Installing Keycloak Client adapters on WildFly

This article covers how to install Keycloak Client Adapters on WildFly so that you can let Keycloak manage the whole authentication/authorization of your applications running on WildFly.

Please note: If you are running WildFly 25 or above, you can secure your applications with Keycloak using Elytron OpenID Connect which is available out of the box.
Check this article to learn more: Secure WildFly applications with OpenID Connect

There are mainly three options for patching WildFly with Keycloak Client adapters:

1) Download Keycloak Client Adapters and run the install scripts

The most common option is to download Keycloak client adapters and install them on the top of your WildFly distribution.

Follow these steps:

  • Download the WildFly distribution and extract it from the compressed file into a directory on your machine.
  • Download the WildFly OpenID Connect adapter distribution from
  • Extract the contents of this file into the root directory of your WildFly distribution.

When done, run the appropriate script for your platform:

WildFly 10

$ cd bin
$ ./ --file=adapter-install-offline.cli

Wildfly 11 and newer

$ cd bin
$ ./ --file=adapter-elytron-install-offline.cli

Start the application server.

$ cd bin
$ ./

An example application, running on the top of a patched WildFly installation, is shown in this tutorial: Introduction to Keycloak

2) Install Keycloak layer with Galleon

The keycloak-client-oidc Galleon layer brings the OIDC keycloak subsystem (and associated JBoss modules) and configures the server security. To install it, you need to download the Galleon tool from

Once downloaded, unzip and move to the ‘bin’ folder. From there, launch the galleon script:

$ ./

At first, provision a basic WildFly distribution. For example a distribution which contains the web-server layer:

install wildfly:current --layers=web-server --dir=wildfly-keycloak

On the top of that, install the keycloak-adapter-galleon-pack:

install org.keycloak:keycloak-adapter-galleon-pack:12.0.2 --layers=keycloak-client-oidc --dir=wildfly-keycloak

Please notice that, unlike the WildFly feature pack, the Keycloak feature pack is not part of a Galleon universe and so a fully qualified group:artifact:version reference to the feature pack is required.

That’s it. You can now start the application server.

$ cd wildfly-keycloak/bin
$ ./

3) Running your application as Bootable JAR with Keycloak layer

This approach also uses Galleon under the hoods. However, we will be able to run our application as Bootable Jar. Just as a recap, to turn your application as Bootable Jar, it is required to include the wildfly-jar-maven-plugin in your pom.xml file. Within its configuration, we will include the keycloak-adapter-galleon-pack:


Also notice, to enable Keycloak secure deployments, we need to add a reference to the Keycloak Realm to our deployment. This is done by the configure-oidc.cli script that will be launched on our Bootable WildFly server:

/subsystem=keycloak/secure-deployment=simple-webapp.war:add(realm=wildfly-realm, resource=simple-webapp, public-client=true, auth-server-url=http://localhost:8180/auth/, ssl-required=EXTERNAL)

The full example, forked from WildFly Bootable Jar repository, is available here:

In this repository I have added a script for creating a Keycloak Realm so that you can test it against a Docker image of Keycloak. Let’s see how to test it. First start Keycloak Docker image to run on port 8180:

docker run --rm     --name keycloak    -e KEYCLOAK_USER=admin    -e KEYCLOAK_PASSWORD=admin     -p 8180:8180    -it    -b    -Djboss.http.port=8180    

Now copy the available in the root folder in the folder /opt/jboss/keycloak/bin of your Keycloak server:

docker cp keycloak:/opt/jboss/keycloak/bin

Then, set execution permissions and run the script:

docker exec -it keycloak chmod 755 /opt/jboss/keycloak/bin/
docker exec -it keycloak /opt/jboss/keycloak/bin/

The script we have just run, creates a Keycloak Realm named “wildfly-realm” with a Role named “Users”, one User (demo/demo) and a Client application to which we will redirect after login:


cd /opt/jboss/keycloak/bin

./ config credentials --server http://localhost:8180/auth --realm master --user admin --password admin
./ create realms -s realm=wildfly-realm -s enabled=true -o
./ create users -r wildfly-realm -s username=demo -s enabled=true
./ set-password -r wildfly-realm --username demo --new-password demo
./ create clients -r wildfly-realm -s clientId=simple-webapp -s publicClient="true"  -s "redirectUris=[\"http://localhost:8080/simple-webapp/*\"]" -s enabled=true
./ create roles -r wildfly-realm -s name=Users
./ add-roles --uusername demo --rolename Users -r wildfly-realm

That’s it. Now start the Bootable jar:

$ mvn install; java -jar target/simple-webapp-bootable.jar

Reach the secured Servlet at http://localhost:8080/simple-webapp/secured

The Keycloak Login for the Realm will prompt:
install keycloak on WildFly
Enter demo/demo. You will be able to access the secured Servlet.

That’s it! Enjoy Keycloak with WildFly.