Similar to the thread about Tenancy on Hawkular Services, I thought I'd also post about the current state of Keycloak for Hawkular. Hawkular Services cannot depend on Keycloak. Because of that, Nest is being changed to not consume the Keycloak Feature pack as before. As a side effect, we do not have support for tokens anymore (key/secret tokens, created via the "Tokens" UI), as those tokens were backed by OAuth Offline Tokens. Hawkular Services will have a simple JAAS integration, which should give us enough flexibility for the scenarios that we need to support. The UI on Hawkular will also have to remove the keycloak.js . I have yet to talk to the UI developers, but I think the main idea for now would be to have the WAR for the UI to be deployed and protected like any other backend component. The Accounts-related part will also have to be removed, such as the Organization and Token management. Nothing prevents Hawkular from shipping with Keycloak (server and/or adapter), as recent versions of Keycloak can protect any WAR deployments transparently, via the Keycloak Adapter Subsystem for Wildfly. This can be done by the community if interest in that integration exists but I currently have no plans on working on that. For reference, this is how you can activate a simple JAAS for your deployments: https://git.io/vwADp - web.xml (on your WAR) https://git.io/vwAyT - application-roles.properties https://git.io/vwAyL - application-users.properties - Juca.