- Story
- Resolution: Won't Do
- Normal
At present, the Keycloak adapter for AMQ 7 supports an OAuth2 direct grant mechanism for having the user/password credentials of a JMS client validated by Keycloak, with a suitable token returned that represents the user's allowed roles. It also supports a standard flow (with HTTP redirection to a log-in page) for the console, but that is not relevant here: this request concerns only machine-to-machine interaction, such as a JMS client connecting to the broker.
There is no mechanism for the broker to accept a client certificate from a JMS client and present it to Keycloak in exchange for a token that can be used to authorize the client's subsequent interactions with the broker. This surprises customers, because the broker itself, without Keycloak, can validate a client certificate and assign roles to the session. When Keycloak is used, clients are limited to user/password authentication.
- relates to: ENTMQBR-7834 [QE] Keycloak tests should use JWT Tokens (Closed)