As we developed WildFly Elytron and integrated in WildFly 11 and EAP 7.1 the specifications in use by Keycloak around OpenID Connect were very much in a state of ongoing development so at the time it made sense for the Keycloak project to handle the integration. The relevant specifications are now stable and it makes sense for individual projects to handle their own OIDC integration.

Another benefit mentioned from Stian is this would allow EAP / XP releases to be interoperable with other OIDC providers which may be required for both cloud and bare metal deployments.

Since the original WildFly client side adaptors were written for Elytron our integration has also progressed further, at the moment the installation of these adaptors requires security domains and realms to be defined before a deployment can be deployed.

The Keycloak adaptors support two different modes:

• Managed
• Deployment Configured

The native integration should support the same, cloud use cases are really showing a trend towards deployment configured at the moment.

In the case of deployment configured we should be able to eliminate the pre-wired configuration presently used. We have used this pattern already for microprofile-jwt by dynamically defining a virtual security domain.

Layering is also proving important, I would suggest a feature such as this should be in a dedicated subsystem "elytron-oidc" which will follow a similar pattern to the "microprofile-jwt" subsystem.