If SSL is a realm requirement, can't you use two-way SSL between
Keycloak and the application's server using the certificates of each of
those servers? There would be no need to set up client certs. For
self-signed certs you could even do what the browser does and have the
admin console ask to trust the cert from the host of the application's
server (vice versa too!).
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com