Do we need this? 

<subsystem xmlns="urn:jboss:domain:keycloak:1.0">
            <auth-server name="main-auth-server">

If I have this, I get this error:

11:17:29,821 ERROR [] (Controller Boot Thread) JBAS014613: Operation ("deploy") failed - address: ([("deployment" => "auth-server.war")]) - failure description: {"JBAS014671: Failed services" => {"jboss.deployment.unit.\"auth-server.war\".POST_MODULE" => "org.jboss.msc.service.StartException in service jboss.deployment.unit.\"auth-server.war\".POST_MODULE: JBAS018733: Failed to process phase POST_MODULE of deployment \"auth-server.war\"
    Caused by: org.jboss.msc.service.DuplicateServiceException: Service is already registered”}}

If I don’t have this, I get this error when deploying the demo app.

Caused by: java.lang.RuntimeException: UT010039: Unknown authentication mechanism KEYCLOAK"}}