How to integrate Keycloak with Payara Micro?

How can I integrate Keycloak with Payara Micro?

I want to create a stateless REST JAX-RS application that uses Keycloak as the authentication and authorization server, but I don't know how to do it.

The Eclipse MicroProfile JWT Authentication API defines the @LoginConfig annotation:

@LoginConfig(authMethod = "MP-JWT", realmName = "admin-realm")
public class MyApplication extends Application {...}

And Java EE has the @RolesAllowed annotation:

public class BooksController {

    public Books findAll() {...}
}

How do I integrate these two things?

I faced the same challenge in a personal project and, as mentioned, the Keycloak project does not provide a native adapter for Payara. At that time I wrote a library to secure my app with Keycloak; if you like, you can take a look at it and let me know if it's OK or how we can improve it.

[keycloak-user] How to integrate Keycloak with Payara Micro? Thomás Sousa Silva thomas.sousa.96 at Sun May 13 21:03:32 EDT

The Keycloak project doesn't provide a native adapter for Payara Server or Payara Micro, and the Payara project doesn't provide one either.

But Keycloak also provides a generic servlet filter adapter, which should also be usable with Payara Micro:

Just add the keycloak-servlet-filter-adapter dependency into your web application and configure the adapter in the web.xml according to the documentation. I haven't tested it though, so I don't know if it really works.

OpenID Connect Support - Payara Documentation: Keycloak integration. Keycloak is an open source identity and access management server that is compliant with the OAuth2 and OpenID Connect (OIDC) protocols. In this …

We will use the Payara Micro Maven archetype to generate our project; run the following command.

$ mvn archetype:generate -DarchetypeGroupId=fish.payara.maven.archetypes -DarchetypeArtifactId=payara-micro-maven-archetype -DarchetypeVersion=1.0.1 -DgroupId=fish.payara.micro -DartifactId=microprofile-config-example -Dversion=1.0-SNAPSHOT -Dpackage

You can find a solution in The Payara Monthly Roundup for April 2019:

MicroProfile JWT with Keycloak - In this step-by-step blog, Hayri Cicek demonstrates how to secure your services using MicroProfile JWT and Keycloak.

Init LoginConfig and map your roles using DeclareRoles

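import javax.annotation.security.DeclareRoles;
import javax.ws.rs.core.Application;
import org.eclipse.microprofile.auth.LoginConfig;

// Enable MP-JWT authentication and declare the roles used by @RolesAllowed
@LoginConfig(authMethod = "MP-JWT")
@DeclareRoles({ "mysimplerole", "USER" })
public class ApplicationConfig extends Application {
}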

Add params to


And you can use your roles in RolesAllowed

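import javax.annotation.security.RolesAllowed;
import javax.ws.rs.core.Response;
public class HelloWorldEndpoint {
    @RolesAllowed("mysimplerole") // a role declared in @DeclareRoles above
    public Response doGet() {
        return Response.ok("Hello from MicroProfile!").build();
    }
}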

A Simple MicroProfile JWT Token Provider With Payara Realms and …: it is already integrated with Java EE security schemes; using the realm…

Keycloak high availability: it is done by deploying Keycloak in a cluster. LDAP high availability: done through LDAP replication with 2 LDAP instances as well. 9) Deploying a microservice architecture with a SaaS authentication service using Keycloak. Keycloak scales very well with a microservice SaaS architecture.

Since IntelliJ IDEA has a configuration option for running a JAR application, which is what we need to run Payara Micro, you can easily integrate Payara Micro with the IDE in your development environment. You just need to indicate where Payara Micro is stored on your machine and where the application is built with Maven, for example.

Atbash blog – Java EE, Web Application security and testing made …: And Atbash Octopus where KeyCloak and MicroProfile JWT auth spec and Added Payara micro as supported server to serve the configuration. Integration with Keycloak (Client Credentials for Java SE, AuthorizationCode grant for Web, …

Figure 2: Add client

Step 4: Configure Client. If Keycloak runs on port 8080, make sure your microservice runs on another port. In the example, the microservice is configured to run on 8085.

On the following page add the name MicroProfile and make sure the realm is enabled. Next, go to the Keys tab within the Realm Settings and copy the public key of the rsa-generated key to an editor or clipboard. We will need this key later on for verifying the JWT signature within the Java EE backend.
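What the copied realm key is used for, as an added example that is not from the original page or from the Keycloak or Payara projects: it parses the key and verifies an RS256 token signature with only the JDK, then shows that a token with an edited role list is rejected. It assumes the value copied from the Keys tab is the Base64 X.509 encoding of the RSA public key; the class name, issuer URL, key pair and tokens are constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

public class RealmKeyJwtCheck {
    // Assumption: the copied key is Base64 of the DER X.509 SubjectPublicKeyInfo.
    static PublicKey parseRealmKey(String base64Der) throws GeneralSecurityException {
        byte[] der = Base64.getDecoder().decode(base64Der.trim());
        return KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(der));
    }

    // Accept only a three-part RS256 token whose signature covers "header.payload".
    static boolean verifyRs256(String jwt, PublicKey key) throws GeneralSecurityException {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) return false;
        String header = new String(Base64.getUrlDecoder().decode(parts[0]), StandardCharsets.UTF_8);
        // Simplified header check (a real verifier parses the JSON); rejects "none" and HS256.
        if (!header.replace(" ", "").contains("\"alg\":\"RS256\"")) return false;
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(key);
        sig.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
        return sig.verify(Base64.getUrlDecoder().decode(parts[2]));
    }

    static String b64(String json) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(json.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        // Constructed key pair standing in for the realm's rsa-generated key.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair realm = gen.generateKeyPair();
        String copiedKey = Base64.getEncoder().encodeToString(realm.getPublic().getEncoded());
        // Constructed token; MP-JWT maps the "groups" claim to @RolesAllowed roles.
        String signingInput = b64("{\"alg\":\"RS256\",\"typ\":\"JWT\"}") + "."
                + b64("{\"iss\":\"https://idp.example/realms/demo\",\"groups\":[\"USER\"]}");
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(realm.getPrivate());
        signer.update(signingInput.getBytes(StandardCharsets.US_ASCII));
        String sigPart = Base64.getUrlEncoder().withoutPadding().encodeToString(signer.sign());
        PublicKey key = parseRealmKey(copiedKey);
        System.out.println("genuine token accepted: " + verifyRs256(signingInput + "." + sigPart, key));
        // The same signature over a payload with an edited role list must be rejected.
        String edited = signingInput.split("\\.")[0] + "." + b64("{\"groups\":[\"mysimplerole\"]}");
        System.out.println("edited token accepted:  " + verifyRs256(edited + "." + sigPart, key));
    }
}
```

In a deployed application the MP-JWT runtime performs this verification itself, along with expiry and issuer checks that this block leaves out.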

  • Many thanks!! Now you can update the readme file with the Keycloak config, how to get a token, how to log out and how to use an external configuration (without using mp-config)?
  • You could send the configuration through environment variables or Java properties; the config file can be used as the default. Regarding the token, at this point the app library has been tested to work with services; in this case the token should be obtained by the FE. Do you also need to secure web pages??
  • Yes, I want to make a backend server with JAX-RS and MicroProfile and a frontend server with Node.js and Angular, both using Keycloak.
  • In this case the library I made will work (I am working on some improvements). Regarding the Angular app, you can use to make the FE part.
  • New version released, now you can use keycloak.json file to define your configuration.
  • I had already seen this option, but I want to configure it using the Eclipse MicroProfile specification. This option uses the web.xml for configuration, and I want to use an external configuration using the mp-config specification.
  • It's possible to use references to system properties and environment variables in web.xml:… However, this doesn't provide the same flexibility as using MicroProfile Config and Pablo's Soteria addon looks very nice!
  • @ThomásSousaSilva did you find a way to achieve the config with mp-jwt and Payara?