I've sent a PR for this:

It's a pretty big change in the way the Auth Server is started when the KeyCloak subsystem is used.  The WAR is no longer dropped into the standalone/deployments directory.   This is especially helpful for domain deployments, but it makes standalone cleaner as well.  It will also be important for Feature Pack installation.

The main difference you will see right away with this PR is that the appliance dist now uses the subsystem to launch the Auth Server.

Here are some notes about how everything turned out.  Next, I'll update the documentation if there is no major rework that needs to be done after the PR is reviewed.