Follow the steps in Keycloak’s getting started guide to add a new realm called wildfly-infra. Then, create a new OpenID Connect client called wildfly-console. Set the Valid Redirect URIs using the URI used to access the WildFly management console, e.g.,  http://localhost:9990/console/ . Similarly, you’ll also need to set *Web Origins using the management port for your WildFly instance, e.g.,  http://localhost:9990 . Next, create a second OpenID Connect client called wildfly-management. This will be a bearer-only client so in the Capability configuration, be sure to uncheck the Standard flow and Direct access grants. Configuring WildFly to enable Role Based Access Control (RBAC), And don't create ADMINISTRATOR role.   Elytron OIDC Client Subsystem Configuration We need to add a secure-deployment resource that references the wildfly-management client that was created in the previous section. A secure-server that references the wildfly-console client is also needed. Some example CLI commands that add these resources can be seen here: Configure the Keycloak provider /subsystem=elytron-oidc-client/provider=keycloak:add(provider-url= http://localhost:8180/realms/wildfly-infra ) Create a secure-deployment in order to protect mgmt interface /subsystem=elytron-oidc-client/secure-deployment=wildfly-management:add(provider=keycloak,client-id=wildfly-management,principal-attribute=preferred_username,bearer-only=true,ssl-required=EXTERNAL) Enable RBAC where roles are obtained from the identity /core-service=management/access=authorization:write-attribute(name=provider,value=rbac) /core-service=management/access=authorization:write-attribute(name=use-identity-roles,value=true) Create a secure-server in order to publish the management console configuration via mgmt interface /subsystem=elytron-oidc-client/secure-server=wildfly-console:add(provider=keycloak,client-id=wildfly-console,public-client=true) Reload reload