I've sent a PR for this:
It's a pretty big change in the way the Auth Server is started when
the KeyCloak subsystem is used. The WAR is no longer dropped into
the standalone/deployments directory. This is especially helpful
for domain deployments, but it makes standalone cleaner as well. It
will also be important for Feature Pack installation.
The main difference you will see right away with this PR is that the
appliance dist now uses the subsystem to launch the Auth Server.
Here are some notes about how everything turned out. Next, I'll
update the documentation if there is no major rework that needs to
be done after the PR is reviewed.
- The WAR for the auth server now lives in
default, it is unexploded. If you want it to be exploded you
can unzip it into that same directory and set the
"auth-server-exploded" property in module.xml.
- A new Auth Server is declared in standalone.xml/domain.xml.
You can have more than one Auth Server in the same WildFly
- <subsystem xmlns="urn:jboss:domain:keycloak:1.0">
- The "enabled" attribute can be toggled at runtime to make the
auth server undeploy/redeploy.
- If you have more than one auth-server, the web-context must be
- In a domain environment, all specified Auth Server deployments
are propagated to all servers using that profile. The same is
true for overlays uploaded through the new CLI operations.
- There are two new CLI operations that act on an auth-server.
They are "add-provider" and "update-server-config". Currently,
you can only execute these operations in the latest version of
CLI GUI. We should discuss if we need to add support in plain
CLI. The long term goal would be to add this functionality to
the Keycloak Admin Console.
- "add-provider" adds a provider jar to an auth-server
- "update-server-config" overlays the keycloak-server.json for
- If a keycloak-server.json file is found in
standalone/configuration directory, all auth-server instances
will still use it regardless of any update-server-config
- EAP6 does not yet support all this. We should discuss whether
or not this functionality should be backported.