As in standalone mode , you can secure the management console with OpenID Connect (OIDC) by configuring an OIDC provider, such as Red Hat build of Keycloak, and the elytron-oidc-client subsystem.

Requirement to secure the management console in domain mode as well .

In EAP 8 doc , it is outlined that it it is only supported in standalone mode not in domain mode  - jboss-eap-management-console-security-with-oidc_securing-the-jboss-eap-management-console-with-an-openid-provider