

In this document you will learn how to secure the Wildfly Administration Console with Keycloak using the Elytron subsystem.

System Requirements

To follow the instructions in this document, make sure you have both Wildfly and Keycloak servers properly installed. You need the latest versions for both servers.

When running Wildfly, it must be using port 8080 (default port). The following command can be used to start the server:

For Keycloak, use the following command to start the server on port 8180:

Installing Keycloak Wildfly Elytron Adapters

Keycloak integration is only possible when using the Keycloak Wildfly Elytron Adapter. This adapter is fully integrated with the new security infrastructure in Wildfly provided by Elytron and its subsystem.

Download the latest version of Wildfly Client Adapters and follow the instructions in this document to extract/install the adapters in your Wildfly installation. Make sure you run the following script when installing the adapter:

Creating a Keycloak Realm for Wildfly Management Services

We'll be protecting both the administration console and the HTTP management interface in Wildfly. For that, we need to create a Keycloak realm and two client applications, one used to configure security for the administration console and the other for the HTTP management interface.

Start your Keycloak server using the following command:

After running the command above you should be able to access Keycloak Administration Console at http://localhost:8180/auth and log in.

If you are running the server for the first time, you will be prompted to create an initial admin user to get started. Once you provide the username and password for the admin user, you'll be redirected to the Keycloak Administration Console login page.

Create a realm with a name wildfly-infra.

Create a client application with a name wildfly-console and configure it as follows:

Save changes for client wildfly-console and make sure it is properly updated. The client should have a configuration similar to the following:

Create another client application with a name wildfly-management and configure it as follows:

  • Select bearer-only in the Access Type field

Save changes for client wildfly-management and make sure it is properly updated. The client should have a configuration similar to the following:

Finally, we need to create a user in the jboss-infra realm and a role that grants this user access to the Wildfly Administration Console.

Create a Realm Role with a name ADMINISTRATOR. It is important to keep the name in uppercase.

For example purposes, we are only using the ADMINISTRATOR role to grant users access to the administration console. However, Wildfly also supports other roles with different access scopes. For more details, please take a look at

Create a new user with a name admin. You can choose whatever password you like, just make sure you set one. After creating the user, map the ADMINISTRATOR role to the admin user.

Protecting Wildfly Console and Management API

As a last configuration step, you need to configure Keycloak, Elytron and core subsystems to protect both management services.

Copy and paste the following commands into a new file named protect-wildfly-mgmt-services.cli:

Before saving the new file, you need to obtain the public key of the jboss-infra realm and replace [REALM_PUBLIC_KEY] in the first command above with the value of the public key. To obtain the realm's public key, go to the Keycloak Administration Console, select Realm Settings on the left side menu and then click on the Keys tab. You should see a page as follows:


Finally, execute the protect-wildfly-mgmt-services.cli script using JBoss CLI. Make sure your Wildfly instance is running before running the script:
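Added example, not part of the original page or of either project: a Python check for the [REALM_PUBLIC_KEY] substitution described above, to run before executing the script, since a truncated or PEM-wrapped key makes Wildfly reject every token. It assumes the key is either pasted from the Keys tab or read from the `public_key` field of the realm's public JSON document; the function names, sample key and sample script line are constructed for illustration.

```python
import base64
import binascii
import json

PLACEHOLDER = "[REALM_PUBLIC_KEY]"

def normalize_key(raw: str) -> str:
    """Return the key as one line of base64, or raise ValueError."""
    # Drop PEM armor lines and all whitespace picked up while copying.
    lines = [l.strip() for l in raw.splitlines() if not l.strip().startswith("-----")]
    b64 = "".join("".join(lines).split())
    try:
        der = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not valid base64: {exc}") from None
    # A public key is a DER SEQUENCE whose declared length must cover the
    # whole blob; a mismatch means the value was truncated when copied.
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    if der[1] < 0x80:
        header, body = 2, der[1]
    else:
        n = der[1] & 0x7F
        header, body = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + body != len(der):
        raise ValueError("DER length mismatch (truncated key?)")
    return b64

def key_from_realm_json(text: str) -> str:
    """Extract and check "public_key" from a realm's public JSON document."""
    return normalize_key(json.loads(text)["public_key"])

def fill_placeholder(cli_text: str, key: str) -> str:
    """Substitute the checked key; the placeholder must occur exactly once."""
    if cli_text.count(PLACEHOLDER) != 1:
        raise ValueError("expected exactly one [REALM_PUBLIC_KEY] placeholder")
    return cli_text.replace(PLACEHOLDER, normalize_key(key))

# Constructed sample data: a 294-byte DER-shaped blob, not a usable key.
SAMPLE_KEY = base64.b64encode(b"\x30\x82\x01\x22" + bytes(290)).decode()
SAMPLE_REALM_JSON = json.dumps({"realm": "jboss-infra", "public_key": SAMPLE_KEY})
# Constructed stand-in for the script's first line, not the page's command.
SAMPLE_CLI = 'realm-public-key="[REALM_PUBLIC_KEY]"\n'

if __name__ == "__main__":
    print(fill_placeholder(SAMPLE_CLI, key_from_realm_json(SAMPLE_REALM_JSON)))
```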

Accessing Wildfly Administration Console

If everything is correct you should be able to access the Wildfly Administration Console now after authenticating in Keycloak.

Try to access Wildfly Administration Console and you should be redirected to a login page in Keycloak. You should be able to log in as the admin user you created in the jboss-infra realm. 
