Hi,

As a side note, one thing I could look into is the ability to use 
@Inject of a KeycloakSession.  Developer could then write entire web 
applications that are deployed separately and worked with the keycloak 
API directly.  @Inject KeycloakSession would work similarly to 
@PersistenceContexts EntityManager.
Sounds incredibly cool! From my practice I can say that applications often need to perform queries on an IdM layer; such queries can make an essential part of application's business logic (ex., "retrieve all the members of groups the current user is a member of"). For that, native KeyCloak API seems to be much more convenient than REST.

But if I get it right, this will be limited to webapps deployed to the same WildFly instance. Do you think this approach could be nevertheless extended to webapps running in separate JVMs/appservers, or REST is the only option here?

Looking forward, as soon as JSR-375 is ready, do you think KeyCloak could adopt it?

Dmitry