[keycloak-user] Issue with Bearer only auth

Hi, I have a rest endpoint running on wildfly 9. Wildfly and application is setup to use Keycloak and request to endpoints are intercepted with keycloak adapter. But is seems to be that it is not working. If auth header is not present keycloak just skips authentication and lets all request thru. It doesn’t matter do I use curl or browser. Wilfly logs says (last line comes from servlet filter) 2015-11-06 13:10:23,962 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (default task-17) adminRequest https://localhost:8443/foobar/endpoint 2015-11-06 13:10:23,969 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-17) --> authenticate() 2015-11-06 13:10:23,969 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-17) try bearer 2015-11-06 13:10:23,969 DEBUG [org.keycloak.adapters.RequestAuthenticator] (default task-17) NOT_ATTEMPTED: bearer only 2015-11-06 13:10:23,970 DEBUG [org.keycloak.adapters.AuthenticatedActionsHandler] (default task-17) AuthenticatedActionsValve.invoke https://localhost:8443/foobar/endpoint 2015-11-06 13:10:23,970 INFO [stdout] (default task-17) GET:/foobar/endpoint If I add Authorization headar like this Authorization: Bearer 123 I get HTTP/1.1 401 Unauthorized WWW-Authenticate: Bearer realm="saas-pilot", error="invalid_token", error_description="Couldn't parse token” Is there something that I dont understand? I have tried with web.xml/keycloak.json and keycloak subsystem configuration methods, same outcome. Br, Tero