First, I am using the adapters in a WildFly server.
I am using a web application configuration.
All works well, except for a possible "nuisance" I am seeing in the logging, which
may just be because I have TRACE logging turned on.
My web.xml has two security constraints, but only one has a user role constraint, thus the
"unprotected" resources should be entirely ignored by the Keycloak processing:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>unprotected</web-resource-name>
    <url-pattern>/shortcut.ico</url-pattern>
    <url-pattern>/features/*</url-pattern>
    <url-pattern>/plugins/*</url-pattern>
    <url-pattern>/registerForClock/*</url-pattern>
    <url-pattern>/registerForCallbacks/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>protected</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>PremiereClientAccessRole</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
My issue is I simply had too many problems with the websocket paths (register*) and so
I exclude them until I can get more time to work on them. I also have to exclude the features
and plugins paths, as those are accessed by a Java Web Start JNLP application, which simply
cannot pass any kind of OAuth credentials; I can only make it pass a JSESSIONID query
parameter.
When that occurs, I get this output:
2019-09-25 05:49:05,656 DEBUG [org.keycloak.adapters.elytron.ElytronSessionTokenStore] (default task-8) Account was not in session, returning null
2019-09-25 05:49:05,656 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-8) there was no code
2019-09-25 05:49:05,656 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-8) redirecting to auth server
2019-09-25 05:49:05,656 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-8) callback uri: https://ispace.space.smil:8443/premiereclient/plugins/org.eclipse.equinox...
2019-09-25 05:49:05,656 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-8) Sending redirect to login page: https://iskeycloak:8443/auth/realms/ispace/protocol/openid-connect/auth?r...
2019-09-25 05:49:05,657 INFO [io.undertow.request.dump] (default task-8)
----------------------------REQUEST---------------------------
URI=/premiereclient/plugins/org.eclipse.equinox.bidi_0.10.0.v20130327-1442.jar
characterEncoding=null
contentLength=-1
contentType=[application/x-java-archive]
header=Accept=text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
header=Cache-Control=no-cache
header=accept-encoding=pack200-gzip,gzip
header=UA-Java-Version=1.8.0_221
header=Pragma=no-cache
header=User-Agent=JNLP/1.7.0 javaws/11.221.2.11 (<internal>) Java/1.8.0_221
header=If-Modified-Since=Tue, 24 Sep 2019 23:11:52 GMT
header=Connection=keep-alive
header=content-type=application/x-java-archive
header=Host=ispace.space.smil:8443
locale=[]
method=HEAD
parameter=JSESSIONID=hSSQKI3rhbSZpBucCG9pgfSVJ3_boi6QBComJIzX
protocol=HTTP/1.1
queryString=JSESSIONID=hSSQKI3rhbSZpBucCG9pgfSVJ3_boi6QBComJIzX
remoteAddr=tlsdorl9166lg3.us.lmco.com/172.22.1.138:2503
remoteHost=tlsdorl9166lg3.us.lmco.com
scheme=https
host=ispace.space.smil:8443
serverPort=8443
isSecure=true
--------------------------RESPONSE--------------------------
contentLength=0
contentType=null
header=Connection=keep-alive
header=Content-Length=0
header=Date=Wed, 25 Sep 2019 05:49:05 GMT
status=200
It "says" it is sending a redirect, but there are no Location parameters in the
RESPONSE, so it just downloads the jar and everything works fine, but it is
"disconcerting" that it is "attempting" it, even though that URL is
excluded per the security constraints.
In the case of the websocket paths, something similar occurs:
2019-09-25 05:49:25,699 DEBUG [org.keycloak.adapters.elytron.KeycloakHttpServerAuthenticationMechanism] (default task-7) Evaluating request for path [https://ispace.space.smil:8443/premiereclient/registerForCallbacks/9c84cc...]
2019-09-25 05:49:25,699 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (default task-7) adminRequest https://ispace.space.smil:8443/premiereclient/registerForCallbacks/9c84cc...
2019-09-25 05:49:25,699 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-7) --> authenticate()
2019-09-25 05:49:25,699 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-7) try bearer
2019-09-25 05:49:25,699 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-7) try query paramter auth
2019-09-25 05:49:25,700 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-7) try basic auth
2019-09-25 05:49:25,700 DEBUG [org.keycloak.adapters.RequestAuthenticator] (default task-7) NOT_ATTEMPTED: Treating as bearer only
2019-09-25 05:49:25,702 INFO [io.undertow.request.dump] (default task-7)
----------------------------REQUEST---------------------------
URI=/premiereclient/registerForCallbacks/9c84cc61-45df-4c9b-8687-3da7b5d35773
characterEncoding=null
contentLength=-1
contentType=null
cookie=JSESSIONID=hSSQKI3rhbSZpBucCG9pgfSVJ3_boi6QBComJIzX
header=Connection=upgrade
header=Sec-WebSocket-Version=13
header=Sec-WebSocket-Key=06K18ImuBoSwY85ku2AtMA==
header=Origin=https://ispace.space.smil
header=Upgrade=websocket
header=Cookie=$Version="1"
header=Cookie=JSESSIONID="hSSQKI3rhbSZpBucCG9pgfSVJ3_boi6QBComJIzX";$Path="/premiereclient";$Domain=".ispace.space.smil"
header=Cookie=JSESSIONID=hSSQKI3rhbSZpBucCG9pgfSVJ3_boi6QBComJIzX.db
header=Cookie=JSESSIONID="hSSQKI3rhbSZpBucCG9pgfSVJ3_boi6QBComJIzX";$Path="/premiereclient";$Domain=".ispace.space.smil"
header=Host=ispace.space.smil:8443
locale=[]
method=GET
protocol=HTTP/1.1
queryString=
remoteAddr=/172.22.1.138:2525
remoteHost=tlsdorl9166lg3.us.lmco.com
scheme=https
host=ispace.space.smil:8443
serverPort=8443
isSecure=true
--------------------------RESPONSE--------------------------
contentLength=-1
contentType=null
cookie=JSESSIONID=hSSQKI3rhbSZpBucCG9pgfSVJ3_boi6QBComJIzX.db; domain=null; path=/premiereclient
header=Connection=Upgrade
header=Set-Cookie=JSESSIONID=hSSQKI3rhbSZpBucCG9pgfSVJ3_boi6QBComJIzX.db; path=/premiereclient
header=Sec-WebSocket-Location=wss://ispace.space.smil:8443/premiereclient/registerForCallbacks/9c84cc61-45df-4c9b-8687-3da7b5d35773
header=Origin=https://ispace.space.smil
header=Upgrade=WebSocket
header=Sec-WebSocket-Accept=J5354J166p8qV08GoBhXAN6ZRjY=
header=Date=Wed, 25 Sep 2019 05:49:25 GMT
status=101
You can notice the status is 101, so the upgrade succeeded, and all works fine, but once
again it is "disconcerting" that the adapters are doing anything at all on an
excluded URL.
I get the same logging if I do not exclude the paths, but then I get a 401 and the upgrade
fails.
Please advise if you can give me something to try.
I would like to not have to exclude either of these resources, but unfortunately there is
zero ability for me to integrate Web Start in any way that I can find, so I can only hope
to fix the websocket resources.
Thanks
Gene
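Added example (not part of Gene's post or of the Keycloak/WildFly code): a small Python model of the servlet container's security-constraint selection, applied to the web.xml above and the two request URIs from the log. It assumes the context path is /premiereclient (as in the logged URIs) and encodes the Servlet spec best-match rule as I read it (exact match, then longest path prefix, then extension); it models only the container's authorization decision, not the adapter's authentication mechanism, which the log shows running before that decision.

```python
"""Which <security-constraint> governs a request, per servlet url-pattern best-match rules.

Constructed example for the web.xml in the post; not the container's real implementation.
"""
from dataclasses import dataclass, field
from typing import Optional, Tuple

@dataclass
class Constraint:
    name: str
    patterns: list
    roles: list = field(default_factory=list)  # empty list = no <auth-constraint>

# Transcribed from the two <security-constraint> blocks in the post.
CONSTRAINTS = [
    Constraint("unprotected", ["/shortcut.ico", "/features/*", "/plugins/*",
                               "/registerForClock/*", "/registerForCallbacks/*"]),
    Constraint("protected", ["/*"], ["PremiereClientAccessRole"]),
]

def pattern_specificity(pattern: str, path: str) -> Optional[Tuple[int, int]]:
    """Sortable specificity if `pattern` matches the context-relative `path`, else None.
    Exact match (3) beats longest path-prefix (2) beats extension (1); "/*" is the
    zero-length prefix, so every more specific prefix outranks it."""
    if pattern == path:
        return (3, len(pattern))
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))
    if pattern.startswith("*.") and path.endswith(pattern[1:]):
        return (1, len(pattern))
    return None

def governing_constraint(request_uri: str, context_path: str, constraints=CONSTRAINTS):
    """Return (constraint name, winning pattern, auth required?) for a request URI."""
    path = request_uri[len(context_path):] if request_uri.startswith(context_path) else request_uri
    path = path.split("?", 1)[0]  # url-patterns never see the query string
    best = None
    for c in constraints:
        for p in c.patterns:
            key = pattern_specificity(p, path)
            if key is not None and (best is None or key > best[0]):
                best = (key, c.name, p, bool(c.roles))
    return None if best is None else best[1:]

if __name__ == "__main__":
    for uri in ["/premiereclient/plugins/org.eclipse.equinox.bidi_0.10.0.v20130327-1442.jar?JSESSIONID=x",
                "/premiereclient/registerForCallbacks/9c84cc61-45df-4c9b-8687-3da7b5d35773",
                "/premiereclient/index.html"]:
        print(uri, "->", governing_constraint(uri, "/premiereclient"))
```

Both logged URIs resolve to the "unprotected" collection with no auth-constraint, which is why the container serves the jar and completes the 101 upgrade regardless of what the adapter logged beforehand.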