I did a write up of the login algorith and how it currently works. Most of it is required OAuth 2 protocol, except the servlet JSP forward() requests. https://github.com/keycloak/keycloak/wiki/Login-Algorithm -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com