(isCallerAdmin); + } +} diff --git a/oidc-with-identity-propagation-same-domain/ejb-same-domain/ejb/src/main/resources/META-INF/jboss-ejb3.xml b/oidc-with-identity-propagation-same-domain/ejb-same-domain/ejb/src/main/resources/META-INF/jboss-ejb3.xml new file mode 100644 index 00000000..7e059aef --- /dev/null +++ b/oidc-with-identity-propagation-same-domain/ejb-same-domain/ejb/src/main/resources/META-INF/jboss-ejb3.xml @@ -0,0 +1,19 @@ + + + + + + + + * + false + + + diff --git a/oidc-with-identity-propagation-same-domain/ejb-same-domain/pom.xml b/oidc-with-identity-propagation-same-domain/ejb-same-domain/pom.xml new file mode 100644 index 00000000..ff143146 --- /dev/null +++ b/oidc-with-identity-propagation-same-domain/ejb-same-domain/pom.xml @@ -0,0 +1,56 @@ + + + 4.0.0 + org.wildfly.security.examples + 2.0.0.Alpha1-SNAPSHOT + ejb-same-domain + pom + + + 4.2.0.Final + 3.3.0 + 30.0.0.Final + 11 + 11 + + + + ejb + ear + + + + + + org.wildfly.bom + wildfly-ee-with-tools + ${version.server.bom} + pom + import + + + ${project.groupId} + ejb-same-domain-ejb + ${project.version} + ejb + + + + + + + + + org.wildfly.plugins + wildfly-maven-plugin + + true + + + + + + diff --git a/oidc-with-identity-propagation-same-domain/same-virtual-domain/ear/pom.xml b/oidc-with-identity-propagation-same-domain/same-virtual-domain/ear/pom.xml new file mode 100644 index 00000000..d5987315 --- /dev/null +++ b/oidc-with-identity-propagation-same-domain/same-virtual-domain/ear/pom.xml 
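Review bot: `whoAmI()` concatenates the caller principal name straight into a string that WhoAmIServlet later prints into its HTML response as-is (`writer.println(String.format(..., bean.invokeWhoAmIBean()))`), and the servlet does the same with `req.getUserPrincipal().getName()` and `bean.getCallerPrincipal().getName()`. That name is whatever the identity provider puts in the `preferred_username` claim (see oidc.json), i.e. externally supplied text, so it should be HTML-escaped at the point where it is rendered rather than trusted as markup; the separators between the three fields here look like HTML tags that this rendering has dropped. Separately, `RolesAllowed` and `PermitAll` are imported but unused in this file (`PermitAll` is likewise unused in ManagementBean.java), and `@Stateful` looks unintended for a bean whose only field is the injected `SessionContext` — `@Stateless` would be the conventional choice unless remote-client session semantics are deliberately wanted.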
@@ -0,0 +1,58 @@ + + + 4.0.0 + + org.wildfly.security.examples + same-virtual-domain + 2.0.0.Alpha1-SNAPSHOT + + same-virtual-domain-ear + ear + + + + ${project.groupId} + same-virtual-domain-ejb + ejb + + + ${project.groupId} + same-virtual-domain-web + war + + + + + ${project.parent.artifactId} + + + + org.apache.maven.plugins + maven-ear-plugin + 3.3.0 + + + 7 + lib + + + ${project.groupId} + same-virtual-domain-web + /same-virtual-domain + + + @{artifactId}@@{dashClassifier?}@.@{extension}@ + + + + org.wildfly.plugins + wildfly-maven-plugin + + false + + + + + diff --git a/oidc-with-identity-propagation-same-domain/same-virtual-domain/ejb/pom.xml b/oidc-with-identity-propagation-same-domain/same-virtual-domain/ejb/pom.xml new file mode 100644 index 00000000..d34d97e6 --- /dev/null +++ b/oidc-with-identity-propagation-same-domain/same-virtual-domain/ejb/pom.xml @@ -0,0 +1,50 @@ + + + 4.0.0 + + org.wildfly.security.examples + same-virtual-domain + 2.0.0.Alpha1-SNAPSHOT + + same-virtual-domain-ejb + + + + jakarta.enterprise + jakarta.enterprise.cdi-api + provided + + + jakarta.annotation + jakarta.annotation-api + provided + + + jakarta.ejb + jakarta.ejb-api + provided + + + org.jboss.ejb3 + jboss-ejb3-ext-api + + + org.wildfly.security.examples + ejb-same-domain-ejb + ejb + ${project.version} + + + + ${project.artifactId} + + + org.wildfly.plugins + wildfly-maven-plugin + + true + + + + + diff --git a/oidc-with-identity-propagation-same-domain/same-virtual-domain/ejb/src/main/java/META-INF/beans.xml b/oidc-with-identity-propagation-same-domain/same-virtual-domain/ejb/src/main/java/META-INF/beans.xml new file mode 100644 index 00000000..d3ddf148 --- /dev/null +++ b/oidc-with-identity-propagation-same-domain/same-virtual-domain/ejb/src/main/java/META-INF/beans.xml @@ -0,0 +1,24 @@ + + + + + 
diff --git a/oidc-with-identity-propagation-same-domain/same-virtual-domain/ejb/src/main/java/org/wildfly/security/examples/same_virtual_domain/ejb/EntryBean.java b/oidc-with-identity-propagation-same-domain/same-virtual-domain/ejb/src/main/java/org/wildfly/security/examples/same_virtual_domain/ejb/EntryBean.java new file mode 100644 index 00000000..622a28ee --- /dev/null +++ b/oidc-with-identity-propagation-same-domain/same-virtual-domain/ejb/src/main/java/org/wildfly/security/examples/same_virtual_domain/ejb/EntryBean.java 
@@ -0,0 +1,83 @@
+/*
+ * Copyright 2023 Red Hat, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.wildfly.security.examples.same_virtual_domain.ejb;
+
+import java.security.Principal;
+
+import jakarta.annotation.Resource;
+import jakarta.annotation.security.PermitAll;
+import jakarta.ejb.SessionContext;
+import jakarta.ejb.Stateless;
+import javax.naming.Context;
+import javax.naming.InitialContext;
+import javax.naming.NamingException;
+
+import org.wildfly.security.examples.ejb_same_domain.ejb.WhoAmI;
+
+
+/**
+ * A simple EJB that can be called to obtain the current caller principal and to check the role membership for
+ * that principal.
+ * + * @author Darran Lofthouse + */ +@Stateless +public class EntryBean { + + @Resource + private SessionContext sessionContext; + + @PermitAll + public Principal getCallerPrincipal() { + return sessionContext.getCallerPrincipal(); + } + + @PermitAll + public boolean userHasRole(final String roleName) { + return sessionContext.isCallerInRole(roleName); + } + + @PermitAll + public String invokeWhoAmIBean() { + WhoAmI bean = lookup(WhoAmI.class, "java:global/same-virtual-domain/ejb-same-domain-ejb/WhoAmIBean!org.wildfly.security.examples.ejb_same_domain.ejb.WhoAmI"); + return bean.whoAmI(); + } + + + + public static T lookup(Class clazz, String jndiName) { + Object bean = lookup(jndiName); + return clazz.cast(bean); + } + + private static Object lookup(String jndiName) { + Context context = null; + try { + context = new InitialContext(); + return context.lookup(jndiName); + } catch (NamingException ex) { + throw new IllegalStateException("Lookup failed ", ex); + } finally { + try { + context.close(); + } catch (NamingException ex) { + throw new IllegalStateException(ex); + } + } + } + +} diff --git a/oidc-with-identity-propagation-same-domain/same-virtual-domain/pom.xml b/oidc-with-identity-propagation-same-domain/same-virtual-domain/pom.xml new file mode 100644 index 00000000..ba8428bc --- /dev/null +++ b/oidc-with-identity-propagation-same-domain/same-virtual-domain/pom.xml @@ -0,0 +1,61 @@ + + + 4.0.0 + org.wildfly.security.examples + same-virtual-domain + 2.0.0.Alpha1-SNAPSHOT + pom + + + ejb + web + ear + + + + + 30.0.0.Final + 11 + 11 + + + + + + org.wildfly.bom + wildfly-ee-with-tools + ${version.server.bom} + pom + import + + + ${project.groupId} + same-virtual-domain-ejb + ${project.version} + ejb + + + ${project.groupId} + same-virtual-domain-web + ${project.version} + war + + + + + + + + + org.wildfly.plugins + wildfly-maven-plugin + + true + + + + + 
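Review bot: In the private `lookup(String)` helper the `finally` block calls `context.close()` without a null check, so if `new InitialContext()` throws, the resulting `NullPointerException` replaces the original `NamingException`; and when `close()` itself fails, the `IllegalStateException` thrown from `finally` discards whatever the `try` block returned or threw. The identical helper is copied into WhoAmIServlet.java later in this patch and has the same problem. The type parameters on the public `lookup(Class, String)` also appear to have been lost in this rendering; if the file really declares `Class clazz`, that is a raw type and should be `Class<T>`. Guard the close and keep the lookup's own outcome, as below.
```java
    private static Object lookup(String jndiName) {
        Context context = null;
        try {
            context = new InitialContext();
            return context.lookup(jndiName);
        } catch (NamingException ex) {
            throw new IllegalStateException("Lookup failed ", ex);
        } finally {
            if (context != null) {
                try {
                    context.close();
                } catch (NamingException ignored) {
                    // closing the InitialContext is best-effort; the lookup's result or exception must win
                }
            }
        }
    }
```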
diff --git a/oidc-with-identity-propagation-same-domain/same-virtual-domain/web/pom.xml b/oidc-with-identity-propagation-same-domain/same-virtual-domain/web/pom.xml new file mode 100644 index 00000000..097378bc --- /dev/null +++ b/oidc-with-identity-propagation-same-domain/same-virtual-domain/web/pom.xml @@ -0,0 +1,66 @@ + + + 4.0.0 + + org.wildfly.security.examples + same-virtual-domain + 2.0.0.Alpha1-SNAPSHOT + ../pom.xml + + same-virtual-domain-web + war + + + + jakarta.enterprise + jakarta.enterprise.cdi-api + provided + + + ${project.groupId} + same-virtual-domain-ejb + ejb + provided + + + jakarta.annotation + jakarta.annotation-api + provided + + + jakarta.servlet + jakarta.servlet-api + provided + + + jakarta.ejb + jakarta.ejb-api + provided + + + org.wildfly.security + wildfly-elytron + provided + + + org.wildfly + wildfly-ejb-client-bom + pom + compile + + + + + ${project.artifactId} + + + org.wildfly.plugins + wildfly-maven-plugin + + true + + + + + diff --git a/oidc-with-identity-propagation-same-domain/same-virtual-domain/web/src/main/java/org/wildfly/security/examples/same_virtual_domain/web/WhoAmIServlet.java b/oidc-with-identity-propagation-same-domain/same-virtual-domain/web/src/main/java/org/wildfly/security/examples/same_virtual_domain/web/WhoAmIServlet.java new file mode 100644 index 00000000..e3c41b6b --- /dev/null +++ b/oidc-with-identity-propagation-same-domain/same-virtual-domain/web/src/main/java/org/wildfly/security/examples/same_virtual_domain/web/WhoAmIServlet.java 
@@ -0,0 +1,92 @@
+/*
+ * JBoss, Home of Professional Open Source
+ * Copyright 2023, Red Hat, Inc. and/or its affiliates, and individual
+ * contributors by the @authors tag. See the copyright.txt in the
+ * distribution for a full listing of individual contributors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.wildfly.security.examples.same_virtual_domain.web;
+
+import java.io.IOException;
+import java.io.PrintWriter;
+
+import javax.naming.Context;
+import javax.naming.InitialContext;
+import javax.naming.NamingException;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.annotation.WebServlet;
+import jakarta.servlet.http.HttpServlet;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+
+import org.wildfly.security.examples.same_virtual_domain.ejb.EntryBean;
+
+/**
+ * A simple secured servlet that will show information about the current authenticated identity and also information about the
+ * representation of the identity as it calls an EJB.
+ *
+ * @author Darran Lofthouse
+ */
+@SuppressWarnings("serial")
+@WebServlet("/secured")
+public class WhoAmIServlet extends HttpServlet {
+
+ @Override
+ protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
+ EntryBean bean = lookup(EntryBean.class, "java:global/same-virtual-domain/same-virtual-domain-ejb/EntryBean");
+ final PrintWriter writer = resp.getWriter();
+
+ writer.println("same-virtual-domain");
+ writer.println("

Successfully logged into Secured Servlet with OIDC

"); + writer.println("

Identity as visible to servlet.

"); + writer.println(String.format("

Principal : %s

", req.getUserPrincipal().getName())); + writer.println(String.format("

Authentication Type : %s

", req.getAuthType())); + + writer.println(String.format("

Caller Has Role '%s'=%b

", "User", req.isUserInRole("User"))); + writer.println(String.format("

Caller Has Role '%s'=%b

", "Admin", req.isUserInRole("Admin"))); + + writer.println("

Identity as visible to EntryBean.

"); + + + writer.println(String.format("

Principal : %s

", bean.getCallerPrincipal().getName())); + writer.println(String.format("

Caller Has Role '%s'=%b

", "User", req.isUserInRole("User"))); + writer.println(String.format("

Caller Has Role '%s'=%b

", "Admin", bean.userHasRole("Admin"))); + + writer.println("

Identity as visible to ManagementBean.

"); + writer.println(String.format("

%s

", bean.invokeWhoAmIBean())); + + writer.println(""); + writer.close(); + } + + public static T lookup(Class clazz, String jndiName) { + Object bean = lookup(jndiName); + return clazz.cast(bean); + } + + private static Object lookup(String jndiName) { + Context context = null; + try { + context = new InitialContext(); + return context.lookup(jndiName); + } catch (NamingException ex) { + throw new IllegalStateException("Lookup failed", ex); + } finally { + try { + context.close(); + } catch (NamingException ex) { + throw new IllegalStateException(ex); + } + } + } +} diff --git a/oidc-with-identity-propagation-same-domain/same-virtual-domain/web/src/main/webapp/WEB-INF/beans.xml b/oidc-with-identity-propagation-same-domain/same-virtual-domain/web/src/main/webapp/WEB-INF/beans.xml new file mode 100644 index 00000000..d3ddf148 --- /dev/null +++ b/oidc-with-identity-propagation-same-domain/same-virtual-domain/web/src/main/webapp/WEB-INF/beans.xml @@ -0,0 +1,24 @@ + + + + + diff --git a/oidc-with-identity-propagation-same-domain/same-virtual-domain/web/src/main/webapp/WEB-INF/jboss-web.xml b/oidc-with-identity-propagation-same-domain/same-virtual-domain/web/src/main/webapp/WEB-INF/jboss-web.xml new file mode 100644 index 00000000..f5544c5a --- /dev/null +++ b/oidc-with-identity-propagation-same-domain/same-virtual-domain/web/src/main/webapp/WEB-INF/jboss-web.xml @@ -0,0 +1,26 @@ + + + + + + other + true + diff --git a/oidc-with-identity-propagation-same-domain/same-virtual-domain/web/src/main/webapp/WEB-INF/oidc.json b/oidc-with-identity-propagation-same-domain/same-virtual-domain/web/src/main/webapp/WEB-INF/oidc.json new file mode 100644 index 00000000..37e87ed5 --- /dev/null +++ b/oidc-with-identity-propagation-same-domain/same-virtual-domain/web/src/main/webapp/WEB-INF/oidc.json 
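Review bot: Under the "Identity as visible to EntryBean." heading the 'User' line still reads `"User", req.isUserInRole("User")` while the 'Admin' line next to it uses `bean.userHasRole("Admin")`, so the servlet reports the servlet-side answer under the EJB heading; it should be `"User", bean.userHasRole("User")`. The following heading says `Identity as visible to ManagementBean.` but the value printed beneath it comes from `bean.invokeWhoAmIBean()`, so it should read `Identity as visible to WhoAmIBean.`. The response is written as HTML yet `doGet` never calls `resp.setContentType("text/html;charset=UTF-8")` before `resp.getWriter()`, leaving the content type and charset to the container default.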
@@ -0,0 +1,8 @@ +{ + "client-id" : "myclient", + "provider-url" : "${env.OIDC_PROVIDER_URL:http://localhost:8080/realms/myrealm}", + "public-client" : "true", + "principal-attribute" : "preferred_username", + "ssl-required" : "EXTERNAL" +} + diff --git a/oidc-with-identity-propagation-same-domain/same-virtual-domain/web/src/main/webapp/WEB-INF/web.xml b/oidc-with-identity-propagation-same-domain/same-virtual-domain/web/src/main/webapp/WEB-INF/web.xml new file mode 100644 index 00000000..06236d2a --- /dev/null +++ b/oidc-with-identity-propagation-same-domain/same-virtual-domain/web/src/main/webapp/WEB-INF/web.xml @@ -0,0 +1,24 @@ + + + + + + secured + /secured + + + * + + + + + + OIDC + + + + * + + + diff --git a/oidc-with-identity-propagation-same-domain/same-virtual-domain/web/src/main/webapp/index.html b/oidc-with-identity-propagation-same-domain/same-virtual-domain/web/src/main/webapp/index.html new file mode 100644 index 00000000..18d0cf8c --- /dev/null +++ b/oidc-with-identity-propagation-same-domain/same-virtual-domain/web/src/main/webapp/index.html @@ -0,0 +1,24 @@ + + + + + +
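Review bot: oidc.json combines a plain `http://localhost:8080/realms/myrealm` default for `provider-url` with `"ssl-required" : "EXTERNAL"`, settings that suit a local test deployment only, and nothing in the example says so. Since JSON carries no comments, the README for this example should state that `OIDC_PROVIDER_URL` is expected to point at an `https://` endpoint outside local testing and that `ssl-required` should be tightened accordingly; the same oidc.json is added for the virtual-security-domain-to-domain example further down.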

Hello World!

+ Access Secured Servlet + + diff --git a/oidc-with-identity-propagation/README.md b/oidc-with-identity-propagation/README.md new file mode 100644 index 00000000..35c8edd4 --- /dev/null +++ b/oidc-with-identity-propagation/README.md @@ -0,0 +1,9 @@ +## Identity Propagation with OpenID Connect (OIDC) + +When securing an application with OpenID Connect (OIDC), the `elytron-oidc-client` subsystem will automatically create a +virtual security domain for you. If your application invokes an EJB, additional configuration might be required to propagate +the security identity from the virtual security domain depending on how the EJB is being secured. + +If your application secured with OIDC invokes an EJB and you'd like to secure the EJB using a different security domain, +additional configuration will be needed as shown in this example. + diff --git a/oidc-with-identity-propagation/configure-server.cli b/oidc-with-identity-propagation/configure-server.cli new file mode 100644 index 00000000..9e83518a --- /dev/null +++ b/oidc-with-identity-propagation/configure-server.cli 
@@ -0,0 +1,29 @@ +# Batch script to configure the security domains and define the database query used to authenticate users +batch + +# Add a filesystem realm called BusinessRealm in the jboss.server.config directory +/subsystem=elytron/filesystem-realm=BusinessRealm:add(path=business-realm-users,relative-to=jboss.server.config.dir) + +# Add user alice with Admin role +/subsystem=elytron/filesystem-realm=BusinessRealm:add-identity(identity=alice) +/subsystem=elytron/filesystem-realm=BusinessRealm:add-identity-attribute(identity=alice, name=Roles, value=["Admin"]) + +# Add user bob with no roles +/subsystem=elytron/filesystem-realm=BusinessRealm:add-identity(identity=bob) + +# Add a security domain that references our newly created realm +/subsystem=elytron/security-domain=BusinessDomain:add(realms=[{realm=BusinessRealm}],default-realm=BusinessRealm,permission-mapper=default-permission-mapper) + +# Update the application security domain mappings in the EJB3 subsystem +/subsystem=ejb3/application-security-domain=BusinessDomain:add(security-domain=BusinessDomain) + +/subsystem=elytron/virtual-security-domain=virtual-security-domain-to-domain.ear:add(outflow-security-domains=[BusinessDomain]) +/subsystem=elytron/security-domain=BusinessDomain:write-attribute(name=trusted-virtual-security-domains, value=[virtual-security-domain-to-domain.ear]) + +# Run the batch commands +run-batch + +# Reload the server configuration +reload + + diff --git a/oidc-with-identity-propagation/ejb-basic/ear/pom.xml b/oidc-with-identity-propagation/ejb-basic/ear/pom.xml new file mode 100644 index 00000000..2100fe5b --- /dev/null +++ b/oidc-with-identity-propagation/ejb-basic/ear/pom.xml 
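Review bot: The opening comment `# Batch script to configure the security domains and define the database query used to authenticate users` is stale for this script, which creates a filesystem realm (`filesystem-realm=BusinessRealm`) and no database or query; suggest `# Batch script to configure the filesystem realm and security domains used to authenticate users`. The two `virtual-security-domain` / `trusted-virtual-security-domains` commands are the point of this example yet are the only ones without a comment; add `# Create the virtual security domain for the OIDC-secured EAR and outflow its identities to BusinessDomain` above the first and `# Let BusinessDomain trust identities outflowed from the virtual security domain` above the second. It may also be worth a comment that alice and bob are added without credentials because, in this example, they are only ever reached through identity outflow rather than a direct login.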
@@ -0,0 +1,47 @@ + + + 4.0.0 + + org.wildfly.security.examples + ejb-basic + 2.0.0.Alpha1-SNAPSHOT + + ejb-basic-ear + ear + + + 4.2.0.Final + 3.3.0 + + + + + ${project.groupId} + ejb-basic-ejb + ejb + + + + + ${project.parent.artifactId} + + + org.apache.maven.plugins + maven-ear-plugin + ${version.wildfly.maven.ear.plugin} + + lib + @{artifactId}@@{dashClassifier?}@.@{extension}@ + + + + org.wildfly.plugins + wildfly-maven-plugin + ${version.wildfly.maven.plugin} + + false + + + + + diff --git a/oidc-with-identity-propagation/ejb-basic/ejb/pom.xml b/oidc-with-identity-propagation/ejb-basic/ejb/pom.xml new file mode 100644 index 00000000..8b4416dd --- /dev/null +++ b/oidc-with-identity-propagation/ejb-basic/ejb/pom.xml @@ -0,0 +1,62 @@ + + + + + 4.0.0 + + + org.wildfly.security.examples + ejb-basic + 2.0.0.Alpha1-SNAPSHOT + + ejb-basic-ejb + + + + jakarta.enterprise + jakarta.enterprise.cdi-api + provided + + + jakarta.annotation + jakarta.annotation-api + provided + + + jakarta.ejb + jakarta.ejb-api + provided + + + org.jboss.ejb3 + jboss-ejb3-ext-api + + + + ${project.artifactId} + + + org.wildfly.plugins + wildfly-maven-plugin + + true + + + + + diff --git a/oidc-with-identity-propagation/ejb-basic/ejb/src/main/java/META-INF/beans.xml b/oidc-with-identity-propagation/ejb-basic/ejb/src/main/java/META-INF/beans.xml new file mode 100644 index 00000000..d3ddf148 --- /dev/null +++ b/oidc-with-identity-propagation/ejb-basic/ejb/src/main/java/META-INF/beans.xml @@ -0,0 +1,24 @@ + + + + + diff --git a/oidc-with-identity-propagation/ejb-basic/ejb/src/main/java/org/wildfly/security/examples/ejb_basic/ejb/Management.java b/oidc-with-identity-propagation/ejb-basic/ejb/src/main/java/org/wildfly/security/examples/ejb_basic/ejb/Management.java new file mode 100644 index 00000000..ec4028da --- /dev/null +++ b/oidc-with-identity-propagation/ejb-basic/ejb/src/main/java/org/wildfly/security/examples/ejb_basic/ejb/Management.java 
@@ -0,0 +1,23 @@ +/* + * Copyright 2023 Red Hat, Inc. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.wildfly.security.examples.ejb_basic.ejb; + + +public interface Management { + + public String adminOnlyMethod(); +} diff --git a/oidc-with-identity-propagation/ejb-basic/ejb/src/main/java/org/wildfly/security/examples/ejb_basic/ejb/ManagementBean.java b/oidc-with-identity-propagation/ejb-basic/ejb/src/main/java/org/wildfly/security/examples/ejb_basic/ejb/ManagementBean.java new file mode 100644 index 00000000..d74c6977 --- /dev/null +++ b/oidc-with-identity-propagation/ejb-basic/ejb/src/main/java/org/wildfly/security/examples/ejb_basic/ejb/ManagementBean.java 
@@ -0,0 +1,44 @@
+/*
+ * Copyright 2023 Red Hat, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.wildfly.security.examples.ejb_basic.ejb;
+
+import jakarta.ejb.Remote;
+import jakarta.ejb.Stateful;
+import jakarta.annotation.security.RolesAllowed;
+import jakarta.annotation.security.PermitAll;
+import jakarta.annotation.Resource;
+
+import org.jboss.ejb3.annotation.SecurityDomain;
+import jakarta.ejb.SessionContext;
+
+@Stateful
+@Remote(Management.class)
+@SecurityDomain("BusinessDomain")
+public class ManagementBean implements Management {
+
+ @Resource
+ private SessionContext sessionContext;
+
+ @Override
+ @RolesAllowed("Admin")
+ public String adminOnlyMethod() {
+ String callerPrincipal = sessionContext.getCallerPrincipal().getName();
+ boolean isCallerUser = sessionContext.isCallerInRole("User");
+ boolean isCallerAdmin = sessionContext.isCallerInRole("Admin");
+ return "Principal : " + callerPrincipal + "

Caller Has Role 'User'=" + String.valueOf(isCallerUser) + "

Caller Has Role 'Admin'=" + String.valueOf(isCallerAdmin); + } +} diff --git a/oidc-with-identity-propagation/ejb-basic/pom.xml b/oidc-with-identity-propagation/ejb-basic/pom.xml new file mode 100644 index 00000000..394dd4b9 --- /dev/null +++ b/oidc-with-identity-propagation/ejb-basic/pom.xml @@ -0,0 +1,56 @@ + + + 4.0.0 + org.wildfly.security.examples + 2.0.0.Alpha1-SNAPSHOT + ejb-basic + pom + + + 4.2.0.Final + 3.3.0 + 30.0.0.Final + 11 + 11 + + + + ejb + ear + + + + + + org.wildfly.bom + wildfly-ee-with-tools + ${version.server.bom} + pom + import + + + ${project.groupId} + ejb-basic-ejb + ${project.version} + ejb + + + + + + + + + org.wildfly.plugins + wildfly-maven-plugin + + true + + + + + + diff --git a/oidc-with-identity-propagation/virtual-security-domain-to-domain/ear/pom.xml b/oidc-with-identity-propagation/virtual-security-domain-to-domain/ear/pom.xml new file mode 100644 index 00000000..981842a0 --- /dev/null +++ b/oidc-with-identity-propagation/virtual-security-domain-to-domain/ear/pom.xml @@ -0,0 +1,58 @@ + + + 4.0.0 + + org.wildfly.security.examples + virtual-security-domain-to-domain + 2.0.0.Alpha1-SNAPSHOT + + virtual-security-domain-to-domain-ear + ear + + + + ${project.groupId} + virtual-security-domain-to-domain-ejb + ejb + + + ${project.groupId} + virtual-security-domain-to-domain-web + war + + + + + ${project.parent.artifactId} + + + + org.apache.maven.plugins + maven-ear-plugin + 3.3.0 + + + 7 + lib + + + ${project.groupId} + virtual-security-domain-to-domain-web + /virtual-security-domain-to-domain + + + @{artifactId}@@{dashClassifier?}@.@{extension}@ + + + + org.wildfly.plugins + wildfly-maven-plugin + + false + + + + + diff --git a/oidc-with-identity-propagation/virtual-security-domain-to-domain/ejb/pom.xml b/oidc-with-identity-propagation/virtual-security-domain-to-domain/ejb/pom.xml new file mode 100644 index 00000000..65ee37a1 --- /dev/null +++ b/oidc-with-identity-propagation/virtual-security-domain-to-domain/ejb/pom.xml 
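Review bot: `sessionContext.isCallerInRole("User")` and `isCallerInRole("Admin")` are tested without any `@DeclareRoles` on the bean, and the EJB specification expects role names used with `isCallerInRole` to be declared — WildFly tolerates the omission, but a portable example should add `@DeclareRoles({"Admin", "User"})` beside `@SecurityDomain("BusinessDomain")` (and `PermitAll` is imported but never used). `@Stateful` is also a surprising choice for a bean with no conversational state; `@Stateless` yields the same `@RolesAllowed` enforcement without the container retaining a session instance per remote caller. The returned string splices the raw caller principal name into a presentation string that the web tier prints verbatim, so whoever renders it must escape it; a comment on the return such as `// presentation string: callerPrincipal is unescaped and originates from the identity provider` would make that obligation visible.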
@@ -0,0 +1,50 @@ + + + 4.0.0 + + org.wildfly.security.examples + virtual-security-domain-to-domain + 2.0.0.Alpha1-SNAPSHOT + + virtual-security-domain-to-domain-ejb + + + + jakarta.enterprise + jakarta.enterprise.cdi-api + provided + + + jakarta.annotation + jakarta.annotation-api + provided + + + jakarta.ejb + jakarta.ejb-api + provided + + + org.jboss.ejb3 + jboss-ejb3-ext-api + + + org.wildfly.security.examples + ejb-basic-ejb + ejb + ${project.version} + + + + ${project.artifactId} + + + org.wildfly.plugins + wildfly-maven-plugin + + true + + + + + diff --git a/oidc-with-identity-propagation/virtual-security-domain-to-domain/ejb/src/main/java/META-INF/beans.xml b/oidc-with-identity-propagation/virtual-security-domain-to-domain/ejb/src/main/java/META-INF/beans.xml new file mode 100644 index 00000000..d3ddf148 --- /dev/null +++ b/oidc-with-identity-propagation/virtual-security-domain-to-domain/ejb/src/main/java/META-INF/beans.xml @@ -0,0 +1,24 @@ + + + + + diff --git a/oidc-with-identity-propagation/virtual-security-domain-to-domain/ejb/src/main/java/org/wildfly/security/examples/virtual_security_domain_to_domain/ejb/EntryBean.java b/oidc-with-identity-propagation/virtual-security-domain-to-domain/ejb/src/main/java/org/wildfly/security/examples/virtual_security_domain_to_domain/ejb/EntryBean.java new file mode 100644 index 00000000..40f52274 --- /dev/null +++ b/oidc-with-identity-propagation/virtual-security-domain-to-domain/ejb/src/main/java/org/wildfly/security/examples/virtual_security_domain_to_domain/ejb/EntryBean.java 
@@ -0,0 +1,83 @@
+/*
+ * Copyright 2023 Red Hat, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.wildfly.security.examples.virtual_security_domain_to_domain.ejb;
+
+import java.security.Principal;
+
+import jakarta.annotation.Resource;
+import jakarta.annotation.security.PermitAll;
+import jakarta.ejb.SessionContext;
+import jakarta.ejb.Stateless;
+import javax.naming.Context;
+import javax.naming.InitialContext;
+import javax.naming.NamingException;
+
+import org.wildfly.security.examples.ejb_basic.ejb.Management;
+
+
+/**
+ * A simple EJB that can be called to obtain the current caller principal and to check the role membership for
+ * that principal.
+ * + * @author Darran Lofthouse + */ +@Stateless +public class EntryBean { + + @Resource + private SessionContext sessionContext; + + @PermitAll + public Principal getCallerPrincipal() { + return sessionContext.getCallerPrincipal(); + } + + @PermitAll + public boolean userHasRole(final String roleName) { + return sessionContext.isCallerInRole(roleName); + } + + @PermitAll + public String invokeManagementBean() { + Management management = lookup(Management.class, "java:global/virtual-security-domain-to-domain/ejb-basic-ejb/ManagementBean!org.wildfly.security.examples.ejb_basic.ejb.Management"); + return management.adminOnlyMethod(); + } + + + + public static T lookup(Class clazz, String jndiName) { + Object bean = lookup(jndiName); + return clazz.cast(bean); + } + + private static Object lookup(String jndiName) { + Context context = null; + try { + context = new InitialContext(); + return context.lookup(jndiName); + } catch (NamingException ex) { + throw new IllegalStateException("Lookup failed ", ex); + } finally { + try { + context.close(); + } catch (NamingException ex) { + throw new IllegalStateException(ex); + } + } + } + +} diff --git a/oidc-with-identity-propagation/virtual-security-domain-to-domain/pom.xml b/oidc-with-identity-propagation/virtual-security-domain-to-domain/pom.xml new file mode 100644 index 00000000..2d53a437 --- /dev/null +++ b/oidc-with-identity-propagation/virtual-security-domain-to-domain/pom.xml @@ -0,0 +1,61 @@ + + + 4.0.0 + org.wildfly.security.examples + virtual-security-domain-to-domain + 2.0.0.Alpha1-SNAPSHOT + pom + + + ejb + web + ear + + + + + 30.0.0.Final + 11 + 11 + + + + + + org.wildfly.bom + wildfly-ee-with-tools + ${version.server.bom} + pom + import + + + ${project.groupId} + virtual-security-domain-to-domain-ejb + ${project.version} + ejb + + + ${project.groupId} + virtual-security-domain-to-domain-web + ${project.version} + war + + + + + + + + + org.wildfly.plugins + wildfly-maven-plugin + + true + + + + + 
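Review bot: In `lookup(String jndiName)` the `finally` block calls `context.close()` unconditionally, so if `new InitialContext()` itself throws, `context` is still null and the resulting NullPointerException replaces the `IllegalStateException("Lookup failed ", ex)` thrown from the catch; a `NamingException` from `close()` likewise masks the real lookup failure. Guard it with `if (context != null) { context.close(); }` and do not throw from `finally` — a failed close should not hide the original cause. The same helper is duplicated verbatim in SecuredServlet and could live in one shared class. Separately, `invokeManagementBean` is `@PermitAll` yet calls `adminOnlyMethod`, which is `@RolesAllowed("Admin")`, so for a caller without that role (bob in configure-server.cli) the container's `EJBAccessException` propagates unhandled to the servlet; the class Javadoc should mention this method and that behaviour, as it currently only describes the principal and role lookups.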
diff --git a/oidc-with-identity-propagation/virtual-security-domain-to-domain/web/pom.xml b/oidc-with-identity-propagation/virtual-security-domain-to-domain/web/pom.xml new file mode 100644 index 00000000..bbdd03ed --- /dev/null +++ b/oidc-with-identity-propagation/virtual-security-domain-to-domain/web/pom.xml @@ -0,0 +1,66 @@ + + + 4.0.0 + + org.wildfly.security.examples + virtual-security-domain-to-domain + 2.0.0.Alpha1-SNAPSHOT + ../pom.xml + + virtual-security-domain-to-domain-web + war + + + + jakarta.enterprise + jakarta.enterprise.cdi-api + provided + + + ${project.groupId} + virtual-security-domain-to-domain-ejb + ejb + provided + + + jakarta.annotation + jakarta.annotation-api + provided + + + jakarta.servlet + jakarta.servlet-api + provided + + + jakarta.ejb + jakarta.ejb-api + provided + + + org.wildfly.security + wildfly-elytron + provided + + + org.wildfly + wildfly-ejb-client-bom + pom + compile + + + + + ${project.artifactId} + + + org.wildfly.plugins + wildfly-maven-plugin + + true + + + + + diff --git a/oidc-with-identity-propagation/virtual-security-domain-to-domain/web/src/main/java/org/wildfly/security/examples/virtual_security_domain_to_domain/web/SecuredServlet.java b/oidc-with-identity-propagation/virtual-security-domain-to-domain/web/src/main/java/org/wildfly/security/examples/virtual_security_domain_to_domain/web/SecuredServlet.java new file mode 100644 index 00000000..6e00d815 --- /dev/null +++ b/oidc-with-identity-propagation/virtual-security-domain-to-domain/web/src/main/java/org/wildfly/security/examples/virtual_security_domain_to_domain/web/SecuredServlet.java 
@@ -0,0 +1,92 @@
+/*
+ * JBoss, Home of Professional Open Source
+ * Copyright 2023, Red Hat, Inc. and/or its affiliates, and individual
+ * contributors by the @authors tag. See the copyright.txt in the
+ * distribution for a full listing of individual contributors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.wildfly.security.examples.virtual_security_domain_to_domain.web;
+
+import java.io.IOException;
+import java.io.PrintWriter;
+
+import javax.naming.Context;
+import javax.naming.InitialContext;
+import javax.naming.NamingException;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.annotation.WebServlet;
+import jakarta.servlet.http.HttpServlet;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+
+import org.wildfly.security.examples.virtual_security_domain_to_domain.ejb.EntryBean;
+
+/**
+ * A simple secured servlet that will show information about the current authenticated identity and also information about the
+ * representation of the identity as it calls an EJB.
+ * + * @author Darran Lofthouse + */ +@SuppressWarnings("serial") +@WebServlet("/secured") +public class SecuredServlet extends HttpServlet { + + @Override + protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { + EntryBean bean = lookup(EntryBean.class, "java:global/virtual-security-domain-to-domain/virtual-security-domain-to-domain-ejb/EntryBean"); + final PrintWriter writer = resp.getWriter(); + + writer.println("virtual-security-domain-to-domain"); + writer.println("

Successfully logged into Secured Servlet with OIDC

"); + writer.println("

Identity as visible to servlet.

"); + writer.println(String.format("

Principal : %s

", req.getUserPrincipal().getName())); + writer.println(String.format("

Authentication Type : %s

", req.getAuthType())); + + writer.println(String.format("

Caller Has Role '%s'=%b

", "User", req.isUserInRole("User"))); + writer.println(String.format("

Caller Has Role '%s'=%b

", "Admin", req.isUserInRole("Admin"))); + + writer.println("

Identity as visible to EntryBean.

"); + + + writer.println(String.format("

Principal : %s

", bean.getCallerPrincipal().getName())); + writer.println(String.format("

Caller Has Role '%s'=%b

", "User", req.isUserInRole("User"))); + writer.println(String.format("

Caller Has Role '%s'=%b

", "Admin", bean.userHasRole("Admin"))); + + writer.println("

Identity as visible to ManagementBean.

"); + writer.println(String.format("

%s

", bean.invokeManagementBean())); + + writer.println(""); + writer.close(); + } + + public static T lookup(Class clazz, String jndiName) { + Object bean = lookup(jndiName); + return clazz.cast(bean); + } + + private static Object lookup(String jndiName) { + Context context = null; + try { + context = new InitialContext(); + return context.lookup(jndiName); + } catch (NamingException ex) { + throw new IllegalStateException("Lookup failed", ex); + } finally { + try { + context.close(); + } catch (NamingException ex) { + throw new IllegalStateException(ex); + } + } + } +} diff --git a/oidc-with-identity-propagation/virtual-security-domain-to-domain/web/src/main/webapp/WEB-INF/beans.xml b/oidc-with-identity-propagation/virtual-security-domain-to-domain/web/src/main/webapp/WEB-INF/beans.xml new file mode 100644 index 00000000..d3ddf148 --- /dev/null +++ b/oidc-with-identity-propagation/virtual-security-domain-to-domain/web/src/main/webapp/WEB-INF/beans.xml @@ -0,0 +1,24 @@ + + + + + diff --git a/oidc-with-identity-propagation/virtual-security-domain-to-domain/web/src/main/webapp/WEB-INF/jboss-web.xml b/oidc-with-identity-propagation/virtual-security-domain-to-domain/web/src/main/webapp/WEB-INF/jboss-web.xml new file mode 100644 index 00000000..f5544c5a --- /dev/null +++ b/oidc-with-identity-propagation/virtual-security-domain-to-domain/web/src/main/webapp/WEB-INF/jboss-web.xml @@ -0,0 +1,26 @@ + + + + + + other + true + diff --git a/oidc-with-identity-propagation/virtual-security-domain-to-domain/web/src/main/webapp/WEB-INF/oidc.json b/oidc-with-identity-propagation/virtual-security-domain-to-domain/web/src/main/webapp/WEB-INF/oidc.json new file mode 100644 index 00000000..37e87ed5 --- /dev/null +++ b/oidc-with-identity-propagation/virtual-security-domain-to-domain/web/src/main/webapp/WEB-INF/oidc.json 
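Review bot: `doGet` writes `req.getUserPrincipal().getName()`, `bean.getCallerPrincipal().getName()` and the string returned by `bean.invokeManagementBean()` straight into the HTML response without escaping and never calls `resp.setContentType(...)`; the principal name is the `preferred_username` claim selected in oidc.json, which is provider- and, depending on registration policy, user-controlled, so a crafted username renders as markup or script in this page. There is also a copy/paste slip in the "Identity as visible to EntryBean." section: the `'User'` line reports `req.isUserInRole("User")` where `bean.userHasRole("User")` is clearly intended, so the servlet-side answer is printed in place of the EJB-side one. The markup of this hunk is not visible in this view, so the sketch below keeps only the format text; wrap every printed principal name in the same `escape()`. The ManagementBean string already embeds the raw name between its own line breaks, so escaping that return value wholesale would also escape its markup — the name should be escaped where it is concatenated instead.
```java
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        EntryBean bean = lookup(EntryBean.class, "java:global/virtual-security-domain-to-domain/virtual-security-domain-to-domain-ejb/EntryBean");
        resp.setContentType("text/html;charset=UTF-8"); // must precede getWriter()
        final PrintWriter writer = resp.getWriter();
        // … unchanged: page heading and "Identity as visible to servlet." lines, with escape() around the principal name …
        // … unchanged: servlet-side role checks and "Identity as visible to EntryBean." heading …
        writer.println(String.format(/* same markup as before */ "Principal : %s", escape(bean.getCallerPrincipal().getName())));
        writer.println(String.format(/* same markup as before */ "Caller Has Role '%s'=%b", "User", bean.userHasRole("User")));
        // … unchanged: Admin check, ManagementBean section, footer, lookup helpers …
    }

    /** Minimal HTML escaping for values that originate from the identity provider. */
    private static String escape(String value) {
        return value.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;").replace("\"", "&quot;");
    }
```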
@@ -0,0 +1,8 @@ +{ + "client-id" : "myclient", + "provider-url" : "${env.OIDC_PROVIDER_URL:http://localhost:8080/realms/myrealm}", + "public-client" : "true", + "principal-attribute" : "preferred_username", + "ssl-required" : "EXTERNAL" +} + diff --git a/oidc-with-identity-propagation/virtual-security-domain-to-domain/web/src/main/webapp/WEB-INF/web.xml b/oidc-with-identity-propagation/virtual-security-domain-to-domain/web/src/main/webapp/WEB-INF/web.xml new file mode 100644 index 00000000..bc97fa22 --- /dev/null +++ b/oidc-with-identity-propagation/virtual-security-domain-to-domain/web/src/main/webapp/WEB-INF/web.xml @@ -0,0 +1,24 @@ + + + + + + secured + /secured + + + * + + + + + + OIDC + + + + * + + + diff --git a/oidc-with-identity-propagation/virtual-security-domain-to-domain/web/src/main/webapp/index.html b/oidc-with-identity-propagation/virtual-security-domain-to-domain/web/src/main/webapp/index.html new file mode 100644 index 00000000..18d0cf8c --- /dev/null +++ b/oidc-with-identity-propagation/virtual-security-domain-to-domain/web/src/main/webapp/index.html @@ -0,0 +1,24 @@ + + + + + +
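Review bot: `"principal-attribute" : "preferred_username"` makes the username claim the key that selects the identity — and therefore the Admin role — in BusinessRealm, yet OIDC Core §5.1 says the relying party must not rely on `preferred_username` being unique or stable; a provider that lets users choose or change their username would let someone become `alice`. The default `sub` claim is the stable identifier, and if the example keeps `preferred_username` so that names line up with the filesystem-realm identities, the README should state that the provider must enforce unique, non-reassignable usernames for `myrealm`. `"public-client" : "true"` also means the web application never authenticates to the provider; for a server-side application a confidential client with `credentials` is the stronger configuration, and `"ssl-required" : "EXTERNAL"` allows plain HTTP from private addresses, which is acceptable for a local demo only. JSON cannot carry comments, so these caveats belong in the README next to the `OIDC_PROVIDER_URL` instructions.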

Hello World!

+ Access Secured Servlet + +