Update changelog for release 2.2.2

Signed-off-by: ansible-middleware-core <ansible-middleware-core@redhat.com>
Merge pull request #210 from Footur/copy-key-material
2026-03-27 13:53:04 +00:00 · 2024-05-06 08:11:11 +00:00 · 2024-05-06 08:28:09 +02:00 · 2024-05-05 13:58:19 +02:00 · 2024-05-05 12:11:51 +02:00 · 2024-05-03 16:34:57 +02:00
136 changed files with 11002 additions and 1473 deletions
--- a/.ansible-lint
+++ b/.ansible-lint
@@ -6,6 +6,7 @@ exclude_paths:
  - .ansible-lint
  - .yamllint
  - meta/
+  - playbooks/roles/

 rulesdir:
   - ../../ansible-lint-custom-rules/rules/
@@ -20,11 +21,21 @@ warn_list:
  - experimental
  - ignore-errors
  - no-handler
-  - fqcn-builtins
  - no-log-password
+  - jinja[spacing]
+  - jinja[invalid]
+  - meta-no-tags
+  - name[casing]
+  - fqcn[action]
+  - schema[meta]
+  - var-naming[no-role-prefix]
+  - key-order[task]
+  - blocked_modules

 skip_list:
  - vars_should_not_be_used
+  - file_is_small_enough
+  - name[template]

 use_default_rules: true
 parseable: true
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,51 +1,18 @@
 ---
 name: CI
-"on":
+on:
  push:
    branches:
      - main
  pull_request:
+  schedule:
+    - cron: '15 6 * * *'

 jobs:
  ci:
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        python_version: ["3.9"]
-    steps:
-      - name: Check out code
-        uses: actions/checkout@v2
-        with:
-          path: ansible_collections/middleware_automation/keycloak
-
-      - name: Set up Python ${{ matrix.python_version }}
-        uses: actions/setup-python@v1
-        with:
-          python-version: ${{ matrix.python_version }}
-
-      - name: Install yamllint, ansible and molecule
-        run: |
-          python -m pip install --upgrade pip
-          pip install yamllint 'molecule[docker]~=3.5.2' ansible-core flake8 ansible-lint voluptuous
-          pip install -r ansible_collections/middleware_automation/keycloak/requirements.txt
-
-      - name: Install ansible-lint custom rules
-        uses: actions/checkout@v2
-        with:
-          repository: ansible-middleware/ansible-lint-custom-rules
-          path: ansible_collections/ansible-lint-custom-rules/
-
-      - name: Create default collection path
-        run: |
-          mkdir -p /home/runner/.ansible/collections/ansible_collections
-
-      - name: Run sanity tests
-        run: ansible-test sanity --docker -v --color --python ${{ matrix.python_version }} --exclude changelogs/fragments/.gitignore
-        working-directory: ./ansible_collections/middleware_automation/keycloak
-
-      - name: Run molecule test
-        run: molecule test --all
-        working-directory: ./ansible_collections/middleware_automation/keycloak
-        env:
-          PY_COLORS: '1'
-          ANSIBLE_FORCE_COLOR: '1'
+    uses: ansible-middleware/github-actions/.github/workflows/ci.yml@main
+    secrets: inherit
+    with:
+      fqcn: 'middleware_automation/keycloak'
+      molecule_tests: >-
+          [ "default", "overridexml", "https_revproxy", "quarkus", "quarkus-devmode", "debian" ]
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -8,54 +8,11 @@ on:
      - "[0-9]+.[0-9]+.[0-9]+"
  workflow_dispatch:

-env:
-  COLORTERM: 'yes'
-  TERM: 'xterm-256color'
-  PYTEST_ADDOPTS: '--color=yes'
-
 jobs:
  docs:
-    runs-on: ubuntu-latest
-    if: github.repository == 'ansible-middleware/keycloak'
-    permissions:
-      actions: write
-      checks: write
-      contents: write
-      deployments: write
-      packages: write
-      pages: write
-    steps:
-      - name: Check out code
-        uses: actions/checkout@v2
-        with:
-          path: ansible_collections/middleware_automation/keycloak
-          fetch-depth: 0
-
-      - name: Set up Python
-        uses: actions/setup-python@v2
-        with:
-          python-version: 3.9
-
-      - name: Install doc dependencies
-        run: |
-          python -m pip install --upgrade pip
-          pip install -r ansible_collections/middleware_automation/keycloak/docs/requirements.txt
-          pip install -r ansible_collections/middleware_automation/keycloak/requirements.txt
-          sudo apt install -y sed hub
-
-      - name: Create default collection path
-        run: |
-          mkdir -p /home/runner/.ansible/collections/ansible_collections
-
-      - name: Create changelog and documentation
-        uses: ansible-middleware/collection-docs-action@main
-        with:
-          collection_fqcn: middleware_automation.keycloak
-          collection_repo: ansible-middleware/keycloak
-          dependencies: false
-          commit_changelog: false
-          commit_ghpages: true
-          changelog_release: false
-          generate_docs: true
-          path: ansible_collections/middleware_automation/keycloak
-          token: ${{ secrets.GITHUB_TOKEN }}
+    uses: ansible-middleware/github-actions/.github/workflows/docs.yml@main
+    secrets: inherit
+    with:
+      fqcn: 'middleware_automation/keycloak'
+      collection_fqcn: 'middleware_automation.keycloak'
+      historical_docs: 'false'
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -2,96 +2,27 @@
 name: Release collection
 on:
  workflow_dispatch:
+    inputs:
+      release_summary:
+        description: 'Optional release summary for changelogs'
+        required: false

 jobs:
  release:
-    runs-on: ubuntu-latest
-    if: github.repository == 'ansible-middleware/keycloak'
-    permissions:
-      actions: write
-      checks: write
-      contents: write
-      deployments: write
-      packages: write
-      pages: write
-    outputs:
-      tag_version: ${{ steps.get_version.outputs.TAG_VERSION }}
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-          token: ${{ secrets.TRIGGERING_PAT }}
-
-      - name: Set up Python
-        uses: actions/setup-python@v1
-        with:
-          python-version: "3.x"
-
-      - name: Get current version
-        id: get_version
-        run: echo "::set-output name=TAG_VERSION::$(grep version galaxy.yml | awk -F'"' '{ print $2 }')"
-
-      - name: Check if tag exists
-        id: check_tag
-        run: echo "::set-output name=TAG_EXISTS::$(git tag | grep ${{ steps.get_version.outputs.TAG_VERSION }})"
-
-      - name: Fail if tag exists
-        if: ${{ steps.get_version.outputs.TAG_VERSION == steps.check_tag.outputs.TAG_EXISTS }}
-        uses: actions/github-script@v3
-        with:
-          script: |
-              core.setFailed('Release tag already exists')
-
-      - name: Install dependencies
-        run: |
-          python -m pip install --upgrade pip
-          pip install ansible-core antsibull
-          sudo apt install -y sed hub
-
-      - name: Build collection
-        run: |
-          ansible-galaxy collection build .
-
-      - name: Create changelog and documentation
-        uses: ansible-middleware/collection-docs-action@main
-        with:
-          collection_fqcn: middleware_automation.keycloak
-          collection_repo: ansible-middleware/keycloak
-          dependencies: false
-          commit_changelog: true
-          commit_ghpages: false
-          changelog_release: true
-          generate_docs: false
-          token: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Publish collection
-        env:
-          ANSIBLE_GALAXY_API_KEY: ${{ secrets.ANSIBLE_GALAXY_API_KEY }}
-        run: |
-          ansible-galaxy collection publish *.tar.gz --api-key $ANSIBLE_GALAXY_API_KEY
-
-      - name: Create release tag
-        run: |
-          git config user.name github-actions
-          git config user.email github-actions@github.com
-          git tag -a ${{ steps.get_version.outputs.TAG_VERSION }} -m "Release v${{ steps.get_version.outputs.TAG_VERSION }}" || true
-          git push origin --tags
-
-      - name: Publish Release
-        uses: softprops/action-gh-release@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          tag_name: ${{ steps.get_version.outputs.TAG_VERSION }}
-          files: "*.tar.gz"
-          body_path: gh-release.md
+    uses: ansible-middleware/github-actions/.github/workflows/release.yml@main
+    with:
+      collection_fqcn: 'middleware_automation.keycloak'
+      downstream_name: 'rhbk'
+      release_summary: "${{ github.event.inputs.release_summary }}"
+    secrets:
+      galaxy_token: ${{ secrets.ANSIBLE_GALAXY_API_KEY }}
+      jira_webhook: ${{ secrets.JIRA_WEBHOOK_CREATE_VERSION }}

  dispatch:
    needs: release
    strategy:
      matrix:
-        repo: ['ansible-middleware/cross-dc-rhsso-demo', 'ansible-middleware/flange-demo', 'ansible-middleware/ansible-middleware-ee']
+        repo: ['ansible-middleware/ansible-middleware-ee']
    runs-on: ubuntu-latest
    steps:
      - name: Repository Dispatch
--- a/.gitignore
+++ b/.gitignore
@@ -2,6 +2,8 @@
 *.zip
 .tmp
 .cache
+.vscode/
+__pycache__/
 docs/plugins/
 docs/roles/
 docs/_build/
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -1,11 +1,311 @@
-============================================
-middleware_automation.keycloak Release Notes
-============================================
+=============================================
+middleware\_automation.keycloak Release Notes
+=============================================

 .. contents:: Topics

 This changelog describes changes after version 0.2.6.

+v2.2.2
+======
+
+Minor Changes
+-------------
+
+- Copying of key material for TLS configuration `#210 <https://github.com/ansible-middleware/keycloak/pull/210>`_
+- Validate certs parameter for JDBC driver downloads `#207 <https://github.com/ansible-middleware/keycloak/pull/207>`_
+
+Bugfixes
+--------
+
+- Turn off controller privilege escalation `#209 <https://github.com/ansible-middleware/keycloak/pull/209>`_
+
+v2.2.1
+======
+
+Release Summary
+---------------
+
+Internal release, documentation or test changes only.
+
+Bugfixes
+--------
+
+- JDBC provider: fix clause in argument validation `#204 <https://github.com/ansible-middleware/keycloak/pull/204>`_
+
+v2.2.0
+======
+
+Major Changes
+-------------
+
+- Support java keystore for configuration of sensitive options `#189 <https://github.com/ansible-middleware/keycloak/pull/189>`_
+
+Minor Changes
+-------------
+
+- Add ``wait_for_port`` and ``wait_for_log`` systemd unit logic `#199 <https://github.com/ansible-middleware/keycloak/pull/199>`_
+- Customize jdbc driver downloads, optional authentication `#202 <https://github.com/ansible-middleware/keycloak/pull/202>`_
+- Keystore-based vault SPI configuration `#196 <https://github.com/ansible-middleware/keycloak/pull/196>`_
+- New ``keycloak_quarkus_hostname_strict_https`` parameter `#195 <https://github.com/ansible-middleware/keycloak/pull/195>`_
+- Providers config and custom providers `#201 <https://github.com/ansible-middleware/keycloak/pull/201>`_
+- Remove administrator credentials from files once keycloak is bootstrapped `#197 <https://github.com/ansible-middleware/keycloak/pull/197>`_
+- Update keycloak to 24.0 `#194 <https://github.com/ansible-middleware/keycloak/pull/194>`_
+
+v2.1.2
+======
+
+Release Summary
+---------------
+
+Internal release, documentation or test changes only.
+
+v2.1.1
+======
+
+Minor Changes
+-------------
+
+- Add reverse ``proxy_headers`` config, supersedes ``proxy_mode`` `#187 <https://github.com/ansible-middleware/keycloak/pull/187>`_
+- Debian/Ubuntu compatibility `#178 <https://github.com/ansible-middleware/keycloak/pull/178>`_
+- Use ``keycloak_realm`` as default for sub-entities `#180 <https://github.com/ansible-middleware/keycloak/pull/180>`_
+
+Bugfixes
+--------
+
+- Fix permissions on controller-side downloaded artifacts `#184 <https://github.com/ansible-middleware/keycloak/pull/184>`_
+- JVM args moved to ``JAVA_OPTS`` envvar (instead of JAVA_OPTS_APPEND) `#186 <https://github.com/ansible-middleware/keycloak/pull/186>`_
+- Unrelax configuration file permissions `#191 <https://github.com/ansible-middleware/keycloak/pull/191>`_
+- Utilize comment filter for ``ansible_managed`` annotations `#176 <https://github.com/ansible-middleware/keycloak/pull/176>`_
+
+v2.1.0
+======
+
+Major Changes
+-------------
+
+- Implement infinispan TCPPING discovery protocol `#159 <https://github.com/ansible-middleware/keycloak/pull/159>`_
+
+Minor Changes
+-------------
+
+- Set enable-recovery when xa transactions are enabled `#167 <https://github.com/ansible-middleware/keycloak/pull/167>`_
+- keycloak_quarkus: Allow configuring log rotate options in quarkus configuration `#161 <https://github.com/ansible-middleware/keycloak/pull/161>`_
+- keycloak_quarkus: ``sticky-session`` for infinispan routes `#163 <https://github.com/ansible-middleware/keycloak/pull/163>`_
+
+Breaking Changes / Porting Guide
+--------------------------------
+
+- keycloak_quarkus: renamed infinispan host list configuration `#157 <https://github.com/ansible-middleware/keycloak/pull/157>`_
+
+Bugfixes
+--------
+
+- keycloak_quarkus: fix custom JAVA_HOME parameter name `#171 <https://github.com/ansible-middleware/keycloak/pull/171>`_
+
+v2.0.2
+======
+
+Minor Changes
+-------------
+
+- keycloak_quarkus: Add support for sqlserver jdbc driver `#148 <https://github.com/ansible-middleware/keycloak/pull/148>`_
+- keycloak_quarkus: allow configuration of ``hostname-strict-backchannel`` `#152 <https://github.com/ansible-middleware/keycloak/pull/152>`_
+- keycloak_quarkus: systemd restart behavior `#145 <https://github.com/ansible-middleware/keycloak/pull/145>`_
+
+Bugfixes
+--------
+
+- keycloak_quarkus: Use ``keycloak_quarkus_java_opts`` `#154 <https://github.com/ansible-middleware/keycloak/pull/154>`_
+- keycloak_quarkus: allow ports <1024 (e.g. :443) in systemd unit `#150 <https://github.com/ansible-middleware/keycloak/pull/150>`_
+
+v2.0.1
+======
+
+Minor Changes
+-------------
+
+- keycloak_quarkus: add hostname-strict parameter `#139 <https://github.com/ansible-middleware/keycloak/pull/139>`_
+- keycloak_quarkus: update to version 23.0.1 `#133 <https://github.com/ansible-middleware/keycloak/pull/133>`_
+
+Bugfixes
+--------
+
+- keycloak_quarkus: template requires lowercase boolean values `#138 <https://github.com/ansible-middleware/keycloak/pull/138>`_
+
+v2.0.0
+======
+
+Minor Changes
+-------------
+
+- Add new parameter for port offset configuration `#124 <https://github.com/ansible-middleware/keycloak/pull/124>`_
+- Update Keycloak to version 22.0.5 `#122 <https://github.com/ansible-middleware/keycloak/pull/122>`_
+
+Breaking Changes / Porting Guide
+--------------------------------
+
+- Add support for more http-related configs `#115 <https://github.com/ansible-middleware/keycloak/pull/115>`_
+- Update minimum ansible-core version > 2.14 `#119 <https://github.com/ansible-middleware/keycloak/pull/119>`_
+- keycloak_quarkus: enable config of key store and trust store `#116 <https://github.com/ansible-middleware/keycloak/pull/116>`_
+
+v1.3.0
+======
+
+Major Changes
+-------------
+
+- Run service as ``keycloak_service_user`` `#106 <https://github.com/ansible-middleware/keycloak/pull/106>`_
+
+Minor Changes
+-------------
+
+- keycloak_quarkus: Update Keycloak to version 22.0.3 `#112 <https://github.com/ansible-middleware/keycloak/pull/112>`_
+- keycloak_quarkus: fix admin console redirect when running locally `#111 <https://github.com/ansible-middleware/keycloak/pull/111>`_
+- keycloak_quarkus: skip proxy config if ``keycloak_quarkus_proxy_mode`` is ``none`` `#109 <https://github.com/ansible-middleware/keycloak/pull/109>`_
+
+Bugfixes
+--------
+
+- keycloak_quarkus: fix validation failure upon port configuration change `#113 <https://github.com/ansible-middleware/keycloak/pull/113>`_
+
+v1.2.8
+======
+
+Minor Changes
+-------------
+
+- keycloak_quarkus: set openjdk 17 as default `#103 <https://github.com/ansible-middleware/keycloak/pull/103>`_
+- keycloak_quarkus: update to version 22.0.1 `#107 <https://github.com/ansible-middleware/keycloak/pull/107>`_
+
+Bugfixes
+--------
+
+- Fix incorrect checks for ``keycloak_jgroups_subnet`` `#98 <https://github.com/ansible-middleware/keycloak/pull/98>`_
+- Undefine ``keycloak_db_valid_conn_sql`` default `#91 <https://github.com/ansible-middleware/keycloak/pull/91>`_
+- Update bindep.txt package python3-devel to support RHEL9 `#105 <https://github.com/ansible-middleware/keycloak/pull/105>`_
+
+v1.2.7
+======
+
+Minor Changes
+-------------
+
+- Allow to override jgroups subnet `#93 <https://github.com/ansible-middleware/keycloak/pull/93>`_
+- keycloak-quarkus: update keycloakx to v21.1.1 `#92 <https://github.com/ansible-middleware/keycloak/pull/92>`_
+
+v1.2.6
+======
+
+Minor Changes
+-------------
+
+- Add profile features enabling/disabling `#87 <https://github.com/ansible-middleware/keycloak/pull/87>`_
+- Improve service restart behavior configuration `#88 <https://github.com/ansible-middleware/keycloak/pull/88>`_
+- Update default xa_datasource_class value for mariadb jdbc configuration `#89 <https://github.com/ansible-middleware/keycloak/pull/89>`_
+
+Bugfixes
+--------
+
+- Handle WFLYCTL0117 when background validation millis is 0 `#90 <https://github.com/ansible-middleware/keycloak/pull/90>`_
+
+v1.2.5
+======
+
+Minor Changes
+-------------
+
+- Add configuration for database connection pool validation `#85 <https://github.com/ansible-middleware/keycloak/pull/85>`_
+- Allow to configure administration endpoint URL `#86 <https://github.com/ansible-middleware/keycloak/pull/86>`_
+- Allow to force backend URLs to frontend URLs `#84 <https://github.com/ansible-middleware/keycloak/pull/84>`_
+- Introduce systemd unit restart behavior `#81 <https://github.com/ansible-middleware/keycloak/pull/81>`_
+
+v1.2.4
+======
+
+Minor Changes
+-------------
+
+- Add ``sqlserver`` to keycloak role jdbc configurations `#78 <https://github.com/ansible-middleware/keycloak/pull/78>`_
+- Add configurability for XA transactions `#73 <https://github.com/ansible-middleware/keycloak/pull/73>`_
+
+Bugfixes
+--------
+
+- Fix deprecation warning for ``ipaddr`` `#77 <https://github.com/ansible-middleware/keycloak/pull/77>`_
+- Fix undefined facts when offline patching sso `#71 <https://github.com/ansible-middleware/keycloak/pull/71>`_
+
+v1.2.1
+======
+
+Minor Changes
+-------------
+
+- Allow to setup keycloak HA cluster without remote cache store `#68 <https://github.com/ansible-middleware/keycloak/pull/68>`_
+
+Bugfixes
+--------
+
+- Pass attributes to realm clients `#69 <https://github.com/ansible-middleware/keycloak/pull/69>`_
+
+v1.2.0
+======
+
+Major Changes
+-------------
+
+- Provide config for multiple modcluster proxies `#60 <https://github.com/ansible-middleware/keycloak/pull/60>`_
+
+Minor Changes
+-------------
+
+- Allow to configure TCPPING for cluster discovery `#62 <https://github.com/ansible-middleware/keycloak/pull/62>`_
+- Drop community.general from dependencies `#61 <https://github.com/ansible-middleware/keycloak/pull/61>`_
+- Switch middleware_automation.redhat_csp_download for middleware_automation.common `#63 <https://github.com/ansible-middleware/keycloak/pull/63>`_
+- Switch to middleware_automation.common for rh-sso patching `#64 <https://github.com/ansible-middleware/keycloak/pull/64>`_
+
+v1.1.1
+======
+
+Bugfixes
+--------
+
+- keycloak-quarkus: fix ``cache-config-file`` path in keycloak.conf.j2 template `#53 <https://github.com/ansible-middleware/keycloak/pull/53>`_
+
+v1.1.0
+======
+
+Minor Changes
+-------------
+
+- Update keycloak to 18.0.2 - sso to 7.6.1 `#46 <https://github.com/ansible-middleware/keycloak/pull/46>`_
+- Variable ``keycloak_no_log`` controls ansible ``no_log`` parameter (for debugging purposes) `#47 <https://github.com/ansible-middleware/keycloak/pull/47>`_
+- Variables to override service start retries and delay `#51 <https://github.com/ansible-middleware/keycloak/pull/51>`_
+- keycloak_quarkus: variable to enable development mode `#45 <https://github.com/ansible-middleware/keycloak/pull/45>`_
+
+Breaking Changes / Porting Guide
+--------------------------------
+
+- Rename variables from ``infinispan_`` prefix to ``keycloak_infinispan_`` `#42 <https://github.com/ansible-middleware/keycloak/pull/42>`_
+
+Bugfixes
+--------
+
+- keycloak_quarkus: fix /var/log/keycloak symlink to keycloak log directory `#44 <https://github.com/ansible-middleware/keycloak/pull/44>`_
+
+v1.0.7
+======
+
+Breaking Changes / Porting Guide
+--------------------------------
+
+- keycloak_quarkus: use absolute path for certificate files `#39 <https://github.com/ansible-middleware/keycloak/pull/39>`_
+
+Bugfixes
+--------
+
+- keycloak_quarkus: use become for tasks that will otherwise fail `#38 <https://github.com/ansible-middleware/keycloak/pull/38>`_
+
 v1.0.6
 ======

@@ -26,6 +326,11 @@ Minor Changes
 v1.0.4
 ======

+Release Summary
+---------------
+
+Internal release, documentation or test changes only.
+
 v1.0.3
 ======

@@ -66,7 +371,6 @@ Release Summary

 Minor enhancements, bug and documentation fixes.

-
 Major Changes
 -------------

@@ -84,4 +388,3 @@ Release Summary
 ---------------

 This is the first stable release of the ``middleware_automation.keycloak`` collection.
-
--- a/README.md
+++ b/README.md
@@ -1,14 +1,17 @@
 # Ansible Collection - middleware_automation.keycloak

+<!--start build_status -->
 [![Build Status](https://github.com/ansible-middleware/keycloak/workflows/CI/badge.svg?branch=main)](https://github.com/ansible-middleware/keycloak/actions/workflows/ci.yml)

+> **_NOTE:_ If you are Red Hat customer, install `redhat.sso` (for Red Hat Single Sign-On) or `redhat.rhbk` (for Red Hat Build of Keycloak) from [Automation Hub](https://console.redhat.com/ansible/ansible-dashboard) as the certified version of this collection.**

-Collection to install and configure [Keycloak](https://www.keycloak.org/) or [Red Hat Single Sign-On](https://access.redhat.com/products/red-hat-single-sign-on). 
+<!--end build_status -->
+Collection to install and configure [Keycloak](https://www.keycloak.org/) or [Red Hat Single Sign-On](https://access.redhat.com/products/red-hat-single-sign-on) / [Red Hat Build of Keycloak](https://access.redhat.com/products/red-hat-build-of-keycloak).

 <!--start requires_ansible-->
 ## Ansible version compatibility

-This collection has been tested against following Ansible versions: **>=2.9.10**.
+This collection has been tested against following Ansible versions: **>=2.14.0**.

 Plugins and modules within a collection may be tested with only specific Ansible versions. A collection may contain metadata that identifies these versions.
 <!--end requires_ansible-->
@@ -16,12 +19,15 @@ Plugins and modules within a collection may be tested with only specific Ansible

 ## Installation

+<!--start galaxy_download -->
 ### Installing the Collection from Ansible Galaxy

 Before using the collection, you need to install it with the Ansible Galaxy CLI:

    ansible-galaxy collection install middleware_automation.keycloak

+<!--end galaxy_download -->
+
 You can also include it in a `requirements.yml` file and install it via `ansible-galaxy collection install -r requirements.yml`, using the format:

 ```yaml
@@ -38,84 +44,49 @@ A requirement file is provided to install:

    pip install -r requirements.txt

-
+<!--start roles_paths -->
 ### Included roles

-* [`keycloak`](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak/README.md): role for installing the service.
+* [`keycloak`](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak/README.md): role for installing the service (keycloak <= 19.0).
 * [`keycloak_realm`](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak_realm/README.md): role for configuring a realm, user federation(s), clients and users, in an installed service.
 * [`keycloak_quarkus`](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak_quarkus/README.md): role for installing the quarkus variant of keycloak (>= 17.0.0).
-
+<!--end roles_paths -->

 ## Usage


 ### Install Playbook
-
-* [`playbooks/keycloak.yml`](https://github.com/ansible-middleware/keycloak/blob/main/playbooks/keycloak.yml) installs the upstream(Keycloak) based on the defined variables.
-* [`playbooks/rhsso.yml`](https://github.com/ansible-middleware/keycloak/blob/main/playbooks/rhsso.yml) installs Red Hat Single Sign-On(RHSSO) based on defined variables.
-
+<!--start rhbk_playbook -->
+* [`playbooks/keycloak.yml`](https://github.com/ansible-middleware/keycloak/blob/main/playbooks/keycloak.yml) installs keycloak legacy based on the defined variables (using most defaults).
+* [`playbooks/keycloak_quarkus.yml`](https://github.com/ansible-middleware/keycloak/blob/main/playbooks/keycloak_quarkus.yml) installs keycloak >= 17 based on the defined variables (using most defaults).
+  
 Both playbooks include the `keycloak` role, with different settings, as described in the following sections.

 For full service configuration details, refer to the [keycloak role README](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak/README.md).
+<!--end rhbk_playbook -->

+#### Install from controller node (offline)

-### Choosing between upstream project (Keycloak) and Red Hat Single Sign-On (RHSSO)
-
-The general flag `keycloak_rhsso_enable` controls what to install between upstream (Keycloak, when `False`) or Red Hat Single Sign-On (when `True`).
-The default value for the flag if `True` when Red Hat Network credentials are defined, `False` otherwise.
-
-
-#### Install upstream (Keycloak) from keycloak releases
-
-This is the default approach when RHN credentials are not defined. Keycloak is downloaded from keycloak builds (hosted on github.com) locally, and distributed to target nodes.
-
-
-#### Install RHSSO from the Red Hat Customer Support Portal
-
-Define the credentials as follows, and the default behaviour is to download a fresh archive of RHSSO on the controller node, then distribute to target nodes.
+Making the keycloak zip archive available to the playbook working directory, and setting `keycloak_offline_install` to `true`, allows to skip
+the download tasks. The local path for the archive does match the downloaded archive path, so that it is also used as a cache when multiple hosts are provisioned in a cluster.

 ```yaml
-rhn_username: '<customer_portal_username>'
-rhn_password: '<customer_portal_password>'
-# (keycloak_rhsso_enable defaults to True)
+keycloak_offline_install: true
 ```


-#### Install from controller node (local source)
-
-Making the keycloak zip archive (or the RHSSO zip archive), available to the playbook repository root directory, and setting `keycloak_offline_install` to `True`, allows to skip
-the download tasks. The local path for the archive matches the downloaded archive path, so it is also used as a cache when multiple hosts are provisioned in a cluster.
-
-```yaml
-keycloak_offline_install: True
-```
-
-And depending on `keycloak_rhsso_enable`:
-
-* `True`: install RHSSO using file rh-sso-x.y.z-server-dist.zip
-* `False`: install keycloak using file keycloak-x.y.zip
+<!--start rhn_credentials -->
+<!--end rhn_credentials -->


 #### Install from alternate sources (like corporate Nexus, artifactory, proxy, etc)

-For RHSSO:
-
-```yaml
-keycloak_rhsso_enable: True
-keycloak_rhsso_download_url: "https://<internal-nexus.private.net>/<path>/<to>/rh-sso-x.y.z-server-dist.zip"
-```
-
-For keycloak:
-
-```yaml
-keycloak_rhsso_enable: False
-keycloak_download_url: "https://<internal-nexus.private.net>/<path>/<to>/keycloak-x.y.zip"
-```
+It is possible to perform downloads from alternate sources, using the `keycloak_download_url` variable; make sure the final downloaded filename matches with the source filename (ie. keycloak-legacy-x.y.zip or rh-sso-x.y.z-server-dist.zip).


 ### Example installation command

-Execute the following command from the source root directory 
+Execute the following command from the source root directory

 ```
 ansible-playbook -i <ansible_hosts> -e @rhn-creds.yml playbooks/keycloak.yml -e keycloak_admin_password=<changeme>
@@ -129,14 +100,16 @@ ansible-playbook -i <ansible_hosts> -e @rhn-creds.yml playbooks/keycloak.yml -e
  localhost ansible_connection=local
  ```

+Note: when deploying clustered configurations, all hosts belonging to the cluster must be present in ansible_play_batch; ie. they must be targeted by the same ansible-playbook execution.
+

 ## Configuration


 ### Config Playbook
-
+<!--start rhbk_realm_playbook -->
 [`playbooks/keycloak_realm.yml`](https://github.com/ansible-middleware/keycloak/blob/main/playbooks/keycloak_realm.yml) creates or updates provided realm, user federation(s), client(s), client role(s) and client user(s).
-
+<!--end rhbk_realm_playbook -->

 ### Example configuration command

@@ -154,16 +127,18 @@ ansible-playbook -i <ansible_hosts> playbooks/keycloak_realm.yml -e keycloak_adm
  [keycloak]
  localhost ansible_connection=local
  ```
-
+<!--start rhbk_realm_readme -->
 For full configuration details, refer to the [keycloak_realm role README](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak_realm/README.md).
+<!--end rhbk_realm_readme -->

-## Support
+<!--start support -->
+<!--end support -->

-Keycloak collection v1.0.0 is a Beta release and for [Technical Preview](https://access.redhat.com/support/offerings/techpreview). If you have any issues or questions related to collection, please don't hesitate to contact us on Ansible-middleware-core@redhat.com or open an issue on https://github.com/ansible-middleware/keycloak/issues

 ## License

 Apache License v2.0 or later
-
+<!--start license -->
 See [LICENSE](LICENSE) to view the full text.
+<!--end license -->

--- a/bindep.txt
+++ b/bindep.txt
@@ -1,7 +1,9 @@
-python39-devel [platform:rpm compile]
-git-lfs [platform:rpm]
-python3-netaddr [platform:rpm]
-python3-lxml [platform:rpm]
-python3-jmespath [platform:rpm]
-python3-requests [platform:rpm]
+python3-dev [compile platform:dpkg]
+python3-devel [compile platform:rpm]
+python39-devel [compile platform:centos-8 platform:rhel-8]
+git-lfs [platform:rpm platform:dpkg]
+python3-netaddr [platform:rpm platform:dpkg]
+python3-lxml [platform:rpm platform:dpkg]
+python3-jmespath [platform:rpm platform:dpkg]
+python3-requests [platform:rpm platform:dpkg]

--- a/changelogs/changelog.yaml
+++ b/changelogs/changelog.yaml
@@ -59,6 +59,10 @@ releases:
    - 31.yaml
    release_date: '2022-05-09'
  1.0.4:
+    changes:
+      release_summary: 'Internal release, documentation or test changes only.
+
+        '
    release_date: '2022-05-11'
  1.0.5:
    changes:
@@ -82,3 +86,449 @@ releases:
    - 34.yaml
    - 35.yaml
    release_date: '2022-06-01'
+  1.0.7:
+    changes:
+      breaking_changes:
+      - 'keycloak_quarkus: use absolute path for certificate files `#39 <https://github.com/ansible-middleware/keycloak/pull/39>`_
+
+        '
+      bugfixes:
+      - 'keycloak_quarkus: use become for tasks that will otherwise fail `#38 <https://github.com/ansible-middleware/keycloak/pull/38>`_
+
+        '
+    fragments:
+    - 38.yaml
+    - 39.yaml
+    release_date: '2022-07-06'
+  1.1.0:
+    changes:
+      breaking_changes:
+      - 'Rename variables from ``infinispan_`` prefix to ``keycloak_infinispan_``
+        `#42 <https://github.com/ansible-middleware/keycloak/pull/42>`_
+
+        '
+      bugfixes:
+      - 'keycloak_quarkus: fix /var/log/keycloak symlink to keycloak log directory
+        `#44 <https://github.com/ansible-middleware/keycloak/pull/44>`_
+
+        '
+      minor_changes:
+      - 'Update keycloak to 18.0.2 - sso to 7.6.1 `#46 <https://github.com/ansible-middleware/keycloak/pull/46>`_
+
+        '
+      - 'Variable ``keycloak_no_log`` controls ansible ``no_log`` parameter (for debugging
+        purposes) `#47 <https://github.com/ansible-middleware/keycloak/pull/47>`_
+
+        '
+      - 'Variables to override service start retries and delay `#51 <https://github.com/ansible-middleware/keycloak/pull/51>`_
+
+        '
+      - 'keycloak_quarkus: variable to enable development mode `#45 <https://github.com/ansible-middleware/keycloak/pull/45>`_
+
+        '
+    fragments:
+    - 42.yaml
+    - 44.yaml
+    - 45.yaml
+    - 46.yaml
+    - 47.yaml
+    - 51.yaml
+    release_date: '2023-01-09'
+  1.1.1:
+    changes:
+      bugfixes:
+      - 'keycloak-quarkus: fix ``cache-config-file`` path in keycloak.conf.j2 template
+        `#53 <https://github.com/ansible-middleware/keycloak/pull/53>`_
+
+        '
+    fragments:
+    - 53.yaml
+    release_date: '2023-03-07'
+  1.2.0:
+    changes:
+      major_changes:
+      - 'Provide config for multiple modcluster proxies `#60 <https://github.com/ansible-middleware/keycloak/pull/60>`_
+
+        '
+      minor_changes:
+      - 'Allow to configure TCPPING for cluster discovery `#62 <https://github.com/ansible-middleware/keycloak/pull/62>`_
+
+        '
+      - 'Drop community.general from dependencies `#61 <https://github.com/ansible-middleware/keycloak/pull/61>`_
+
+        '
+      - 'Switch middleware_automation.redhat_csp_download for middleware_automation.common
+        `#63 <https://github.com/ansible-middleware/keycloak/pull/63>`_
+
+        '
+      - 'Switch to middleware_automation.common for rh-sso patching `#64 <https://github.com/ansible-middleware/keycloak/pull/64>`_
+
+        '
+    fragments:
+    - 60.yaml
+    - 61.yaml
+    - 62.yaml
+    - 63.yaml
+    - 64.yaml
+    release_date: '2023-03-16'
+  1.2.1:
+    changes:
+      bugfixes:
+      - 'Pass attributes to realm clients `#69 <https://github.com/ansible-middleware/keycloak/pull/69>`_
+
+        '
+      minor_changes:
+      - 'Allow to setup keycloak HA cluster without remote cache store `#68 <https://github.com/ansible-middleware/keycloak/pull/68>`_
+
+        '
+    fragments:
+    - 68.yaml
+    - 69.yaml
+    release_date: '2023-04-11'
+  1.2.4:
+    changes:
+      bugfixes:
+      - 'Fix deprecation warning for ``ipaddr`` `#77 <https://github.com/ansible-middleware/keycloak/pull/77>`_
+
+        '
+      - 'Fix undefined facts when offline patching sso `#71 <https://github.com/ansible-middleware/keycloak/pull/71>`_
+
+        '
+      minor_changes:
+      - 'Add ``sqlserver`` to keycloak role jdbc configurations `#78 <https://github.com/ansible-middleware/keycloak/pull/78>`_
+
+        '
+      - 'Add configurability for XA transactions `#73 <https://github.com/ansible-middleware/keycloak/pull/73>`_
+
+        '
+    fragments:
+    - 71.yaml
+    - 73.yaml
+    - 77.yaml
+    - 78.yaml
+    release_date: '2023-05-09'
+  1.2.5:
+    changes:
+      minor_changes:
+      - 'Add configuration for database connection pool validation `#85 <https://github.com/ansible-middleware/keycloak/pull/85>`_
+
+        '
+      - 'Allow to configure administration endpoint URL `#86 <https://github.com/ansible-middleware/keycloak/pull/86>`_
+
+        '
+      - 'Allow to force backend URLs to frontend URLs `#84 <https://github.com/ansible-middleware/keycloak/pull/84>`_
+
+        '
+      - 'Introduce systemd unit restart behavior `#81 <https://github.com/ansible-middleware/keycloak/pull/81>`_
+
+        '
+    fragments:
+    - 81.yaml
+    - 84.yaml
+    - 85.yaml
+    - 86.yaml
+    release_date: '2023-05-26'
+  1.2.6:
+    changes:
+      bugfixes:
+      - 'Handle WFLYCTL0117 when background validation millis is 0 `#90 <https://github.com/ansible-middleware/keycloak/pull/90>`_
+
+        '
+      minor_changes:
+      - 'Add profile features enabling/disabling `#87 <https://github.com/ansible-middleware/keycloak/pull/87>`_
+
+        '
+      - 'Improve service restart behavior configuration `#88 <https://github.com/ansible-middleware/keycloak/pull/88>`_
+
+        '
+      - 'Update default xa_datasource_class value for mariadb jdbc configuration `#89
+        <https://github.com/ansible-middleware/keycloak/pull/89>`_
+
+        '
+    fragments:
+    - 87.yaml
+    - 88.yaml
+    - 89.yaml
+    - 90.yaml
+    release_date: '2023-06-07'
+  1.2.7:
+    changes:
+      minor_changes:
+      - 'Allow to override jgroups subnet `#93 <https://github.com/ansible-middleware/keycloak/pull/93>`_
+
+        '
+      - 'keycloak-quarkus: update keycloakx to v21.1.1 `#92 <https://github.com/ansible-middleware/keycloak/pull/92>`_
+
+        '
+    fragments:
+    - 92.yaml
+    - 93.yaml
+    release_date: '2023-06-19'
+  1.2.8:
+    changes:
+      bugfixes:
+      - 'Fix incorrect checks for ``keycloak_jgroups_subnet`` `#98 <https://github.com/ansible-middleware/keycloak/pull/98>`_
+
+        '
+      - 'Undefine ``keycloak_db_valid_conn_sql`` default `#91 <https://github.com/ansible-middleware/keycloak/pull/91>`_
+
+        '
+      - 'Update bindep.txt package python3-devel to support RHEL9 `#105 <https://github.com/ansible-middleware/keycloak/pull/105>`_
+
+        '
+      minor_changes:
+      - 'keycloak_quarkus: set openjdk 17 as default `#103 <https://github.com/ansible-middleware/keycloak/pull/103>`_
+
+        '
+      - 'keycloak_quarkus: update to version 22.0.1 `#107 <https://github.com/ansible-middleware/keycloak/pull/107>`_
+
+        '
+    fragments:
+    - 103.yaml
+    - 105.yaml
+    - 107.yaml
+    - 91.yaml
+    - 98.yaml
+    release_date: '2023-08-28'
+  1.3.0:
+    changes:
+      bugfixes:
+      - 'keycloak_quarkus: fix validation failure upon port configuration change `#113
+        <https://github.com/ansible-middleware/keycloak/pull/113>`_
+
+        '
+      major_changes:
+      - 'Run service as ``keycloak_service_user`` `#106 <https://github.com/ansible-middleware/keycloak/pull/106>`_
+
+        '
+      minor_changes:
+      - 'keycloak_quarkus: Update Keycloak to version 22.0.3 `#112 <https://github.com/ansible-middleware/keycloak/pull/112>`_
+
+        '
+      - 'keycloak_quarkus: fix admin console redirect when running locally `#111 <https://github.com/ansible-middleware/keycloak/pull/111>`_
+
+        '
+      - 'keycloak_quarkus: skip proxy config if ``keycloak_quarkus_proxy_mode`` is
+        ``none`` `#109 <https://github.com/ansible-middleware/keycloak/pull/109>`_
+
+        '
+    fragments:
+    - 106.yaml
+    - 109.yaml
+    - 111.yaml
+    - 112.yaml
+    - 113.yaml
+    release_date: '2023-09-25'
+  2.0.0:
+    changes:
+      breaking_changes:
+      - 'Add support for more http-related configs `#115 <https://github.com/ansible-middleware/keycloak/pull/115>`_
+
+        '
+      - 'Update minimum ansible-core version > 2.14 `#119 <https://github.com/ansible-middleware/keycloak/pull/119>`_
+
+        '
+      - 'keycloak_quarkus: enable config of key store and trust store `#116 <https://github.com/ansible-middleware/keycloak/pull/116>`_
+
+        '
+      minor_changes:
+      - 'Add new parameter for port offset configuration `#124 <https://github.com/ansible-middleware/keycloak/pull/124>`_
+
+        '
+      - 'Update Keycloak to version 22.0.5 `#122 <https://github.com/ansible-middleware/keycloak/pull/122>`_
+
+        '
+    fragments:
+    - 115.yaml
+    - 116.yaml
+    - 119.yaml
+    - 122.yaml
+    - 124.yaml
+    release_date: '2023-11-20'
+  2.0.1:
+    changes:
+      bugfixes:
+      - 'keycloak_quarkus: template requires lowercase boolean values `#138 <https://github.com/ansible-middleware/keycloak/pull/138>`_
+
+        '
+      minor_changes:
+      - 'keycloak_quarkus: add hostname-strict parameter `#139 <https://github.com/ansible-middleware/keycloak/pull/139>`_
+
+        '
+      - 'keycloak_quarkus: update to version 23.0.1 `#133 <https://github.com/ansible-middleware/keycloak/pull/133>`_
+
+        '
+    fragments:
+    - 133.yaml
+    - 138.yaml
+    - 139.yaml
+    release_date: '2023-12-07'
+  2.0.2:
+    changes:
+      bugfixes:
+      - 'keycloak_quarkus: Use ``keycloak_quarkus_java_opts`` `#154 <https://github.com/ansible-middleware/keycloak/pull/154>`_
+
+        '
+      - 'keycloak_quarkus: allow ports <1024 (e.g. :443) in systemd unit `#150 <https://github.com/ansible-middleware/keycloak/pull/150>`_
+
+        '
+      minor_changes:
+      - 'keycloak_quarkus: Add support for sqlserver jdbc driver `#148 <https://github.com/ansible-middleware/keycloak/pull/148>`_
+
+        '
+      - 'keycloak_quarkus: allow configuration of ``hostname-strict-backchannel``
+        `#152 <https://github.com/ansible-middleware/keycloak/pull/152>`_
+
+        '
+      - 'keycloak_quarkus: systemd restart behavior `#145 <https://github.com/ansible-middleware/keycloak/pull/145>`_
+
+        '
+    fragments:
+    - 145.yaml
+    - 148.yaml
+    - 150.yaml
+    - 152.yaml
+    - 154.yaml
+    release_date: '2024-01-17'
+  2.1.0:
+    changes:
+      breaking_changes:
+      - 'keycloak_quarkus: renamed infinispan host list configuration `#157 <https://github.com/ansible-middleware/keycloak/pull/157>`_
+
+        '
+      bugfixes:
+      - 'keycloak_quarkus: fix custom JAVA_HOME parameter name `#171 <https://github.com/ansible-middleware/keycloak/pull/171>`_
+
+        '
+      major_changes:
+      - 'Implement infinispan TCPPING discovery protocol `#159 <https://github.com/ansible-middleware/keycloak/pull/159>`_
+
+        '
+      minor_changes:
+      - 'Set enable-recovery when xa transactions are enabled `#167 <https://github.com/ansible-middleware/keycloak/pull/167>`_
+
+        '
+      - 'keycloak_quarkus: Allow configuring log rotate options in quarkus configuration
+        `#161 <https://github.com/ansible-middleware/keycloak/pull/161>`_
+
+        '
+      - 'keycloak_quarkus: ``sticky-session`` for infinispan routes `#163 <https://github.com/ansible-middleware/keycloak/pull/163>`_
+
+        '
+    fragments:
+    - 157.yaml
+    - 159.yaml
+    - 161.yaml
+    - 163.yaml
+    - 167.yaml
+    - 171.yaml
+    release_date: '2024-02-28'
+  2.1.1:
+    changes:
+      bugfixes:
+      - 'Fix permissions on controller-side downloaded artifacts `#184 <https://github.com/ansible-middleware/keycloak/pull/184>`_
+
+        '
+      - 'JVM args moved to ``JAVA_OPTS`` envvar (instead of JAVA_OPTS_APPEND) `#186
+        <https://github.com/ansible-middleware/keycloak/pull/186>`_
+
+        '
+      - 'Unrelax configuration file permissions `#191 <https://github.com/ansible-middleware/keycloak/pull/191>`_
+
+        '
+      - 'Utilize comment filter for ``ansible_managed`` annotations `#176 <https://github.com/ansible-middleware/keycloak/pull/176>`_
+
+        '
+      minor_changes:
+      - 'Add reverse ``proxy_headers`` config, supersedes ``proxy_mode`` `#187 <https://github.com/ansible-middleware/keycloak/pull/187>`_
+
+        '
+      - 'Debian/Ubuntu compatibility `#178 <https://github.com/ansible-middleware/keycloak/pull/178>`_
+
+        '
+      - 'Use ``keycloak_realm`` as default for sub-entities `#180 <https://github.com/ansible-middleware/keycloak/pull/180>`_
+
+        '
+    fragments:
+    - 176.yaml
+    - 178.yaml
+    - 180.yaml
+    - 184.yaml
+    - 186.yaml
+    - 187.yaml
+    - 191.yaml
+    release_date: '2024-04-17'
+  2.1.2:
+    changes:
+      release_summary: 'Internal release, documentation or test changes only.
+
+        '
+    release_date: '2024-04-17'
+  2.2.0:
+    changes:
+      major_changes:
+      - 'Support java keystore for configuration of sensitive options `#189 <https://github.com/ansible-middleware/keycloak/pull/189>`_
+
+        '
+      minor_changes:
+      - 'Add ``wait_for_port`` and ``wait_for_log`` systemd unit logic `#199 <https://github.com/ansible-middleware/keycloak/pull/199>`_
+
+        '
+      - 'Customize jdbc driver downloads, optional authentication `#202 <https://github.com/ansible-middleware/keycloak/pull/202>`_
+
+        '
+      - 'Keystore-based vault SPI configuration `#196 <https://github.com/ansible-middleware/keycloak/pull/196>`_
+
+        '
+      - 'New ``keycloak_quarkus_hostname_strict_https`` parameter `#195 <https://github.com/ansible-middleware/keycloak/pull/195>`_
+
+        '
+      - 'Providers config and custom providers `#201 <https://github.com/ansible-middleware/keycloak/pull/201>`_
+
+        '
+      - 'Remove administrator credentials from files once keycloak is bootstrapped
+        `#197 <https://github.com/ansible-middleware/keycloak/pull/197>`_
+
+        '
+      - 'Update keycloak to 24.0 `#194 <https://github.com/ansible-middleware/keycloak/pull/194>`_
+
+        '
+    fragments:
+    - 189.yaml
+    - 194.yaml
+    - 195.yaml
+    - 196.yaml
+    - 197.yaml
+    - 199.yaml
+    - 201.yaml
+    - 202.yaml
+    release_date: '2024-05-01'
+  2.2.1:
+    changes:
+      bugfixes:
+      - 'JDBC provider: fix clause in argument validation `#204 <https://github.com/ansible-middleware/keycloak/pull/204>`_
+
+        '
+      release_summary: Internal release, documentation or test changes only.
+    fragments:
+    - 204.yaml
+    - v2.2.1-devel_summary.yaml
+    release_date: '2024-05-02'
+  2.2.2:
+    changes:
+      bugfixes:
+      - 'Turn off controller privilege escalation `#209 <https://github.com/ansible-middleware/keycloak/pull/209>`_
+
+        '
+      minor_changes:
+      - 'Copying of key material for TLS configuration `#210 <https://github.com/ansible-middleware/keycloak/pull/210>`_
+
+        '
+      - 'Validate certs parameter for JDBC driver downloads `#207 <https://github.com/ansible-middleware/keycloak/pull/207>`_
+
+        '
+    fragments:
+    - 207.yaml
+    - 209.yaml
+    - 210.yaml
+    release_date: '2024-05-06'
--- a/docs/_gh_include/header.inc
+++ b/docs/_gh_include/header.inc
@@ -21,6 +21,20 @@
        <div class="wy-side-nav-search" >
            <a href="#" class="icon icon-home"> Keycloak Ansible Collection</a>
        </div>
+        <div class="wy-menu wy-menu-vertical" data-spy="affix" role="navigation" aria-label="Navigation menu">
+            <p class="caption" role="heading"><span class="caption-text">Middleware Automation</span></p>
+            <ul>
+              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/infinispan/main/">Infinispan / Red Hat Data Grid</a></li>
+              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/keycloak/main/">Keycloak / Red Hat Single Sign-On</a></li>
+              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/wildfly/main/">Wildfly / Red Hat JBoss EAP</a></li>
+              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/jws/main/">Tomcat / Red Hat JWS</a></li>
+              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/amq/main/">ActiveMQ / Red Hat AMQ Broker</a></li>
+              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/amq_streams/main/">Kafka / Red Hat AMQ Streams</a></li>
+              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/common/main/">Ansible Middleware utilities</a></li>
+              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/redhat-csp-download/main/">Red Hat CSP Download</a></li>
+              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/ansible_collections_jcliff/main/">JCliff</a></li>
+            </ul>
+        </div>
      </div>
    </nav>
    <section data-toggle="wy-nav-shift" class="wy-nav-content-wrap">
--- a/docs/conf.py
+++ b/docs/conf.py
@@ -43,6 +43,7 @@ extensions = [
    'myst_parser',
    'sphinx.ext.autodoc',
    'sphinx.ext.intersphinx',
+    'sphinx_antsibull_ext',
    'ansible_basic_sphinx_ext',
 ]

@@ -71,7 +72,7 @@ language = None
 exclude_patterns = ['_build', 'Thumbs.db', '.DS_Store', '.tmp']

 # The name of the Pygments (syntax highlighting) style to use.
-pygments_style = 'sphinx'
+pygments_style = 'ansible'

 highlight_language = 'YAML+Jinja'

--- a/docs/index.rst
+++ b/docs/index.rst
@@ -25,8 +25,16 @@ Welcome to Keycloak Collection documentation

   Changelog <CHANGELOG>

-Indices and tables
-==================
+.. toctree::
+   :maxdepth: 2
+   :caption: Middleware collections

-* :ref:`genindex`
-* :ref:`search`
+   Infinispan / Red Hat Data Grid <https://ansible-middleware.github.io/infinispan/main/>
+   Keycloak / Red Hat Single Sign-On <https://ansible-middleware.github.io/keycloak/main/>
+   Wildfly / Red Hat JBoss EAP <https://ansible-middleware.github.io/wildfly/main/>
+   Tomcat / Red Hat JWS <https://ansible-middleware.github.io/jws/main/>
+   ActiveMQ / Red Hat AMQ Broker <https://ansible-middleware.github.io/amq/main/>
+   Kafka / Red Hat AMQ Streams <https://ansible-middleware.github.io/amq_streams/main/>
+   Ansible Middleware utilities <https://ansible-middleware.github.io/common/main/>
+   Red Hat CSP Download <https://ansible-middleware.github.io/redhat-csp-download/main/>
+   JCliff <https://ansible-middleware.github.io/ansible_collections_jcliff/main/>
--- a/docs/requirements.txt
+++ b/docs/requirements.txt
@@ -1,5 +1,8 @@
 antsibull>=0.17.0
-ansible-base>=2.10.12
+antsibull-docs
+antsibull-changelog
+ansible-core>=2.14.1
+ansible-pygments
 sphinx-rtd-theme
 git+https://github.com/felixfontein/ansible-basic-sphinx-ext
 myst-parser
--- a/galaxy.yml
+++ b/galaxy.yml
@@ -1,12 +1,13 @@
 ---
 namespace: middleware_automation
 name: keycloak
-version: "1.0.6"
+version: "2.2.2"
 readme: README.md
 authors:
  - Romain Pelisse <rpelisse@redhat.com>
  - Guido Grazioli <ggraziol@redhat.com>
  - Pavan Kumar Motaparthi <pmotapar@redhat.com>
+  - Helmut Wolf <hwo@world-direct.at>
 description: Install and configure a keycloak, or Red Hat Single Sign-on, service.
 license_file: "LICENSE"
 tags:
@@ -20,15 +21,26 @@ tags:
  - security
  - infrastructure
  - authentication
+  - java
+  - runtimes
+  - middleware
+  - a4mw
 dependencies:
-  "middleware_automation.redhat_csp_download": ">=1.2.1"
-  "middleware_automation.wildfly": ">=1.0.0"
+  "middleware_automation.common": ">=1.1.0"
+  "ansible.posix": ">=1.4.0"
 repository: https://github.com/ansible-middleware/keycloak
 documentation: https://ansible-middleware.github.io/keycloak
 homepage: https://github.com/ansible-middleware/keycloak
 issues: https://github.com/ansible-middleware/keycloak/issues
 build_ignore:
-  - molecule
+  - .gitignore
  - .github
+  - .yamllint
  - '*.tar.gz'
  - '*.zip'
+  - molecule
+  - changelogs
+  - docs/_gh_include
+  - docs/conf.py
+  - docs/roles.rst.template
+  - docs/requirements.yml
--- a/github.json
+++ b/github.json
--- a/meta/runtime.yml
+++ b/meta/runtime.yml
@@ -1,2 +1,2 @@
 ---
-requires_ansible: ">=2.9.10"
+requires_ansible: ">=2.14.0"
--- a/molecule/debian/converge.yml
+++ b/molecule/debian/converge.yml
@@ -0,0 +1,41 @@
+---
+- name: Converge
+  hosts: all
+  vars:
+    keycloak_quarkus_admin_pass: "remembertochangeme"
+    keycloak_realm: TestRealm
+    keycloak_quarkus_log: file
+    keycloak_quarkus_frontend_url: 'http://localhost:8080/'
+    keycloak_quarkus_start_dev: True
+    keycloak_quarkus_proxy_mode: none
+    keycloak_client_default_roles:
+      - TestRoleAdmin
+      - TestRoleUser
+    keycloak_client_users:
+      - username: TestUser
+        password: password
+        client_roles:
+          - client: TestClient
+            role: TestRoleUser
+      - username: TestAdmin
+        password: password
+        client_roles:
+          - client: TestClient
+            role: TestRoleUser
+          - client: TestClient
+            role: TestRoleAdmin
+    keycloak_clients:
+      - name: TestClient
+        roles: "{{ keycloak_client_default_roles }}"
+        public_client: "{{ keycloak_client_public }}"
+        web_origins: "{{ keycloak_client_web_origins }}"
+        users: "{{ keycloak_client_users }}"
+        client_id: TestClient
+        attributes:
+          post.logout.redirect.uris: '/public/logout'
+  roles:
+    - role: keycloak_quarkus
+    - role: keycloak_realm
+      keycloak_realm: TestRealm
+      keycloak_admin_password: "remembertochangeme"
+      keycloak_context: ''
--- a/molecule/debian/molecule.yml
+++ b/molecule/debian/molecule.yml
@@ -0,0 +1,48 @@
+---
+driver:
+  name: docker
+platforms:
+  - name: instance
+    image: ghcr.io/hspaans/molecule-containers:debian-11
+    pre_build_image: true
+    privileged: true
+    port_bindings:
+      - "8080/tcp"
+      - "8443/tcp"
+      - "8009/tcp"
+    cgroupns_mode: host
+    command: "/lib/systemd/systemd"
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:rw
+provisioner:
+  name: ansible
+  config_options:
+    defaults:
+      interpreter_python: auto_silent
+    ssh_connection:
+      pipelining: false
+  playbooks:
+    prepare: prepare.yml
+    converge: converge.yml
+    verify: verify.yml
+  inventory:
+    host_vars:
+      localhost:
+        ansible_python_interpreter: /usr/bin/python3
+  env:
+    ANSIBLE_FORCE_COLOR: "true"
+    ANSIBLE_REMOTE_TMP: /tmp/.ansible/tmp
+verifier:
+  name: ansible
+scenario:
+  test_sequence:
+    - cleanup
+    - destroy
+    - create
+    - prepare
+    - converge
+    - idempotence
+    - side_effect
+    - verify
+    - cleanup
+    - destroy
--- a/molecule/debian/prepare.yml
+++ b/molecule/debian/prepare.yml
@@ -0,0 +1,11 @@
+---
+- name: Prepare
+  hosts: all
+  gather_facts: yes
+  tasks:
+    - name: Install sudo
+      ansible.builtin.apt:
+        name:
+          - sudo
+          - openjdk-17-jdk-headless
+        state: present
--- a/molecule/debian/roles
+++ b/molecule/debian/roles
@@ -0,0 +1 @@
+../../roles
--- a/molecule/debian/verify.yml
+++ b/molecule/debian/verify.yml
@@ -0,0 +1,40 @@
+---
+- name: Verify
+  hosts: all
+  vars:
+    keycloak_admin_password: "remembertochangeme"
+    keycloak_uri: "http://localhost:{{ 8080 + ( keycloak_jboss_port_offset | default(0) ) }}"
+    keycloak_management_port: "http://localhost:{{ 9990 + ( keycloak_jboss_port_offset | default(0) ) }}"
+    keycloak_jboss_port_offset: 10
+  tasks:
+    - name: Populate service facts
+      ansible.builtin.service_facts:
+
+    - name: Check if keycloak service started
+      ansible.builtin.assert:
+        that:
+          - ansible_facts.services["keycloak.service"]["state"] == "running"
+          - ansible_facts.services["keycloak.service"]["status"] == "enabled"
+
+    - name: Verify openid config
+      block:
+        - name: Fetch openID config # noqa blocked_modules command-instead-of-module
+          ansible.builtin.shell: |
+            set -o pipefail
+            curl http://localhost:8080/realms/master/.well-known/openid-configuration -k | jq .
+          args:
+            executable: /bin/bash
+          delegate_to: localhost
+          register: openid_config
+          changed_when: False
+        - name: Verify endpoint URLs
+          ansible.builtin.assert:
+            that:
+              - (openid_config.stdout | from_json)["backchannel_authentication_endpoint"] == 'http://localhost:8080/realms/master/protocol/openid-connect/ext/ciba/auth'
+              - (openid_config.stdout | from_json)['issuer'] == 'http://localhost:8080/realms/master'
+              - (openid_config.stdout | from_json)['authorization_endpoint'] == 'http://localhost:8080/realms/master/protocol/openid-connect/auth'
+              - (openid_config.stdout | from_json)['token_endpoint'] == 'http://localhost:8080/realms/master/protocol/openid-connect/token'
+          delegate_to: localhost
+      when:
+        - hera_home is defined
+        - hera_home | length == 0
--- a/molecule/default/converge.yml
+++ b/molecule/default/converge.yml
@@ -1,9 +1,17 @@
 ---
 - name: Converge
  hosts: all
-  vars: 
+  vars:
    keycloak_admin_password: "remembertochangeme"
    keycloak_jvm_package: java-11-openjdk-headless
+    keycloak_modcluster_enabled: True
+    keycloak_modcluster_urls:
+      - host: myhost1
+        port: 16667
+      - host: myhost2
+        port: 16668
+    keycloak_jboss_port_offset: 10
+    keycloak_log_target: /tmp/keycloak
  roles:
    - role: keycloak
  tasks:
@@ -39,3 +47,16 @@
            web_origins: "{{ keycloak_client_web_origins }}"
            users: "{{ keycloak_client_users }}"
            client_id: TestClient
+            attributes:
+              post.logout.redirect.uris: '/public/logout'
+  pre_tasks:
+    - name: "Retrieve assets server from env"
+      ansible.builtin.set_fact:
+        assets_server: "{{ lookup('env', 'MIDDLEWARE_DOWNLOAD_RELEASE_SERVER_URL') }}"
+
+    - name: "Set offline when assets server from env is defined"
+      ansible.builtin.set_fact:
+        sso_offline_install: True
+      when:
+        - assets_server is defined
+        - assets_server | length > 0
--- a/molecule/default/molecule.yml
+++ b/molecule/default/molecule.yml
@@ -1,12 +1,6 @@
 ---
-dependency:
-  name: shell
-  command: ansible-galaxy collection install -r molecule/default/requirements.yml -p $HOME/.ansible/collections --force-with-deps
 driver:
  name: docker
-lint: |
-  ansible-lint --version
-  ansible-lint -v
 platforms:
  - name: instance
    image: registry.access.redhat.com/ubi8/ubi-init:latest
@@ -16,7 +10,7 @@ platforms:
    port_bindings:
      - "8080/tcp"
      - "8443/tcp"
-      - "8009/tcp"      
+      - "8009/tcp"
 provisioner:
  name: ansible
  config_options:
@@ -33,16 +27,13 @@ provisioner:
      localhost:
        ansible_python_interpreter: "{{ ansible_playbook_python }}"
  env:
-    ANSIBLE_FORCE_COLOR: "true"        
+    ANSIBLE_FORCE_COLOR: "true"
 verifier:
  name: ansible
 scenario:
  test_sequence:
-    - dependency
-    - lint
    - cleanup
    - destroy
-    - syntax
    - create
    - prepare
    - converge
--- a/molecule/default/prepare.yml
+++ b/molecule/default/prepare.yml
@@ -1,10 +1,29 @@
 ---
 - name: Prepare
  hosts: all
+  gather_facts: yes
+  vars:
+    sudo_pkg_name: sudo
  tasks:
-    - name: Install sudo
+    - name: "Run preparation common to all scenario"
+      ansible.builtin.include_tasks: ../prepare.yml
+      vars:
+        assets:
+          - "{{ assets_server }}/sso/7.6.0/rh-sso-7.6.0-server-dist.zip"
+          - "{{ assets_server }}/sso/7.6.1/rh-sso-7.6.1-patch.zip"
+
+    - name: Install JDK8
+      become: yes
      ansible.builtin.yum:
        name:
-          - sudo
          - java-1.8.0-openjdk
        state: present
+      when: ansible_facts['os_family'] == "RedHat"
+
+    - name: Install JDK8
+      become: yes
+      ansible.builtin.apt:
+        name:
+          - openjdk-8-jdk
+        state: present
+      when: ansible_facts['os_family'] == "Debian"
--- a/molecule/default/requirements.yml
+++ b/molecule/default/requirements.yml
@@ -1,10 +0,0 @@
---
-collections:
-  - name: middleware_automation.redhat_csp_download
-    version: ">=1.2.1"
-  - name: middleware_automation.wildfly
-    version: ">=0.0.5"
-  - name: community.general
-  - name: community.docker
-    version: ">=1.9.1"
-    
--- a/molecule/default/verify.yml
+++ b/molecule/default/verify.yml
@@ -4,8 +4,9 @@
  vars:
    keycloak_admin_password: "remembertochangeme"
    keycloak_jvm_package: java-11-openjdk-headless
-    keycloak_port: http://localhost:8080
-    keycloak_management_port: http://localhost:9990
+    keycloak_uri: "http://localhost:{{ 8080 + ( keycloak_jboss_port_offset | default(0) ) }}"
+    keycloak_management_port: "http://localhost:{{ 9990 + ( keycloak_jboss_port_offset | default(0) ) }}"
+    keycloak_jboss_port_offset: 10
  tasks:
    - name: Populate service facts
      ansible.builtin.service_facts:
@@ -14,16 +15,75 @@
        that:
          - ansible_facts.services["keycloak.service"]["state"] == "running"
          - ansible_facts.services["keycloak.service"]["status"] == "enabled"
-    - name: Verify we are running on requested jvm
-      shell: |
-        ps -ef | grep /usr/lib/jvm/java-11 | grep -v grep
+    - name: Verify we are running on requested jvm # noqa blocked_modules command-instead-of-module
+      ansible.builtin.shell: |
+        set -o pipefail
+        ps -ef | grep '/etc/alternatives/jre_11/' | grep -v grep
+      args:
+        executable: /bin/bash
+      changed_when: no
    - name: Verify token api call
      ansible.builtin.uri:
-        url: "{{ keycloak_port }}/auth/realms/master/protocol/openid-connect/token"
+        url: "{{ keycloak_uri }}/auth/realms/master/protocol/openid-connect/token"
        method: POST
        body: "client_id=admin-cli&username=admin&password={{ keycloak_admin_password }}&grant_type=password"
        validate_certs: no
      register: keycloak_auth_response
      until: keycloak_auth_response.status == 200
      retries: 2
-      delay: 2
+      delay: 2
+    - name: Fetch openid-connect config
+      ansible.builtin.uri:
+        url: "{{ keycloak_uri }}/auth/realms/TestRealm/.well-known/openid-configuration"
+        method: GET
+        validate_certs: no
+        status_code: 200
+      register: keycloak_openid_config
+    - name: Verify expected config
+      ansible.builtin.assert:
+        that:
+          - keycloak_openid_config.json.registration_endpoint == 'http://localhost:8080/auth/realms/TestRealm/clients-registrations/openid-connect'
+    - name: Get test realm clients
+      ansible.builtin.uri:
+        url: "{{ keycloak_uri }}/auth/admin/realms/TestRealm/clients"
+        method: GET
+        validate_certs: no
+        status_code: 200
+        headers:
+          Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
+      register: keycloak_query_clients
+    - name: Verify expected config
+      ansible.builtin.assert:
+        that:
+          - (keycloak_query_clients.json | selectattr('clientId','equalto','TestClient') | first)["attributes"]["post.logout.redirect.uris"] == '/public/logout'
+    - name: "Privilege escalation as some files/folders may requires it"
+      become: yes
+      block:
+        - name: Check log folder
+          ansible.builtin.stat:
+            path: "/tmp/keycloak"
+          register: keycloak_log_folder
+        - name: Check that keycloak log folder exists and is a link
+          ansible.builtin.assert:
+            that:
+              - keycloak_log_folder.stat.exists
+              - not keycloak_log_folder.stat.isdir
+              - keycloak_log_folder.stat.islnk
+        - name: Check log file
+          ansible.builtin.stat:
+            path: "/tmp/keycloak/server.log"
+          register: keycloak_log_file
+        - name: Check if keycloak file exists
+          ansible.builtin.assert:
+            that:
+              - keycloak_log_file.stat.exists
+              - not keycloak_log_file.stat.isdir
+        - name: Check default log folder
+          ansible.builtin.stat:
+            path: "/var/log/keycloak"
+          register: keycloak_default_log_folder
+          failed_when: false
+        - name: Check that default keycloak log folder doesn't exist
+          ansible.builtin.assert:
+            that:
+              - not keycloak_default_log_folder.stat.exists
--- a/molecule/https_revproxy/converge.yml
+++ b/molecule/https_revproxy/converge.yml
@@ -0,0 +1,16 @@
+---
+- name: Converge
+  hosts: all
+  vars: 
+    keycloak_quarkus_admin_pass: "remembertochangeme"
+    keycloak_admin_password: "remembertochangeme"
+    keycloak_realm: TestRealm
+    keycloak_quarkus_host: instance
+    keycloak_quarkus_log: file
+    keycloak_quarkus_http_enabled: True
+    keycloak_quarkus_http_port: 8080
+    keycloak_quarkus_proxy_mode: edge
+    keycloak_quarkus_http_relative_path: /
+    keycloak_quarkus_frontend_url: https://proxy/
+  roles:
+    - role: keycloak_quarkus
--- a/molecule/https_revproxy/molecule.yml
+++ b/molecule/https_revproxy/molecule.yml
@@ -0,0 +1,57 @@
+---
+driver:
+  name: docker
+platforms:
+  - name: instance
+    image: registry.access.redhat.com/ubi8/ubi-init:latest
+    pre_build_image: true
+    privileged: true
+    command: "/usr/sbin/init"
+    networks:
+      - name: keycloak
+    port_bindings:
+      - "8080/tcp"
+    published_ports:
+      - 0.0.0.0:8080:8080/tcp
+  - name: proxy
+    image: registry.access.redhat.com/ubi8/ubi-init:latest
+    pre_build_image: true
+    privileged: true
+    command: "/usr/sbin/init"
+    networks:
+      - name: keycloak
+    port_bindings:
+      - "443/tcp"
+    published_ports:
+      - 0.0.0.0:443:443/tcp
+provisioner:
+  name: ansible
+  config_options:
+    defaults:
+      interpreter_python: auto_silent
+    ssh_connection:
+      pipelining: false
+  playbooks:
+    prepare: prepare.yml
+    converge: converge.yml
+    verify: verify.yml
+  inventory:
+    host_vars:
+      localhost:
+        ansible_python_interpreter: "{{ ansible_playbook_python }}"
+  env:
+    ANSIBLE_FORCE_COLOR: "true"
+verifier:
+  name: ansible
+scenario:
+  test_sequence:
+    - cleanup
+    - destroy
+    - create
+    - prepare
+    - converge
+    - idempotence
+    - side_effect
+    - verify
+    - cleanup
+    - destroy
--- a/molecule/https_revproxy/prepare.yml
+++ b/molecule/https_revproxy/prepare.yml
@@ -0,0 +1,49 @@
+---
+- name: Prepare
+  hosts: all
+  tasks:
+    - name: Install sudo
+      ansible.builtin.dnf:
+        name: sudo
+        state: present
+
+    - name: "Display hera_home if defined."
+      ansible.builtin.set_fact:
+        hera_home: "{{ lookup('env', 'HERA_HOME') }}"
+
+- name: Prepare proxy
+  hosts: proxy
+  vars:
+    nginx_proxy: |
+      location / {
+          proxy_set_header        Host $host;
+          proxy_set_header        X-Real-IP $remote_addr;
+          proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header        X-Forwarded-Proto $scheme;
+          proxy_pass              http://instance:8080;
+      }
+  roles:
+    - elan.simple_nginx_reverse_proxy
+  pre_tasks:
+    - name: Create certificate request
+      ansible.builtin.command: openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365 -nodes -subj '/CN=proxy'
+      delegate_to: localhost
+      changed_when: false
+    - name: Make certificate directory
+      ansible.builtin.file:
+        path: /etc/nginx/tls
+        state: directory
+        mode: 0755
+    - name: Copy certificates
+      ansible.builtin.copy:
+        src: "{{ item.name }}"
+        dest: "{{ item.dest }}"
+        mode: 0444
+      become: true
+      loop:
+        - { name: 'cert.pem', dest: '/etc/nginx/tls/certificate.crt' }
+        - { name: 'key.pem', dest: '/etc/nginx/tls/certificate.key' }
+    - name: Update CA trust
+      ansible.builtin.command: update-ca-trust
+      changed_when: false
+      become: true
--- a/molecule/https_revproxy/roles
+++ b/molecule/https_revproxy/roles
@@ -0,0 +1 @@
+../../roles
--- a/molecule/https_revproxy/verify.yml
+++ b/molecule/https_revproxy/verify.yml
@@ -0,0 +1,28 @@
+---
+- name: Verify
+  hosts: instance
+  tasks:
+    - name: Populate service facts
+      ansible.builtin.service_facts:
+
+    - name: Check if keycloak service started
+      ansible.builtin.assert:
+        that:
+          - ansible_facts.services["keycloak.service"]["state"] == "running"
+          - ansible_facts.services["keycloak.service"]["status"] == "enabled"
+
+    - name: Verify openid config
+      block:
+        - name: Fetch openID config # noqa blocked_modules command-instead-of-module
+          ansible.builtin.uri:
+            url: http://localhost:8080/realms/master/.well-known/openid-configuration
+            validate_certs: false
+            headers:
+              Host: proxy
+          register: openid_config
+          changed_when: False
+        - name: Verify endpoint URLs
+          ansible.builtin.assert:
+            that:
+              - openid_config.json['issuer'] == 'https://proxy/realms/master'
+              - openid_config.json['authorization_endpoint'] == 'https://proxy/realms/master/protocol/openid-connect/auth'
--- a/molecule/overridexml/converge.yml
+++ b/molecule/overridexml/converge.yml
@@ -1,43 +1,11 @@
 ---
 - name: Converge
  hosts: all
-  vars: 
+  vars:
    keycloak_admin_password: "remembertochangeme"
    keycloak_config_override_template: custom.xml.j2
    keycloak_http_port: 8081
    keycloak_management_http_port: 19990
+    keycloak_service_runas: True
  roles:
    - role: keycloak
-  tasks:
-    - name: Keycloak Realm Role
-      ansible.builtin.include_role:
-        name: keycloak_realm
-      vars:
-        keycloak_client_default_roles:
-          - TestRoleAdmin
-          - TestRoleUser
-        keycloak_client_users:
-          - username: TestUser
-            password: password
-            client_roles:
-              - client: TestClient
-                role: TestRoleUser
-                realm: "{{ keycloak_realm }}"
-          - username: TestAdmin
-            password: password
-            client_roles:
-              - client: TestClient
-                role: TestRoleUser
-                realm: "{{ keycloak_realm }}"
-              - client: TestClient
-                role: TestRoleAdmin
-                realm: "{{ keycloak_realm }}"
-        keycloak_realm: TestRealm
-        keycloak_clients:
-          - name: TestClient
-            roles: "{{ keycloak_client_default_roles }}"
-            realm: "{{ keycloak_realm }}"
-            public_client: "{{ keycloak_client_public }}"
-            web_origins: "{{ keycloak_client_web_origins }}"
-            users: "{{ keycloak_client_users }}"
-            client_id: TestClient
--- a/molecule/overridexml/molecule.yml
+++ b/molecule/overridexml/molecule.yml
@@ -1,12 +1,6 @@
 ---
-dependency:
-  name: shell
-  command: ansible-galaxy collection install -r molecule/default/requirements.yml -p $HOME/.ansible/collections --force-with-deps
 driver:
  name: docker
-lint: |
-  ansible-lint --version
-  ansible-lint -v
 platforms:
  - name: instance
    image: registry.access.redhat.com/ubi8/ubi-init:latest
@@ -16,7 +10,7 @@ platforms:
    port_bindings:
      - "8080/tcp"
      - "8443/tcp"
-      - "8009/tcp"      
+      - "8009/tcp"
 provisioner:
  name: ansible
  config_options:
@@ -33,16 +27,13 @@ provisioner:
      localhost:
        ansible_python_interpreter: "{{ ansible_playbook_python }}"
  env:
-    ANSIBLE_FORCE_COLOR: "true"        
+    ANSIBLE_FORCE_COLOR: "true"
 verifier:
  name: ansible
 scenario:
  test_sequence:
-    - dependency
-    - lint
    - cleanup
    - destroy
-    - syntax
    - create
    - prepare
    - converge
--- a/molecule/overridexml/prepare.yml
+++ b/molecule/overridexml/prepare.yml
@@ -1,12 +1,12 @@
 ---
 - name: Prepare
  hosts: all
+  gather_facts: yes
+  vars:
+    sudo_pkg_name: sudo
  tasks:
-    - name: Disable beta repos
-      ansible.builtin.command: yum config-manager --disable '*beta*'
-      ignore_errors: yes
-
-    - name: Install sudo
-      ansible.builtin.yum:
-        name: sudo
-        state: present
+    - name: "Run preparation common to all scenario"
+      ansible.builtin.include_tasks: ../prepare.yml
+      vars:
+        assets:
+          - "{{ assets_server }}/sso/7.6.0/rh-sso-7.6.0-server-dist.zip"
--- a/molecule/overridexml/requirements.yml
+++ b/molecule/overridexml/requirements.yml
@@ -1,10 +0,0 @@
---
-collections:
-  - name: middleware_automation.redhat_csp_download
-    version: ">=1.2.1"
-  - name: middleware_automation.wildfly
-    version: ">=0.0.5"
-  - name: community.general
-  - name: community.docker
-    version: ">=1.9.1"
-    
--- a/molecule/overridexml/templates/custom.xml.j2
+++ b/molecule/overridexml/templates/custom.xml.j2
@@ -1,5 +1,5 @@
 <?xml version='1.0' encoding='UTF-8'?>
-<!-- {{ ansible_managed }} -->
+<!-- this is a custom file -->
 <server xmlns="urn:jboss:domain:16.0">
    <extensions>
        <extension module="org.jboss.as.clustering.infinispan"/>
@@ -15,7 +15,6 @@
        <extension module="org.jboss.as.modcluster"/>
        <extension module="org.jboss.as.naming"/>
        <extension module="org.jboss.as.remoting"/>
-        <extension module="org.jboss.as.security"/>
        <extension module="org.jboss.as.transactions"/>
        <extension module="org.jboss.as.weld"/>
        <extension module="org.keycloak.keycloak-server-subsystem"/>
@@ -30,31 +29,6 @@
        <extension module="org.wildfly.extension.undertow"/>
    </extensions>
    <management>
-        <security-realms>
-            <security-realm name="ManagementRealm">
-                <authentication>
-                    <local default-user="$local" skip-group-loading="true"/>
-                    <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
-                </authentication>
-                <authorization map-groups-to-roles="false">
-                    <properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
-                </authorization>
-            </security-realm>
-            <security-realm name="ApplicationRealm">
-                <server-identities>
-                    <ssl>
-                        <keystore path="application.keystore" relative-to="jboss.server.config.dir" keystore-password="password" alias="server" key-password="password" generate-self-signed-certificate-host="localhost"/>
-                    </ssl>
-                </server-identities>
-                <authentication>
-                    <local default-user="$local" allowed-users="*" skip-group-loading="true"/>
-                    <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
-                </authentication>
-                <authorization>
-                    <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
-                </authorization>
-            </security-realm>
-        </security-realms>
        <audit-log>
            <formatters>
                <json-formatter name="json-formatter"/>
@@ -69,8 +43,8 @@
            </logger>
        </audit-log>
        <management-interfaces>
-            <http-interface security-realm="ManagementRealm">
-                <http-upgrade enabled="true"/>
+            <http-interface http-authentication-factory="management-http-authentication">
+                <http-upgrade enabled="true" sasl-authentication-factory="management-sasl-authentication"/>
                <socket-binding http="management-http"/>
            </http-interface>
        </management-interfaces>
@@ -205,6 +179,9 @@
                </thread-pool>
            </thread-pools>
            <default-security-domain value="other"/>
+            <application-security-domains>
+                <application-security-domain name="other" security-domain="ApplicationDomain"/>
+            </application-security-domains>
            <default-missing-method-permissions-deny-access value="true"/>
            <statistics enabled="${wildfly.ejb3.statistics-enabled:${wildfly.statistics-enabled:false}}"/>
            <log-system-exceptions value="true"/>
@@ -278,6 +255,13 @@
                        </mechanism>
                    </mechanism-configuration>
                </http-authentication-factory>
+                <http-authentication-factory name="application-http-authentication" security-domain="ApplicationDomain" http-server-mechanism-factory="global">
+                    <mechanism-configuration>
+                        <mechanism mechanism-name="BASIC">
+                            <mechanism-realm realm-name="ApplicationRealm"/>
+                        </mechanism>
+                    </mechanism-configuration>
+                </http-authentication-factory>
                <provider-http-server-mechanism-factory name="global"/>
            </http>
            <sasl>
@@ -497,8 +481,8 @@
                <default-provider>default</default-provider>
                <provider name="default" enabled="true">
                    <properties>
-                        <property name="frontendUrl" value="{{ keycloak_modcluster.frontend_url }}"/>
-                        <property name="forceBackendUrlToFrontendUrl" value="true"/>
+                        <property name="frontendUrl" value="${keycloak.frontendUrl:}"/>
+                        <property name="forceBackendUrlToFrontendUrl" value="false"/>
                    </properties>
                </provider>
            </spi>
@@ -513,41 +497,9 @@
            <remote-naming/>
        </subsystem>
        <subsystem xmlns="urn:jboss:domain:remoting:4.0">
-            <http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm"/>
+            <http-connector name="http-remoting-connector" connector-ref="default" sasl-authentication-factory="application-sasl-authentication"/>
        </subsystem>
        <subsystem xmlns="urn:jboss:domain:request-controller:1.0"/>
-        <subsystem xmlns="urn:jboss:domain:security:2.0">
-            <security-domains>
-                <security-domain name="other" cache-type="default">
-                    <authentication>
-                        <login-module code="Remoting" flag="optional">
-                            <module-option name="password-stacking" value="useFirstPass"/>
-                        </login-module>
-                        <login-module code="RealmDirect" flag="required">
-                            <module-option name="password-stacking" value="useFirstPass"/>
-                        </login-module>
-                    </authentication>
-                </security-domain>
-                <security-domain name="jboss-web-policy" cache-type="default">
-                    <authorization>
-                        <policy-module code="Delegating" flag="required"/>
-                    </authorization>
-                </security-domain>
-                <security-domain name="jaspitest" cache-type="default">
-                    <authentication-jaspi>
-                        <login-module-stack name="dummy">
-                            <login-module code="Dummy" flag="optional"/>
-                        </login-module-stack>
-                        <auth-module code="Dummy"/>
-                    </authentication-jaspi>
-                </security-domain>
-                <security-domain name="jboss-ejb-policy" cache-type="default">
-                    <authorization>
-                        <policy-module code="Delegating" flag="required"/>
-                    </authorization>
-                </security-domain>
-            </security-domains>
-        </subsystem>
        <subsystem xmlns="urn:jboss:domain:security-manager:1.0">
            <deployment-permissions>
                <maximum-set>
@@ -568,10 +520,11 @@
        <subsystem xmlns="urn:jboss:domain:undertow:12.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
            <buffer-cache name="default"/>
            <server name="default-server">
-                <http-listener name="default" socket-binding="http"/>
+                <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
+                <https-listener name="https" socket-binding="https" ssl-context="applicationSSC" enable-http2="true"/>
                <host name="default-host" alias="localhost">
                    <location name="/" handler="welcome-content"/>
-                    <http-invoker security-realm="ApplicationRealm"/>
+                    <http-invoker http-authentication-factory="application-http-authentication"/>
                </host>
            </server>
            <servlet-container name="default">
@@ -581,20 +534,25 @@
            <handlers>
                <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
            </handlers>
+            <application-security-domains>
+                <application-security-domain name="other" security-domain="ApplicationDomain"/>
+            </application-security-domains>
        </subsystem>
        <subsystem xmlns="urn:jboss:domain:weld:4.0"/>
    </profile>
    <interfaces>
        <interface name="management">
-            <inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
+            <inet-address value="127.0.0.1"/>
        </interface>
        <interface name="public">
-            <inet-address value="${jboss.bind.address:127.0.0.1}"/>
+            <inet-address value="127.0.0.1"/>
        </interface>
    </interfaces>
    <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
        <socket-binding name="http" port="8081"/>
+        <socket-binding name="https" port="8443"/>
        <socket-binding name="management-http" interface="management" port="19990"/>
+        <socket-binding name="management-https" interface="management" port="19991"/>
        <socket-binding name="txn-recovery-environment" port="4712"/>
        <socket-binding name="txn-status-manager" port="4713"/>
        <outbound-socket-binding name="mail-smtp">
--- a/molecule/overridexml/verify.yml
+++ b/molecule/overridexml/verify.yml
@@ -1,6 +1,10 @@
 ---
 - name: Verify
  hosts: all
+  vars:
+    keycloak_uri: "http://localhost:8081"
+    keycloak_management_port: "http://localhost:19990"
+    keycloak_admin_password: "remembertochangeme"
  tasks:
    - name: Populate service facts
      ansible.builtin.service_facts:
@@ -9,3 +13,20 @@
        that:
          - ansible_facts.services["keycloak.service"]["state"] == "running"
          - ansible_facts.services["keycloak.service"]["status"] == "enabled"
+    - name: Verify we are running on requested jvm # noqa blocked_modules command-instead-of-module
+      ansible.builtin.shell: |
+        set -o pipefail
+        ps -ef | grep '/etc/alternatives/jre_1.8.0/' | grep -v grep
+      args:
+        executable: /bin/bash
+      changed_when: no
+    - name: Verify token api call
+      ansible.builtin.uri:
+        url: "{{ keycloak_uri }}/auth/realms/master/protocol/openid-connect/token"
+        method: POST
+        body: "client_id=admin-cli&username=admin&password={{ keycloak_admin_password }}&grant_type=password"
+        validate_certs: no
+      register: keycloak_auth_response
+      until: keycloak_auth_response.status == 200
+      retries: 2
+      delay: 2
--- a/molecule/prepare.yml
+++ b/molecule/prepare.yml
@@ -0,0 +1,58 @@
+---
+- name: Display Ansible version
+  ansible.builtin.debug:
+    msg: "Ansible version is  {{ ansible_version.full }}"
+
+- name: "Set package name for sudo"
+  ansible.builtin.set_fact:
+    sudo_pkg_name: sudo
+
+- name: "Ensure {{ sudo_pkg_name }} is installed (if user is root)."
+  ansible.builtin.yum:
+    name: "{{ sudo_pkg_name }}"
+    state: present
+  when:
+    - ansible_user_id == 'root'
+
+- name: Gather the package facts
+  ansible.builtin.package_facts:
+    manager: auto
+
+- name: "Check if sudo is installed."
+  ansible.builtin.assert:
+    that:
+      - sudo_pkg_name in ansible_facts.packages
+    fail_msg: "sudo is not installed on target system"
+
+- name: "Install iproute"
+  become: true
+  ansible.builtin.yum:
+    name:
+      - iproute
+    state: present
+
+- name: "Retrieve assets server from env"
+  ansible.builtin.set_fact:
+    assets_server: "{{ lookup('env', 'MIDDLEWARE_DOWNLOAD_RELEASE_SERVER_URL') }}"
+
+- name: "Download artefacts only if assets_server is set"
+  when:
+    - assets_server is defined
+    - assets_server | length > 0
+    - assets is defined
+    - assets | length > 0
+  block:
+    - name: "Set offline when assets server from env is defined"
+      ansible.builtin.set_fact:
+        sso_offline_install: True
+
+    - name: "Download and deploy zips from {{ assets_server }}"
+      ansible.builtin.get_url:
+        url: "{{ asset }}"
+        dest: "{{ lookup('env', 'PWD') }}"
+        validate_certs: no
+        mode: '0644'
+      delegate_to: localhost
+      loop: "{{ assets }}"
+      loop_control:
+        loop_var: asset
--- a/molecule/quarkus-devmode/converge.yml
+++ b/molecule/quarkus-devmode/converge.yml
@@ -0,0 +1,44 @@
+---
+- name: Converge
+  hosts: all
+  vars: 
+    keycloak_quarkus_admin_pass: "remembertochangeme"
+    keycloak_admin_password: "remembertochangeme"
+    keycloak_realm: TestRealm
+    keycloak_quarkus_log: file
+    keycloak_quarkus_frontend_url: 'http://localhost:8080/'
+    keycloak_quarkus_start_dev: True
+    keycloak_quarkus_proxy_mode: none
+    keycloak_quarkus_java_home: /opt/openjdk/
+  roles:
+    - role: keycloak_quarkus
+    - role: keycloak_realm
+      keycloak_context: ''
+      keycloak_client_default_roles:
+        - TestRoleAdmin
+        - TestRoleUser
+      keycloak_client_users:
+        - username: TestUser
+          password: password
+          client_roles:
+            - client: TestClient
+              role: TestRoleUser
+              realm: "{{ keycloak_realm }}"
+        - username: TestAdmin
+          password: password
+          client_roles:
+            - client: TestClient
+              role: TestRoleUser
+              realm: "{{ keycloak_realm }}"
+            - client: TestClient
+              role: TestRoleAdmin
+              realm: "{{ keycloak_realm }}"
+      keycloak_realm: TestRealm
+      keycloak_clients:
+        - name: TestClient
+          roles: "{{ keycloak_client_default_roles }}"
+          realm: "{{ keycloak_realm }}"
+          public_client: "{{ keycloak_client_public }}"
+          web_origins: "{{ keycloak_client_web_origins }}"
+          users: "{{ keycloak_client_users }}"
+          client_id: TestClient
--- a/molecule/quarkus-devmode/molecule.yml
+++ b/molecule/quarkus-devmode/molecule.yml
@@ -0,0 +1,45 @@
+---
+driver:
+  name: docker
+platforms:
+  - name: instance
+    image: registry.access.redhat.com/ubi8/ubi-init:latest
+    pre_build_image: true
+    privileged: true
+    command: "/usr/sbin/init"
+    port_bindings:
+      - "8080/tcp"
+      - "8009/tcp"
+    published_ports:
+      - 0.0.0.0:8080:8080/tcp
+provisioner:
+  name: ansible
+  config_options:
+    defaults:
+      interpreter_python: auto_silent
+    ssh_connection:
+      pipelining: false
+  playbooks:
+    prepare: prepare.yml
+    converge: converge.yml
+    verify: verify.yml
+  inventory:
+    host_vars:
+      localhost:
+        ansible_python_interpreter: "{{ ansible_playbook_python }}"
+  env:
+    ANSIBLE_FORCE_COLOR: "true"
+verifier:
+  name: ansible
+scenario:
+  test_sequence:
+    - cleanup
+    - destroy
+    - create
+    - prepare
+    - converge
+    - idempotence
+    - side_effect
+    - verify
+    - cleanup
+    - destroy
--- a/molecule/quarkus-devmode/prepare.yml
+++ b/molecule/quarkus-devmode/prepare.yml
@@ -0,0 +1,49 @@
+---
+- name: Prepare
+  hosts: all
+  tasks:
+    - name: Install sudo
+      ansible.builtin.apt:
+        name:
+          - sudo
+          - openjdk-17-jdk-headless
+        state: present
+      when:
+        - ansible_facts.os_family == 'Debian'
+
+    - name: "Ensure common prepare phase are set."
+      ansible.builtin.include_tasks: ../prepare.yml
+
+    - name: Install JDK17
+      become: yes
+      ansible.builtin.yum:
+        name:
+          - java-17-openjdk-headless
+        state: present
+      when:
+        - ansible_facts.os_family == 'RedHat'
+
+    - name: Link default logs directory
+      become: yes
+      ansible.builtin.file:
+        state: link
+        src: "{{ item }}"
+        dest: /opt/openjdk
+        force: true
+      with_fileglob:
+        - /usr/lib/jvm/java-17-openjdk*
+      when:
+        - ansible_facts.os_family == "Debian"
+
+    - name: Link default logs directory
+      ansible.builtin.file:
+        state: link
+        src: /usr/lib/jvm/jre-17-openjdk
+        dest: /opt/openjdk
+        force: true
+      when:
+        - ansible_facts.os_family == "RedHat"
+
+    - name: "Display hera_home if defined."
+      ansible.builtin.set_fact:
+        hera_home: "{{ lookup('env', 'HERA_HOME') }}"
--- a/molecule/quarkus-devmode/roles
+++ b/molecule/quarkus-devmode/roles
@@ -0,0 +1 @@
+../../roles
--- a/molecule/quarkus-devmode/verify.yml
+++ b/molecule/quarkus-devmode/verify.yml
@@ -0,0 +1,47 @@
+---
+- name: Verify
+  hosts: all
+  tasks:
+    - name: Populate service facts
+      ansible.builtin.service_facts:
+
+    - name: Check if keycloak service started
+      ansible.builtin.assert:
+        that:
+          - ansible_facts.services["keycloak.service"]["state"] == "running"
+          - ansible_facts.services["keycloak.service"]["status"] == "enabled"
+
+    - name: Verify we are running on requested JAVA_HOME # noqa blocked_modules command-instead-of-module
+      ansible.builtin.shell: |
+        set -o pipefail
+        ps -ef | grep '/opt/openjdk' | grep -v grep
+      args:
+        executable: /bin/bash
+      changed_when: False
+
+    - name: Set internal envvar
+      ansible.builtin.set_fact:
+        hera_home: "{{ lookup('env', 'HERA_HOME') }}"
+
+    - name: Verify openid config
+      block:
+        - name: Fetch openID config # noqa blocked_modules command-instead-of-module
+          ansible.builtin.shell: |
+            set -o pipefail
+            curl http://localhost:8080/realms/master/.well-known/openid-configuration -k | jq .
+          args:
+            executable: /bin/bash
+          delegate_to: localhost
+          register: openid_config
+          changed_when: False
+        - name: Verify endpoint URLs
+          ansible.builtin.assert:
+            that:
+              - (openid_config.stdout | from_json)["backchannel_authentication_endpoint"] == 'http://localhost:8080/realms/master/protocol/openid-connect/ext/ciba/auth'
+              - (openid_config.stdout | from_json)['issuer'] == 'http://localhost:8080/realms/master'
+              - (openid_config.stdout | from_json)['authorization_endpoint'] == 'http://localhost:8080/realms/master/protocol/openid-connect/auth'
+              - (openid_config.stdout | from_json)['token_endpoint'] == 'http://localhost:8080/realms/master/protocol/openid-connect/token'
+          delegate_to: localhost
+      when:
+        - hera_home is defined
+        - hera_home | length == 0
--- a/molecule/quarkus/converge.yml
+++ b/molecule/quarkus/converge.yml
@@ -1,16 +1,36 @@
 ---
 - name: Converge
  hosts: all
-  vars: 
+  vars:
    keycloak_quarkus_admin_pass: "remembertochangeme"
    keycloak_admin_password: "remembertochangeme"
    keycloak_realm: TestRealm
-    keycloak_quarkus_host: instance:8443
-    keycloak_quarkus_http_relative_path: ''
+    keycloak_quarkus_host: instance
    keycloak_quarkus_log: file
-    keycloak_quarkus_https_enabled: True
-    keycloak_quarkus_key_file: conf/key.pem
-    keycloak_quarkus_cert_file: conf/cert.pem
+    keycloak_quarkus_log_level: debug
+    keycloak_quarkus_https_key_file_enabled: true
+    keycloak_quarkus_key_file_copy_enabled: true
+    keycloak_quarkus_key_content: "{{ lookup('file', 'key.pem') }}"
+    keycloak_quarkus_cert_file_copy_enabled: true
+    keycloak_quarkus_cert_file_src: cert.pem
+    keycloak_quarkus_log_target: /tmp/keycloak
+    keycloak_quarkus_ks_vault_enabled: true
+    keycloak_quarkus_ks_vault_file: "/opt/keycloak/vault/keystore.p12"
+    keycloak_quarkus_ks_vault_pass: keystorepassword
+    keycloak_quarkus_systemd_wait_for_port: true
+    keycloak_quarkus_systemd_wait_for_timeout: 20
+    keycloak_quarkus_systemd_wait_for_delay: 2
+    keycloak_quarkus_systemd_wait_for_log: true
+    keycloak_quarkus_providers:
+      - id: http-client
+        spi: connections
+        default: true
+        restart: true
+        properties:
+          - key: default-connection-pool-size
+            value: 10
+      - id: spid-saml
+        url: https://github.com/italia/spid-keycloak-provider/releases/download/24.0.2/spid-provider.jar
  roles:
    - role: keycloak_quarkus
    - role: keycloak_realm
--- a/molecule/quarkus/molecule.yml
+++ b/molecule/quarkus/molecule.yml
@@ -1,12 +1,6 @@
 ---
-dependency:
-  name: shell
-  command: ansible-galaxy collection install -r molecule/default/requirements.yml -p $HOME/.ansible/collections --force-with-deps
 driver:
  name: docker
-lint: |
-  ansible-lint --version
-  ansible-lint -v
 platforms:
  - name: instance
    image: registry.access.redhat.com/ubi8/ubi-init:latest
@@ -35,16 +29,13 @@ provisioner:
      localhost:
        ansible_python_interpreter: "{{ ansible_playbook_python }}"
  env:
-    ANSIBLE_FORCE_COLOR: "true"        
+    ANSIBLE_FORCE_COLOR: "true"
 verifier:
  name: ansible
 scenario:
  test_sequence:
-    - dependency
-    - lint
    - cleanup
    - destroy
-    - syntax
    - create
    - prepare
    - converge
--- a/molecule/quarkus/prepare.yml
+++ b/molecule/quarkus/prepare.yml
@@ -2,25 +2,43 @@
 - name: Prepare
  hosts: all
  tasks:
-    - name: Install sudo
-      ansible.builtin.yum:
-        name: sudo
-        state: present
-    - command: openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365 -nodes -subj '/CN=instance'
+    - name: "Display hera_home if defined."
+      ansible.builtin.set_fact:
+        hera_home: "{{ lookup('env', 'HERA_HOME') }}"
+
+    - name: "Ensure common prepare phase are set."
+      ansible.builtin.include_tasks: ../prepare.yml
+
+    - name: Create certificate request
+      ansible.builtin.command: openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365 -nodes -subj '/CN=instance'
      delegate_to: localhost
-    - lineinfile:
-        dest: /etc/hosts
-        line: "127.0.0.1 instance"
-        state: present
-      delegate_to: localhost
-      become: yes
-    - file:
+      changed_when: False
+
+    - name: Create vault directory
+      become: true
+      ansible.builtin.file:
        state: directory
-        path: /opt/keycloak/keycloak-18.0.0/conf/
-    - copy:
-        src: "{{ item }}"
-        dest: "/opt/keycloak/keycloak-18.0.0/conf/{{ item }}"
+        path: "/opt/keycloak/vault"
+        mode: 0755
+
+    - name: Make sure a jre is available (for keytool to prepare keystore)
+      delegate_to: localhost
+      ansible.builtin.package:
+        name: "{{ 'java-17-openjdk-headless' if hera_home | length > 0 else 'openjdk-17-jdk-headless' }}"
+        state: present
+      become: true
+      failed_when: false
+
+    - name: Create vault keystore
+      ansible.builtin.command: keytool -importpass -alias TestRealm_testalias -keystore keystore.p12 -storepass keystorepassword
+      delegate_to: localhost
+      register: keytool_cmd
+      changed_when: False
+      failed_when: not 'already exists' in keytool_cmd.stdout and keytool_cmd.rc != 0
+
+    - name: Copy certificates and vault
+      become: true
+      ansible.builtin.copy:
+        src: keystore.p12
+        dest: /opt/keycloak/vault/keystore.p12
        mode: 0444
-      loop:
-        - cert.pem
-        - key.pem
--- a/molecule/quarkus/requirements.yml
+++ b/molecule/quarkus/requirements.yml
@@ -1,10 +0,0 @@
---
-collections:
-  - name: middleware_automation.redhat_csp_download
-    version: ">=1.2.1"
-  - name: middleware_automation.wildfly
-    version: ">=0.0.5"
-  - name: community.general
-  - name: community.docker
-    version: ">=1.9.1"
-    
--- a/molecule/quarkus/verify.yml
+++ b/molecule/quarkus/verify.yml
@@ -4,24 +4,83 @@
  tasks:
    - name: Populate service facts
      ansible.builtin.service_facts:
+
    - name: Check if keycloak service started
      ansible.builtin.assert:
        that:
          - ansible_facts.services["keycloak.service"]["state"] == "running"
          - ansible_facts.services["keycloak.service"]["status"] == "enabled"
-    - name: Fetch openID config
-      shell: |
-        curl https://instance:8443/realms/master/.well-known/openid-configuration -k | jq .
-      delegate_to: localhost
-      register: openid_config
-    - debug:
-        msg: " {{ openid_config.stdout | from_json }}"
-      delegate_to: localhost
-    - name: Verify endpoint URLs
-      assert:
+        fail_msg: "Service not running"
+
+    - name: Set internal envvar
+      ansible.builtin.set_fact:
+        hera_home: "{{ lookup('env', 'HERA_HOME') }}"
+
+    - name: Verify openid config
+      when:
+        - hera_home is defined
+        - hera_home | length == 0
+      block:
+        - name: Fetch openID config # noqa blocked_modules command-instead-of-module
+          ansible.builtin.shell: |
+            set -o pipefail
+            curl -H 'Host: instance' https://localhost:8443/realms/master/.well-known/openid-configuration -k | jq .
+          args:
+            executable: /bin/bash
+          delegate_to: localhost
+          register: openid_config
+          changed_when: False
+        - name: Verify endpoint URLs
+          ansible.builtin.assert:
+            that:
+              - (openid_config.stdout | from_json)["backchannel_authentication_endpoint"] == 'https://instance/realms/master/protocol/openid-connect/ext/ciba/auth'
+              - (openid_config.stdout | from_json)['issuer'] == 'https://instance/realms/master'
+              - (openid_config.stdout | from_json)['authorization_endpoint'] == 'https://instance/realms/master/protocol/openid-connect/auth'
+              - (openid_config.stdout | from_json)['token_endpoint'] == 'https://instance/realms/master/protocol/openid-connect/token'
+          delegate_to: localhost
+
+    - name: Check log folder
+      ansible.builtin.stat:
+        path: /tmp/keycloak
+      register: keycloak_log_folder
+
+    - name: Check that keycloak log folder exists and is a link
+      ansible.builtin.assert:
        that:
-          - (openid_config.stdout | from_json)["backchannel_authentication_endpoint"] == 'https://instance:8443/realms/master/protocol/openid-connect/ext/ciba/auth'
-          - (openid_config.stdout | from_json)['issuer'] == 'https://instance:8443/realms/master'
-          - (openid_config.stdout | from_json)['authorization_endpoint'] == 'https://instance:8443/realms/master/protocol/openid-connect/auth'
-          - (openid_config.stdout | from_json)['token_endpoint'] == 'https://instance:8443/realms/master/protocol/openid-connect/token'
-      delegate_to: localhost
+          - keycloak_log_folder.stat.exists
+          - not keycloak_log_folder.stat.isdir
+          - keycloak_log_folder.stat.islnk
+        fail_msg: "Service log symlink not correctly created"
+
+    - name: Check log file
+      become: true
+      ansible.builtin.stat:
+        path: /tmp/keycloak/keycloak.log
+      register: keycloak_log_file
+
+    - name: Check if keycloak file exists
+      ansible.builtin.assert:
+        that:
+          - keycloak_log_file.stat.exists
+          - not keycloak_log_file.stat.isdir
+
+    - name: Check default log folder
+      become: yes
+      ansible.builtin.stat:
+        path: /var/log/keycloak
+      register: keycloak_default_log_folder
+      failed_when: false
+
+    - name: Check that default keycloak log folder doesn't exist
+      ansible.builtin.assert:
+        that:
+          - not keycloak_default_log_folder.stat.exists
+
+    - name: Verify vault SPI in logfile
+      become: true
+      ansible.builtin.shell: |
+        set -o pipefail
+        zgrep 'Configured KeystoreVaultProviderFactory with the keystore file' /opt/keycloak/keycloak-*/data/log/keycloak.log*zip
+      changed_when: false
+      failed_when: slurped_log.rc != 0
+      register: slurped_log
--- a/molecule/requirements.yml
+++ b/molecule/requirements.yml
@@ -0,0 +1,11 @@
+---
+collections:
+  - name: middleware_automation.common
+  - name: middleware_automation.jbcs
+  - name: community.general
+  - name: ansible.posix
+  - name: community.docker
+    version: ">=3.8.0"
+
+roles:
+  - name: elan.simple_nginx_reverse_proxy
--- a/playbooks/keycloak.yml
+++ b/playbooks/keycloak.yml
@@ -3,7 +3,5 @@
  hosts: all
  vars:
    keycloak_admin_password: "remembertochangeme"
-  collections:
-    - middleware_automation.keycloak
  roles:
-    - keycloak
+    - middleware_automation.keycloak.keycloak
--- a/playbooks/keycloak_federation.yml
+++ b/playbooks/keycloak_federation.yml
@@ -0,0 +1,68 @@
+---
+- name: Playbook for Keycloak Hosts
+  hosts: all
+  tasks:
+    - name: Keycloak Realm Role
+      ansible.builtin.include_role:
+        name: keycloak_realm
+      vars:
+        keycloak_admin_password: "remembertochangeme"
+        keycloak_realm: TestRealm
+        keycloak_user_federation:
+          - realm: TestRealm
+            name: my-ldap
+            provider_id: ldap
+            provider_type: org.keycloak.storage.UserStorageProvider
+            config:
+              priority: '0'
+              enabled: true
+              cachePolicy: DEFAULT
+              batchSizeForSync: '1000'
+              editMode: READ_ONLY
+              importEnabled: true
+              syncRegistrations: false
+              vendor: other
+              usernameLDAPAttribute: uid
+              rdnLDAPAttribute: uid
+              uuidLDAPAttribute: entryUUID
+              userObjectClasses: inetOrgPerson, organizationalPerson
+              connectionUrl: ldaps://ldap.example.com:636
+              usersDn: ou=Users,dc=example,dc=com
+              authType: simple
+              bindDn: cn=directory reader
+              bindCredential: password
+              searchScope: '1'
+              validatePasswordPolicy: false
+              trustEmail: false
+              useTruststoreSpi: ldapsOnly
+              connectionPooling: true
+              pagination: true
+              allowKerberosAuthentication: false
+              debug: false
+              useKerberosForPasswordAuthentication: false
+            mappers:
+              - name: "full name"
+                providerId: "full-name-ldap-mapper"
+                providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
+                config:
+                  ldap.full.name.attribute: cn
+                  read.only: true
+                  write.only: false
+        keycloak_clients:
+          - name: TestClient1
+            client_id: TestClient1
+            roles:
+              - TestClient1Admin
+              - TestClient1User
+            realm: "{{ keycloak_realm }}"
+            public_client: true
+            web_origins:
+              - http://testclient1origin/application
+              - http://testclient1origin/other
+            users:
+              - username: TestUser
+                password: password
+                client_roles:
+                  - client: TestClient1
+                    role: TestClient1User
+                    realm: "{{ keycloak_realm }}"
--- a/playbooks/keycloak_quarkus.yml
+++ b/playbooks/keycloak_quarkus.yml
@@ -1,15 +1,11 @@
 ---
- name: Playbook for Keycloak X Hosts
+- name: Playbook for Keycloak X Hosts with HTTPS enabled
  hosts: all
  vars:
-    keycloak_admin_password: "remembertochangeme"
-    keycloak_quarkus_host: localhost:8443
-    keycloak_quarkus_http_relative_path: ''
+    keycloak_quarkus_admin_pass: "remembertochangeme"
+    keycloak_quarkus_host: localhost
+    keycloak_quarkus_port: 8443
    keycloak_quarkus_log: file
-    keycloak_quarkus_https_enabled: True
-    keycloak_quarkus_key_file: conf/key.pem
-    keycloak_quarkus_cert_file: conf/cert.pem
-  collections:
-    - middleware_automation.keycloak
+    keycloak_quarkus_proxy_mode: none
  roles:
-    - keycloak_quarkus
+    - middleware_automation.keycloak.keycloak_quarkus
--- a/playbooks/keycloak_quarkus_dev.yml
+++ b/playbooks/keycloak_quarkus_dev.yml
@@ -0,0 +1,12 @@
+---
+- name: Playbook for Keycloak X Hosts in develop mode
+  hosts: all
+  vars:
+    keycloak_admin_password: "remembertochangeme"
+    keycloak_quarkus_host: localhost
+    keycloak_quarkus_port: 8080
+    keycloak_quarkus_log: file
+    keycloak_quarkus_start_dev: true
+    keycloak_quarkus_proxy_mode: none
+  roles:
+    - middleware_automation.keycloak.keycloak_quarkus
--- a/playbooks/keycloak_realm.yml
+++ b/playbooks/keycloak_realm.yml
@@ -1,67 +1,26 @@
 ---
 - name: Playbook for Keycloak Hosts
  hosts: all
-  tasks:
-    - name: Keycloak Realm Role
-      ansible.builtin.include_role:
-        name: middleware_automation.keycloak.keycloak_realm
-      vars:
-        keycloak_admin_password: "remembertochangeme"
-        keycloak_realm: TestRealm
-        keycloak_user_federation:
-          - realm: TestRealm
-            name: my-ldap
-            provider_id: ldap
-            provider_type: org.keycloak.storage.UserStorageProvider
-            config:
-              priority: '0'
-              enabled: true
-              cachePolicy: DEFAULT
-              batchSizeForSync: '1000'
-              editMode: READ_ONLY
-              importEnabled: true
-              syncRegistrations: false
-              vendor: other
-              usernameLDAPAttribute: uid
-              rdnLDAPAttribute: uid
-              uuidLDAPAttribute: entryUUID
-              userObjectClasses: inetOrgPerson, organizationalPerson
-              connectionUrl: ldaps://ldap.example.com:636
-              usersDn: ou=Users,dc=example,dc=com
-              authType: simple
-              bindDn: cn=directory reader
-              bindCredential: password
-              searchScope: '1'
-              validatePasswordPolicy: false
-              trustEmail: false
-              useTruststoreSpi: ldapsOnly
-              connectionPooling: true
-              pagination: true
-              allowKerberosAuthentication: false
-              debug: false
-              useKerberosForPasswordAuthentication: false
-            mappers:
-              - name: "full name"
-                providerId: "full-name-ldap-mapper"
-                providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
-                config:
-                  ldap.full.name.attribute: cn
-                  read.only: true
-                  write.only: false
-        keycloak_clients:
-          - name: TestClient1
-            roles:
-              - TestClient1Admin
-              - TestClient1User
-            realm: "{{ keycloak_realm }}"
-            public_client: True
-            web_origins:
-              - http://testclient1origin/application
-              - http://testclient1origin/other
-            users:
-            - username: TestUser
-              password: password
-              client_roles:
-                - client: TestClient1
-                  role: TestClient1User
-                  realm: "{{ keycloak_realm }}"
+  vars:
+    keycloak_admin_password: "remembertochangeme"
+    keycloak_clients:
+      - name: TestClient1
+        client_id: TestClient1
+        roles:
+          - TestClient1Admin
+          - TestClient1User
+        realm: TestRealm
+        public_client: true
+        web_origins:
+          - http://testclient1origin/application
+          - http://testclient1origin/other
+        users:
+          - username: TestUser
+            password: password
+            client_roles:
+              - client: TestClient1
+                role: TestClient1User
+                realm: TestRealm
+  roles:
+    - role: middleware_automation.keycloak.keycloak_realm
+      keycloak_realm: TestRealm
--- a/playbooks/rhsso.yml
+++ b/playbooks/rhsso.yml
@@ -1,12 +1,8 @@
 ---
- name: Playbook for Keycloak Hosts
-  hosts: keycloak
+- name: Playbook for Red Hat SSO Hosts
+  hosts: sso
  vars:
    keycloak_admin_password: "remembertochangeme"
-    keycloak_rhsso_enable: True
-  collections:
-    - middleware_automation.redhat_csp_download
-    - middleware_automation.keycloak
+    sso_enable: true
  roles:
-    - middleware_automation.redhat_csp_download.redhat_csp_download
    - middleware_automation.keycloak.keycloak
--- a/plugins/doc_fragments/attributes.py
+++ b/plugins/doc_fragments/attributes.py
@@ -0,0 +1,93 @@
+# -*- coding: utf-8 -*-
+
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+
+class ModuleDocFragment(object):
+
+    # Standard documentation fragment
+    DOCUMENTATION = r'''
+options: {}
+attributes:
+    check_mode:
+      description: Can run in C(check_mode) and return changed status prediction without modifying target.
+    diff_mode:
+      description: Will return details on what has changed (or possibly needs changing in C(check_mode)), when in diff mode.
+'''
+
+    PLATFORM = r'''
+options: {}
+attributes:
+    platform:
+      description: Target OS/families that can be operated against.
+      support: N/A
+'''
+
+    # Should be used together with the standard fragment
+    INFO_MODULE = r'''
+options: {}
+attributes:
+    check_mode:
+      support: full
+      details:
+        - This action does not modify state.
+    diff_mode:
+      support: N/A
+      details:
+        - This action does not modify state.
+'''
+
+    CONN = r'''
+options: {}
+attributes:
+    become:
+      description: Is usable alongside C(become) keywords.
+    connection:
+      description: Uses the target's configured connection information to execute code on it.
+    delegation:
+      description: Can be used in conjunction with C(delegate_to) and related keywords.
+'''
+
+    FACTS = r'''
+options: {}
+attributes:
+    facts:
+      description: Action returns an C(ansible_facts) dictionary that will update existing host facts.
+'''
+
+    # Should be used together with the standard fragment and the FACTS fragment
+    FACTS_MODULE = r'''
+options: {}
+attributes:
+    check_mode:
+      support: full
+      details:
+        - This action does not modify state.
+    diff_mode:
+      support: N/A
+      details:
+        - This action does not modify state.
+    facts:
+      support: full
+'''
+
+    FILES = r'''
+options: {}
+attributes:
+    safe_file_operations:
+      description: Uses Ansible's strict file operation functions to ensure proper permissions and avoid data corruption.
+'''
+
+    FLOW = r'''
+options: {}
+attributes:
+    action:
+      description: Indicates this has a corresponding action plugin so some parts of the options can be executed on the controller.
+    async:
+      description: Supports being used with the C(async) keyword.
+'''
--- a/plugins/doc_fragments/keycloak.py
+++ b/plugins/doc_fragments/keycloak.py
@@ -0,0 +1,78 @@
+# -*- coding: utf-8 -*-
+
+# Copyright (c) 2017, Eike Frost <ei@kefro.st>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+
+class ModuleDocFragment(object):
+
+    # Standard documentation fragment
+    DOCUMENTATION = r'''
+options:
+    auth_keycloak_url:
+        description:
+            - URL to the Keycloak instance.
+        type: str
+        required: true
+        aliases:
+          - url
+
+    auth_client_id:
+        description:
+            - OpenID Connect I(client_id) to authenticate to the API with.
+        type: str
+        default: admin-cli
+
+    auth_realm:
+        description:
+            - Keycloak realm name to authenticate to for API access.
+        type: str
+
+    auth_client_secret:
+        description:
+            - Client Secret to use in conjunction with I(auth_client_id) (if required).
+        type: str
+
+    auth_username:
+        description:
+            - Username to authenticate for API access with.
+        type: str
+        aliases:
+          - username
+
+    auth_password:
+        description:
+            - Password to authenticate for API access with.
+        type: str
+        aliases:
+          - password
+
+    token:
+        description:
+            - Authentication token for Keycloak API.
+        type: str
+        version_added: 3.0.0
+
+    validate_certs:
+        description:
+            - Verify TLS certificates (do not disable this in production).
+        type: bool
+        default: true
+
+    connection_timeout:
+        description:
+            - Controls the HTTP connections timeout period (in seconds) to Keycloak API.
+        type: int
+        default: 10
+        version_added: 4.5.0
+    http_agent:
+        description:
+            - Configures the HTTP User-Agent header.
+        type: str
+        default: Ansible
+        version_added: 5.4.0
+'''
--- a/plugins/module_utils/identity/keycloak/keycloak.py
+++ b/plugins/module_utils/identity/keycloak/keycloak.py
--- a/plugins/modules/keycloak_client.py
+++ b/plugins/modules/keycloak_client.py
@@ -0,0 +1,984 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+# Copyright (c) 2017, Eike Frost <ei@kefro.st>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import absolute_import, division, print_function
+__metaclass__ = type
+
+DOCUMENTATION = '''
+---
+module: keycloak_client
+
+short_description: Allows administration of Keycloak clients via Keycloak API
+
+
+description:
+    - This module allows the administration of Keycloak clients via the Keycloak REST API. It
+      requires access to the REST API via OpenID Connect; the user connecting and the client being
+      used must have the requisite access rights. In a default Keycloak installation, admin-cli
+      and an admin user would work, as would a separate client definition with the scope tailored
+      to your needs and a user having the expected roles.
+
+    - The names of module options are snake_cased versions of the camelCase ones found in the
+      Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html).
+      Aliases are provided so camelCased versions can be used as well.
+
+    - The Keycloak API does not always sanity check inputs e.g. you can set
+      SAML-specific settings on an OpenID Connect client for instance and vice versa. Be careful.
+      If you do not specify a setting, usually a sensible default is chosen.
+
+attributes:
+    check_mode:
+        support: full
+    diff_mode:
+        support: full
+
+options:
+    state:
+        description:
+            - State of the client
+            - On C(present), the client will be created (or updated if it exists already).
+            - On C(absent), the client will be removed if it exists
+        choices: ['present', 'absent']
+        default: 'present'
+        type: str
+
+    realm:
+        description:
+            - The realm to create the client in.
+        type: str
+        default: master
+
+    client_id:
+        description:
+            - Client id of client to be worked on. This is usually an alphanumeric name chosen by
+              you. Either this or I(id) is required. If you specify both, I(id) takes precedence.
+              This is 'clientId' in the Keycloak REST API.
+        aliases:
+            - clientId
+        type: str
+
+    id:
+        description:
+            - Id of client to be worked on. This is usually an UUID. Either this or I(client_id)
+              is required. If you specify both, this takes precedence.
+        type: str
+
+    name:
+        description:
+            - Name of the client (this is not the same as I(client_id)).
+        type: str
+
+    description:
+        description:
+            - Description of the client in Keycloak.
+        type: str
+
+    root_url:
+        description:
+            - Root URL appended to relative URLs for this client.
+              This is 'rootUrl' in the Keycloak REST API.
+        aliases:
+            - rootUrl
+        type: str
+
+    admin_url:
+        description:
+            - URL to the admin interface of the client.
+              This is 'adminUrl' in the Keycloak REST API.
+        aliases:
+            - adminUrl
+        type: str
+
+    base_url:
+        description:
+            - Default URL to use when the auth server needs to redirect or link back to the client
+              This is 'baseUrl' in the Keycloak REST API.
+        aliases:
+            - baseUrl
+        type: str
+
+    enabled:
+        description:
+            - Is this client enabled or not?
+        type: bool
+
+    client_authenticator_type:
+        description:
+            - How do clients authenticate with the auth server? Either C(client-secret) or
+              C(client-jwt) can be chosen. When using C(client-secret), the module parameter
+              I(secret) can set it, while for C(client-jwt), you can use the keys C(use.jwks.url),
+              C(jwks.url), and C(jwt.credential.certificate) in the I(attributes) module parameter
+              to configure its behavior.
+              This is 'clientAuthenticatorType' in the Keycloak REST API.
+        choices: ['client-secret', 'client-jwt']
+        aliases:
+            - clientAuthenticatorType
+        type: str
+
+    secret:
+        description:
+            - When using I(client_authenticator_type) C(client-secret) (the default), you can
+              specify a secret here (otherwise one will be generated if it does not exit). If
+              changing this secret, the module will not register a change currently (but the
+              changed secret will be saved).
+        type: str
+
+    registration_access_token:
+        description:
+            - The registration access token provides access for clients to the client registration
+              service.
+              This is 'registrationAccessToken' in the Keycloak REST API.
+        aliases:
+            - registrationAccessToken
+        type: str
+
+    default_roles:
+        description:
+            - list of default roles for this client. If the client roles referenced do not exist
+              yet, they will be created.
+              This is 'defaultRoles' in the Keycloak REST API.
+        aliases:
+            - defaultRoles
+        type: list
+        elements: str
+
+    redirect_uris:
+        description:
+            - Acceptable redirect URIs for this client.
+              This is 'redirectUris' in the Keycloak REST API.
+        aliases:
+            - redirectUris
+        type: list
+        elements: str
+
+    web_origins:
+        description:
+            - List of allowed CORS origins.
+              This is 'webOrigins' in the Keycloak REST API.
+        aliases:
+            - webOrigins
+        type: list
+        elements: str
+
+    not_before:
+        description:
+            - Revoke any tokens issued before this date for this client (this is a UNIX timestamp).
+              This is 'notBefore' in the Keycloak REST API.
+        type: int
+        aliases:
+            - notBefore
+
+    bearer_only:
+        description:
+            - The access type of this client is bearer-only.
+              This is 'bearerOnly' in the Keycloak REST API.
+        aliases:
+            - bearerOnly
+        type: bool
+
+    consent_required:
+        description:
+            - If enabled, users have to consent to client access.
+              This is 'consentRequired' in the Keycloak REST API.
+        aliases:
+            - consentRequired
+        type: bool
+
+    standard_flow_enabled:
+        description:
+            - Enable standard flow for this client or not (OpenID connect).
+              This is 'standardFlowEnabled' in the Keycloak REST API.
+        aliases:
+            - standardFlowEnabled
+        type: bool
+
+    implicit_flow_enabled:
+        description:
+            - Enable implicit flow for this client or not (OpenID connect).
+              This is 'implicitFlowEnabled' in the Keycloak REST API.
+        aliases:
+            - implicitFlowEnabled
+        type: bool
+
+    direct_access_grants_enabled:
+        description:
+            - Are direct access grants enabled for this client or not (OpenID connect).
+              This is 'directAccessGrantsEnabled' in the Keycloak REST API.
+        aliases:
+            - directAccessGrantsEnabled
+        type: bool
+
+    service_accounts_enabled:
+        description:
+            - Are service accounts enabled for this client or not (OpenID connect).
+              This is 'serviceAccountsEnabled' in the Keycloak REST API.
+        aliases:
+            - serviceAccountsEnabled
+        type: bool
+
+    authorization_services_enabled:
+        description:
+            - Are authorization services enabled for this client or not (OpenID connect).
+              This is 'authorizationServicesEnabled' in the Keycloak REST API.
+        aliases:
+            - authorizationServicesEnabled
+        type: bool
+
+    public_client:
+        description:
+            - Is the access type for this client public or not.
+              This is 'publicClient' in the Keycloak REST API.
+        aliases:
+            - publicClient
+        type: bool
+
+    frontchannel_logout:
+        description:
+            - Is frontchannel logout enabled for this client or not.
+              This is 'frontchannelLogout' in the Keycloak REST API.
+        aliases:
+            - frontchannelLogout
+        type: bool
+
+    protocol:
+        description:
+            - Type of client (either C(openid-connect) or C(saml).
+        type: str
+        choices: ['openid-connect', 'saml']
+
+    full_scope_allowed:
+        description:
+            - Is the "Full Scope Allowed" feature set for this client or not.
+              This is 'fullScopeAllowed' in the Keycloak REST API.
+        aliases:
+            - fullScopeAllowed
+        type: bool
+
+    node_re_registration_timeout:
+        description:
+            - Cluster node re-registration timeout for this client.
+              This is 'nodeReRegistrationTimeout' in the Keycloak REST API.
+        type: int
+        aliases:
+            - nodeReRegistrationTimeout
+
+    registered_nodes:
+        description:
+            - dict of registered cluster nodes (with C(nodename) as the key and last registration
+              time as the value).
+              This is 'registeredNodes' in the Keycloak REST API.
+        type: dict
+        aliases:
+            - registeredNodes
+
+    client_template:
+        description:
+            - Client template to use for this client. If it does not exist this field will silently
+              be dropped.
+              This is 'clientTemplate' in the Keycloak REST API.
+        type: str
+        aliases:
+            - clientTemplate
+
+    use_template_config:
+        description:
+            - Whether or not to use configuration from the I(client_template).
+              This is 'useTemplateConfig' in the Keycloak REST API.
+        aliases:
+            - useTemplateConfig
+        type: bool
+
+    use_template_scope:
+        description:
+            - Whether or not to use scope configuration from the I(client_template).
+              This is 'useTemplateScope' in the Keycloak REST API.
+        aliases:
+            - useTemplateScope
+        type: bool
+
+    use_template_mappers:
+        description:
+            - Whether or not to use mapper configuration from the I(client_template).
+              This is 'useTemplateMappers' in the Keycloak REST API.
+        aliases:
+            - useTemplateMappers
+        type: bool
+
+    always_display_in_console:
+        description:
+            - Whether or not to display this client in account console, even if the
+              user does not have an active session.
+        aliases:
+            - alwaysDisplayInConsole
+        type: bool
+        version_added: 4.7.0
+
+    surrogate_auth_required:
+        description:
+            - Whether or not surrogate auth is required.
+              This is 'surrogateAuthRequired' in the Keycloak REST API.
+        aliases:
+            - surrogateAuthRequired
+        type: bool
+
+    authorization_settings:
+        description:
+            - a data structure defining the authorization settings for this client. For reference,
+              please see the Keycloak API docs at U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html#_resourceserverrepresentation).
+              This is 'authorizationSettings' in the Keycloak REST API.
+        type: dict
+        aliases:
+            - authorizationSettings
+
+    authentication_flow_binding_overrides:
+        description:
+            - Override realm authentication flow bindings.
+        type: dict
+        aliases:
+            - authenticationFlowBindingOverrides
+        version_added: 3.4.0
+
+    default_client_scopes:
+        description:
+            - List of default client scopes.
+        aliases:
+            - defaultClientScopes
+        type: list
+        elements: str
+        version_added: 4.7.0
+
+    optional_client_scopes:
+        description:
+            - List of optional client scopes.
+        aliases:
+            - optionalClientScopes
+        type: list
+        elements: str
+        version_added: 4.7.0
+
+    protocol_mappers:
+        description:
+            - a list of dicts defining protocol mappers for this client.
+              This is 'protocolMappers' in the Keycloak REST API.
+        aliases:
+            - protocolMappers
+        type: list
+        elements: dict
+        suboptions:
+            consentRequired:
+                description:
+                    - Specifies whether a user needs to provide consent to a client for this mapper to be active.
+                type: bool
+
+            consentText:
+                description:
+                    - The human-readable name of the consent the user is presented to accept.
+                type: str
+
+            id:
+                description:
+                    - Usually a UUID specifying the internal ID of this protocol mapper instance.
+                type: str
+
+            name:
+                description:
+                    - The name of this protocol mapper.
+                type: str
+
+            protocol:
+                description:
+                    - This is either C(openid-connect) or C(saml), this specifies for which protocol this protocol mapper.
+                      is active.
+                choices: ['openid-connect', 'saml']
+                type: str
+
+            protocolMapper:
+                description:
+                    - The Keycloak-internal name of the type of this protocol-mapper. While an exhaustive list is
+                      impossible to provide since this may be extended through SPIs by the user of Keycloak,
+                      by default Keycloak as of 3.4 ships with at least
+                    - C(docker-v2-allow-all-mapper)
+                    - C(oidc-address-mapper)
+                    - C(oidc-full-name-mapper)
+                    - C(oidc-group-membership-mapper)
+                    - C(oidc-hardcoded-claim-mapper)
+                    - C(oidc-hardcoded-role-mapper)
+                    - C(oidc-role-name-mapper)
+                    - C(oidc-script-based-protocol-mapper)
+                    - C(oidc-sha256-pairwise-sub-mapper)
+                    - C(oidc-usermodel-attribute-mapper)
+                    - C(oidc-usermodel-client-role-mapper)
+                    - C(oidc-usermodel-property-mapper)
+                    - C(oidc-usermodel-realm-role-mapper)
+                    - C(oidc-usersessionmodel-note-mapper)
+                    - C(saml-group-membership-mapper)
+                    - C(saml-hardcode-attribute-mapper)
+                    - C(saml-hardcode-role-mapper)
+                    - C(saml-role-list-mapper)
+                    - C(saml-role-name-mapper)
+                    - C(saml-user-attribute-mapper)
+                    - C(saml-user-property-mapper)
+                    - C(saml-user-session-note-mapper)
+                    - An exhaustive list of available mappers on your installation can be obtained on
+                      the admin console by going to Server Info -> Providers and looking under
+                      'protocol-mapper'.
+                type: str
+
+            config:
+                description:
+                    - Dict specifying the configuration options for the protocol mapper; the
+                      contents differ depending on the value of I(protocolMapper) and are not documented
+                      other than by the source of the mappers and its parent class(es). An example is given
+                      below. It is easiest to obtain valid config values by dumping an already-existing
+                      protocol mapper configuration through check-mode in the I(existing) field.
+                type: dict
+
+    attributes:
+        description:
+            - A dict of further attributes for this client. This can contain various configuration
+              settings; an example is given in the examples section. While an exhaustive list of
+              permissible options is not available; possible options as of Keycloak 3.4 are listed below. The Keycloak
+              API does not validate whether a given option is appropriate for the protocol used; if specified
+              anyway, Keycloak will simply not use it.
+        type: dict
+        suboptions:
+            saml.authnstatement:
+                description:
+                    - For SAML clients, boolean specifying whether or not a statement containing method and timestamp
+                      should be included in the login response.
+
+            saml.client.signature:
+                description:
+                    - For SAML clients, boolean specifying whether a client signature is required and validated.
+
+            saml.encrypt:
+                description:
+                    - Boolean specifying whether SAML assertions should be encrypted with the client's public key.
+
+            saml.force.post.binding:
+                description:
+                    - For SAML clients, boolean specifying whether always to use POST binding for responses.
+
+            saml.onetimeuse.condition:
+                description:
+                    - For SAML clients, boolean specifying whether a OneTimeUse condition should be included in login responses.
+
+            saml.server.signature:
+                description:
+                    - Boolean specifying whether SAML documents should be signed by the realm.
+
+            saml.server.signature.keyinfo.ext:
+                description:
+                    - For SAML clients, boolean specifying whether REDIRECT signing key lookup should be optimized through inclusion
+                      of the signing key id in the SAML Extensions element.
+
+            saml.signature.algorithm:
+                description:
+                    - Signature algorithm used to sign SAML documents. One of C(RSA_SHA256), C(RSA_SHA1), C(RSA_SHA512), or C(DSA_SHA1).
+
+            saml.signing.certificate:
+                description:
+                    - SAML signing key certificate, base64-encoded.
+
+            saml.signing.private.key:
+                description:
+                    - SAML signing key private key, base64-encoded.
+
+            saml_assertion_consumer_url_post:
+                description:
+                    - SAML POST Binding URL for the client's assertion consumer service (login responses).
+
+            saml_assertion_consumer_url_redirect:
+                description:
+                    - SAML Redirect Binding URL for the client's assertion consumer service (login responses).
+
+
+            saml_force_name_id_format:
+                description:
+                    - For SAML clients, Boolean specifying whether to ignore requested NameID subject format and using the configured one instead.
+
+            saml_name_id_format:
+                description:
+                    - For SAML clients, the NameID format to use (one of C(username), C(email), C(transient), or C(persistent))
+
+            saml_signature_canonicalization_method:
+                description:
+                    - SAML signature canonicalization method. This is one of four values, namely
+                      C(http://www.w3.org/2001/10/xml-exc-c14n#) for EXCLUSIVE,
+                      C(http://www.w3.org/2001/10/xml-exc-c14n#WithComments) for EXCLUSIVE_WITH_COMMENTS,
+                      C(http://www.w3.org/TR/2001/REC-xml-c14n-20010315) for INCLUSIVE, and
+                      C(http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments) for INCLUSIVE_WITH_COMMENTS.
+
+            saml_single_logout_service_url_post:
+                description:
+                    - SAML POST binding url for the client's single logout service.
+
+            saml_single_logout_service_url_redirect:
+                description:
+                    - SAML redirect binding url for the client's single logout service.
+
+            user.info.response.signature.alg:
+                description:
+                    - For OpenID-Connect clients, JWA algorithm for signed UserInfo-endpoint responses. One of C(RS256) or C(unsigned).
+
+            request.object.signature.alg:
+                description:
+                    - For OpenID-Connect clients, JWA algorithm which the client needs to use when sending
+                      OIDC request object. One of C(any), C(none), C(RS256).
+
+            use.jwks.url:
+                description:
+                    - For OpenID-Connect clients, boolean specifying whether to use a JWKS URL to obtain client
+                      public keys.
+
+            jwks.url:
+                description:
+                    - For OpenID-Connect clients, URL where client keys in JWK are stored.
+
+            jwt.credential.certificate:
+                description:
+                    - For OpenID-Connect clients, client certificate for validating JWT issued by
+                      client and signed by its key, base64-encoded.
+
+extends_documentation_fragment:
+    - middleware_automation.keycloak.keycloak
+    - middleware_automation.keycloak.attributes
+
+author:
+    - Eike Frost (@eikef)
+'''
+
+EXAMPLES = '''
+- name: Create or update Keycloak client (minimal example), authentication with credentials
+  middleware_automation.keycloak.keycloak_client:
+    auth_keycloak_url: https://auth.example.com/auth
+    auth_realm: master
+    auth_username: USERNAME
+    auth_password: PASSWORD
+    client_id: test
+    state: present
+  delegate_to: localhost
+
+
+- name: Create or update Keycloak client (minimal example), authentication with token
+  middleware_automation.keycloak.keycloak_client:
+    auth_client_id: admin-cli
+    auth_keycloak_url: https://auth.example.com/auth
+    auth_realm: master
+    token: TOKEN
+    client_id: test
+    state: present
+  delegate_to: localhost
+
+
+- name: Delete a Keycloak client
+  middleware_automation.keycloak.keycloak_client:
+    auth_client_id: admin-cli
+    auth_keycloak_url: https://auth.example.com/auth
+    auth_realm: master
+    auth_username: USERNAME
+    auth_password: PASSWORD
+    client_id: test
+    state: absent
+  delegate_to: localhost
+
+
+- name: Create or update a Keycloak client (with all the bells and whistles)
+  middleware_automation.keycloak.keycloak_client:
+    auth_client_id: admin-cli
+    auth_keycloak_url: https://auth.example.com/auth
+    auth_realm: master
+    auth_username: USERNAME
+    auth_password: PASSWORD
+    state: present
+    realm: master
+    client_id: test
+    id: d8b127a3-31f6-44c8-a7e4-4ab9a3e78d95
+    name: this_is_a_test
+    description: Description of this wonderful client
+    root_url: https://www.example.com/
+    admin_url: https://www.example.com/admin_url
+    base_url: basepath
+    enabled: true
+    client_authenticator_type: client-secret
+    secret: REALLYWELLKEPTSECRET
+    redirect_uris:
+      - https://www.example.com/*
+      - http://localhost:8888/
+    web_origins:
+      - https://www.example.com/*
+    not_before: 1507825725
+    bearer_only: false
+    consent_required: false
+    standard_flow_enabled: true
+    implicit_flow_enabled: false
+    direct_access_grants_enabled: false
+    service_accounts_enabled: false
+    authorization_services_enabled: false
+    public_client: false
+    frontchannel_logout: false
+    protocol: openid-connect
+    full_scope_allowed: false
+    node_re_registration_timeout: -1
+    client_template: test
+    use_template_config: false
+    use_template_scope: false
+    use_template_mappers: false
+    always_display_in_console: true
+    registered_nodes:
+      node01.example.com: 1507828202
+    registration_access_token: eyJWT_TOKEN
+    surrogate_auth_required: false
+    default_roles:
+      - test01
+      - test02
+    authentication_flow_binding_overrides:
+      browser: 4c90336b-bf1d-4b87-916d-3677ba4e5fbb
+    protocol_mappers:
+      - config:
+          access.token.claim: true
+          claim.name: "family_name"
+          id.token.claim: true
+          jsonType.label: String
+          user.attribute: lastName
+          userinfo.token.claim: true
+        consentRequired: true
+        consentText: "${familyName}"
+        name: family name
+        protocol: openid-connect
+        protocolMapper: oidc-usermodel-property-mapper
+      - config:
+          attribute.name: Role
+          attribute.nameformat: Basic
+          single: false
+        consentRequired: false
+        name: role list
+        protocol: saml
+        protocolMapper: saml-role-list-mapper
+    attributes:
+      saml.authnstatement: true
+      saml.client.signature: true
+      saml.force.post.binding: true
+      saml.server.signature: true
+      saml.signature.algorithm: RSA_SHA256
+      saml.signing.certificate: CERTIFICATEHERE
+      saml.signing.private.key: PRIVATEKEYHERE
+      saml_force_name_id_format: false
+      saml_name_id_format: username
+      saml_signature_canonicalization_method: "http://www.w3.org/2001/10/xml-exc-c14n#"
+      user.info.response.signature.alg: RS256
+      request.object.signature.alg: RS256
+      use.jwks.url: true
+      jwks.url: JWKS_URL_FOR_CLIENT_AUTH_JWT
+      jwt.credential.certificate: JWT_CREDENTIAL_CERTIFICATE_FOR_CLIENT_AUTH
+  delegate_to: localhost
+'''
+
+RETURN = '''
+msg:
+    description: Message as to what action was taken.
+    returned: always
+    type: str
+    sample: "Client testclient has been updated"
+
+proposed:
+    description: Representation of proposed client.
+    returned: always
+    type: dict
+    sample: {
+      clientId: "test"
+    }
+
+existing:
+    description: Representation of existing client (sample is truncated).
+    returned: always
+    type: dict
+    sample: {
+        "adminUrl": "http://www.example.com/admin_url",
+        "attributes": {
+            "request.object.signature.alg": "RS256",
+        }
+    }
+
+end_state:
+    description: Representation of client after module execution (sample is truncated).
+    returned: on success
+    type: dict
+    sample: {
+        "adminUrl": "http://www.example.com/admin_url",
+        "attributes": {
+            "request.object.signature.alg": "RS256",
+        }
+    }
+'''
+
+from ansible_collections.middleware_automation.keycloak.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \
+    keycloak_argument_spec, get_token, KeycloakError
+from ansible.module_utils.basic import AnsibleModule
+import copy
+
+
+def normalise_cr(clientrep, remove_ids=False):
+    """ Re-sorts any properties where the order so that diff's is minimised, and adds default values where appropriate so that the
+    the change detection is more effective.
+
+    :param clientrep: the clientrep dict to be sanitized
+    :param remove_ids: If set to true, then the unique ID's of objects is removed to make the diff and checks for changed
+                       not alert when the ID's of objects are not usually known, (e.g. for protocol_mappers)
+    :return: normalised clientrep dict
+    """
+    # Avoid the dict passed in to be modified
+    clientrep = clientrep.copy()
+
+    if 'attributes' in clientrep:
+        clientrep['attributes'] = list(sorted(clientrep['attributes']))
+
+    if 'redirectUris' in clientrep:
+        clientrep['redirectUris'] = list(sorted(clientrep['redirectUris']))
+
+    if 'protocolMappers' in clientrep:
+        clientrep['protocolMappers'] = sorted(clientrep['protocolMappers'], key=lambda x: (x.get('name'), x.get('protocol'), x.get('protocolMapper')))
+        for mapper in clientrep['protocolMappers']:
+            if remove_ids:
+                mapper.pop('id', None)
+
+            # Set to a default value.
+            mapper['consentRequired'] = mapper.get('consentRequired', False)
+
+    return clientrep
+
+
+def sanitize_cr(clientrep):
+    """ Removes probably sensitive details from a client representation.
+
+    :param clientrep: the clientrep dict to be sanitized
+    :return: sanitized clientrep dict
+    """
+    result = copy.deepcopy(clientrep)
+    if 'secret' in result:
+        result['secret'] = 'no_log'
+    if 'attributes' in result:
+        if 'saml.signing.private.key' in result['attributes']:
+            result['attributes']['saml.signing.private.key'] = 'no_log'
+    return normalise_cr(result)
+
+
+def main():
+    """
+    Module execution
+
+    :return:
+    """
+    argument_spec = keycloak_argument_spec()
+
+    protmapper_spec = dict(
+        consentRequired=dict(type='bool'),
+        consentText=dict(type='str'),
+        id=dict(type='str'),
+        name=dict(type='str'),
+        protocol=dict(type='str', choices=['openid-connect', 'saml']),
+        protocolMapper=dict(type='str'),
+        config=dict(type='dict'),
+    )
+
+    meta_args = dict(
+        state=dict(default='present', choices=['present', 'absent']),
+        realm=dict(type='str', default='master'),
+
+        id=dict(type='str'),
+        client_id=dict(type='str', aliases=['clientId']),
+        name=dict(type='str'),
+        description=dict(type='str'),
+        root_url=dict(type='str', aliases=['rootUrl']),
+        admin_url=dict(type='str', aliases=['adminUrl']),
+        base_url=dict(type='str', aliases=['baseUrl']),
+        surrogate_auth_required=dict(type='bool', aliases=['surrogateAuthRequired']),
+        enabled=dict(type='bool'),
+        client_authenticator_type=dict(type='str', choices=['client-secret', 'client-jwt'], aliases=['clientAuthenticatorType']),
+        secret=dict(type='str', no_log=True),
+        registration_access_token=dict(type='str', aliases=['registrationAccessToken'], no_log=True),
+        default_roles=dict(type='list', elements='str', aliases=['defaultRoles']),
+        redirect_uris=dict(type='list', elements='str', aliases=['redirectUris']),
+        web_origins=dict(type='list', elements='str', aliases=['webOrigins']),
+        not_before=dict(type='int', aliases=['notBefore']),
+        bearer_only=dict(type='bool', aliases=['bearerOnly']),
+        consent_required=dict(type='bool', aliases=['consentRequired']),
+        standard_flow_enabled=dict(type='bool', aliases=['standardFlowEnabled']),
+        implicit_flow_enabled=dict(type='bool', aliases=['implicitFlowEnabled']),
+        direct_access_grants_enabled=dict(type='bool', aliases=['directAccessGrantsEnabled']),
+        service_accounts_enabled=dict(type='bool', aliases=['serviceAccountsEnabled']),
+        authorization_services_enabled=dict(type='bool', aliases=['authorizationServicesEnabled']),
+        public_client=dict(type='bool', aliases=['publicClient']),
+        frontchannel_logout=dict(type='bool', aliases=['frontchannelLogout']),
+        protocol=dict(type='str', choices=['openid-connect', 'saml']),
+        attributes=dict(type='dict'),
+        full_scope_allowed=dict(type='bool', aliases=['fullScopeAllowed']),
+        node_re_registration_timeout=dict(type='int', aliases=['nodeReRegistrationTimeout']),
+        registered_nodes=dict(type='dict', aliases=['registeredNodes']),
+        client_template=dict(type='str', aliases=['clientTemplate']),
+        use_template_config=dict(type='bool', aliases=['useTemplateConfig']),
+        use_template_scope=dict(type='bool', aliases=['useTemplateScope']),
+        use_template_mappers=dict(type='bool', aliases=['useTemplateMappers']),
+        always_display_in_console=dict(type='bool', aliases=['alwaysDisplayInConsole']),
+        authentication_flow_binding_overrides=dict(type='dict', aliases=['authenticationFlowBindingOverrides']),
+        protocol_mappers=dict(type='list', elements='dict', options=protmapper_spec, aliases=['protocolMappers']),
+        authorization_settings=dict(type='dict', aliases=['authorizationSettings']),
+        default_client_scopes=dict(type='list', elements='str', aliases=['defaultClientScopes']),
+        optional_client_scopes=dict(type='list', elements='str', aliases=['optionalClientScopes']),
+    )
+
+    argument_spec.update(meta_args)
+
+    module = AnsibleModule(argument_spec=argument_spec,
+                           supports_check_mode=True,
+                           required_one_of=([['client_id', 'id'],
+                                             ['token', 'auth_realm', 'auth_username', 'auth_password']]),
+                           required_together=([['auth_realm', 'auth_username', 'auth_password']]))
+
+    result = dict(changed=False, msg='', diff={}, proposed={}, existing={}, end_state={})
+
+    # Obtain access token, initialize API
+    try:
+        connection_header = get_token(module.params)
+    except KeycloakError as e:
+        module.fail_json(msg=str(e))
+
+    kc = KeycloakAPI(module, connection_header)
+
+    realm = module.params.get('realm')
+    cid = module.params.get('id')
+    state = module.params.get('state')
+
+    # Filter and map the parameters names that apply to the client
+    client_params = [x for x in module.params
+                     if x not in list(keycloak_argument_spec().keys()) + ['state', 'realm'] and
+                     module.params.get(x) is not None]
+
+    # See if it already exists in Keycloak
+    if cid is None:
+        before_client = kc.get_client_by_clientid(module.params.get('client_id'), realm=realm)
+        if before_client is not None:
+            cid = before_client['id']
+    else:
+        before_client = kc.get_client_by_id(cid, realm=realm)
+
+    if before_client is None:
+        before_client = {}
+
+    # Build a proposed changeset from parameters given to this module
+    changeset = {}
+
+    for client_param in client_params:
+        new_param_value = module.params.get(client_param)
+
+        # some lists in the Keycloak API are sorted, some are not.
+        if isinstance(new_param_value, list):
+            if client_param in ['attributes']:
+                try:
+                    new_param_value = sorted(new_param_value)
+                except TypeError:
+                    pass
+        # Unfortunately, the ansible argument spec checker introduces variables with null values when
+        # they are not specified
+        if client_param == 'protocol_mappers':
+            new_param_value = [dict((k, v) for k, v in x.items() if x[k] is not None) for x in new_param_value]
+
+        changeset[camel(client_param)] = new_param_value
+
+    # Prepare the desired values using the existing values (non-existence results in a dict that is save to use as a basis)
+    desired_client = before_client.copy()
+    desired_client.update(changeset)
+
+    result['proposed'] = sanitize_cr(changeset)
+    result['existing'] = sanitize_cr(before_client)
+
+    # Cater for when it doesn't exist (an empty dict)
+    if not before_client:
+        if state == 'absent':
+            # Do nothing and exit
+            if module._diff:
+                result['diff'] = dict(before='', after='')
+            result['changed'] = False
+            result['end_state'] = {}
+            result['msg'] = 'Client does not exist; doing nothing.'
+            module.exit_json(**result)
+
+        # Process a creation
+        result['changed'] = True
+
+        if 'clientId' not in desired_client:
+            module.fail_json(msg='client_id needs to be specified when creating a new client')
+
+        if module._diff:
+            result['diff'] = dict(before='', after=sanitize_cr(desired_client))
+
+        if module.check_mode:
+            module.exit_json(**result)
+
+        # create it
+        kc.create_client(desired_client, realm=realm)
+        after_client = kc.get_client_by_clientid(desired_client['clientId'], realm=realm)
+
+        result['end_state'] = sanitize_cr(after_client)
+
+        result['msg'] = 'Client %s has been created.' % desired_client['clientId']
+        module.exit_json(**result)
+
+    else:
+        if state == 'present':
+            # Process an update
+            result['changed'] = True
+
+            if module.check_mode:
+                # We can only compare the current client with the proposed updates we have
+                before_norm = normalise_cr(before_client, remove_ids=True)
+                desired_norm = normalise_cr(desired_client, remove_ids=True)
+                if module._diff:
+                    result['diff'] = dict(before=sanitize_cr(before_norm),
+                                          after=sanitize_cr(desired_norm))
+                result['changed'] = (before_norm != desired_norm)
+
+                module.exit_json(**result)
+
+            # do the update
+            kc.update_client(cid, desired_client, realm=realm)
+
+            after_client = kc.get_client_by_id(cid, realm=realm)
+            if before_client == after_client:
+                result['changed'] = False
+            if module._diff:
+                result['diff'] = dict(before=sanitize_cr(before_client),
+                                      after=sanitize_cr(after_client))
+
+            result['end_state'] = sanitize_cr(after_client)
+
+            result['msg'] = 'Client %s has been updated.' % desired_client['clientId']
+            module.exit_json(**result)
+
+        else:
+            # Process a deletion (because state was not 'present')
+            result['changed'] = True
+
+            if module._diff:
+                result['diff'] = dict(before=sanitize_cr(before_client), after='')
+
+            if module.check_mode:
+                module.exit_json(**result)
+
+            # delete it
+            kc.delete_client(cid, realm=realm)
+            result['proposed'] = {}
+
+            result['end_state'] = {}
+
+            result['msg'] = 'Client %s has been deleted.' % before_client['clientId']
+
+    module.exit_json(**result)
+
+
+if __name__ == '__main__':
+    main()
--- a/plugins/modules/keycloak_role.py
+++ b/plugins/modules/keycloak_role.py
@@ -0,0 +1,374 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+# Copyright (c) 2019, Adam Goossens <adam.goossens@gmail.com>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import absolute_import, division, print_function
+__metaclass__ = type
+
+DOCUMENTATION = '''
+---
+module: keycloak_role
+
+short_description: Allows administration of Keycloak roles via Keycloak API
+
+version_added: 3.4.0
+
+description:
+    - This module allows you to add, remove or modify Keycloak roles via the Keycloak REST API.
+      It requires access to the REST API via OpenID Connect; the user connecting and the client being
+      used must have the requisite access rights. In a default Keycloak installation, admin-cli
+      and an admin user would work, as would a separate client definition with the scope tailored
+      to your needs and a user having the expected roles.
+
+    - The names of module options are snake_cased versions of the camelCase ones found in the
+      Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html).
+
+    - Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will
+      be returned that way by this module. You may pass single values for attributes when calling the module,
+      and this will be translated into a list suitable for the API.
+
+attributes:
+    check_mode:
+        support: full
+    diff_mode:
+        support: full
+
+options:
+    state:
+        description:
+            - State of the role.
+            - On C(present), the role will be created if it does not yet exist, or updated with the parameters you provide.
+            - On C(absent), the role will be removed if it exists.
+        default: 'present'
+        type: str
+        choices:
+            - present
+            - absent
+
+    name:
+        type: str
+        required: true
+        description:
+            - Name of the role.
+            - This parameter is required.
+
+    description:
+        type: str
+        description:
+            - The role description.
+
+    realm:
+        type: str
+        description:
+            - The Keycloak realm under which this role resides.
+        default: 'master'
+
+    client_id:
+        type: str
+        description:
+            - If the role is a client role, the client id under which it resides.
+            - If this parameter is absent, the role is considered a realm role.
+
+    attributes:
+        type: dict
+        description:
+            - A dict of key/value pairs to set as custom attributes for the role.
+            - Values may be single values (e.g. a string) or a list of strings.
+
+extends_documentation_fragment:
+    - middleware_automation.keycloak.keycloak
+    - middleware_automation.keycloak.attributes
+
+author:
+    - Laurent Paumier (@laurpaum)
+'''
+
+EXAMPLES = '''
+- name: Create a Keycloak realm role, authentication with credentials
+  middleware_automation.keycloak.keycloak_role:
+    name: my-new-kc-role
+    realm: MyCustomRealm
+    state: present
+    auth_client_id: admin-cli
+    auth_keycloak_url: https://auth.example.com/auth
+    auth_realm: master
+    auth_username: USERNAME
+    auth_password: PASSWORD
+  delegate_to: localhost
+
+- name: Create a Keycloak realm role, authentication with token
+  middleware_automation.keycloak.keycloak_role:
+    name: my-new-kc-role
+    realm: MyCustomRealm
+    state: present
+    auth_client_id: admin-cli
+    auth_keycloak_url: https://auth.example.com/auth
+    token: TOKEN
+  delegate_to: localhost
+
+- name: Create a Keycloak client role
+  middleware_automation.keycloak.keycloak_role:
+    name: my-new-kc-role
+    realm: MyCustomRealm
+    client_id: MyClient
+    state: present
+    auth_client_id: admin-cli
+    auth_keycloak_url: https://auth.example.com/auth
+    auth_realm: master
+    auth_username: USERNAME
+    auth_password: PASSWORD
+  delegate_to: localhost
+
+- name: Delete a Keycloak role
+  middleware_automation.keycloak.keycloak_role:
+    name: my-role-for-deletion
+    state: absent
+    auth_client_id: admin-cli
+    auth_keycloak_url: https://auth.example.com/auth
+    auth_realm: master
+    auth_username: USERNAME
+    auth_password: PASSWORD
+  delegate_to: localhost
+
+- name: Create a keycloak role with some custom attributes
+  middleware_automation.keycloak.keycloak_role:
+    auth_client_id: admin-cli
+    auth_keycloak_url: https://auth.example.com/auth
+    auth_realm: master
+    auth_username: USERNAME
+    auth_password: PASSWORD
+    name: my-new-role
+    attributes:
+      attrib1: value1
+      attrib2: value2
+      attrib3:
+        - with
+        - numerous
+        - individual
+        - list
+        - items
+  delegate_to: localhost
+'''
+
+RETURN = '''
+msg:
+    description: Message as to what action was taken.
+    returned: always
+    type: str
+    sample: "Role myrole has been updated"
+
+proposed:
+    description: Representation of proposed role.
+    returned: always
+    type: dict
+    sample: {
+        "description": "My updated test description"
+    }
+
+existing:
+    description: Representation of existing role.
+    returned: always
+    type: dict
+    sample: {
+        "attributes": {},
+        "clientRole": true,
+        "composite": false,
+        "containerId": "9f03eb61-a826-4771-a9fd-930e06d2d36a",
+        "description": "My client test role",
+        "id": "561703dd-0f38-45ff-9a5a-0c978f794547",
+        "name": "myrole"
+    }
+
+end_state:
+    description: Representation of role after module execution (sample is truncated).
+    returned: on success
+    type: dict
+    sample: {
+        "attributes": {},
+        "clientRole": true,
+        "composite": false,
+        "containerId": "9f03eb61-a826-4771-a9fd-930e06d2d36a",
+        "description": "My updated client test role",
+        "id": "561703dd-0f38-45ff-9a5a-0c978f794547",
+        "name": "myrole"
+    }
+'''
+
+from ansible_collections.middleware_automation.keycloak.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \
+    keycloak_argument_spec, get_token, KeycloakError
+from ansible.module_utils.basic import AnsibleModule
+
+
+def main():
+    """
+    Module execution
+
+    :return:
+    """
+    argument_spec = keycloak_argument_spec()
+
+    meta_args = dict(
+        state=dict(type='str', default='present', choices=['present', 'absent']),
+        name=dict(type='str', required=True),
+        description=dict(type='str'),
+        realm=dict(type='str', default='master'),
+        client_id=dict(type='str'),
+        attributes=dict(type='dict'),
+    )
+
+    argument_spec.update(meta_args)
+
+    module = AnsibleModule(argument_spec=argument_spec,
+                           supports_check_mode=True,
+                           required_one_of=([['token', 'auth_realm', 'auth_username', 'auth_password']]),
+                           required_together=([['auth_realm', 'auth_username', 'auth_password']]))
+
+    result = dict(changed=False, msg='', diff={}, proposed={}, existing={}, end_state={})
+
+    # Obtain access token, initialize API
+    try:
+        connection_header = get_token(module.params)
+    except KeycloakError as e:
+        module.fail_json(msg=str(e))
+
+    kc = KeycloakAPI(module, connection_header)
+
+    realm = module.params.get('realm')
+    clientid = module.params.get('client_id')
+    name = module.params.get('name')
+    state = module.params.get('state')
+
+    # attributes in Keycloak have their values returned as lists
+    # via the API. attributes is a dict, so we'll transparently convert
+    # the values to lists.
+    if module.params.get('attributes') is not None:
+        for key, val in module.params['attributes'].items():
+            module.params['attributes'][key] = [val] if not isinstance(val, list) else val
+
+    # Filter and map the parameters names that apply to the role
+    role_params = [x for x in module.params
+                   if x not in list(keycloak_argument_spec().keys()) + ['state', 'realm', 'client_id', 'composites'] and
+                   module.params.get(x) is not None]
+
+    # See if it already exists in Keycloak
+    if clientid is None:
+        before_role = kc.get_realm_role(name, realm)
+    else:
+        before_role = kc.get_client_role(name, clientid, realm)
+
+    if before_role is None:
+        before_role = {}
+
+    # Build a proposed changeset from parameters given to this module
+    changeset = {}
+
+    for param in role_params:
+        new_param_value = module.params.get(param)
+        old_value = before_role[param] if param in before_role else None
+        if new_param_value != old_value:
+            changeset[camel(param)] = new_param_value
+
+    # Prepare the desired values using the existing values (non-existence results in a dict that is save to use as a basis)
+    desired_role = before_role.copy()
+    desired_role.update(changeset)
+
+    result['proposed'] = changeset
+    result['existing'] = before_role
+
+    # Cater for when it doesn't exist (an empty dict)
+    if not before_role:
+        if state == 'absent':
+            # Do nothing and exit
+            if module._diff:
+                result['diff'] = dict(before='', after='')
+            result['changed'] = False
+            result['end_state'] = {}
+            result['msg'] = 'Role does not exist, doing nothing.'
+            module.exit_json(**result)
+
+        # Process a creation
+        result['changed'] = True
+
+        if name is None:
+            module.fail_json(msg='name must be specified when creating a new role')
+
+        if module._diff:
+            result['diff'] = dict(before='', after=desired_role)
+
+        if module.check_mode:
+            module.exit_json(**result)
+
+        # create it
+        if clientid is None:
+            kc.create_realm_role(desired_role, realm)
+            after_role = kc.get_realm_role(name, realm)
+        else:
+            kc.create_client_role(desired_role, clientid, realm)
+            after_role = kc.get_client_role(name, clientid, realm)
+
+        result['end_state'] = after_role
+
+        result['msg'] = 'Role {name} has been created'.format(name=name)
+        module.exit_json(**result)
+
+    else:
+        if state == 'present':
+            # Process an update
+
+            # no changes
+            if desired_role == before_role:
+                result['changed'] = False
+                result['end_state'] = desired_role
+                result['msg'] = "No changes required to role {name}.".format(name=name)
+                module.exit_json(**result)
+
+            # doing an update
+            result['changed'] = True
+
+            if module._diff:
+                result['diff'] = dict(before=before_role, after=desired_role)
+
+            if module.check_mode:
+                module.exit_json(**result)
+
+            # do the update
+            if clientid is None:
+                kc.update_realm_role(desired_role, realm)
+                after_role = kc.get_realm_role(name, realm)
+            else:
+                kc.update_client_role(desired_role, clientid, realm)
+                after_role = kc.get_client_role(name, clientid, realm)
+
+            result['end_state'] = after_role
+
+            result['msg'] = "Role {name} has been updated".format(name=name)
+            module.exit_json(**result)
+
+        else:
+            # Process a deletion (because state was not 'present')
+            result['changed'] = True
+
+            if module._diff:
+                result['diff'] = dict(before=before_role, after='')
+
+            if module.check_mode:
+                module.exit_json(**result)
+
+            # delete it
+            if clientid is None:
+                kc.delete_realm_role(name, realm)
+            else:
+                kc.delete_client_role(name, clientid, realm)
+
+            result['end_state'] = {}
+
+            result['msg'] = "Role {name} has been deleted".format(name=name)
+
+    module.exit_json(**result)
+
+
+if __name__ == '__main__':
+    main()
--- a/plugins/modules/keycloak_user_federation.py
+++ b/plugins/modules/keycloak_user_federation.py
--- a/requirements.yml
+++ b/requirements.yml
@@ -1,7 +1,4 @@
 ---
 collections:
-  - name: middleware_automation.redhat_csp_download
-    version: ">=1.2.1"
-  - name: middleware_automation.wildfly
-    version: ">=0.0.5"
-  - name: community.general
+  - name: middleware_automation.common
+  - name: ansible.posix
--- a/roles/keycloak/README.md
+++ b/roles/keycloak/README.md
@@ -10,6 +10,7 @@ Requirements
 This role requires the `python3-netaddr` library installed on the controller node.

 * to install via yum/dnf: `dnf install python3-netaddr`
+* to install via apt: `apt install python3-netaddr`
 * or via pip: `pip install netaddr==0.8.0`
 * or via the collection: `pip install -r requirements.txt`

@@ -19,8 +20,12 @@ Dependencies

 The roles depends on:

-* the `redhat_csp_download` role from [middleware_automation.redhat_csp_download](https://github.com/ansible-middleware/redhat-csp-download) collection if Red Hat Single Sign-on zip have to be downloaded from RHN.
-* the `wildfly_driver` role from [middleware_automation.wildfly](https://github.com/ansible-middleware/wildfly) collection
+* [middleware_automation.common](https://github.com/ansible-middleware/common)
+* [ansible-posix](https://docs.ansible.com/ansible/latest/collections/ansible/posix/index.html)
+
+To install all the dependencies via galaxy:
+
+    ansible-galaxy collection install -r requirements.yml


 Versions
@@ -28,18 +33,19 @@ Versions

 | RH-SSO VERSION | Release Date      | Keycloak Version | EAP Version | Notes           |
 |:---------------|:------------------|:-----------------|:------------|:----------------|
-|`7.5.0 GA`      |September 20, 2021 |`15.0.2`          | `7.4.0`     |[Release Notes](https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.5/html/release_notes/index)|
+|`7.5.0 GA`      |September 20, 2021 |`15.0.2`          | `7.4.6`     |[Release Notes](https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.5/html/release_notes/index)|
+|`7.6.0 GA`      |June 30, 2022      |`18.0.3`          | `7.4.6`     |[Release Notes](https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.6/html-single/release_notes/index)|


 Patching
 --------

-When variable `keycloak_rhsso_apply_patches` is `True` (default: `False`), the role will automatically apply the latest cumulative patch for the selected base version.
+When variable `keycloak_rhsso_apply_patches` is `true` (default: `false`), the role will automatically apply the latest cumulative patch for the selected base version.

 | RH-SSO VERSION | Release Date      | RH-SSO LATEST CP | Notes           |
 |:---------------|:------------------|:-----------------|:----------------|
-|`7.5.0 GA`      |January 20, 2022   |`7.5.1 GA`        |[Release Notes](https://access.redhat.com/articles/6646321)|
-
+|`7.5.0 GA`      |January 20, 2022   |`7.5.3 GA`        |[Release Notes](https://access.redhat.com/articles/6646321)|
+|`7.6.0 GA`      |November 11, 2022  |`7.6.1 GA`        |[Release Notes](https://access.redhat.com/articles/6982711)|


 Role Defaults
@@ -50,9 +56,12 @@ Role Defaults
 | Variable | Description | Default |
 |:---------|:------------|:---------|
 |`keycloak_ha_enabled`| Enable auto configuration for database backend, clustering and remote caches on infinispan | `False` |
+|`keycloak_ha_discovery`| Discovery protocol for HA cluster members | `JDBC_PING` if `keycloak_db_enabled` else `TCPPING` |
 |`keycloak_db_enabled`| Enable auto configuration for database backend | `True` if `keycloak_ha_enabled` is True, else `False` |
+|`keycloak_remote_cache_enabled`| Enable remote cache store when in clustered ha configurations | `True` if `keycloak_ha_enabled` else `False` |
 |`keycloak_admin_user`| Administration console user account | `admin` |
 |`keycloak_bind_address`| Address for binding service ports | `0.0.0.0` |
+|`keycloak_management_port_bind_address`| Address for binding management ports | `127.0.0.1` |
 |`keycloak_host`| hostname | `localhost` |
 |`keycloak_http_port`| HTTP port | `8080` |
 |`keycloak_https_port`| TLS HTTP port | `8443` |
@@ -60,13 +69,19 @@ Role Defaults
 |`keycloak_jgroups_port`| jgroups cluster tcp port | `7600` |
 |`keycloak_management_http_port`| Management port | `9990` |
 |`keycloak_management_https_port`| TLS management port | `9993` |
-|`keycloak_prefer_ipv4`| Prefer IPv4 stack and addresses for port binding | `True` |
+|`keycloak_prefer_ipv4`| Prefer IPv4 stack and addresses for port binding | `true` |
 |`keycloak_config_standalone_xml`| filename for configuration | `keycloak.xml` |
 |`keycloak_service_user`| posix account username | `keycloak` |
 |`keycloak_service_group`| posix account group | `keycloak` |
-|`keycloak_service_pidfile`| pid file path for service | `/run/keycloak.pid` |
+|`keycloak_service_restart_always`| systemd restart always behavior activation | `False` |
+|`keycloak_service_restart_on_failure`| systemd restart on-failure behavior activation | `False` |
+|`keycloak_service_startlimitintervalsec`| systemd StartLimitIntervalSec | `300` |
+|`keycloak_service_startlimitburst`| systemd StartLimitBurst | `5` |
+|`keycloak_service_restartsec`| systemd RestartSec | `10s` |
+|`keycloak_service_pidfile`| pid file path for service | `/run/keycloak/keycloak.pid` |
+|`keycloak_features` | List of `name`/`status` pairs of features (also known as profiles on RH-SSO) to `enable` or `disable`, example: `[ { name: 'docker', status: 'enabled' } ]` | `[]`
 |`keycloak_jvm_package`| RHEL java package runtime | `java-1.8.0-openjdk-headless` |
-|`keycloak_java_home`| JAVA_HOME of installed JRE, leave empty for using specified keycloak_jvm_package RPM path | `None` |
+|`keycloak_java_home`| `JAVA_HOME` of installed JRE, leave empty for using RPM path at `keycloak_jvm_package` | `None` |
 |`keycloak_java_opts`| Additional JVM options | `-Xms1024m -Xmx2048m` |


@@ -74,39 +89,37 @@ Role Defaults

 | Variable | Description | Default |
 |:---------|:------------|:---------|
-|`keycloak_rhsso_enable`| Enable Red Hat Single Sign-on installation | `False` |
-|`keycloak_offline_install` | perform an offline install | `False`|
-|`keycloak_download_url`| Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/<version>/<archive>`| 
-|`keycloak_rhsso_download_url`| Download URL for RHSSO | `https://access.redhat.com/jbossnetwork/restricted/softwareDownload.html?softwareId=<productID>`|
-|`keycloak_version`| keycloak.org package version | `15.0.2` |
-|`keycloak_rhsso_version`| RHSSO version | `7.5.0` |
-|`keycloak_rhsso_apply_patches`| Install RHSSO more recent cumulative patch | `False` |
+|`keycloak_offline_install` | perform an offline install | `false`|
+|`keycloak_download_url`| Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/<version>/<archive>`|
+|`keycloak_version`| keycloak.org package version | `18.0.2` |
 |`keycloak_dest`| Installation root path | `/opt/keycloak` |
 |`keycloak_download_url` | Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/{{ keycloak_version }}/{{ keycloak_archive }}` |
-|`keycloak_rhn_url` | Base download URI for customer portal | `https://access.redhat.com/jbossnetwork/restricted/softwareDownload.html?softwareId=` |
-|`keycloak_configure_firewalld` | Ensure firewalld is running and configure keycloak ports | `False` |
+|`keycloak_configure_firewalld` | Ensure firewalld is running and configure keycloak ports | `false` |


 * Miscellaneous configuration

 | Variable | Description | Default |
 |:---------|:------------|:--------|
-|`keycloak_archive` | keycloak install archive filename | `keycloak-{{ keycloak_version }}.zip` |
+|`keycloak_archive` | keycloak install archive filename | `keycloak-legacy-{{ keycloak_version }}.zip` |
 |`keycloak_download_url_9x` | Download URL for keycloak (deprecated) | `https://downloads.jboss.org/keycloak/{{ keycloak_version }}/{{ keycloak_archive }}` |
 |`keycloak_installdir` | Installation path | `{{ keycloak_dest }}/keycloak-{{ keycloak_version }}` |
-|`keycloak_rhsso_archive` | Red Hat SSO install archive filename | `rh-sso-{{ keycloak_rhsso_version }}-server-dist.zip` |
-|`keycloak_rhsso_installdir`| Installation path for Red Hat SSO | `{{ keycloak_dest }}/rh-sso-{{ keycloak_rhsso_version | regex_replace('^([0-9])\.([0-9]*).*', '\1.\2') }}` |
-|`keycloak_rhsso_download_url`| Full download URI for Red Hat SSO | `{{ keycloak_rhn_url }}{{ rhsso_rhn_id }}` |
-|`keycloak_jboss_home` | Installation work directory | `{{ keycloak_rhsso_installdir if keycloak_rhsso_enable else keycloak_installdir }}` |
+|`keycloak_jboss_home` | Installation work directory | `{{ keycloak_rhsso_installdir }}` |
+|`keycloak_jboss_port_offset` | Port offset for the JBoss socket binding | `0` |
 |`keycloak_config_dir` | Path for configuration | `{{ keycloak_jboss_home }}/standalone/configuration` |
 |`keycloak_config_path_to_standalone_xml` | Custom path for configuration | `{{ keycloak_jboss_home }}/standalone/configuration/{{ keycloak_config_standalone_xml }}` |
 |`keycloak_config_override_template` | Path to custom template for standalone.xml configuration | `''` |
 |`keycloak_auth_realm` | Name for rest authentication realm | `master` |
 |`keycloak_auth_client` | Authentication client for configuration REST calls | `admin-cli` |
-|`keycloak_force_install` | Remove pre-existing versions of service | `False` |
-|`keycloak_url` | URL for configuration rest calls | `http://{{ keycloak_host }}:{{ keycloak_http_port }}` |
-|`keycloak_management_url` | URL for management console rest calls | `http://{{ keycloak_host }}:{{ keycloak_management_http_port }}` |
-|`rhsso_rhn_id` | Customer Portal product ID for Red Hat SSO | `{{ rhsso_rhn_ids[keycloak_rhsso_version].id }}` |
+|`keycloak_force_install` | Remove pre-existing versions of service | `false` |
+|`keycloak_url` | URL for configuration rest calls | `http://{{ keycloak_host }}:{{ keycloak_http_port + keycloak_jboss_port_offset }}` |
+|`keycloak_management_url` | URL for management console rest calls | `http://{{ keycloak_host }}:{{ keycloak_management_http_port + keycloak_jboss_port_offset }}` |
+|`keycloak_frontend_url_force` | Force backend requests to use the frontend URL | `false` |
+|`keycloak_db_background_validation` | Enable background validation of database connection | `false` |
+|`keycloak_db_background_validation_millis`| How frequenly the connection pool is validated in the background | `10000` if background validation enabled |
+|`keycloak_db_background_validate_on_match` | Enable validate on match for database connections | `false` |
+|`keycloak_frontend_url` | frontend URL for keycloak endpoint | `http://localhost:8080/auth/` |
+|`keycloak_log_target`| Set the destination of the keycloak log folder link | `/var/log/keycloak` |


 Role Variables
@@ -117,25 +130,28 @@ The following are a set of _required_ variables for the role:
 | Variable | Description |
 |:---------|:------------|
 |`keycloak_admin_password`| Password for the administration console user account (minimum 12 characters) |
-|`keycloak_frontend_url` | frontend URL for keycloak endpoint | `http://localhost:8080/auth` |
+|`keycloak_frontend_url` | frontend URL for keycloak endpoint | `http://localhost:8080/auth/` |


-The following variables are _required_ only when `keycloak_ha_enabled` is True:
+The following parameters are _required_ only when `keycloak_ha_enabled` is true:

 | Variable | Description | Default |
-|:---------|:------------|:---------|
-|`keycloak_modcluster_url` | URL for the modcluster reverse proxy | `localhost` |
-|`keycloak_jdbc_engine` | backend database engine when db is enabled: [ postgres, mariadb ] | `postgres` |
-|`infinispan_url` | URL for the infinispan remote-cache server | `localhost:11122` |
-|`infinispan_user` | username for connecting to infinispan | `supervisor` |
-|`infinispan_pass` | password for connecting to infinispan | `supervisor` |
-|`infinispan_sasl_mechanism`| Authentication type | `SCRAM-SHA-512` |
-|`infinispan_use_ssl`| Enable hotrod TLS communication | `False` |
-|`infinispan_trust_store_path`| Path to truststore with infinispan server certificate | `/etc/pki/java/cacerts` |
-|`infinispan_trust_store_password`| Password for opening truststore | `changeit` |
+|:---------|:------------|:--------|
+|`keycloak_modcluster_enabled`| Enable configuration for modcluster subsystem | `True` if `keycloak_ha_enabled` is True, else `False` |
+|`keycloak_modcluster_url` | _deprecated_ Host for the modcluster reverse proxy | `localhost` |
+|`keycloak_modcluster_port` | _deprecated_ Port for the modcluster reverse proxy | `6666` |
+|`keycloak_modcluster_urls` | List of {host,port} dicts for the modcluster reverse proxies | `[ { localhost:6666 } ]` |
+|`keycloak_jdbc_engine` | backend database engine when db is enabled: [ postgres, mariadb, sqlserver ] | `postgres` |
+|`keycloak_infinispan_url` | URL for the infinispan remote-cache server | `localhost:11122` |
+|`keycloak_infinispan_user` | username for connecting to infinispan | `supervisor` |
+|`keycloak_infinispan_pass` | password for connecting to infinispan | `supervisor` |
+|`keycloak_infinispan_sasl_mechanism`| Authentication type | `SCRAM-SHA-512` |
+|`keycloak_infinispan_use_ssl`| Enable hotrod TLS communication | `False` |
+|`keycloak_infinispan_trust_store_path`| Path to truststore with infinispan server certificate | `/etc/pki/java/cacerts` |
+|`keycloak_infinispan_trust_store_password`| Password for opening truststore | `changeit` |


-The following variables are _required_ only when `keycloak_db_enabled` is True:
+The following parameters are _required_ only when `keycloak_db_enabled` is true:

 | Variable | Description | Default |
 |:---------|:------------|:---------|
@@ -145,12 +161,17 @@ The following variables are _required_ only when `keycloak_db_enabled` is True:
 |`keycloak_db_pass` | password for connecting to postgres | `keycloak-pass` |


-Example Playbooks
+The following variables are _optional_:
+
+| Variable | Description |
+|:---------|:------------|
+|`keycloak_db_valid_conn_sql` | Override the default database connection validation query sql |
+|`keycloak_admin_url` | Override the default administration endpoint URL |
+|`keycloak_jgroups_subnet`| Override the subnet match for jgroups cluster formation; if not defined, it will be inferred from local machine route configuration |
+
+Example Playbook
 -----------------

-_NOTE_: use ansible vaults or other security systems for storing credentials.
-
-
 * The following is an example playbook that makes use of the role to install keycloak from remote:

 ```yaml
@@ -158,33 +179,10 @@ _NOTE_: use ansible vaults or other security systems for storing credentials.
 - hosts: ...
      vars:
        keycloak_admin_password: "remembertochangeme"
-      collections:
-        - middleware_automation.keycloak
      roles:
        - middleware_automation.keycloak.keycloak
 ```

-* The following is an example playbook that makes use of the role to install Red Hat Single Sign-On from RHN:
-
-```yaml
---
- name: Playbook for RHSSO
-  hosts: keycloak
-  collections:
-    - middleware_automation.redhat_csp_download
-  roles:
-    - redhat_csp_download
-  tasks:
-    - name: Keycloak Role
-      include_role:
-        name: keycloak
-      vars:
-        keycloak_admin_password: "remembertochangeme"
-        keycloak_rhsso_enable: True
-        rhn_username: '<customer portal username>'
-        rhn_password: '<customer portal password>'
-```
-

 * The following example playbook makes use of the role to install keycloak from the controller node:

@@ -199,49 +197,10 @@ _NOTE_: use ansible vaults or other security systems for storing credentials.
            name: keycloak
          vars:
            keycloak_admin_password: "remembertochangeme"
-            keycloak_offline_install: True
+            keycloak_offline_install: true
            # This should be the filename of keycloak archive on Ansible node: keycloak-16.1.0.zip
 ```

-
-* This playbook installs Red Hat Single Sign-On from an alternate url:
-
-```yaml
---
- hosts: keycloak
-  collections:
-    - middleware_automation.keycloak
-  tasks:
-    - name: Keycloak Role
-      include_role:
-        name: keycloak
-      vars:
-        keycloak_admin_password: "remembertochangeme"
-        keycloak_rhsso_enable: True
-        keycloak_rhsso_download_url: "<REPLACE with download url>"
-        # This should be the full of remote source rhsso zip file and can contain basic authentication credentials
-```
-
-
-* The following is an example playbook that makes use of the role to install Red Hat Single Sign-On offline from the controller node, and apply latest cumulative patch:
-
-```yaml
---
- hosts: keycloak
-  collections:
-    - middleware_automation.keycloak
-  tasks:
-    - name: Keycloak Role
-      include_role:
-        name: keycloak
-      vars:
-        keycloak_admin_password: "remembertochangeme"
-        keycloak_rhsso_enable: True
-        keycloak_offline_install: True
-        keycloak_rhsso_apply_patches: True
-        # This should be the filename of rhsso zip file on Ansible node: rh-sso-7.5-server-dist.zip
-```
-
 License
 -------

--- a/roles/keycloak/defaults/main.yml
+++ b/roles/keycloak/defaults/main.yml
@@ -1,38 +1,38 @@
 ---
 ### Configuration specific to keycloak
-keycloak_version: 15.0.2
-keycloak_archive: "keycloak-{{ keycloak_version }}.zip"
-keycloak_download_url: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_version }}/{{ keycloak_archive }}"  
+keycloak_version: 18.0.2
+keycloak_archive: "keycloak-legacy-{{ keycloak_version }}.zip"
+keycloak_download_url: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_version }}/{{ keycloak_archive }}"
 keycloak_download_url_9x: "https://downloads.jboss.org/keycloak/{{ keycloak_version }}/{{ keycloak_archive }}"
 keycloak_installdir: "{{ keycloak_dest }}/keycloak-{{ keycloak_version }}"
-
-### Configuration specific to Red Hat Single Sign-On
-keycloak_rhsso_version: 7.5.0
-rhsso_rhn_id: "{{ rhsso_rhn_ids[keycloak_rhsso_version].id }}"
-keycloak_rhsso_archive: "rh-sso-{{ keycloak_rhsso_version }}-server-dist.zip"
-keycloak_rhsso_installdir: "{{ keycloak_dest }}/rh-sso-{{ keycloak_rhsso_version | regex_replace('^([0-9])\\.([0-9]*).*', '\\1.\\2') }}"
-keycloak_rhn_url: 'https://access.redhat.com/jbossnetwork/restricted/softwareDownload.html?softwareId='
-keycloak_rhsso_download_url: "{{ keycloak_rhn_url }}{{ rhsso_rhn_id }}"
-keycloak_rhsso_apply_patches: False
-
-### keycloak/rhsso choice: by default install rhsso if rhn credentials are defined
-keycloak_rhsso_enable: "{{ True if rhsso_rhn_id is defined and rhn_username is defined and rhn_password is defined else False }}"
-# whether to install from local archive; filename must be keycloak_archive or keycloak_rhsso_archive depending on keycloak_rhsso_enable
-keycloak_offline_install: False
+keycloak_offline_install: false

 ### Install location and service settings
-keycloak_jvm_package: java-1.8.0-openjdk-headless
 keycloak_java_home:
 keycloak_dest: /opt/keycloak
-keycloak_jboss_home: "{{ keycloak_rhsso_installdir if keycloak_rhsso_enable else keycloak_installdir }}"
+keycloak_jboss_home: "{{ keycloak_installdir }}"
+keycloak_jboss_port_offset: 0
 keycloak_config_dir: "{{ keycloak_jboss_home }}/standalone/configuration"
 keycloak_config_standalone_xml: "keycloak.xml"
 keycloak_config_path_to_standalone_xml: "{{ keycloak_jboss_home }}/standalone/configuration/{{ keycloak_config_standalone_xml }}"
 keycloak_config_override_template: ''
+keycloak_config_path_to_properties: "{{ keycloak_jboss_home }}/standalone/configuration/profile.properties"
+keycloak_service_runas: false
 keycloak_service_user: keycloak
 keycloak_service_group: keycloak
-keycloak_service_pidfile: "/run/keycloak.pid"
-keycloak_configure_firewalld: False
+keycloak_service_pidfile: "/run/keycloak/keycloak.pid"
+keycloak_service_name: keycloak
+keycloak_service_desc: Keycloak
+keycloak_service_start_delay: 10
+keycloak_service_start_retries: 25
+keycloak_service_restart_always: false
+keycloak_service_restart_on_failure: false
+keycloak_service_startlimitintervalsec: "300"
+keycloak_service_startlimitburst: "5"
+keycloak_service_restartsec: "10s"
+
+keycloak_configure_firewalld: false
+keycloak_configure_iptables: false

 ### administrator console password
 keycloak_admin_password: ''
@@ -44,44 +44,62 @@ keycloak_http_port: 8080
 keycloak_https_port: 8443
 keycloak_ajp_port: 8009
 keycloak_jgroups_port: 7600
+keycloak_jgroups_subnet:
+keycloak_management_port_bind_address: 127.0.0.1
 keycloak_management_http_port: 9990
 keycloak_management_https_port: 9993
 keycloak_java_opts: "-Xms1024m -Xmx2048m"
-keycloak_prefer_ipv4: True
+keycloak_prefer_ipv4: true
+keycloak_features: []

 ### Enable configuration for database backend, clustering and remote caches on infinispan
-keycloak_ha_enabled: False
+keycloak_ha_enabled: false
 ### Enable database configuration, must be enabled when HA is configured
 keycloak_db_enabled: "{{ True if keycloak_ha_enabled else False }}"
+### Discovery protocol for ha cluster members, valus [ 'JDBC_PING', 'TCPPING' ]
+keycloak_ha_discovery: "{{ 'JDBC_PING' if keycloak_db_enabled else 'TCPPING' }}"
+### Remote cache store on infinispan cluster
+keycloak_remote_cache_enabled: "{{ True if keycloak_ha_enabled else False }}"

 ### Keycloak administration console user
 keycloak_admin_user: admin
 keycloak_auth_realm: master
 keycloak_auth_client: admin-cli

-keycloak_force_install: False
+keycloak_force_install: false

-### mod_cluster reverse proxy
+### mod_cluster reverse proxy list
+keycloak_modcluster_enabled: "{{ True if keycloak_ha_enabled else False }}"
 keycloak_modcluster_url: localhost
+keycloak_modcluster_port: 6666
+keycloak_modcluster_urls:
+  - host: "{{ keycloak_modcluster_url }}"
+    port: "{{ keycloak_modcluster_port }}"

 ### keycloak frontend url
-keycloak_frontend_url: http://localhost:8080/auth
+keycloak_frontend_url: http://localhost:8080/auth/
+keycloak_frontend_url_force: false
+keycloak_admin_url:

 ### infinispan remote caches access (hotrod)
-infinispan_user: supervisor
-infinispan_pass: supervisor
-infinispan_url: localhost
-infinispan_sasl_mechanism: SCRAM-SHA-512
-infinispan_use_ssl: False
+keycloak_infinispan_user: supervisor
+keycloak_infinispan_pass: supervisor
+keycloak_infinispan_url: localhost
+keycloak_infinispan_sasl_mechanism: SCRAM-SHA-512
+keycloak_infinispan_use_ssl: false
 # if ssl is enabled, import ispn server certificate here
-infinispan_trust_store_path: /etc/pki/java/cacerts
-infinispan_trust_store_password: changeit
+keycloak_infinispan_trust_store_path: /etc/pki/java/cacerts
+keycloak_infinispan_trust_store_password: changeit

-### database backend engine: values [ 'postgres', 'mariadb' ]
+### database backend engine: values [ 'postgres', 'mariadb', 'sqlserver' ]
 keycloak_jdbc_engine: postgres
 ### database backend credentials
 keycloak_db_user: keycloak-user
 keycloak_db_pass: keycloak-pass
+## connection validation
+keycloak_db_background_validation: false
+keycloak_db_background_validation_millis: "{{ 10000 if keycloak_db_background_validation else 0 }}"
+keycloak_db_background_validate_on_match: false
 keycloak_jdbc_url: "{{ keycloak_default_jdbc[keycloak_jdbc_engine].url }}"
 keycloak_jdbc_driver_version: "{{ keycloak_default_jdbc[keycloak_jdbc_engine].version }}"
 # override the variables above, following defaults show minimum supported versions
@@ -92,3 +110,11 @@ keycloak_default_jdbc:
  mariadb:
    url: 'jdbc:mariadb://localhost:3306/keycloak'
    version: 2.7.4
+  sqlserver:
+    url: 'jdbc:sqlserver://localhost:1433;databaseName=keycloak;'
+    version: 12.2.0
+# role specific vars
+keycloak_no_log: true
+
+### logging configuration
+keycloak_log_target: /var/log/keycloak
--- a/roles/keycloak/meta/argument_specs.yml
+++ b/roles/keycloak/meta/argument_specs.yml
@@ -2,82 +2,38 @@ argument_specs:
    main:
        options:
            keycloak_version:
-                # line 3 of keycloak/defaults/main.yml
-                default: "15.0.2"
+                default: "18.0.2"
                description: "keycloak.org package version"
                type: "str"
            keycloak_archive:
-                # line 4 of keycloak/defaults/main.yml
-                default: "keycloak-{{ keycloak_version }}.zip"
+                default: "keycloak-legacy-{{ keycloak_version }}.zip"
                description: "keycloak install archive filename"
                type: "str"
+            keycloak_configure_iptables:
+                default: false
+                description: "Ensure iptables is running and configure keycloak ports"
+                type: "bool"
            keycloak_configure_firewalld:
-                # line 33 of keycloak/defaults/main.yml
                default: false
                description: "Ensure firewalld is running and configure keycloak ports"
                type: "bool"
            keycloak_download_url:
-                # line 5 of keycloak/defaults/main.yml
                default: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_version }}/{{ keycloak_archive }}"
                description: "Download URL for keycloak"
                type: "str"
            keycloak_download_url_9x:
-                # line 6 of keycloak/defaults/main.yml
                default: "https://downloads.jboss.org/keycloak/{{ keycloak_version }}/{{ keycloak_archive }}"
                description: "Download URL for keycloak (deprecated)"
                type: "str"
            keycloak_installdir:
-                # line 7 of keycloak/defaults/main.yml
                default: "{{ keycloak_dest }}/keycloak-{{ keycloak_version }}"
                description: "Installation path"
                type: "str"
-            keycloak_rhsso_version:
-                # line 10 of keycloak/defaults/main.yml
-                default: "7.5.0"
-                description: "Red Hat Single Sign-On version"
-                type: "str"
-            rhsso_rhn_id:
-                # line 11 of keycloak/defaults/main.yml
-                default: "{{ rhsso_rhn_ids[keycloak_rhsso_version].id }}"
-                description: "Customer Portal product ID for Red Hat SSO"
-                type: "str"
-            keycloak_rhsso_archive:
-                # line 12 of keycloak/defaults/main.yml
-                default: "rh-sso-{{ keycloak_rhsso_version }}-server-dist.zip"
-                description: "ed Hat SSO install archive filename"
-                type: "str"
-            keycloak_rhsso_apply_patches:
-                # line 16 of keycloak/defaults/main.yml
-                default: false
-                description: "Install RHSSO more recent cumulative patch"
-                type: "bool"
-            keycloak_rhsso_installdir:
-                # line 13 of keycloak/defaults/main.yml
-                default: "{{ keycloak_dest }}/rh-sso-{{ keycloak_rhsso_version | regex_replace('^([0-9])\\.([0-9]*).*', '\\1.\\2') }}"
-                description: "Installation path for Red Hat SSO"
-                type: "str"
-            keycloak_rhn_url:
-                # line 14 of keycloak/defaults/main.yml
-                default: "https://access.redhat.com/jbossnetwork/restricted/softwareDownload.html?softwareId="
-                description: "Base download URI for customer portal"
-                type: "str"
-            keycloak_rhsso_download_url:
-                # line 15 of keycloak/defaults/main.yml
-                default: "{{ keycloak_rhn_url }}{{ rhsso_rhn_id }}"
-                description: "Full download URI for Red Hat SSO"
-                type: "str"
-            keycloak_rhsso_enable:
-                # line 18 of keycloak/defaults/main.yml
-                default: "{{ True if rhsso_rhn_id is defined and rhn_username is defined and rhn_password is defined else False }}"
-                description: "Enable Red Hat Single Sign-on installation"
-                type: "str"
            keycloak_offline_install:
-                # line 20 of keycloak/defaults/main.yml
                default: false
                description: "Perform an offline install"
                type: "bool"
            keycloak_jvm_package:
-                # line 23 of keycloak/defaults/main.yml
                default: "java-1.8.0-openjdk-headless"
                description: "RHEL java package runtime rpm"
                type: "str"
@@ -85,212 +41,341 @@ argument_specs:
                description: "JAVA_HOME of installed JRE, leave empty for using specified keycloak_jvm_package RPM path"
                type: "str"
            keycloak_dest:
-                # line 24 of keycloak/defaults/main.yml
                default: "/opt/keycloak"
                description: "Root installation directory"
                type: "str"
            keycloak_jboss_home:
-                # line 25 of keycloak/defaults/main.yml
-                default: "{{ keycloak_rhsso_installdir if keycloak_rhsso_enable else keycloak_installdir }}"
+                default: "{{ keycloak_installdir }}"
                description: "Installation work directory"
                type: "str"
+            keycloak_jboss_port_offset:
+                default: 0
+                description: "Port offset for the JBoss socket binding"
+                type: "int"
            keycloak_config_dir:
-                # line 26 of keycloak/defaults/main.yml
                default: "{{ keycloak_jboss_home }}/standalone/configuration"
                description: "Path for configuration"
                type: "str"
            keycloak_config_standalone_xml:
-                # line 27 of keycloak/defaults/main.yml
                default: "keycloak.xml"
                description: "Service configuration filename"
                type: "str"
            keycloak_config_path_to_standalone_xml:
-                # line 28 of keycloak/defaults/main.yml
                default: "{{ keycloak_jboss_home }}/standalone/configuration/{{ keycloak_config_standalone_xml }}"
                description: "Custom path for configuration"
                type: "str"
            keycloak_config_override_template:
-                # line 30 of keycloak/defaults/main.yml
                default: ""
                description: "Path to custom template for standalone.xml configuration"
                type: "str"
+            keycloak_service_runas:
+                default: false
+                description: "Enable execution of service as `keycloak_service_user`"
+                type: "bool"
            keycloak_service_user:
-                # line 29 of keycloak/defaults/main.yml
                default: "keycloak"
                description: "posix account username"
                type: "str"
            keycloak_service_group:
-                # line 30 of keycloak/defaults/main.yml
                default: "keycloak"
                description: "posix account group"
                type: "str"
            keycloak_service_pidfile:
-                # line 31 of keycloak/defaults/main.yml
-                default: "/run/keycloak.pid"
+                default: "/run/keycloak/keycloak.pid"
                description: "PID file path for service"
                type: "str"
+            keycloak_features:
+                default: "[]"
+                description: "List of `name`/`status` pairs of features (also known as profiles on RH-SSO) to `enable` or `disable`, example: `[ { name: 'docker', status: 'enabled' } ]`"
+                type: "list"
            keycloak_bind_address:
-                # line 34 of keycloak/defaults/main.yml
                default: "0.0.0.0"
                description: "Address for binding service ports"
                type: "str"
+            keycloak_management_port_bind_address:
+                default: "127.0.0.1"
+                description: "Address for binding the management ports"
+                type: "str"
            keycloak_host:
-                # line 35 of keycloak/defaults/main.yml
                default: "localhost"
                description: "Hostname for service"
                type: "str"
            keycloak_http_port:
-                # line 36 of keycloak/defaults/main.yml
                default: 8080
                description: "Listening HTTP port"
                type: "int"
            keycloak_https_port:
-                # line 37 of keycloak/defaults/main.yml
                default: 8443
                description: "Listening HTTPS port"
                type: "int"
            keycloak_ajp_port:
-                # line 38 of keycloak/defaults/main.yml
                default: 8009
                description: "Listening AJP port"
                type: "int"
            keycloak_jgroups_port:
-                # line 39 of keycloak/defaults/main.yml
                default: 7600
                description: "jgroups cluster tcp port"
                type: "int"
            keycloak_management_http_port:
-                # line 40 of keycloak/defaults/main.yml
                default: 9990
                description: "Management port (http)"
                type: "int"
            keycloak_management_https_port:
-                # line 41 of keycloak/defaults/main.yml
                default: 9993
                description: "Management port (https)"
                type: "int"
            keycloak_java_opts:
-                # line 42 of keycloak/defaults/main.yml
                default: "-Xms1024m -Xmx2048m"
                description: "Additional JVM options"
                type: "str"
            keycloak_prefer_ipv4:
-                # line 43 of keycloak/defaults/main.yml
                default: true
                description: "Prefer IPv4 stack and addresses for port binding"
                type: "bool"
            keycloak_ha_enabled:
-                # line 46 of keycloak/defaults/main.yml
                default: false
                description: "Enable auto configuration for database backend, clustering and remote caches on infinispan"
                type: "bool"
+            keycloak_ha_discovery:
+                default: "{{ 'JDBC_PING' if keycloak_db_enabled else 'TCPPING' }}"
+                description: "Discovery protocol for HA cluster members"
+                type: "str"
            keycloak_db_enabled:
-                # line 48 of keycloak/defaults/main.yml
                default: "{{ True if keycloak_ha_enabled else False }}"
                description: "Enable auto configuration for database backend"
-                type: "str"
+                type: "bool"
            keycloak_admin_user:
-                # line 51 of keycloak/defaults/main.yml
                default: "admin"
                description: "Administration console user account"
                type: "str"
            keycloak_auth_realm:
-                # line 52 of keycloak/defaults/main.yml
                default: "master"
                description: "Name for rest authentication realm"
                type: "str"
            keycloak_auth_client:
-                # line 53 of keycloak/defaults/main.yml
                default: "admin-cli"
                description: "Authentication client for configuration REST calls"
                type: "str"
            keycloak_force_install:
-                # line 55 of keycloak/defaults/main.yml
                default: false
                description: "Remove pre-existing versions of service"
                type: "bool"
+            keycloak_modcluster_enabled:
+                default: "{{ True if keycloak_ha_enabled else False }}"
+                description: "Enable configuration for modcluster subsystem"
+                type: "bool"
            keycloak_modcluster_url:
-                # line 58 of keycloak/defaults/main.yml
                default: "localhost"
                description: "URL for the modcluster reverse proxy"
                type: "str"
+            keycloak_modcluster_port:
+                default: 6666
+                description: "Port for the modcluster reverse proxy"
+                type: "int"
+            keycloak_modcluster_urls:
+                default: "[ { host: 'localhost', port: 6666 } ]"
+                description: "List of modproxy node URLs in the format { host, port } for the modcluster reverse proxy"
+                type: "list"
            keycloak_frontend_url:
-                # line 59 of keycloak/defaults/main.yml
                default: "http://localhost"
                description: "Frontend URL for keycloak endpoints when a reverse proxy is used"
                type: "str"
-            infinispan_user:
-                # line 62 of keycloak/defaults/main.yml
+            keycloak_frontend_url_force:
+                default: false
+                description: "Force backend requests to use the frontend URL"
+                type: "bool"
+            keycloak_infinispan_user:
                default: "supervisor"
                description: "Username for connecting to infinispan"
                type: "str"
-            infinispan_pass:
-                # line 63 of keycloak/defaults/main.yml
+            keycloak_infinispan_pass:
                default: "supervisor"
                description: "Password for connecting to infinispan"
                type: "str"
-            infinispan_url:
-                # line 64 of keycloak/defaults/main.yml
+            keycloak_infinispan_url:
                default: "localhost"
                description: "URL for the infinispan remote-cache server"
                type: "str"
-            infinispan_sasl_mechanism:
-                # line 65 of keycloak/defaults/main.yml
+            keycloak_infinispan_sasl_mechanism:
                default: "SCRAM-SHA-512"
                description: "Authentication type to infinispan server"
                type: "str"
-            infinispan_use_ssl:
-                # line 66 of keycloak/defaults/main.yml
+            keycloak_infinispan_use_ssl:
                default: false
                description: "Enable hotrod client TLS communication"
                type: "bool"
-            infinispan_trust_store_path:
-                # line 68 of keycloak/defaults/main.yml
+            keycloak_infinispan_trust_store_path:
                default: "/etc/pki/java/cacerts"
                description: "TODO document argument"
                type: "str"
-            infinispan_trust_store_password:
-                # line 69 of keycloak/defaults/main.yml
+            keycloak_infinispan_trust_store_password:
                default: "changeit"
                description: "Path to truststore containing infinispan server certificate"
                type: "str"
            keycloak_jdbc_engine:
-                # line 72 of keycloak/defaults/main.yml
                default: "postgres"
-                description: "Backend database flavour when db is enabled: [ postgres, mariadb ]"
+                description: "Backend database flavour when db is enabled: [ postgres, mariadb, sqlserver ]"
                type: "str"
            keycloak_db_user:
-                # line 74 of keycloak/defaults/main.yml
                default: "keycloak-user"
                description: "Username for connecting to database"
                type: "str"
            keycloak_db_pass:
-                # line 75 of keycloak/defaults/main.yml
                default: "keycloak-pass"
                description: "Password for connecting to database"
                type: "str"
            keycloak_jdbc_url:
-                # line 76 of keycloak/defaults/main.yml
                default: "{{ keycloak_default_jdbc[keycloak_jdbc_engine].url }}"
                description: "URL for connecting to backend database"
                type: "str"
            keycloak_jdbc_driver_version:
-                # line 77 of keycloak/defaults/main.yml
                default: "{{ keycloak_default_jdbc[keycloak_jdbc_engine].version }}"
                description: "Version for the JDBC driver to download"
                type: "str"
            keycloak_admin_password:
-                # line 4 of keycloak/vars/main.yml
                required: true
                description: "Password for the administration console user account"
                type: "str"
            keycloak_url:
-                # line 12 of keycloak/vars/main.yml
-                default: "http://{{ keycloak_host }}:{{ keycloak_http_port }}"
+                default: "http://{{ keycloak_host }}:{{ keycloak_http_port + keycloak_jboss_port_offset }}"
                description: "URL for configuration rest calls"
                type: "str"
            keycloak_management_url:
-                # line 13 of keycloak/vars/main.yml
-                default: "http://{{ keycloak_host }}:{{ keycloak_management_http_port }}"
+                default: "http://{{ keycloak_host }}:{{ keycloak_management_http_port + keycloak_jboss_port_offset }}"
                description: "URL for management console rest calls"
                type: "str"
+            keycloak_service_name:
+                default: "keycloak"
+                description: "systemd service name for keycloak"
+                type: "str"
+            keycloak_service_desc:
+                default: "Keycloak"
+                description: "systemd description for keycloak"
+                type: "str"
+            keycloak_service_start_delay:
+                default: "10"
+                description: "Expected delay in ms before the service is expected to be available after start."
+                type: "int"
+            keycloak_service_start_retries:
+                default: "25"
+                description: "How many time should Ansible retry to connect to the service after it was started, before failing."
+                type: "int"
+            keycloak_service_restart_always:
+                default: false
+                description: "systemd restart always behavior activation for keycloak"
+                type: "bool"
+            keycloak_service_restart_on_failure:
+                default: false
+                description: "systemd restart on-failure behavior activation for keycloak"
+                type: "bool"
+            keycloak_service_startlimitintervalsec:
+                default: 300
+                description: "systemd StartLimitIntervalSec for keycloak"
+                type: "int"
+            keycloak_service_startlimitburst:
+                default: 5
+                description: "systemd StartLimitBurst for keycloak"
+                type: "int"
+            keycloak_service_restartsec:
+                default: "5s"
+                description: "systemd RestartSec for keycloak"
+                type: "str"
+            keycloak_no_log:
+                default: true
+                type: "bool"
+                description: "Changes default behavior for no_log for debugging purpose, do not change for production system."
+            keycloak_remote_cache_enabled:
+                default: "{{ True if keycloak_ha_enabled else False }}"
+                description: "Enable remote cache store when in clustered ha configurations"
+                type: "bool"
+            keycloak_db_background_validation:
+                default: false
+                description: "Enable background validation of database connection"
+                type: "bool"
+            keycloak_db_background_validation_millis:
+                default: "{{ 10000 if keycloak_db_background_validation else 0 }}"
+                description: "How frequenly the connection pool is validated in the background"
+                type: 'int'
+            keycloak_db_background_validate_on_match:
+                default: false
+                description: "Enable validate on match for database connections"
+                type: "bool"
+            keycloak_db_valid_conn_sql:
+                required: false
+                description: "Override the default database connection validation query sql"
+                type: "str"
+            keycloak_admin_url:
+                required: false
+                description: "Override the default administration endpoint URL"
+                type: "str"
+            keycloak_jgroups_subnet:
+                required: false
+                description: "Override the subnet match for jgroups cluster formation; if not defined, it will be inferred from local machine route configuration"
+                type: "str"
+            keycloak_log_target:
+                default: '/var/log/keycloak'
+                type: "str"
+                description: "Set the destination of the keycloak log folder link"
+            keycloak_jdbc_download_url:
+                description: "Override the default Maven Central download URL for the JDBC driver"
+                type: "str"
+            keycloak_jdbc_download_user:
+                description: "Set a username with which to authenticate when downloading JDBC drivers from an alternative location"
+                type: "str"
+            keycloak_jdbc_download_pass:
+                description: "Set a password with which to authenticate when downloading JDBC drivers from an alternative location (requires keycloak_jdbc_download_user)"
+                type: "str"
+            keycloak_jdbc_download_validate_certs:
+                default: true
+                description: "Allow the option to ignore invalid certificates when downloading JDBC drivers from a custom URL"
+                type: "bool"
+    downstream:
+        options:
+            sso_version:
+                default: "7.6.0"
+                description: "Red Hat Single Sign-On version"
+                type: "str"
+            sso_archive:
+                default: "rh-sso-{{ sso_version }}-server-dist.zip"
+                description: "Red Hat SSO install archive filename"
+                type: "str"
+            sso_dest:
+                default: "/opt/sso"
+                description: "Root installation directory"
+                type: "str"
+            sso_installdir:
+                default: "{{ sso_dest }}/rh-sso-{{ sso_version.split('.')[0] }}.{{ sso_version.split('.')[1] }}"
+                description: "Installation path for Red Hat SSO"
+                type: "str"
+            sso_apply_patches:
+                default: false
+                description: "Install Red Hat SSO most recent cumulative patch"
+                type: "bool"
+            sso_enable:
+                default: true
+                description: "Enable Red Hat Single Sign-on installation"
+                type: "str"
+            sso_offline_install:
+                default: false
+                description: "Perform an offline install"
+                type: "bool"
+            sso_service_name:
+                default: "sso"
+                description: "systemd service name for Single Sign-On"
+                type: "str"
+            sso_service_desc:
+                default: "Red Hat Single Sign-On"
+                description: "systemd description for Red Hat Single Sign-On"
+                type: "str"
+            sso_patch_version:
+                required: false
+                description: "Red Hat Single Sign-On latest cumulative patch version to apply; defaults to latest version when sso_apply_patches is True"
+                type: "str"
+            sso_patch_bundle:
+                default: "rh-sso-{{ sso_patch_version | default('[0-9]+[.][0-9]+[.][0-9]+') }}-patch.zip"
+                description: "Red Hat SSO patch archive filename"
+                type: "str"
+            sso_product_category:
+                default: "core.service.rhsso"
+                description: "JBossNetwork API category for Single Sign-On"
+                type: "str"
--- a/roles/keycloak/meta/main.yml
+++ b/roles/keycloak/meta/main.yml
@@ -1,7 +1,7 @@
 ---
 collections:
-  - middleware_automation.redhat_csp_download
-  - middleware_automation.wildfly
+  - middleware_automation.common
+  - ansible.posix

 galaxy_info:
  role_name: keycloak
@@ -12,12 +12,12 @@ galaxy_info:

  license: Apache License 2.0

-  min_ansible_version: "2.9"
+  min_ansible_version: "2.14"

  platforms:
-   - name: EL
-     versions:
-     - 8
+    - name: EL
+      versions:
+        - "8"

  galaxy_tags:
    - keycloak
--- a/roles/keycloak/tasks/debian.yml
+++ b/roles/keycloak/tasks/debian.yml
@@ -0,0 +1,6 @@
+---
+- name: Include firewall config tasks
+  ansible.builtin.include_tasks: iptables.yml
+  when: keycloak_configure_iptables
+  tags:
+    - firewall
--- a/roles/keycloak/tasks/fastpackages.yml
+++ b/roles/keycloak/tasks/fastpackages.yml
@@ -1,22 +1,30 @@
 ---
- name: Check packages to be installed
-  block:
-  - name: "Check if packages are already installed"
-    ansible.builtin.command: "rpm -q {{ packages_list | join(' ') }}"
-    args:
-      warn: no
-    register: rpm_info
-    changed_when: rpm_info.failed
+- name: "Check if packages are already installed" # noqa command-instead-of-module this runs faster
+  ansible.builtin.command: "rpm -q {{ packages_list | join(' ') }}"
+  register: rpm_info
+  changed_when: false
+  failed_when: false
+  when: ansible_facts.os_family == "RedHat"

-  rescue:
-    - name: "Add missing packages to the yum install list"
-      ansible.builtin.set_fact:
-        packages_to_install: "{{ packages_to_install | default([]) + rpm_info.stdout_lines | map('regex_findall', 'package (.+) is not installed$') | flatten }}"
-      when: rpm_info.failed
+- name: "Add missing packages to the yum install list"
+  ansible.builtin.set_fact:
+    packages_to_install: "{{ packages_to_install | default([]) + rpm_info.stdout_lines | map('regex_findall', 'package (.+) is not installed$') | default([]) | flatten }}"
+  when: ansible_facts.os_family == "RedHat"

 - name: "Install packages: {{ packages_to_install }}"
-  become: yes
+  become: true
  ansible.builtin.yum:
    name: "{{ packages_to_install }}"
    state: present
-  when: packages_to_install | default([]) | length > 0
+  when:
+  - packages_to_install | default([]) | length > 0
+  - ansible_facts.os_family == "RedHat"
+
+- name: "Install packages: {{ packages_list }}"
+  become: true
+  ansible.builtin.package:
+    name: "{{ packages_list }}"
+    state: present
+  when:
+    - packages_list | default([]) | length > 0
+    - ansible_facts.os_family == "Debian"
--- a/roles/keycloak/tasks/firewalld.yml
+++ b/roles/keycloak/tasks/firewalld.yml
@@ -6,19 +6,19 @@
      - firewalld

 - name: Enable and start the firewalld service
-  become: yes
+  become: true
  ansible.builtin.systemd:
    name: firewalld
-    enabled: yes
+    enabled: true
    state: started

- name: "Configure firewall for {{ keycloak.service_name }} ports"
-  become: yes
-  firewalld:
+- name: "Configure firewall ports for {{ keycloak.service_name }}"
+  become: true
+  ansible.posix.firewalld:
    port: "{{ item }}"
    permanent: true
    state: enabled
-    immediate: yes
+    immediate: true
  loop:
    - "{{ keycloak_http_port }}/tcp"
    - "{{ keycloak_https_port }}/tcp"
--- a/roles/keycloak/tasks/install.yml
+++ b/roles/keycloak/tasks/install.yml
@@ -11,41 +11,41 @@
    quiet: true

 - name: Check for an existing deployment
-  become: yes
+  become: true
  ansible.builtin.stat:
    path: "{{ keycloak_jboss_home }}"
  register: existing_deploy

 - name: Stop and restart if existing deployment exists and install forced
+  when: existing_deploy.stat.exists and keycloak_force_install | bool
  block:
    - name: "Stop the old {{ keycloak.service_name }} service"
-      become: yes
-      ignore_errors: yes
+      become: true
+      failed_when: false
      ansible.builtin.systemd:
        name: keycloak
        state: stopped
    - name: "Remove the old {{ keycloak.service_name }} deployment"
-      become: yes
+      become: true
      ansible.builtin.file:
        path: "{{ keycloak_jboss_home }}"
        state: absent
-  when: existing_deploy.stat.exists and keycloak_force_install|bool

 - name: Check for an existing deployment after possible forced removal
-  become: yes
+  become: true
  ansible.builtin.stat:
    path: "{{ keycloak_jboss_home }}"

- name: "Create {{ keycloak.service_name }} service user/group"
-  become: yes
+- name: "Create service user/group for {{ keycloak.service_name }}"
+  become: true
  ansible.builtin.user:
    name: "{{ keycloak_service_user }}"
    home: /opt/keycloak
    system: yes
    create_home: no

- name: "Create {{ keycloak.service_name }} install location"
-  become: yes
+- name: "Create install location for {{ keycloak.service_name }}"
+  become: true
  ansible.builtin.file:
    dest: "{{ keycloak_dest }}"
    state: directory
@@ -53,13 +53,22 @@
    group: "{{ keycloak_service_group }}"
    mode: 0750

+- name: Create pidfile folder
+  become: true
+  ansible.builtin.file:
+    dest: "{{ keycloak_service_pidfile | dirname }}"
+    state: directory
+    owner: "{{ keycloak_service_user if keycloak_service_runas else omit }}"
+    group: "{{ keycloak_service_group if keycloak_service_runas else omit }}"
+    mode: 0750
+
 ## check remote archive
 - name: Set download archive path
  ansible.builtin.set_fact:
    archive: "{{ keycloak_dest }}/{{ keycloak.bundle }}"

 - name: Check download archive path
-  become: yes
+  become: true
  ansible.builtin.stat:
    path: "{{ archive }}"
  register: archive_path
@@ -77,28 +86,51 @@
    dest: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
    mode: 0644
  delegate_to: localhost
+  run_once: true
  when:
    - archive_path is defined
    - archive_path.stat is defined
    - not archive_path.stat.exists
-    - not keycloak_rhsso_enable
+    - not sso_enable is defined or not sso_enable
    - not keycloak_offline_install

- name: Perform download from RHN
-  middleware_automation.redhat_csp_download.redhat_csp_download:
-    url: "{{ keycloak_rhsso_download_url }}"
-    dest: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
-    username: "{{ rhn_username }}"
-    password: "{{ rhn_password }}"
-  no_log: "{{ omit_rhn_output | default(true) }}"
+- name: Perform download from RHN using JBoss Network API
  delegate_to: localhost
+  run_once: true
  when:
    - archive_path is defined
    - archive_path.stat is defined
    - not archive_path.stat.exists
-    - keycloak_rhsso_enable
+    - sso_enable is defined and sso_enable
    - not keycloak_offline_install
-    - keycloak_rhn_url in keycloak_rhsso_download_url
+  block:
+    - name: Retrieve product download using JBoss Network API
+      middleware_automation.common.product_search:
+        client_id: "{{ rhn_username }}"
+        client_secret: "{{ rhn_password }}"
+        product_type: DISTRIBUTION
+        product_version: "{{ sso_version.split('.')[:2] | join('.') }}"
+        product_category: "{{ sso_product_category }}"
+      register: rhn_products
+      no_log: "{{ omit_rhn_output | default(true) }}"
+      delegate_to: localhost
+      run_once: true
+
+    - name: Determine install zipfile from search results
+      ansible.builtin.set_fact:
+        rhn_filtered_products: "{{ rhn_products.results | selectattr('file_path', 'match', '[^/]*/' + sso_archive + '$') }}"
+      delegate_to: localhost
+      run_once: true
+
+    - name: Download Red Hat Single Sign-On
+      middleware_automation.common.product_download: # noqa risky-file-permissions delegated, uses controller host user
+        client_id: "{{ rhn_username }}"
+        client_secret: "{{ rhn_password }}"
+        product_id: "{{ (rhn_filtered_products | first).id }}"
+        dest: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
+      no_log: "{{ omit_rhn_output | default(true) }}"
+      delegate_to: localhost
+      run_once: true

 - name: Download rhsso archive from alternate location
  ansible.builtin.get_url: # noqa risky-file-permissions delegated, uses controller host user
@@ -106,13 +138,14 @@
    dest: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
    mode: 0644
  delegate_to: localhost
+  run_once: true
  when:
    - archive_path is defined
    - archive_path.stat is defined
    - not archive_path.stat.exists
-    - keycloak_rhsso_enable
+    - sso_enable is defined and sso_enable
    - not keycloak_offline_install
-    - not keycloak_rhn_url in keycloak_rhsso_download_url
+    - keycloak_rhsso_download_url is defined

 - name: Check downloaded archive
  ansible.builtin.stat:
@@ -133,23 +166,23 @@
    - not archive_path.stat.exists
    - local_archive_path.stat is defined
    - local_archive_path.stat.exists
-  become: yes
+  become: true

 - name: "Check target directory: {{ keycloak.home }}"
  ansible.builtin.stat:
    path: "{{ keycloak.home }}"
  register: path_to_workdir
-  become: yes
+  become: true

- name: "Extract {{ 'Red Hat Single Sign-On' if keycloak_rhsso_enable else 'Keycloak' }} archive on target"
+- name: "Extract {{ keycloak_service_desc }} archive on target"
  ansible.builtin.unarchive:
-    remote_src: yes
+    remote_src: true
    src: "{{ archive }}"
    dest: "{{ keycloak_dest }}"
    creates: "{{ keycloak.home }}"
    owner: "{{ keycloak_service_user }}"
    group: "{{ keycloak_service_group }}"
-  become: yes
+  become: true
  when:
    - new_version_downloaded.changed or not path_to_workdir.stat.exists
  notify:
@@ -167,37 +200,77 @@
    owner: "{{ keycloak_service_user }}"
    group: "{{ keycloak_service_group }}"
    recurse: true
-  become: yes
+  become: true
+  changed_when: false
+
+- name: Ensure permissions are correct on existing deploy
+  ansible.builtin.command: chown -R "{{ keycloak_service_user }}:{{ keycloak_service_group }}" "{{ keycloak.home }}"
+  when: keycloak_service_runas
+  become: true
  changed_when: false

 # driver and configuration
 - name: "Install {{ keycloak_jdbc_engine }} driver"
-  ansible.builtin.include_role:
-    name: middleware_automation.wildfly.wildfly_driver
-  vars:
-      wildfly_user: "{{ keycloak_service_user }}"
-      jdbc_driver_module_dir: "{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_dir }}"
-      jdbc_driver_version: "{{ keycloak_jdbc[keycloak_jdbc_engine].driver_version }}"
-      jdbc_driver_jar_filename: "{{ keycloak_jdbc[keycloak_jdbc_engine].driver_jar_filename }}"
-      jdbc_driver_jar_url: "{{ keycloak_jdbc[keycloak_jdbc_engine].driver_jar_url }}"
-      jdbc_driver_jar_installation_path: "{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_dir }}/{{ keycloak_jdbc[keycloak_jdbc_engine].driver_jar_filename }}"
-      jdbc_driver_module_name: "{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_name }}"
+  ansible.builtin.include_tasks: jdbc_driver.yml
  when: keycloak_jdbc[keycloak_jdbc_engine].enabled

- name: "Deploy {{ keycloak.service_name }} config to {{ keycloak_config_path_to_standalone_xml }} from {{ keycloak.config_template_source }}"
-  become: yes
+- name: "Deploy custom {{ keycloak.service_name }} config to {{ keycloak_config_path_to_standalone_xml }} from {{ keycloak_config_override_template }}"
+  become: true
  ansible.builtin.template:
-    src: "templates/{{ keycloak.config_template_source }}"
+    src: "templates/{{ keycloak_config_override_template }}"
    dest: "{{ keycloak_config_path_to_standalone_xml }}"
    owner: "{{ keycloak_service_user }}"
    group: "{{ keycloak_service_group }}"
    mode: 0640
  notify:
    - restart keycloak
-  when: not keycloak_remotecache.enabled or keycloak_config_override_template|length > 0
+  when: keycloak_config_override_template | length > 0

- name: "Deploy {{ keycloak.service_name }} config with remote cache store to {{ keycloak_config_path_to_standalone_xml }}"
-  become: yes
+- name: "Deploy standalone {{ keycloak.service_name }} config to {{ keycloak_config_path_to_standalone_xml }}"
+  become: true
+  ansible.builtin.template:
+    src: templates/standalone.xml.j2
+    dest: "{{ keycloak_config_path_to_standalone_xml }}"
+    owner: "{{ keycloak_service_user }}"
+    group: "{{ keycloak_service_group }}"
+    mode: 0640
+  notify:
+    - restart keycloak
+  when:
+    - not keycloak_ha_enabled
+    - keycloak_config_override_template | length == 0
+
+- name: Create tcpping cluster node list
+  ansible.builtin.set_fact:
+    keycloak_cluster_nodes: >
+      {{ keycloak_cluster_nodes | default([]) + [
+        {
+          "name": item,
+          "address": 'jgroups-' + item,
+          "inventory_host": hostvars[item].ansible_default_ipv4.address | default(item) + '[' + (keycloak_jgroups_port | string) + ']',
+          "value": hostvars[item].ansible_default_ipv4.address | default(item)
+        }
+      ] }}
+  loop: "{{ ansible_play_batch }}"
+  when: keycloak_ha_enabled and keycloak_ha_discovery == 'TCPPING'
+
+- name: "Deploy HA {{ keycloak.service_name }} config to {{ keycloak_config_path_to_standalone_xml }}"
+  become: true
+  ansible.builtin.template:
+    src: templates/standalone-ha.xml.j2
+    dest: "{{ keycloak_config_path_to_standalone_xml }}"
+    owner: "{{ keycloak_service_user }}"
+    group: "{{ keycloak_service_group }}"
+    mode: 0640
+  notify:
+    - restart keycloak
+  when:
+    - keycloak_ha_enabled
+    - not keycloak_remote_cache_enabled
+    - keycloak_config_override_template | length == 0
+
+- name: "Deploy HA {{ keycloak.service_name }} config with infinispan remote cache store to {{ keycloak_config_path_to_standalone_xml }}"
+  become: true
  ansible.builtin.template:
    src: templates/standalone-infinispan.xml.j2
    dest: "{{ keycloak_config_path_to_standalone_xml }}"
@@ -206,4 +279,19 @@
    mode: 0640
  notify:
    - restart keycloak
-  when: keycloak_remotecache.enabled
+  when:
+    - keycloak_ha_enabled
+    - keycloak_remote_cache_enabled
+    - keycloak_config_override_template | length == 0
+
+- name: "Deploy profile.properties file to {{ keycloak_config_path_to_properties }}"
+  become: true
+  ansible.builtin.template:
+    src: keycloak-profile.properties.j2
+    dest: "{{ keycloak_config_path_to_properties }}"
+    owner: "{{ keycloak_service_user }}"
+    group: "{{ keycloak_service_group }}"
+    mode: 0640
+  notify:
+    - restart keycloak
+  when: keycloak_features | length > 0
--- a/roles/keycloak/tasks/iptables.yml
+++ b/roles/keycloak/tasks/iptables.yml
@@ -0,0 +1,23 @@
+---
+- name: Ensure required package iptables are installed
+  ansible.builtin.include_tasks: fastpackages.yml
+  vars:
+    packages_list:
+      - iptables
+
+- name: "Configure firewall ports for {{ keycloak.service_name }}"
+  become: true
+  ansible.builtin.iptables:
+    destination_port: "{{ item }}"
+    action: "insert"
+    rule_num: 6 # magic number I forget why
+    chain: "INPUT"
+    policy: "ACCEPT"
+    protocol: tcp
+  loop:
+    - "{{ keycloak_http_port }}"
+    - "{{ keycloak_https_port }}"
+    - "{{ keycloak_management_http_port }}"
+    - "{{ keycloak_management_https_port }}"
+    - "{{ keycloak_jgroups_port }}"
+    - "{{ keycloak_ajp_port }}"
--- a/roles/keycloak/tasks/jdbc_driver.yml
+++ b/roles/keycloak/tasks/jdbc_driver.yml
@@ -0,0 +1,45 @@
+---
+- name: "Check module directory: {{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_dir }}"
+  ansible.builtin.stat:
+    path: "{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_dir }}"
+  register: dest_path
+  become: true
+
+- name: "Set up module dir for JDBC Driver {{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_name }}"
+  ansible.builtin.file:
+    path: "{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_dir }}"
+    state: directory
+    recurse: true
+    owner: "{{ keycloak_service_user }}"
+    group: "{{ keycloak_service_group }}"
+    mode: 0750
+  become: true
+  when:
+    - not dest_path.stat.exists
+- name: "Verify valid parameters for download credentials when specified"
+  ansible.builtin.fail:
+    msg: >-
+      When JDBC driver download credentials are set, both the username and the password MUST be set
+  when:
+    - (keycloak_jdbc_download_user is undefined and keycloak_jdbc_download_pass is not undefined) or (keycloak_jdbc_download_pass is undefined and keycloak_jdbc_download_user is not undefined)
+
+- name: "Retrieve JDBC Driver from {{ keycloak_jdbc[keycloak_jdbc_engine].driver_jar_url }}"
+  ansible.builtin.get_url:
+    url: "{{ keycloak_jdbc[keycloak_jdbc_engine].driver_jar_url }}"
+    dest: "{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_dir }}/{{ keycloak_jdbc[keycloak_jdbc_engine].driver_jar_filename }}"
+    group: "{{ keycloak_service_group }}"
+    owner: "{{ keycloak_service_user }}"
+    url_username: "{{ keycloak_jdbc_download_user | default(omit) }}"
+    url_password: "{{ keycloak_jdbc_download_pass | default(omit) }}"
+    validate_certs: "{{ keycloak_jdbc_download_validate_certs | default(omit) }}"
+    mode: 0640
+  become: true
+
+- name: "Deploy module.xml for JDBC Driver"
+  ansible.builtin.template:
+    src: "templates/jdbc_driver_module.xml.j2"
+    dest: "{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_dir }}/module.xml"
+    group: "{{ keycloak_service_group }}"
+    owner: "{{ keycloak_service_user }}"
+    mode: 0640
+  become: true
--- a/roles/keycloak/tasks/main.yml
+++ b/roles/keycloak/tasks/main.yml
@@ -1,16 +1,14 @@
 ---
 # tasks file for keycloak
-
 - name: Check prerequisites
  ansible.builtin.include_tasks: prereqs.yml
  tags:
    - prereqs

- name: Include firewall config tasks
-  ansible.builtin.include_tasks: firewalld.yml
-  when: keycloak_configure_firewalld
+- name: Distro specific tasks
+  ansible.builtin.include_tasks: "{{ ansible_os_family | lower }}.yml"
  tags:
-    - firewall
+    - unbound

 - name: Include install tasks
  ansible.builtin.include_tasks: install.yml
@@ -24,7 +22,10 @@

 - name: Include patch install tasks
  ansible.builtin.include_tasks: rhsso_patch.yml
-  when: keycloak_rhsso_apply_patches and keycloak_rhsso_enable
+  when:
+    - sso_apply_patches is defined and sso_apply_patches
+    - sso_enable is defined and sso_enable
+    - ansible_facts.os_family == "RedHat"
  tags:
    - install
    - patch
@@ -33,7 +34,8 @@
  ansible.builtin.file:
    state: link
    src: "{{ keycloak_jboss_home }}/standalone/log"
-    dest: /var/log/keycloak
+    dest: "{{ keycloak_log_target }}"
+  become: true

 - name: Set admin credentials and restart if not already created
  block:
@@ -42,7 +44,7 @@
        url: "{{ keycloak_url }}/auth/realms/master/protocol/openid-connect/token"
        method: POST
        body: "client_id={{ keycloak_auth_client }}&username={{ keycloak_admin_user }}&password={{ keycloak_admin_password }}&grant_type=password"
-        validate_certs: no
+        validate_certs: false
      register: keycloak_auth_response
      until: keycloak_auth_response.status == 200
      retries: 2
@@ -56,8 +58,8 @@
          - "-rmaster"
          - "-u{{ keycloak_admin_user }}"
          - "-p{{ keycloak_admin_password }}"
-      changed_when: yes
-      become: yes
+      changed_when: true
+      become: true
    - name: "Restart {{ keycloak.service_name }}"
      ansible.builtin.include_tasks: tasks/restart_keycloak.yml
    - name: "Wait until {{ keycloak.service_name }} becomes active {{ keycloak.health_url }}"
--- a/roles/keycloak/tasks/prereqs.yml
+++ b/roles/keycloak/tasks/prereqs.yml
@@ -3,7 +3,7 @@
  ansible.builtin.assert:
    that:
      - keycloak_admin_password | length > 12
-    quiet: True
+    quiet: true
    fail_msg: "The console administrator password is empty or invalid. Please set the keycloak_admin_password variable to a 12+ char long string"
    success_msg: "{{ 'Console administrator password OK' }}"

@@ -11,36 +11,45 @@
  ansible.builtin.assert:
    that:
      - (keycloak_ha_enabled and keycloak_db_enabled) or (not keycloak_ha_enabled and keycloak_db_enabled) or (not keycloak_ha_enabled and not keycloak_db_enabled)
-    quiet: True
+    quiet: true
    fail_msg: "Cannot install HA setup without a backend database service. Check keycloak_ha_enabled and keycloak_db_enabled"
    success_msg: "{{ 'Configuring HA' if keycloak_ha_enabled else 'Configuring standalone' }}"

 - name: Validate credentials
  ansible.builtin.assert:
    that:
-      - (rhn_username is defined and keycloak_rhsso_enable) or not keycloak_rhsso_enable or keycloak_offline_install
-      - (rhn_password is defined and keycloak_rhsso_enable) or not keycloak_rhsso_enable or keycloak_offline_install
-    quiet: True
+      - (rhn_username is defined and sso_enable is defined and sso_enable) or not sso_enable is defined or not sso_enable or keycloak_offline_install
+      - (rhn_password is defined and sso_enable is defined and sso_enable) or not sso_enable is defined or not sso_enable or keycloak_offline_install
+    quiet: true
    fail_msg: "Cannot install Red Hat SSO without RHN credentials. Check rhn_username and rhn_password are defined"
-    success_msg: "{{ 'Installing Red Hat Single Sign-On' if keycloak_rhsso_enable else 'Installing keycloak.org' }}"
+    success_msg: "Installing {{ keycloak_service_desc }}"

 - name: Validate persistence configuration
  ansible.builtin.assert:
    that:
-      - keycloak_jdbc_engine is defined and keycloak_jdbc_engine in [ 'postgres', 'mariadb' ]
+      - keycloak_jdbc_engine is defined and keycloak_jdbc_engine in [ 'postgres', 'mariadb', 'sqlserver' ]
      - keycloak_jdbc_url | length > 0
      - keycloak_db_user | length > 0
      - keycloak_db_pass | length > 0
-    quiet: True
+    quiet: true
    fail_msg: "Configuration for the JDBC persistence is invalid or incomplete"
    success_msg: "Configuring JDBC persistence using {{ keycloak_jdbc_engine }} database"
  when: keycloak_db_enabled

+- name: Validate OS family
+  ansible.builtin.assert:
+    that:
+      - ansible_os_family in ["RedHat", "Debian"]
+    quiet: true
+    fail_msg: "Can only install on RedHat or Debian OS families; found {{ ansible_os_family }}"
+    success_msg: "Installing on {{ ansible_os_family }}"
+
+- name: Load OS specific variables
+  ansible.builtin.include_vars: "vars/{{ ansible_os_family | lower }}.yml"
+  tags:
+    - always
+
 - name: Ensure required packages are installed
  ansible.builtin.include_tasks: fastpackages.yml
  vars:
-    packages_list:
-      - "{{ keycloak_jvm_package }}"
-      - unzip
-      - procps-ng
-      - initscripts
+    packages_list: "{{ keycloak_prereq_package_list }}"
--- a/roles/keycloak/tasks/redhat.yml
+++ b/roles/keycloak/tasks/redhat.yml
@@ -0,0 +1,6 @@
+---
+- name: Include firewall config tasks
+  ansible.builtin.include_tasks: firewalld.yml
+  when: keycloak_configure_firewalld
+  tags:
+    - firewall
--- a/roles/keycloak/tasks/restart_keycloak.yml
+++ b/roles/keycloak/tasks/restart_keycloak.yml
@@ -1,7 +1,28 @@
 ---
+- name: "Restart and enable {{ keycloak.service_name }} service"
+  ansible.builtin.systemd:
+    name: keycloak
+    enabled: true
+    state: restarted
+    daemon_reload: true
+  become: true
+  delegate_to: "{{ ansible_play_hosts | first }}"
+  run_once: true
+
+- name: "Wait until {{ keycloak.service_name }} becomes active {{ keycloak.health_url }}"
+  ansible.builtin.uri:
+    url: "{{ keycloak.health_url }}"
+  register: keycloak_status
+  until: keycloak_status.status == 200
+  delegate_to: "{{ ansible_play_hosts | first }}"
+  run_once: true
+  retries: "{{ keycloak_service_start_retries }}"
+  delay: "{{ keycloak_service_start_delay }}"
+
 - name: "Restart and enable {{ keycloak.service_name }} service"
  ansible.builtin.systemd:
    name: keycloak
    enabled: yes
    state: restarted
-  become: yes
+  become: true
+  when: inventory_hostname != ansible_play_hosts | first
--- a/roles/keycloak/tasks/rhsso_patch.yml
+++ b/roles/keycloak/tasks/rhsso_patch.yml
@@ -2,32 +2,96 @@
 ## check remote patch archive
 - name: Set download patch archive path
  ansible.builtin.set_fact:
-    patch_archive: "{{ keycloak_dest }}/{{ keycloak.patch_bundle }}"
+    patch_archive: "{{ keycloak_dest }}/{{ sso_patch_bundle }}"
+    patch_bundle: "{{ sso_patch_bundle }}"
+    patch_version: "{{ sso_patch_version }}"
+  when: sso_patch_version is defined

 - name: Check download patch archive path
  ansible.builtin.stat:
    path: "{{ patch_archive }}"
  register: patch_archive_path
+  when: sso_patch_version is defined
+  become: true

- name: Perform download from RHN
-  middleware_automation.redhat_csp_download.redhat_csp_download:
-    url: "{{ keycloak_rhn_url }}{{ rhsso_rhn_ids[keycloak_rhsso_version].latest_cp.id }}"
-    dest: "{{ local_path.stat.path }}/{{ keycloak.patch_bundle }}"
-    username: "{{ rhn_username }}"
-    password: "{{ rhn_password }}"
-  no_log: "{{ omit_rhn_output | default(true) }}"
+- name: Perform patch download from RHN via JBossNetwork API
  delegate_to: localhost
+  run_once: true
  when:
-    - patch_archive_path is defined
-    - patch_archive_path.stat is defined
-    - not patch_archive_path.stat.exists
-    - keycloak_rhsso_enable
+    - sso_enable is defined and sso_enable
    - not keycloak_offline_install
+    - sso_apply_patches
+  block:
+    - name: Retrieve product download using JBossNetwork API
+      middleware_automation.common.product_search:
+        client_id: "{{ rhn_username }}"
+        client_secret: "{{ rhn_password }}"
+        product_type: BUGFIX
+        product_version: "{{ sso_version.split('.')[:2] | join('.') }}"
+        product_category: "{{ sso_product_category }}"
+      register: rhn_products
+      no_log: "{{ omit_rhn_output | default(true) }}"
+      delegate_to: localhost
+      run_once: true
+
+    - name: Determine patch versions list
+      ansible.builtin.set_fact:
+        filtered_versions: "{{ rhn_products.results | map(attribute='file_path') | \
+                               select('match', '^[^/]*/rh-sso-.*[0-9]*[.][0-9]*[.][0-9]*.*$') | \
+                               map('regex_replace', '[^/]*/rh-sso-([0-9]*[.][0-9]*[.][0-9]*(-[0-9])?)-.*', '\\1') | list | unique }}"
+      when: sso_patch_version is not defined or sso_patch_version | length == 0
+      delegate_to: localhost
+      run_once: true
+
+    - name: Determine latest version
+      ansible.builtin.set_fact:
+         sso_latest_version: "{{ filtered_versions | middleware_automation.common.version_sort | last }}"
+      when: sso_patch_version is not defined or sso_patch_version | length == 0
+      delegate_to: localhost
+      run_once: true
+
+    - name: Determine install zipfile from search results
+      ansible.builtin.set_fact:
+        rhn_filtered_products: "{{ rhn_products.results | selectattr('file_path', 'match', '[^/]*/rh-sso-' + sso_latest_version + '-patch.zip$') }}"
+        patch_bundle: "rh-sso-{{ sso_latest_version }}-patch.zip"
+        patch_version: "{{ sso_latest_version }}"
+      when: sso_patch_version is not defined or sso_patch_version | length == 0
+      delegate_to: localhost
+      run_once: true
+
+    - name: "Determine selected patch from supplied version: {{ sso_patch_version }}"
+      ansible.builtin.set_fact:
+        rhn_filtered_products: "{{ rhn_products.results | selectattr('file_path', 'match', '[^/]*/' + sso_patch_bundle + '$') }}"
+        patch_bundle: "{{ sso_patch_bundle }}"
+        patch_version: "{{ sso_patch_version }}"
+      when: sso_patch_version is defined
+      delegate_to: localhost
+      run_once: true
+
+    - name: Download Red Hat Single Sign-On patch
+      middleware_automation.common.product_download: # noqa risky-file-permissions delegated, uses controller host user
+        client_id: "{{ rhn_username }}"
+        client_secret: "{{ rhn_password }}"
+        product_id: "{{ (rhn_filtered_products | sort | last).id }}"
+        dest: "{{ local_path.stat.path }}/{{ patch_bundle }}"
+      no_log: "{{ omit_rhn_output | default(true) }}"
+      delegate_to: localhost
+      run_once: true
+
+- name: Set download patch archive path
+  ansible.builtin.set_fact:
+    patch_archive: "{{ keycloak_dest }}/{{ patch_bundle }}"
+
+- name: Check download patch archive path
+  ansible.builtin.stat:
+    path: "{{ patch_archive }}"
+  register: patch_archive_path
+  become: true

 ## copy and unpack
 - name: Copy patch archive to target nodes
  ansible.builtin.copy:
-    src: "{{ local_path.stat.path }}/{{ keycloak.patch_bundle }}"
+    src: "{{ local_path.stat.path }}/{{ patch_bundle }}"
    dest: "{{ patch_archive }}"
    owner: "{{ keycloak_service_user }}"
    group: "{{ keycloak_service_group }}"
@@ -37,23 +101,31 @@
    - not patch_archive_path.stat.exists
    - local_archive_path.stat is defined
    - local_archive_path.stat.exists
-  become: yes
+  become: true

 - name: "Check installed patches"
  ansible.builtin.include_tasks: rhsso_cli.yml
  vars:
    query: "patch info"
+  args:
+    apply:
+      become: true
+      become_user: "{{ keycloak_service_user }}"

 - name: "Perform patching"
-  when: 
+  when:
    - cli_result is defined
    - cli_result.stdout is defined
-    - rhsso_rhn_ids[keycloak_rhsso_version].latest_cp.v not in cli_result.stdout
+    - patch_version | regex_replace('-[0-9]$', '') not in cli_result.stdout
  block:
-    - name: "Apply patch {{ rhsso_rhn_ids[keycloak_rhsso_version].latest_cp.v }} to server"
+    - name: "Apply patch {{ patch_version }} to server"
      ansible.builtin.include_tasks: rhsso_cli.yml
      vars:
        query: "patch apply {{ patch_archive }}"
+      args:
+        apply:
+          become: true
+          become_user: "{{ keycloak_service_user }}"

    - name: "Restart server to ensure patch content is running"
      ansible.builtin.include_tasks: rhsso_cli.yml
@@ -61,6 +133,10 @@
        query: "shutdown --restart"
      when:
        - cli_result.rc == 0
+      args:
+        apply:
+            become: true
+            become_user: "{{ keycloak_service_user }}"

    - name: "Wait until {{ keycloak.service_name }} becomes active {{ keycloak.health_url }}"
      ansible.builtin.uri:
@@ -74,14 +150,22 @@
      ansible.builtin.include_tasks: rhsso_cli.yml
      vars:
        query: "patch info"
-  
+      args:
+        apply:
+            become: true
+            become_user: "{{ keycloak_service_user }}"
+
    - name: "Verify installed patch version"
      ansible.builtin.assert:
        that:
-          - rhsso_rhn_ids[keycloak_rhsso_version].latest_cp.v not in cli_result.stdout
+          - patch_version not in cli_result.stdout
        fail_msg: "Patch installation failed"
        success_msg: "Patch installation successful"

 - name: "Skipping patch"
  ansible.builtin.debug:
-    msg: "Latest cumulative patch {{ rhsso_rhn_ids[keycloak_rhsso_version].latest_cp.v }} already installed, skipping patch installation."
+    msg: "Cumulative patch {{ patch_version }} already installed, skipping patch installation."
+  when:
+    - cli_result is defined
+    - cli_result.stdout is defined
+    - patch_version in cli_result.stdout
--- a/roles/keycloak/tasks/start_keycloak.yml
+++ b/roles/keycloak/tasks/start_keycloak.yml
@@ -2,14 +2,15 @@
 - name: "Start {{ keycloak.service_name }} service"
  ansible.builtin.systemd:
    name: keycloak
-    enabled: yes
+    enabled: true
    state: started
-  become: yes
+    daemon_reload: true
+  become: true

 - name: "Wait until {{ keycloak.service_name }} becomes active {{ keycloak.health_url }}"
  ansible.builtin.uri:
    url: "{{ keycloak.health_url }}"
  register: keycloak_status
  until: keycloak_status.status == 200
-  retries: 25
-  delay: 10
+  retries: "{{ keycloak_service_start_retries }}"
+  delay: "{{ keycloak_service_start_delay }}"
--- a/roles/keycloak/tasks/stop_keycloak.yml
+++ b/roles/keycloak/tasks/stop_keycloak.yml
@@ -2,6 +2,6 @@
 - name: "Stop {{ keycloak.service_name }}"
  ansible.builtin.systemd:
    name: keycloak
-    enabled: yes
+    enabled: true
    state: stopped
-  become: yes
+  become: true
--- a/roles/keycloak/tasks/systemd.yml
+++ b/roles/keycloak/tasks/systemd.yml
@@ -1,6 +1,6 @@
 ---
 - name: "Configure {{ keycloak.service_name }} service script wrapper"
-  become: yes
+  become: true
  ansible.builtin.template:
    src: keycloak-service.sh.j2
    dest: "{{ keycloak_dest }}/keycloak-service.sh"
@@ -10,25 +10,14 @@
  notify:
    - restart keycloak

- name: Determine JAVA_HOME for selected JVM RPM  # noqa blocked_modules
-  ansible.builtin.shell: |
-    set -o pipefail
-    rpm -ql {{ keycloak_jvm_package }} | grep -Po '/usr/lib/jvm/.*(?=/bin/java$)'
-  args:
-    executable: /bin/bash
-  changed_when: False
-  register: rpm_java_home
-
 - name: "Configure sysconfig file for {{ keycloak.service_name }} service"
-  become: yes
+  become: true
  ansible.builtin.template:
    src: keycloak-sysconfig.j2
-    dest: /etc/sysconfig/keycloak
+    dest: "{{ keycloak_sysconf_file }}"
    owner: root
    group: root
    mode: 0644
-  vars:
-    keycloak_rpm_java_home: "{{ rpm_java_home.stdout }}"
  notify:
    - restart keycloak

@@ -39,20 +28,14 @@
    owner: root
    group: root
    mode: 0644
-  become: yes
+  become: true
  register: systemdunit
  notify:
    - restart keycloak

- name: Reload systemd
-  become: yes
-  ansible.builtin.systemd:
-    daemon_reload: yes
-  when: systemdunit.changed
-
 - name: "Start and wait for {{ keycloak.service_name }} service (first node db)"
  ansible.builtin.include_tasks: start_keycloak.yml
-  run_once: yes
+  run_once: true
  when: keycloak_db_enabled

 - name: "Start and wait for {{ keycloak.service_name }} service (remaining nodes)"
@@ -61,7 +44,7 @@
 - name: Check service status
  ansible.builtin.command: "systemctl status keycloak"
  register: keycloak_service_status
-  changed_when: False
+  changed_when: false

 - name: Verify service status
  ansible.builtin.assert:
--- a/roles/keycloak/templates/15.0.8/standalone-infinispan.xml.j2
+++ b/roles/keycloak/templates/15.0.8/standalone-infinispan.xml.j2
@@ -0,0 +1,761 @@
+<?xml version='1.0' encoding='UTF-8'?>
+{{ ansible_managed | comment('xml') }}
+<server xmlns="urn:jboss:domain:16.0">
+    <extensions>
+        <extension module="org.jboss.as.clustering.infinispan"/>
+        <extension module="org.jboss.as.clustering.jgroups"/>
+        <extension module="org.jboss.as.connector"/>
+        <extension module="org.jboss.as.deployment-scanner"/>
+        <extension module="org.jboss.as.ee"/>
+        <extension module="org.jboss.as.ejb3"/>
+        <extension module="org.jboss.as.jaxrs"/>
+        <extension module="org.jboss.as.jmx"/>
+        <extension module="org.jboss.as.jpa"/>
+        <extension module="org.jboss.as.logging"/>
+        <extension module="org.jboss.as.mail"/>
+        <extension module="org.jboss.as.modcluster"/>
+        <extension module="org.jboss.as.naming"/>
+        <extension module="org.jboss.as.remoting"/>
+        <extension module="org.jboss.as.security"/>
+        <extension module="org.jboss.as.transactions"/>
+        <extension module="org.jboss.as.weld"/>
+        <extension module="org.keycloak.keycloak-server-subsystem"/>
+        <extension module="org.wildfly.extension.bean-validation"/>
+        <extension module="org.wildfly.extension.core-management"/>
+        <extension module="org.wildfly.extension.elytron"/>
+        <extension module="org.wildfly.extension.health"/>
+        <extension module="org.wildfly.extension.io"/>
+        <extension module="org.wildfly.extension.metrics"/>
+        <extension module="org.wildfly.extension.request-controller"/>
+        <extension module="org.wildfly.extension.security.manager"/>
+        <extension module="org.wildfly.extension.undertow"/>
+    </extensions>
+    <management>
+        <security-realms>
+            <security-realm name="ManagementRealm">
+                <authentication>
+                    <local default-user="$local" skip-group-loading="true"/>
+                    <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
+                </authentication>
+                <authorization map-groups-to-roles="false">
+                    <properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
+                </authorization>
+            </security-realm>
+            <security-realm name="ApplicationRealm">
+                <server-identities>
+                    <ssl>
+                        <keystore path="application.keystore" relative-to="jboss.server.config.dir" keystore-password="password" alias="server" key-password="password" generate-self-signed-certificate-host="localhost"/>
+                    </ssl>
+                </server-identities>
+                <authentication>
+                    <local default-user="$local" allowed-users="*" skip-group-loading="true"/>
+                    <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
+                </authentication>
+                <authorization>
+                    <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
+                </authorization>
+            </security-realm>
+        </security-realms>
+        <audit-log>
+            <formatters>
+                <json-formatter name="json-formatter"/>
+            </formatters>
+            <handlers>
+                <file-handler name="file" formatter="json-formatter" path="audit-log.log" relative-to="jboss.server.data.dir"/>
+            </handlers>
+            <logger log-boot="true" log-read-only="false" enabled="false">
+                <handlers>
+                    <handler name="file"/>
+                </handlers>
+            </logger>
+        </audit-log>
+        <management-interfaces>
+            <http-interface security-realm="ManagementRealm">
+                <http-upgrade enabled="true"/>
+                <socket-binding http="management-http"/>
+            </http-interface>
+        </management-interfaces>
+        <access-control provider="simple">
+            <role-mapping>
+                <role name="SuperUser">
+                    <include>
+                        <user name="$local"/>
+                    </include>
+                </role>
+            </role-mapping>
+        </access-control>
+    </management>
+    <profile>
+        <subsystem xmlns="urn:jboss:domain:logging:8.0">
+            <console-handler name="CONSOLE">
+                <level name="INFO"/>
+                <formatter>
+                    <named-formatter name="COLOR-PATTERN"/>
+                </formatter>
+            </console-handler>
+            <periodic-rotating-file-handler name="FILE" autoflush="true">
+                <formatter>
+                    <named-formatter name="PATTERN"/>
+                </formatter>
+                <file relative-to="jboss.server.log.dir" path="server.log"/>
+                <suffix value=".yyyy-MM-dd"/>
+                <append value="true"/>
+            </periodic-rotating-file-handler>
+            <logger category="com.arjuna">
+                <level name="WARN"/>
+            </logger>
+            <logger category="io.jaegertracing.Configuration">
+                <level name="WARN"/>
+            </logger>
+            <logger category="org.jboss.as.config">
+                <level name="DEBUG"/>
+            </logger>
+            <logger category="sun.rmi">
+                <level name="WARN"/>
+            </logger>
+            <logger category="org.keycloak.cluster.infinispan">
+                <level name="DEBUG"/>
+            </logger>
+            <logger category="org.keycloak.connections.infinispan">
+                <level name="DEBUG"/>
+            </logger>
+            <logger category="org.keycloak.models.cache.infinispan">
+                <level name="DEBUG"/>
+            </logger>
+            <logger category="org.keycloak.models.sessions.infinispan">
+                <level name="DEBUG"/>
+            </logger>
+            <root-logger>
+                <level name="INFO"/>
+                <handlers>
+                    <handler name="CONSOLE"/>
+                    <handler name="FILE"/>
+                </handlers>
+            </root-logger>
+            <formatter name="PATTERN">
+                <pattern-formatter pattern="%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n"/>
+            </formatter>
+            <formatter name="COLOR-PATTERN">
+                <pattern-formatter pattern="%K{level}%d{HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n"/>
+            </formatter>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:bean-validation:1.0"/>
+        <subsystem xmlns="urn:jboss:domain:core-management:1.0"/>
+        <subsystem xmlns="urn:jboss:domain:datasources:6.0">
+            <datasources>
+                <datasource jndi-name="java:jboss/datasources/ExampleDS" pool-name="ExampleDS" enabled="true" use-java-context="true" statistics-enabled="${wildfly.datasources.statistics-enabled:${wildfly.statistics-enabled:false}}">
+                    <connection-url>jdbc:h2:mem:test;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE</connection-url>
+                    <driver>h2</driver>
+                    <security>
+                        <user-name>sa</user-name>
+                        <password>sa</password>
+                    </security>
+                </datasource>
+                <datasource jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS" enabled="true" use-java-context="true" statistics-enabled="${wildfly.datasources.statistics-enabled:${wildfly.statistics-enabled:false}}">
+{% if keycloak_jdbc[keycloak_jdbc_engine].enabled %}
+                    <connection-url>{{ keycloak_jdbc[keycloak_jdbc_engine].connection_url }}</connection-url>
+                    <driver>{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_name }}</driver>
+                    <pool>
+                       <max-pool-size>20</max-pool-size>
+                    </pool>
+                    <security>
+                        <user-name>{{ keycloak_jdbc[keycloak_jdbc_engine].db_user }}</user-name>
+                        <password>{{ keycloak_jdbc[keycloak_jdbc_engine].db_password }}</password>
+                    </security>
+{% else %}
+                    <connection-url>jdbc:h2:${jboss.server.data.dir}/keycloak;AUTO_SERVER=TRUE</connection-url>
+                    <driver>h2</driver>
+                    <security>
+                        <user-name>sa</user-name>
+                        <password>sa</password>
+                    </security>
+{% endif %}
+                </datasource>
+                <drivers>
+{% if keycloak_jdbc[keycloak_jdbc_engine].enabled %}
+                    <driver name="{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_name }}" module="{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_name }}">
+                        <driver-class>{{ keycloak_jdbc[keycloak_jdbc_engine].driver_class }}</driver-class>
+                        <xa-datasource-class>{{ keycloak_jdbc[keycloak_jdbc_engine].xa_datasource_class }}</xa-datasource-class>
+                    </driver>
+{% endif %}
+                    <driver name="h2" module="com.h2database.h2">
+                        <xa-datasource-class>org.h2.jdbcx.JdbcDataSource</xa-datasource-class>
+                    </driver>
+                </drivers>
+            </datasources>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:deployment-scanner:2.0">
+            <deployment-scanner path="deployments" relative-to="jboss.server.base.dir" scan-interval="5000" runtime-failure-causes-rollback="${jboss.deployment.scanner.rollback.on.failure:false}"/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:ee:6.0">
+            <spec-descriptor-property-replacement>false</spec-descriptor-property-replacement>
+            <concurrent>
+                <context-services>
+                    <context-service name="default" jndi-name="java:jboss/ee/concurrency/context/default" use-transaction-setup-provider="true"/>
+                </context-services>
+                <managed-thread-factories>
+                    <managed-thread-factory name="default" jndi-name="java:jboss/ee/concurrency/factory/default" context-service="default"/>
+                </managed-thread-factories>
+                <managed-executor-services>
+                    <managed-executor-service name="default" jndi-name="java:jboss/ee/concurrency/executor/default" context-service="default" hung-task-termination-period="0" hung-task-threshold="60000" keepalive-time="5000"/>
+                </managed-executor-services>
+                <managed-scheduled-executor-services>
+                    <managed-scheduled-executor-service name="default" jndi-name="java:jboss/ee/concurrency/scheduler/default" context-service="default" hung-task-termination-period="0" hung-task-threshold="60000" keepalive-time="3000"/>
+                </managed-scheduled-executor-services>
+            </concurrent>
+            <default-bindings context-service="java:jboss/ee/concurrency/context/default" datasource="java:jboss/datasources/ExampleDS" managed-executor-service="java:jboss/ee/concurrency/executor/default" managed-scheduled-executor-service="java:jboss/ee/concurrency/scheduler/default" managed-thread-factory="java:jboss/ee/concurrency/factory/default"/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:ejb3:9.0">
+             <session-bean>
+                <stateless>
+                    <bean-instance-pool-ref pool-name="slsb-strict-max-pool"/>
+                </stateless>
+                <stateful default-access-timeout="5000" cache-ref="distributable" passivation-disabled-cache-ref="simple"/>
+                <singleton default-access-timeout="5000"/>
+            </session-bean>
+            <pools>
+                <bean-instance-pools>
+                    <strict-max-pool name="mdb-strict-max-pool" derive-size="from-cpu-count" instance-acquisition-timeout="5" instance-acquisition-timeout-unit="MINUTES"/>
+                    <strict-max-pool name="slsb-strict-max-pool" derive-size="from-worker-pools" instance-acquisition-timeout="5" instance-acquisition-timeout-unit="MINUTES"/>
+                </bean-instance-pools>
+            </pools>
+            <caches>
+                <cache name="simple"/>
+                <cache name="distributable" passivation-store-ref="infinispan" aliases="passivating clustered"/>
+            </caches>
+            <passivation-stores>
+                <passivation-store name="infinispan" cache-container="ejb" max-size="10000"/>
+            </passivation-stores>
+            <async thread-pool-name="default"/>
+            <timer-service thread-pool-name="default" default-data-store="default-file-store">
+                <data-stores>
+                    <file-data-store name="default-file-store" path="timer-service-data" relative-to="jboss.server.data.dir"/>
+                </data-stores>
+            </timer-service>
+            <remote cluster="ejb" connectors="http-remoting-connector" thread-pool-name="default">
+                <channel-creation-options>
+                    <option name="MAX_OUTBOUND_MESSAGES" value="1234" type="remoting"/>
+                </channel-creation-options>
+            </remote>
+            <thread-pools>
+                <thread-pool name="default">
+                    <max-threads count="10"/>
+                    <keepalive-time time="60" unit="seconds"/>
+                </thread-pool>
+            </thread-pools>
+            <default-security-domain value="other"/>
+            <default-missing-method-permissions-deny-access value="true"/>
+            <statistics enabled="${wildfly.ejb3.statistics-enabled:${wildfly.statistics-enabled:false}}"/>
+            <log-system-exceptions value="true"/>
+        </subsystem>
+        <subsystem xmlns="urn:wildfly:elytron:13.0" final-providers="combined-providers" disallowed-providers="OracleUcrypto">
+            <providers>
+                <aggregate-providers name="combined-providers">
+                    <providers name="elytron"/>
+                    <providers name="openssl"/>
+                </aggregate-providers>
+                <provider-loader name="elytron" module="org.wildfly.security.elytron"/>
+                <provider-loader name="openssl" module="org.wildfly.openssl"/>
+            </providers>
+            <audit-logging>
+                <file-audit-log name="local-audit" path="audit.log" relative-to="jboss.server.log.dir" format="JSON"/>
+            </audit-logging>
+            <security-domains>
+                <security-domain name="ApplicationDomain" default-realm="ApplicationRealm" permission-mapper="default-permission-mapper">
+                    <realm name="ApplicationRealm" role-decoder="groups-to-roles"/>
+                    <realm name="local"/>
+                </security-domain>
+                <security-domain name="ManagementDomain" default-realm="ManagementRealm" permission-mapper="default-permission-mapper">
+                    <realm name="ManagementRealm" role-decoder="groups-to-roles"/>
+                    <realm name="local" role-mapper="super-user-mapper"/>
+                </security-domain>
+            </security-domains>
+            <security-realms>
+                <identity-realm name="local" identity="$local"/>
+                <properties-realm name="ApplicationRealm">
+                    <users-properties path="application-users.properties" relative-to="jboss.server.config.dir" digest-realm-name="ApplicationRealm"/>
+                    <groups-properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
+                </properties-realm>
+                <properties-realm name="ManagementRealm">
+                    <users-properties path="mgmt-users.properties" relative-to="jboss.server.config.dir" digest-realm-name="ManagementRealm"/>
+                    <groups-properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
+                </properties-realm>
+            </security-realms>
+            <mappers>
+                <simple-permission-mapper name="default-permission-mapper" mapping-mode="first">
+                    <permission-mapping>
+                        <principal name="anonymous"/>
+                        <permission-set name="default-permissions"/>
+                    </permission-mapping>
+                    <permission-mapping match-all="true">
+                        <permission-set name="login-permission"/>
+                        <permission-set name="default-permissions"/>
+                    </permission-mapping>
+                </simple-permission-mapper>
+                <constant-realm-mapper name="local" realm-name="local"/>
+                <simple-role-decoder name="groups-to-roles" attribute="groups"/>
+                <constant-role-mapper name="super-user-mapper">
+                    <role name="SuperUser"/>
+                </constant-role-mapper>
+            </mappers>
+            <permission-sets>
+                <permission-set name="login-permission">
+                    <permission class-name="org.wildfly.security.auth.permission.LoginPermission"/>
+                </permission-set>
+                <permission-set name="default-permissions">
+                    <permission class-name="org.wildfly.extension.batch.jberet.deployment.BatchPermission" module="org.wildfly.extension.batch.jberet" target-name="*"/>
+                    <permission class-name="org.wildfly.transaction.client.RemoteTransactionPermission" module="org.wildfly.transaction.client"/>
+                    <permission class-name="org.jboss.ejb.client.RemoteEJBPermission" module="org.jboss.ejb-client"/>
+                    <permission class-name="org.jboss.ejb.client.RemoteEJBPermission" module="org.jboss.ejb-client"/>
+                </permission-set>
+            </permission-sets>
+            <http>
+                <http-authentication-factory name="management-http-authentication" security-domain="ManagementDomain" http-server-mechanism-factory="global">
+                    <mechanism-configuration>
+                        <mechanism mechanism-name="DIGEST">
+                            <mechanism-realm realm-name="ManagementRealm"/>
+                        </mechanism>
+                    </mechanism-configuration>
+                </http-authentication-factory>
+                <provider-http-server-mechanism-factory name="global"/>
+            </http>
+            <sasl>
+                <sasl-authentication-factory name="application-sasl-authentication" sasl-server-factory="configured" security-domain="ApplicationDomain">
+                    <mechanism-configuration>
+                        <mechanism mechanism-name="JBOSS-LOCAL-USER" realm-mapper="local"/>
+                        <mechanism mechanism-name="DIGEST-MD5">
+                            <mechanism-realm realm-name="ApplicationRealm"/>
+                        </mechanism>
+                    </mechanism-configuration>
+                </sasl-authentication-factory>
+                <sasl-authentication-factory name="management-sasl-authentication" sasl-server-factory="configured" security-domain="ManagementDomain">
+                    <mechanism-configuration>
+                        <mechanism mechanism-name="JBOSS-LOCAL-USER" realm-mapper="local"/>
+                        <mechanism mechanism-name="DIGEST-MD5">
+                            <mechanism-realm realm-name="ManagementRealm"/>
+                        </mechanism>
+                    </mechanism-configuration>
+                </sasl-authentication-factory>
+                <configurable-sasl-server-factory name="configured" sasl-server-factory="elytron">
+                    <properties>
+                        <property name="wildfly.sasl.local-user.default-user" value="$local"/>
+                    </properties>
+                </configurable-sasl-server-factory>
+                <mechanism-provider-filtering-sasl-server-factory name="elytron" sasl-server-factory="global">
+                    <filters>
+                        <filter provider-name="WildFlyElytron"/>
+                    </filters>
+                </mechanism-provider-filtering-sasl-server-factory>
+                <provider-sasl-server-factory name="global"/>
+            </sasl>
+            <tls>
+                <key-stores>
+                    <key-store name="applicationKS">
+                        <credential-reference clear-text="password"/>
+                        <implementation type="JKS"/>
+                        <file path="application.keystore" relative-to="jboss.server.config.dir"/>
+                    </key-store>
+                </key-stores>
+                <key-managers>
+                    <key-manager name="applicationKM" key-store="applicationKS" generate-self-signed-certificate-host="localhost">
+                        <credential-reference clear-text="password"/>
+                    </key-manager>
+                </key-managers>
+                <server-ssl-contexts>
+                    <server-ssl-context name="applicationSSC" key-manager="applicationKM"/>
+                </server-ssl-contexts>
+            </tls>
+        </subsystem>
+        <subsystem xmlns="urn:wildfly:health:1.0" security-enabled="false"/>
+        <subsystem xmlns="urn:jboss:domain:infinispan:12.0">
+            <cache-container name="ejb" default-cache="dist" aliases="sfsb" modules="org.wildfly.clustering.ejb.infinispan">
+                <transport lock-timeout="60000"/>
+                <distributed-cache name="dist">
+                    <locking isolation="REPEATABLE_READ"/>
+                    <transaction mode="BATCH"/>
+                    <file-store/>
+                </distributed-cache>
+            </cache-container>
+            <cache-container name="keycloak" modules="org.keycloak.keycloak-model-infinispan">
+                <transport lock-timeout="60000"/>
+                <local-cache name="realms">
+                    <heap-memory size="10000"/>
+                </local-cache>
+                <local-cache name="users">
+                    <heap-memory size="10000"/>
+                </local-cache>
+{% for cachename in [ "sessions", "offlineSessions", "clientSessions", "offlineClientSessions", "loginFailures", "actionTokens", "authenticationSessions" ] %}
+                <distributed-cache name="{{ cachename }}">
+                    <remote-store cache="{{ cachename }}"
+                                  remote-servers="remote-cache"
+                                  passivation="false"
+                                  fetch-state="false"
+                                  purge="false"
+                                  preload="false"
+                                  shared="true">
+                        <property name="rawValues">true</property>
+                        <property name="marshaller">org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory</property>
+                        <property name="remoteStoreSecurityEnabled">false</property>
+                        <property name="infinispan.client.hotrod.auth_username">{{ keycloak_remotecache.username }}</property>
+                        <property name="infinispan.client.hotrod.auth_password">{{ keycloak_remotecache.password }}</property>
+                        <property name="infinispan.client.hotrod.auth_realm">{{ keycloak_remotecache.realm | default('default') }}</property>
+                        <property name="infinispan.client.hotrod.auth_server_name">{{ keycloak_remotecache.server_name }}</property>
+                        <property name="infinispan.client.hotrod.sasl_mechanism">{{ keycloak_remotecache.sasl_mechanism }}</property>
+                        <property name="infinispan.client.hotrod.use_ssl">{{ keycloak_remotecache.use_ssl }}</property>
+                        <property name="infinispan.client.hotrod.trust_store_file_name">{{ keycloak_remotecache.trust_store_path }}</property>
+                        <property name="infinispan.client.hotrod.trust_store_type">JKS</property>
+                        <property name="infinispan.client.hotrod.trust_store_password">{{ keycloak_remotecache.trust_store_password }}</property>
+                        <property name="infinispan.client.hotrod.client_intelligence">TOPOLOGY_AWARE</property>
+                    </remote-store>
+                </distributed-cache>
+{% endfor %}
+                <replicated-cache name="work">
+                    <remote-store cache="work"
+                                  remote-servers="remote-cache"
+                                  passivation="false"
+                                  fetch-state="false"
+                                  purge="false"
+                                  preload="false"
+                                  shared="true">
+                        <property name="rawValues">true</property>
+                        <property name="marshaller">org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory</property>
+                        <property name="remoteStoreSecurityEnabled">false</property>
+                        <property name="infinispan.client.hotrod.auth_username">{{ keycloak_remotecache.username }}</property>
+                        <property name="infinispan.client.hotrod.auth_password">{{ keycloak_remotecache.password }}</property>
+                        <property name="infinispan.client.hotrod.auth_realm">{{ keycloak_remotecache.realm | default('default') }}</property>
+                        <property name="infinispan.client.hotrod.auth_server_name">{{ keycloak_remotecache.server_name }}</property>
+                        <property name="infinispan.client.hotrod.sasl_mechanism">{{ keycloak_remotecache.sasl_mechanism }}</property>
+                        <property name="infinispan.client.hotrod.use_ssl">{{ keycloak_remotecache.use_ssl }}</property>
+                        <property name="infinispan.client.hotrod.trust_store_file_name">{{ keycloak_remotecache.trust_store_path }}</property>
+                        <property name="infinispan.client.hotrod.trust_store_type">JKS</property>
+                        <property name="infinispan.client.hotrod.trust_store_password">{{ keycloak_remotecache.trust_store_password }}</property>
+                        <property name="infinispan.client.hotrod.client_intelligence">TOPOLOGY_AWARE</property>
+                    </remote-store>
+                </replicated-cache>
+                <local-cache name="authorization">
+                    <heap-memory size="10000"/>
+                </local-cache>
+                <local-cache name="keys">
+                    <heap-memory size="1000"/>
+                    <expiration max-idle="3600000"/>
+                </local-cache>
+            </cache-container>
+            <cache-container name="server" default-cache="default" aliases="singleton cluster" modules="org.wildfly.clustering.server">
+                <transport lock-timeout="60000"/>
+                <replicated-cache name="default">
+                    <transaction mode="BATCH"/>
+                </replicated-cache>
+            </cache-container>
+            <cache-container name="web" default-cache="dist" modules="org.wildfly.clustering.web.infinispan">
+                <transport lock-timeout="60000"/>
+                <replicated-cache name="sso">
+                    <locking isolation="REPEATABLE_READ"/>
+                    <transaction mode="BATCH"/>
+                </replicated-cache>
+                <distributed-cache name="dist">
+                    <locking isolation="REPEATABLE_READ"/>
+                    <transaction mode="BATCH"/>
+                    <file-store/>
+                </distributed-cache>
+                <distributed-cache name="routing"/>
+            </cache-container>
+            <cache-container name="hibernate" modules="org.infinispan.hibernate-cache">
+                <transport lock-timeout="60000"/>
+                <local-cache name="local-query">
+                    <heap-memory size="10000"/>
+                    <expiration max-idle="100000"/>
+                </local-cache>
+                <invalidation-cache name="entity">
+                    <transaction mode="NON_XA"/>
+                    <heap-memory size="10000"/>
+                    <expiration max-idle="100000"/>
+                </invalidation-cache>
+                <replicated-cache name="timestamps"/>
+            </cache-container>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:io:3.0">
+            <worker name="default"/>
+            <buffer-pool name="default"/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:jaxrs:2.0"/>
+        <subsystem xmlns="urn:jboss:domain:jca:5.0">
+            <archive-validation enabled="true" fail-on-error="true" fail-on-warn="false"/>
+            <bean-validation enabled="true"/>
+            <default-workmanager>
+                <short-running-threads>
+                    <core-threads count="50"/>
+                    <queue-length count="50"/>
+                    <max-threads count="50"/>
+                    <keepalive-time time="10" unit="seconds"/>
+                </short-running-threads>
+                <long-running-threads>
+                    <core-threads count="50"/>
+                    <queue-length count="50"/>
+                    <max-threads count="50"/>
+                    <keepalive-time time="10" unit="seconds"/>
+                </long-running-threads>
+            </default-workmanager>
+            <cached-connection-manager/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:jgroups:8.0">
+            <channels default="ee">
+                <channel name="ee" stack="tcp" cluster="ejb"/>
+            </channels>
+            <stacks>
+                <stack name="tcp">
+                    <transport site="${jboss.node.name}" type="TCP" socket-binding="jgroups-tcp"/>
+{% if keycloak_jdbc[keycloak_jdbc_engine].enabled %}
+                    <protocol type="JDBC_PING">
+                        <property name="datasource_jndi_name">java:jboss/datasources/KeycloakDS</property>
+                        <property name="initialize_sql">{{ keycloak_jdbc[keycloak_jdbc_engine].initialize_db }}</property>
+                        <property name="insert_single_sql">INSERT INTO JGROUPSPING (own_addr, cluster_name, ping_data) values (?, ?, ?)</property>
+                        <property name="delete_single_sql">DELETE FROM JGROUPSPING WHERE own_addr=? AND cluster_name=?</property>
+                        <property name="select_all_pingdata_sql">SELECT ping_data FROM JGROUPSPING WHERE cluster_name=?</property>
+                    </protocol>
+{% endif %}
+                    <protocol type="MERGE3"/>
+                    <protocol type="FD_SOCK"/>
+                    <protocol type="FD_ALL"/>
+                    <protocol type="VERIFY_SUSPECT"/>
+                    <protocol type="pbcast.NAKACK2"/>
+                    <protocol type="UNICAST3"/>
+                    <protocol type="pbcast.STABLE"/>
+                    <protocol type="pbcast.GMS">
+                        <property name="join_timeout">30000</property>
+                    </protocol>
+                    <protocol type="MFC"/>
+                    <protocol type="FRAG2"/>
+                </stack>
+            </stacks>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:jmx:1.3">
+            <expose-resolved-model/>
+            <expose-expression-model/>
+            <remoting-connector/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:jpa:1.1">
+            <jpa default-extended-persistence-inheritance="DEEP"/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">
+            <web-context>auth</web-context>
+            <providers>
+                <provider>
+                    classpath:${jboss.home.dir}/providers/*
+                </provider>
+            </providers>
+            <master-realm-name>master</master-realm-name>
+            <scheduled-task-interval>900</scheduled-task-interval>
+            <theme>
+                <staticMaxAge>2592000</staticMaxAge>
+                <cacheThemes>true</cacheThemes>
+                <cacheTemplates>true</cacheTemplates>
+                <dir>${jboss.home.dir}/themes</dir>
+            </theme>
+{% if keycloak_ha_enabled %}
+            <spi name="dblock">
+                <provider name="jpa" enabled="true">
+                    <properties>
+                        <property name="lockWaitTimeout" value="900"/>
+                    </properties>
+                </provider>
+            </spi>
+{% endif %}
+            <spi name="eventsStore">
+                <provider name="jpa" enabled="true">
+                    <properties>
+                        <property name="exclude-events" value="[&quot;REFRESH_TOKEN&quot;]"/>
+                    </properties>
+                </provider>
+            </spi>
+            <spi name="userCache">
+                <provider name="default" enabled="true"/>
+            </spi>
+            <spi name="userSessionPersister">
+                <default-provider>jpa</default-provider>
+            </spi>
+            <spi name="timer">
+                <default-provider>basic</default-provider>
+            </spi>
+            <spi name="connectionsHttpClient">
+                <provider name="default" enabled="true"/>
+            </spi>
+            <spi name="connectionsJpa">
+                <provider name="default" enabled="true">
+                    <properties>
+                        <property name="dataSource" value="java:jboss/datasources/KeycloakDS"/>
+                        <property name="initializeEmpty" value="true"/>
+                        <property name="migrationStrategy" value="update"/>
+                        <property name="migrationExport" value="${jboss.home.dir}/keycloak-database-update.sql"/>
+                    </properties>
+                </provider>
+            </spi>
+            <spi name="realmCache">
+                <provider name="default" enabled="true"/>
+            </spi>
+            <spi name="connectionsInfinispan">
+                <default-provider>default</default-provider>
+                <provider name="default" enabled="true">
+                    <properties>
+                        <property name="cacheContainer" value="java:jboss/infinispan/container/keycloak"/>
+                    </properties>
+                </provider>
+            </spi>
+            <spi name="jta-lookup">
+                <default-provider>${keycloak.jta.lookup.provider:jboss}</default-provider>
+                <provider name="jboss" enabled="true"/>
+            </spi>
+            <spi name="publicKeyStorage">
+                <provider name="infinispan" enabled="true">
+                    <properties>
+                        <property name="minTimeBetweenRequests" value="10"/>
+                    </properties>
+                </provider>
+            </spi>
+            <spi name="x509cert-lookup">
+                <default-provider>${keycloak.x509cert.lookup.provider:default}</default-provider>
+                <provider name="default" enabled="true"/>
+            </spi>
+            <spi name="hostname">
+                <default-provider>default</default-provider>
+                <provider name="default" enabled="true">
+                    <properties>
+                        <property name="frontendUrl" value="{{ keycloak_modcluster.frontend_url }}"/>
+                        <property name="forceBackendUrlToFrontendUrl" value="true"/>
+                    </properties>
+                </provider>
+            </spi>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:mail:4.0">
+            <mail-session name="default" jndi-name="java:jboss/mail/Default">
+                <smtp-server outbound-socket-binding-ref="mail-smtp"/>
+            </mail-session>
+        </subsystem>
+        <subsystem xmlns="urn:wildfly:metrics:1.0" security-enabled="false" exposed-subsystems="*" prefix="${wildfly.metrics.prefix:jboss}"/>
+{% if keycloak_modcluster.enabled %}
+        <subsystem xmlns="urn:jboss:domain:modcluster:5.0">
+            <proxy name="default" advertise="false" listener="ajp" proxies="proxy1">
+                <dynamic-load-provider>
+                    <load-metric type="cpu"/>
+                </dynamic-load-provider>
+            </proxy>
+        </subsystem>
+{% endif %}
+        <subsystem xmlns="urn:jboss:domain:naming:2.0">
+            <remote-naming/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:remoting:4.0">
+            <http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm"/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:request-controller:1.0"/>
+        <subsystem xmlns="urn:jboss:domain:security:2.0">
+            <security-domains>
+                <security-domain name="other" cache-type="default">
+                    <authentication>
+                        <login-module code="Remoting" flag="optional">
+                            <module-option name="password-stacking" value="useFirstPass"/>
+                        </login-module>
+                        <login-module code="RealmDirect" flag="required">
+                            <module-option name="password-stacking" value="useFirstPass"/>
+                        </login-module>
+                    </authentication>
+                </security-domain>
+                <security-domain name="jboss-web-policy" cache-type="default">
+                    <authorization>
+                        <policy-module code="Delegating" flag="required"/>
+                    </authorization>
+                </security-domain>
+                <security-domain name="jaspitest" cache-type="default">
+                    <authentication-jaspi>
+                        <login-module-stack name="dummy">
+                            <login-module code="Dummy" flag="optional"/>
+                        </login-module-stack>
+                        <auth-module code="Dummy"/>
+                    </authentication-jaspi>
+                </security-domain>
+                <security-domain name="jboss-ejb-policy" cache-type="default">
+                    <authorization>
+                        <policy-module code="Delegating" flag="required"/>
+                    </authorization>
+                </security-domain>
+            </security-domains>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:security-manager:1.0">
+            <deployment-permissions>
+                <maximum-set>
+                    <permission class="java.security.AllPermission"/>
+                </maximum-set>
+            </deployment-permissions>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:transactions:6.0">
+            <core-environment node-identifier="{{ inventory_hostname | default('${jboss.tx.node.id:1}') }}">
+                <process-id>
+                    <uuid/>
+                </process-id>
+            </core-environment>
+            <recovery-environment socket-binding="txn-recovery-environment" status-socket-binding="txn-status-manager"/>
+            <coordinator-environment statistics-enabled="${wildfly.transactions.statistics-enabled:${wildfly.statistics-enabled:false}}"/>
+            <object-store path="tx-object-store" relative-to="jboss.server.data.dir"/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:undertow:12.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
+            <buffer-cache name="default"/>
+            <server name="default-server">
+                <ajp-listener name="ajp" socket-binding="ajp"/>
+                <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true" proxy-address-forwarding="true"/>
+                <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
+                <host name="default-host" alias="localhost">
+                    <location name="/" handler="welcome-content"/>
+                    <http-invoker security-realm="ApplicationRealm"/>
+                    <filter-ref name="proxy-peer"/>
+                </host>
+            </server>
+            <servlet-container name="default">
+                <jsp-config/>
+                <websockets/>
+            </servlet-container>
+            <handlers>
+                <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
+            </handlers>
+            <filters>
+                <filter name="proxy-peer" module="io.undertow.core"
+                        class-name="io.undertow.server.handlers.ProxyPeerAddressHandler"/>
+            </filters>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:weld:4.0"/>
+    </profile>
+    <interfaces>
+        <interface name="management">
+            <inet-address value="{{ keycloak_management_port_bind_address }}"/>
+        </interface>
+        <interface name="jgroups">
+{% if ansible_default_ipv4 is defined %}
+            <subnet-match value="{{ (ansible_default_ipv4.network + '/' + ansible_default_ipv4.netmask) | ansible.utils.ipaddr('net') }}"/>
+{% else %}
+            <any-address />
+{% endif %}
+        </interface>
+        <interface name="public">
+            <inet-address value="{{ keycloak_bind_address }}"/>
+        </interface>
+    </interfaces>
+    <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:{{ keycloak_jboss_port_offset }}}">
+        <socket-binding name="ajp" port="{{ keycloak_ajp_port }}"/>
+        <socket-binding name="http" port="{{ keycloak_http_port }}"/>
+        <socket-binding name="https" port="{{ keycloak_https_port }}"/>
+        <socket-binding name="management-http" interface="management" port="{{ keycloak_management_http_port }}"/>
+        <socket-binding name="management-https" interface="management" port="{{ keycloak_management_https_port }}"/>
+        <socket-binding name="jgroups-tcp" interface="jgroups" port="{{ keycloak_jgroups_port }}"/>
+        <socket-binding name="txn-recovery-environment" port="4712"/>
+        <socket-binding name="txn-status-manager" port="4713"/>
+        <outbound-socket-binding name="mail-smtp">
+            <remote-destination host="${jboss.mail.server.host:localhost}" port="${jboss.mail.server.port:25}"/>
+        </outbound-socket-binding>
+{% if keycloak_modcluster.enabled %}
+        <outbound-socket-binding name="proxy1">
+            <remote-destination host="{{ keycloak_modcluster.reverse_proxy_url | default('localhost') }}" port="6666"/>
+        </outbound-socket-binding>
+{% endif %}
+        <outbound-socket-binding name="remote-cache">
+            <remote-destination host="{{ keycloak_remotecache.server_name | default('localhost') }}" port="${remote.cache.port:11222}"/>
+        </outbound-socket-binding>
+    </socket-binding-group>
+</server>
--- a/roles/keycloak/templates/15.0.8/standalone.xml.j2
+++ b/roles/keycloak/templates/15.0.8/standalone.xml.j2
@@ -0,0 +1,658 @@
+<?xml version='1.0' encoding='UTF-8'?>
+{{ ansible_managed | comment('xml') }}
+<server xmlns="urn:jboss:domain:16.0">
+    <extensions>
+        <extension module="org.jboss.as.clustering.infinispan"/>
+        <extension module="org.jboss.as.connector"/>
+        <extension module="org.jboss.as.deployment-scanner"/>
+        <extension module="org.jboss.as.ee"/>
+        <extension module="org.jboss.as.ejb3"/>
+        <extension module="org.jboss.as.jaxrs"/>
+        <extension module="org.jboss.as.jmx"/>
+        <extension module="org.jboss.as.jpa"/>
+        <extension module="org.jboss.as.logging"/>
+        <extension module="org.jboss.as.mail"/>
+        <extension module="org.jboss.as.modcluster"/>
+        <extension module="org.jboss.as.naming"/>
+        <extension module="org.jboss.as.remoting"/>
+        <extension module="org.jboss.as.security"/>
+        <extension module="org.jboss.as.transactions"/>
+        <extension module="org.jboss.as.weld"/>
+        <extension module="org.keycloak.keycloak-server-subsystem"/>
+        <extension module="org.wildfly.extension.bean-validation"/>
+        <extension module="org.wildfly.extension.core-management"/>
+        <extension module="org.wildfly.extension.elytron"/>
+        <extension module="org.wildfly.extension.health"/>
+        <extension module="org.wildfly.extension.io"/>
+        <extension module="org.wildfly.extension.metrics"/>
+        <extension module="org.wildfly.extension.request-controller"/>
+        <extension module="org.wildfly.extension.security.manager"/>
+        <extension module="org.wildfly.extension.undertow"/>
+    </extensions>
+    <management>
+        <security-realms>
+            <security-realm name="ManagementRealm">
+                <authentication>
+                    <local default-user="$local" skip-group-loading="true"/>
+                    <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
+                </authentication>
+                <authorization map-groups-to-roles="false">
+                    <properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
+                </authorization>
+            </security-realm>
+            <security-realm name="ApplicationRealm">
+                <server-identities>
+                    <ssl>
+                        <keystore path="application.keystore" relative-to="jboss.server.config.dir" keystore-password="password" alias="server" key-password="password" generate-self-signed-certificate-host="localhost"/>
+                    </ssl>
+                </server-identities>
+                <authentication>
+                    <local default-user="$local" allowed-users="*" skip-group-loading="true"/>
+                    <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
+                </authentication>
+                <authorization>
+                    <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
+                </authorization>
+            </security-realm>
+        </security-realms>
+        <audit-log>
+            <formatters>
+                <json-formatter name="json-formatter"/>
+            </formatters>
+            <handlers>
+                <file-handler name="file" formatter="json-formatter" path="audit-log.log" relative-to="jboss.server.data.dir"/>
+            </handlers>
+            <logger log-boot="true" log-read-only="false" enabled="false">
+                <handlers>
+                    <handler name="file"/>
+                </handlers>
+            </logger>
+        </audit-log>
+        <management-interfaces>
+            <http-interface security-realm="ManagementRealm">
+                <http-upgrade enabled="true"/>
+                <socket-binding http="management-http"/>
+            </http-interface>
+        </management-interfaces>
+        <access-control provider="simple">
+            <role-mapping>
+                <role name="SuperUser">
+                    <include>
+                        <user name="$local"/>
+                    </include>
+                </role>
+            </role-mapping>
+        </access-control>
+    </management>
+    <profile>
+        <subsystem xmlns="urn:jboss:domain:logging:8.0">
+            <console-handler name="CONSOLE">
+                <level name="INFO"/>
+                <formatter>
+                    <named-formatter name="COLOR-PATTERN"/>
+                </formatter>
+            </console-handler>
+            <periodic-rotating-file-handler name="FILE" autoflush="true">
+                <formatter>
+                    <named-formatter name="PATTERN"/>
+                </formatter>
+                <file relative-to="jboss.server.log.dir" path="server.log"/>
+                <suffix value=".yyyy-MM-dd"/>
+                <append value="true"/>
+            </periodic-rotating-file-handler>
+            <logger category="com.arjuna">
+                <level name="WARN"/>
+            </logger>
+            <logger category="io.jaegertracing.Configuration">
+                <level name="WARN"/>
+            </logger>
+            <logger category="org.jboss.as.config">
+                <level name="DEBUG"/>
+            </logger>
+            <logger category="sun.rmi">
+                <level name="WARN"/>
+            </logger>
+            <root-logger>
+                <level name="INFO"/>
+                <handlers>
+                    <handler name="CONSOLE"/>
+                    <handler name="FILE"/>
+                </handlers>
+            </root-logger>
+            <formatter name="PATTERN">
+                <pattern-formatter pattern="%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n"/>
+            </formatter>
+            <formatter name="COLOR-PATTERN">
+                <pattern-formatter pattern="%K{level}%d{HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n"/>
+            </formatter>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:bean-validation:1.0"/>
+        <subsystem xmlns="urn:jboss:domain:core-management:1.0"/>
+        <subsystem xmlns="urn:jboss:domain:datasources:6.0">
+            <datasources>
+                <datasource jndi-name="java:jboss/datasources/ExampleDS" pool-name="ExampleDS" enabled="true" use-java-context="true" statistics-enabled="${wildfly.datasources.statistics-enabled:${wildfly.statistics-enabled:false}}">
+                    <connection-url>jdbc:h2:mem:test;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE</connection-url>
+                    <driver>h2</driver>
+                    <security>
+                        <user-name>sa</user-name>
+                        <password>sa</password>
+                    </security>
+                </datasource>
+                <datasource jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS" enabled="true" use-java-context="true" statistics-enabled="${wildfly.datasources.statistics-enabled:${wildfly.statistics-enabled:false}}">
+{% if keycloak_jdbc[keycloak_jdbc_engine].enabled %}
+                    <connection-url>{{ keycloak_jdbc[keycloak_jdbc_engine].connection_url }}</connection-url>
+                    <driver>{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_name }}</driver>
+                    <pool>
+                       <max-pool-size>20</max-pool-size>
+                    </pool>
+                    <security>
+                        <user-name>{{ keycloak_jdbc[keycloak_jdbc_engine].db_user }}</user-name>
+                        <password>{{ keycloak_jdbc[keycloak_jdbc_engine].db_password }}</password>
+                    </security>
+{% else %}
+                    <connection-url>jdbc:h2:${jboss.server.data.dir}/keycloak;AUTO_SERVER=TRUE</connection-url>
+                    <driver>h2</driver>
+                    <security>
+                        <user-name>sa</user-name>
+                        <password>sa</password>
+                    </security>
+{% endif %}
+                </datasource>
+                <drivers>
+{% if keycloak_jdbc[keycloak_jdbc_engine].enabled %}
+                    <driver name="{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_name }}" module="{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_name }}">
+                        <driver-class>{{ keycloak_jdbc[keycloak_jdbc_engine].driver_class }}</driver-class>
+                        <xa-datasource-class>{{ keycloak_jdbc[keycloak_jdbc_engine].xa_datasource_class }}</xa-datasource-class>
+                    </driver>
+{% endif %}
+                    <driver name="h2" module="com.h2database.h2">
+                        <xa-datasource-class>org.h2.jdbcx.JdbcDataSource</xa-datasource-class>
+                    </driver>
+                </drivers>
+            </datasources>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:deployment-scanner:2.0">
+            <deployment-scanner path="deployments" relative-to="jboss.server.base.dir" scan-interval="5000" runtime-failure-causes-rollback="${jboss.deployment.scanner.rollback.on.failure:false}"/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:ee:6.0">
+            <spec-descriptor-property-replacement>false</spec-descriptor-property-replacement>
+            <concurrent>
+                <context-services>
+                    <context-service name="default" jndi-name="java:jboss/ee/concurrency/context/default" use-transaction-setup-provider="true"/>
+                </context-services>
+                <managed-thread-factories>
+                    <managed-thread-factory name="default" jndi-name="java:jboss/ee/concurrency/factory/default" context-service="default"/>
+                </managed-thread-factories>
+                <managed-executor-services>
+                    <managed-executor-service name="default" jndi-name="java:jboss/ee/concurrency/executor/default" context-service="default" hung-task-termination-period="0" hung-task-threshold="60000" keepalive-time="5000"/>
+                </managed-executor-services>
+                <managed-scheduled-executor-services>
+                    <managed-scheduled-executor-service name="default" jndi-name="java:jboss/ee/concurrency/scheduler/default" context-service="default" hung-task-termination-period="0" hung-task-threshold="60000" keepalive-time="3000"/>
+                </managed-scheduled-executor-services>
+            </concurrent>
+            <default-bindings context-service="java:jboss/ee/concurrency/context/default" datasource="java:jboss/datasources/ExampleDS" managed-executor-service="java:jboss/ee/concurrency/executor/default" managed-scheduled-executor-service="java:jboss/ee/concurrency/scheduler/default" managed-thread-factory="java:jboss/ee/concurrency/factory/default"/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:ejb3:9.0">
+            <session-bean>
+                <stateless>
+                    <bean-instance-pool-ref pool-name="slsb-strict-max-pool"/>
+                </stateless>
+                <stateful default-access-timeout="5000" cache-ref="simple" passivation-disabled-cache-ref="simple"/>
+                <singleton default-access-timeout="5000"/>
+            </session-bean>
+            <pools>
+                <bean-instance-pools>
+                    <strict-max-pool name="mdb-strict-max-pool" derive-size="from-cpu-count" instance-acquisition-timeout="5" instance-acquisition-timeout-unit="MINUTES"/>
+                    <strict-max-pool name="slsb-strict-max-pool" derive-size="from-worker-pools" instance-acquisition-timeout="5" instance-acquisition-timeout-unit="MINUTES"/>
+                </bean-instance-pools>
+            </pools>
+            <caches>
+                <cache name="simple"/>
+                <cache name="distributable" passivation-store-ref="infinispan" aliases="passivating clustered"/>
+            </caches>
+            <passivation-stores>
+                <passivation-store name="infinispan" cache-container="ejb" max-size="10000"/>
+            </passivation-stores>
+            <async thread-pool-name="default"/>
+            <timer-service thread-pool-name="default" default-data-store="default-file-store">
+                <data-stores>
+                    <file-data-store name="default-file-store" path="timer-service-data" relative-to="jboss.server.data.dir"/>
+                </data-stores>
+            </timer-service>
+            <remote cluster="ejb" connectors="http-remoting-connector" thread-pool-name="default">
+                <channel-creation-options>
+                    <option name="MAX_OUTBOUND_MESSAGES" value="1234" type="remoting"/>
+                </channel-creation-options>
+            </remote>
+            <thread-pools>
+                <thread-pool name="default">
+                    <max-threads count="10"/>
+                    <keepalive-time time="60" unit="seconds"/>
+                </thread-pool>
+            </thread-pools>
+            <default-security-domain value="other"/>
+            <default-missing-method-permissions-deny-access value="true"/>
+            <statistics enabled="${wildfly.ejb3.statistics-enabled:${wildfly.statistics-enabled:false}}"/>
+            <log-system-exceptions value="true"/>
+        </subsystem>
+        <subsystem xmlns="urn:wildfly:elytron:13.0" final-providers="combined-providers" disallowed-providers="OracleUcrypto">
+            <providers>
+                <aggregate-providers name="combined-providers">
+                    <providers name="elytron"/>
+                    <providers name="openssl"/>
+                </aggregate-providers>
+                <provider-loader name="elytron" module="org.wildfly.security.elytron"/>
+                <provider-loader name="openssl" module="org.wildfly.openssl"/>
+            </providers>
+            <audit-logging>
+                <file-audit-log name="local-audit" path="audit.log" relative-to="jboss.server.log.dir" format="JSON"/>
+            </audit-logging>
+            <security-domains>
+                <security-domain name="ApplicationDomain" default-realm="ApplicationRealm" permission-mapper="default-permission-mapper">
+                    <realm name="ApplicationRealm" role-decoder="groups-to-roles"/>
+                    <realm name="local"/>
+                </security-domain>
+                <security-domain name="ManagementDomain" default-realm="ManagementRealm" permission-mapper="default-permission-mapper">
+                    <realm name="ManagementRealm" role-decoder="groups-to-roles"/>
+                    <realm name="local" role-mapper="super-user-mapper"/>
+                </security-domain>
+            </security-domains>
+            <security-realms>
+                <identity-realm name="local" identity="$local"/>
+                <properties-realm name="ApplicationRealm">
+                    <users-properties path="application-users.properties" relative-to="jboss.server.config.dir" digest-realm-name="ApplicationRealm"/>
+                    <groups-properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
+                </properties-realm>
+                <properties-realm name="ManagementRealm">
+                    <users-properties path="mgmt-users.properties" relative-to="jboss.server.config.dir" digest-realm-name="ManagementRealm"/>
+                    <groups-properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
+                </properties-realm>
+            </security-realms>
+            <mappers>
+                <simple-permission-mapper name="default-permission-mapper" mapping-mode="first">
+                    <permission-mapping>
+                        <principal name="anonymous"/>
+                        <permission-set name="default-permissions"/>
+                    </permission-mapping>
+                    <permission-mapping match-all="true">
+                        <permission-set name="login-permission"/>
+                        <permission-set name="default-permissions"/>
+                    </permission-mapping>
+                </simple-permission-mapper>
+                <constant-realm-mapper name="local" realm-name="local"/>
+                <simple-role-decoder name="groups-to-roles" attribute="groups"/>
+                <constant-role-mapper name="super-user-mapper">
+                    <role name="SuperUser"/>
+                </constant-role-mapper>
+            </mappers>
+            <permission-sets>
+                <permission-set name="login-permission">
+                    <permission class-name="org.wildfly.security.auth.permission.LoginPermission"/>
+                </permission-set>
+                <permission-set name="default-permissions">
+                    <permission class-name="org.wildfly.extension.batch.jberet.deployment.BatchPermission" module="org.wildfly.extension.batch.jberet" target-name="*"/>
+                    <permission class-name="org.wildfly.transaction.client.RemoteTransactionPermission" module="org.wildfly.transaction.client"/>
+                    <permission class-name="org.jboss.ejb.client.RemoteEJBPermission" module="org.jboss.ejb-client"/>
+                    <permission class-name="org.jboss.ejb.client.RemoteEJBPermission" module="org.jboss.ejb-client"/>
+                </permission-set>
+            </permission-sets>
+            <http>
+                <http-authentication-factory name="management-http-authentication" security-domain="ManagementDomain" http-server-mechanism-factory="global">
+                    <mechanism-configuration>
+                        <mechanism mechanism-name="DIGEST">
+                            <mechanism-realm realm-name="ManagementRealm"/>
+                        </mechanism>
+                    </mechanism-configuration>
+                </http-authentication-factory>
+                <provider-http-server-mechanism-factory name="global"/>
+            </http>
+            <sasl>
+                <sasl-authentication-factory name="application-sasl-authentication" sasl-server-factory="configured" security-domain="ApplicationDomain">
+                    <mechanism-configuration>
+                        <mechanism mechanism-name="JBOSS-LOCAL-USER" realm-mapper="local"/>
+                        <mechanism mechanism-name="DIGEST-MD5">
+                            <mechanism-realm realm-name="ApplicationRealm"/>
+                        </mechanism>
+                    </mechanism-configuration>
+                </sasl-authentication-factory>
+                <sasl-authentication-factory name="management-sasl-authentication" sasl-server-factory="configured" security-domain="ManagementDomain">
+                    <mechanism-configuration>
+                        <mechanism mechanism-name="JBOSS-LOCAL-USER" realm-mapper="local"/>
+                        <mechanism mechanism-name="DIGEST-MD5">
+                            <mechanism-realm realm-name="ManagementRealm"/>
+                        </mechanism>
+                    </mechanism-configuration>
+                </sasl-authentication-factory>
+                <configurable-sasl-server-factory name="configured" sasl-server-factory="elytron">
+                    <properties>
+                        <property name="wildfly.sasl.local-user.default-user" value="$local"/>
+                    </properties>
+                </configurable-sasl-server-factory>
+                <mechanism-provider-filtering-sasl-server-factory name="elytron" sasl-server-factory="global">
+                    <filters>
+                        <filter provider-name="WildFlyElytron"/>
+                    </filters>
+                </mechanism-provider-filtering-sasl-server-factory>
+                <provider-sasl-server-factory name="global"/>
+            </sasl>
+            <tls>
+                <key-stores>
+                    <key-store name="applicationKS">
+                        <credential-reference clear-text="password"/>
+                        <implementation type="JKS"/>
+                        <file path="application.keystore" relative-to="jboss.server.config.dir"/>
+                    </key-store>
+                </key-stores>
+                <key-managers>
+                    <key-manager name="applicationKM" key-store="applicationKS" generate-self-signed-certificate-host="localhost">
+                        <credential-reference clear-text="password"/>
+                    </key-manager>
+                </key-managers>
+                <server-ssl-contexts>
+                    <server-ssl-context name="applicationSSC" key-manager="applicationKM"/>
+                </server-ssl-contexts>
+            </tls>
+        </subsystem>
+        <subsystem xmlns="urn:wildfly:health:1.0" security-enabled="false"/>
+        <subsystem xmlns="urn:jboss:domain:infinispan:12.0">
+            <cache-container name="ejb" default-cache="passivation" aliases="sfsb" modules="org.wildfly.clustering.ejb.infinispan">
+                <local-cache name="passivation">
+                    <locking isolation="REPEATABLE_READ"/>
+                    <transaction mode="BATCH"/>
+                    <file-store passivation="true" purge="false"/>
+                </local-cache>
+            </cache-container>
+            <cache-container name="keycloak" modules="org.keycloak.keycloak-model-infinispan">
+                <local-cache name="realms">
+                    <heap-memory size="10000"/>
+                </local-cache>
+                <local-cache name="users">
+                    <heap-memory size="10000"/>
+                </local-cache>
+                <local-cache name="sessions"/>
+                <local-cache name="authenticationSessions"/>
+                <local-cache name="offlineSessions"/>
+                <local-cache name="clientSessions"/>
+                <local-cache name="offlineClientSessions"/>
+                <local-cache name="loginFailures"/>
+                <local-cache name="work"/>
+                <local-cache name="authorization">
+                    <heap-memory size="10000"/>
+                </local-cache>
+                <local-cache name="keys">
+                    <heap-memory size="1000"/>
+                    <expiration max-idle="3600000"/>
+                </local-cache>
+                <local-cache name="actionTokens">
+                    <heap-memory size="-1"/>
+                    <expiration interval="300000" max-idle="-1"/>
+                </local-cache>
+            </cache-container>
+            <cache-container name="server" default-cache="default" modules="org.wildfly.clustering.server">
+                <local-cache name="default">
+                    <transaction mode="BATCH"/>
+                </local-cache>
+            </cache-container>
+            <cache-container name="web" default-cache="passivation" modules="org.wildfly.clustering.web.infinispan">
+                <local-cache name="passivation">
+                    <locking isolation="REPEATABLE_READ"/>
+                    <transaction mode="BATCH"/>
+                    <file-store passivation="true" purge="false"/>
+                </local-cache>
+                <local-cache name="sso">
+                    <locking isolation="REPEATABLE_READ"/>
+                    <transaction mode="BATCH"/>
+                </local-cache>
+                <local-cache name="routing"/>
+            </cache-container>
+            <cache-container name="hibernate" modules="org.infinispan.hibernate-cache">
+                <local-cache name="entity">
+                    <heap-memory size="10000"/>
+                    <expiration max-idle="100000"/>
+                </local-cache>
+                <local-cache name="local-query">
+                    <heap-memory size="10000"/>
+                    <expiration max-idle="100000"/>
+                </local-cache>
+                <local-cache name="timestamps"/>
+            </cache-container>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:io:3.0">
+            <worker name="default"/>
+            <buffer-pool name="default"/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:jaxrs:2.0"/>
+        <subsystem xmlns="urn:jboss:domain:jca:5.0">
+            <archive-validation enabled="true" fail-on-error="true" fail-on-warn="false"/>
+            <bean-validation enabled="true"/>
+            <default-workmanager>
+                <short-running-threads>
+                    <core-threads count="50"/>
+                    <queue-length count="50"/>
+                    <max-threads count="50"/>
+                    <keepalive-time time="10" unit="seconds"/>
+                </short-running-threads>
+                <long-running-threads>
+                    <core-threads count="50"/>
+                    <queue-length count="50"/>
+                    <max-threads count="50"/>
+                    <keepalive-time time="10" unit="seconds"/>
+                </long-running-threads>
+            </default-workmanager>
+            <cached-connection-manager/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:jmx:1.3">
+            <expose-resolved-model/>
+            <expose-expression-model/>
+            <remoting-connector/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:jpa:1.1">
+            <jpa default-extended-persistence-inheritance="DEEP"/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">
+            <web-context>auth</web-context>
+            <providers>
+                <provider>
+                    classpath:${jboss.home.dir}/providers/*
+                </provider>
+            </providers>
+            <master-realm-name>master</master-realm-name>
+            <scheduled-task-interval>900</scheduled-task-interval>
+            <theme>
+                <staticMaxAge>2592000</staticMaxAge>
+                <cacheThemes>true</cacheThemes>
+                <cacheTemplates>true</cacheTemplates>
+                <dir>${jboss.home.dir}/themes</dir>
+            </theme>
+{% if keycloak_ha_enabled %}
+            <spi name="dblock">
+                <provider name="jpa" enabled="true">
+                    <properties>
+                        <property name="lockWaitTimeout" value="900"/>
+                    </properties>
+                </provider>
+            </spi>
+{% endif %}
+            <spi name="eventsStore">
+                <provider name="jpa" enabled="true">
+                    <properties>
+                        <property name="exclude-events" value="[&quot;REFRESH_TOKEN&quot;]"/>
+                    </properties>
+                </provider>
+            </spi>
+            <spi name="userCache">
+                <provider name="default" enabled="true"/>
+            </spi>
+            <spi name="userSessionPersister">
+                <default-provider>jpa</default-provider>
+            </spi>
+            <spi name="timer">
+                <default-provider>basic</default-provider>
+            </spi>
+            <spi name="connectionsHttpClient">
+                <provider name="default" enabled="true"/>
+            </spi>
+            <spi name="connectionsJpa">
+                <provider name="default" enabled="true">
+                    <properties>
+                        <property name="dataSource" value="java:jboss/datasources/KeycloakDS"/>
+                        <property name="initializeEmpty" value="true"/>
+                        <property name="migrationStrategy" value="update"/>
+                        <property name="migrationExport" value="${jboss.home.dir}/keycloak-database-update.sql"/>
+                    </properties>
+                </provider>
+            </spi>
+            <spi name="realmCache">
+                <provider name="default" enabled="true"/>
+            </spi>
+            <spi name="connectionsInfinispan">
+                <default-provider>default</default-provider>
+                <provider name="default" enabled="true">
+                    <properties>
+                        <property name="cacheContainer" value="java:jboss/infinispan/container/keycloak"/>
+                    </properties>
+                </provider>
+            </spi>
+            <spi name="jta-lookup">
+                <default-provider>${keycloak.jta.lookup.provider:jboss}</default-provider>
+                <provider name="jboss" enabled="true"/>
+            </spi>
+            <spi name="publicKeyStorage">
+                <provider name="infinispan" enabled="true">
+                    <properties>
+                        <property name="minTimeBetweenRequests" value="10"/>
+                    </properties>
+                </provider>
+            </spi>
+            <spi name="x509cert-lookup">
+                <default-provider>${keycloak.x509cert.lookup.provider:default}</default-provider>
+                <provider name="default" enabled="true"/>
+            </spi>
+            <spi name="hostname">
+                <default-provider>default</default-provider>
+                <provider name="default" enabled="true">
+                    <properties>
+                        <property name="frontendUrl" value="{{ keycloak_modcluster.frontend_url }}"/>
+                        <property name="forceBackendUrlToFrontendUrl" value="true"/>
+                    </properties>
+                </provider>
+            </spi>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:mail:4.0">
+            <mail-session name="default" jndi-name="java:jboss/mail/Default">
+                <smtp-server outbound-socket-binding-ref="mail-smtp"/>
+            </mail-session>
+        </subsystem>
+        <subsystem xmlns="urn:wildfly:metrics:1.0" security-enabled="false" exposed-subsystems="*" prefix="${wildfly.metrics.prefix:jboss}"/>
+{% if keycloak_modcluster.enabled %}        
+        <subsystem xmlns="urn:jboss:domain:modcluster:5.0">
+            <proxy name="default" advertise="false" listener="ajp" proxies="proxy1">
+                <dynamic-load-provider>
+                    <load-metric type="cpu"/>
+                </dynamic-load-provider>
+            </proxy>
+        </subsystem>
+{% endif %}        
+        <subsystem xmlns="urn:jboss:domain:naming:2.0">
+            <remote-naming/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:remoting:4.0">
+            <http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm"/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:request-controller:1.0"/>
+        <subsystem xmlns="urn:jboss:domain:security:2.0">
+            <security-domains>
+                <security-domain name="other" cache-type="default">
+                    <authentication>
+                        <login-module code="Remoting" flag="optional">
+                            <module-option name="password-stacking" value="useFirstPass"/>
+                        </login-module>
+                        <login-module code="RealmDirect" flag="required">
+                            <module-option name="password-stacking" value="useFirstPass"/>
+                        </login-module>
+                    </authentication>
+                </security-domain>
+                <security-domain name="jboss-web-policy" cache-type="default">
+                    <authorization>
+                        <policy-module code="Delegating" flag="required"/>
+                    </authorization>
+                </security-domain>
+                <security-domain name="jaspitest" cache-type="default">
+                    <authentication-jaspi>
+                        <login-module-stack name="dummy">
+                            <login-module code="Dummy" flag="optional"/>
+                        </login-module-stack>
+                        <auth-module code="Dummy"/>
+                    </authentication-jaspi>
+                </security-domain>
+                <security-domain name="jboss-ejb-policy" cache-type="default">
+                    <authorization>
+                        <policy-module code="Delegating" flag="required"/>
+                    </authorization>
+                </security-domain>
+            </security-domains>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:security-manager:1.0">
+            <deployment-permissions>
+                <maximum-set>
+                    <permission class="java.security.AllPermission"/>
+                </maximum-set>
+            </deployment-permissions>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:transactions:6.0">
+            <core-environment node-identifier="${jboss.tx.node.id:1}">
+                <process-id>
+                    <uuid/>
+                </process-id>
+            </core-environment>
+            <recovery-environment socket-binding="txn-recovery-environment" status-socket-binding="txn-status-manager"/>
+            <coordinator-environment statistics-enabled="${wildfly.transactions.statistics-enabled:${wildfly.statistics-enabled:false}}"/>
+            <object-store path="tx-object-store" relative-to="jboss.server.data.dir"/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:undertow:12.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
+            <buffer-cache name="default"/>
+            <server name="default-server">
+                <ajp-listener name="ajp" socket-binding="ajp"/>
+                <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
+                <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
+                <host name="default-host" alias="localhost">
+                    <location name="/" handler="welcome-content"/>
+                    <http-invoker security-realm="ApplicationRealm"/>
+                </host>
+            </server>
+            <servlet-container name="default">
+                <jsp-config/>
+                <websockets/>
+            </servlet-container>
+            <handlers>
+                <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
+            </handlers>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:weld:4.0"/>
+    </profile>
+    <interfaces>
+        <interface name="management">
+            <inet-address value="{{ keycloak_management_port_bind_address }}"/>
+        </interface>
+        <interface name="public">
+            <inet-address value="{{ keycloak_bind_address }}"/>
+        </interface>
+    </interfaces>
+    <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:{{ keycloak_jboss_port_offset }}}">
+        <socket-binding name="ajp" port="{{ keycloak_ajp_port }}"/>
+        <socket-binding name="http" port="{{ keycloak_http_port }}"/>
+        <socket-binding name="https" port="{{ keycloak_https_port }}"/>
+        <socket-binding name="management-http" interface="management" port="{{ keycloak_management_http_port }}"/>
+        <socket-binding name="management-https" interface="management" port="{{ keycloak_management_https_port }}"/>
+        <socket-binding name="txn-recovery-environment" port="4712"/>
+        <socket-binding name="txn-status-manager" port="4713"/>
+        <outbound-socket-binding name="mail-smtp">
+            <remote-destination host="${jboss.mail.server.host:localhost}" port="${jboss.mail.server.port:25}"/>
+        </outbound-socket-binding>
+{% if keycloak_modcluster.enabled %}        
+        <outbound-socket-binding name="proxy1">
+            <remote-destination host="{{ keycloak_modcluster.reverse_proxy_url | default('localhost') }}" port="6666"/>
+        </outbound-socket-binding>
+{% endif %}        
+    </socket-binding-group>
+</server>
--- a/roles/keycloak/templates/9.0.2/standalone-infinispan.xml.j2
+++ b/roles/keycloak/templates/9.0.2/standalone-infinispan.xml.j2
@@ -725,7 +725,7 @@
        </interface>
        <interface name="jgroups">
 {% if ansible_default_ipv4 is defined %}
-            <subnet-match value="{{ (ansible_default_ipv4.network + '/' + ansible_default_ipv4.netmask) | ipaddr('net') }}"/>
+            <subnet-match value="{{ (ansible_default_ipv4.network + '/' + ansible_default_ipv4.netmask) | ansible.utils.ipaddr('net') }}"/>
 {% else %}
            <any-address />
 {% endif %}
@@ -734,7 +734,7 @@
            <inet-address value="${jboss.bind.address:127.0.0.1}"/>
        </interface>
    </interfaces>
-    <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
+    <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:{{ keycloak_jboss_port_offset }}}">
        <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
        <socket-binding name="http" port="${jboss.http.port:8080}"/>
        <socket-binding name="https" port="${jboss.https.port:8443}"/>
--- a/roles/keycloak/templates/9.0.2/standalone.xml.j2
+++ b/roles/keycloak/templates/9.0.2/standalone.xml.j2
@@ -598,7 +598,7 @@
            <inet-address value="${jboss.bind.address:127.0.0.1}"/>
        </interface>
    </interfaces>
-    <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
+    <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:{{ keycloak_jboss_port_offset }}}">
        <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
        <socket-binding name="http" port="${jboss.http.port:8080}"/>
        <socket-binding name="https" port="${jboss.https.port:8443}"/>
--- a/roles/keycloak/templates/jdbc_driver_module.xml.j2
+++ b/roles/keycloak/templates/jdbc_driver_module.xml.j2
@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<module xmlns="urn:jboss:module:1.0" name="{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_name }}">
+  <resources>
+    <resource-root path="{{ keycloak_jdbc[keycloak_jdbc_engine].driver_jar_filename }}"/>
+  </resources>
+  <dependencies>
+    <module name="javax.api"/>
+    <module name="javax.transaction.api"/>
+  </dependencies>
+</module>
--- a/roles/keycloak/templates/keycloak-profile.properties.j2
+++ b/roles/keycloak/templates/keycloak-profile.properties.j2
@@ -0,0 +1,3 @@
+{% for feature in keycloak.features %}
+feature.{{ feature.name }}={{ feature.status | default('enabled') }}
+{% endfor %}
--- a/roles/keycloak/templates/keycloak-service.sh.j2
+++ b/roles/keycloak/templates/keycloak-service.sh.j2
@@ -1,5 +1,5 @@
 #!/bin/bash -eu
-# {{ ansible_managed }}
+{{ ansible_managed | comment }}

 set +u -o pipefail

--- a/roles/keycloak/templates/keycloak-sysconfig.j2
+++ b/roles/keycloak/templates/keycloak-sysconfig.j2
@@ -1,6 +1,6 @@
-# {{ ansible_managed }}
+{{ ansible_managed | comment }}
 JAVA_OPTS='{{ keycloak_java_opts }}'
-JAVA_HOME={{ keycloak_java_home  | default(keycloak_rpm_java_home, true) }}
+JAVA_HOME={{ keycloak_java_home | default(keycloak_pkg_java_home, true) }}
 JBOSS_HOME={{ keycloak.home }}
 KEYCLOAK_BIND_ADDRESS={{ keycloak_bind_address }}
 KEYCLOAK_HTTP_PORT={{ keycloak_http_port }}
@@ -8,4 +8,12 @@ KEYCLOAK_HTTPS_PORT={{ keycloak_https_port }}
 KEYCLOAK_MANAGEMENT_HTTP_PORT={{ keycloak_management_http_port }}
 KEYCLOAK_MANAGEMENT_HTTPS_PORT={{ keycloak_management_https_port }}
 JBOSS_PIDFILE='{{ keycloak_service_pidfile }}'
-LAUNCH_JBOSS_IN_BACKGROUND=1
+
+WILDFLY_OPTS=-Djboss.bind.address=${KEYCLOAK_BIND_ADDRESS} \
+        -Djboss.http.port=${KEYCLOAK_HTTP_PORT} \
+        -Djboss.https.port=${KEYCLOAK_HTTPS_PORT} \
+        -Djboss.management.http.port=${KEYCLOAK_MANAGEMENT_HTTP_PORT} \
+        -Djboss.management.https.port=${KEYCLOAK_MANAGEMENT_HTTPS_PORT} \
+        -Djboss.node.name={{ inventory_hostname }} \
+      {% if keycloak_prefer_ipv4 %}-Djava.net.preferIPv4Stack=true -Djava.net.preferIPv4Addresses=true {% endif %}\
+      {% if keycloak_config_standalone_xml is defined %}--server-config={{ keycloak_config_standalone_xml }}{% endif %}
--- a/roles/keycloak/templates/keycloak.service.j2
+++ b/roles/keycloak/templates/keycloak.service.j2
@@ -1,17 +1,29 @@
-# {{ ansible_managed }}
+{{ ansible_managed | comment }}
 [Unit]
 Description={{ keycloak.service_name }} Server
 After=network.target
+StartLimitIntervalSec={{ keycloak_service_startlimitintervalsec }}
+StartLimitBurst={{ keycloak_service_startlimitburst }}
+

 [Service]
-Type=forking
-EnvironmentFile=-/etc/sysconfig/keycloak
+{% if keycloak_service_runas %}
+User={{ keycloak_service_user }}
+Group={{ keycloak_service_group }}
+{% endif -%}
+EnvironmentFile=-{{ keycloak_sysconf_file }}
 PIDFile={{ keycloak_service_pidfile }}
-ExecStart={{ keycloak_dest }}/keycloak-service.sh start
-ExecStop={{ keycloak_dest }}/keycloak-service.sh stop
+ExecStart={{ keycloak.home }}/bin/standalone.sh $WILDFLY_OPTS
+WorkingDirectory={{ keycloak.home }}
 TimeoutStartSec=30
 TimeoutStopSec=30
 LimitNOFILE=102642
+{% if keycloak_service_restart_always %}
+Restart=always
+{% elif keycloak_service_restart_on_failure %}
+Restart=on-failure
+{% endif %}
+RestartSec={{ keycloak_service_restartsec }}

 [Install]
 WantedBy=multi-user.target
--- a/roles/keycloak/templates/standalone-ha.xml.j2
+++ b/roles/keycloak/templates/standalone-ha.xml.j2
@@ -0,0 +1,707 @@
+<?xml version='1.0' encoding='UTF-8'?>
+{{ ansible_managed | comment('xml') }}
+<server xmlns="urn:jboss:domain:16.0">
+    <extensions>
+        <extension module="org.jboss.as.clustering.infinispan"/>
+        <extension module="org.jboss.as.clustering.jgroups"/>
+        <extension module="org.jboss.as.connector"/>
+        <extension module="org.jboss.as.deployment-scanner"/>
+        <extension module="org.jboss.as.ee"/>
+        <extension module="org.jboss.as.ejb3"/>
+        <extension module="org.jboss.as.jaxrs"/>
+        <extension module="org.jboss.as.jmx"/>
+        <extension module="org.jboss.as.jpa"/>
+        <extension module="org.jboss.as.logging"/>
+        <extension module="org.jboss.as.mail"/>
+        <extension module="org.jboss.as.modcluster"/>
+        <extension module="org.jboss.as.naming"/>
+        <extension module="org.jboss.as.remoting"/>
+        <extension module="org.jboss.as.transactions"/>
+        <extension module="org.jboss.as.weld"/>
+        <extension module="org.keycloak.keycloak-server-subsystem"/>
+        <extension module="org.wildfly.extension.bean-validation"/>
+        <extension module="org.wildfly.extension.core-management"/>
+        <extension module="org.wildfly.extension.elytron"/>
+        <extension module="org.wildfly.extension.health"/>
+        <extension module="org.wildfly.extension.io"/>
+        <extension module="org.wildfly.extension.metrics"/>
+        <extension module="org.wildfly.extension.request-controller"/>
+        <extension module="org.wildfly.extension.security.manager"/>
+        <extension module="org.wildfly.extension.undertow"/>
+    </extensions>
+    <management>
+        <audit-log>
+            <formatters>
+                <json-formatter name="json-formatter"/>
+            </formatters>
+            <handlers>
+                <file-handler name="file" formatter="json-formatter" path="audit-log.log" relative-to="jboss.server.data.dir"/>
+            </handlers>
+            <logger log-boot="true" log-read-only="false" enabled="false">
+                <handlers>
+                    <handler name="file"/>
+                </handlers>
+            </logger>
+        </audit-log>
+        <management-interfaces>
+            <http-interface http-authentication-factory="management-http-authentication">
+                <http-upgrade enabled="true"  sasl-authentication-factory="management-sasl-authentication"/>
+                <socket-binding http="management-http"/>
+            </http-interface>
+        </management-interfaces>
+        <access-control provider="simple">
+            <role-mapping>
+                <role name="SuperUser">
+                    <include>
+                        <user name="$local"/>
+                    </include>
+                </role>
+            </role-mapping>
+        </access-control>
+    </management>
+    <profile>
+        <subsystem xmlns="urn:jboss:domain:logging:8.0">
+            <console-handler name="CONSOLE">
+                <level name="INFO"/>
+                <formatter>
+                    <named-formatter name="COLOR-PATTERN"/>
+                </formatter>
+            </console-handler>
+            <periodic-rotating-file-handler name="FILE" autoflush="true">
+                <formatter>
+                    <named-formatter name="PATTERN"/>
+                </formatter>
+                <file relative-to="jboss.server.log.dir" path="server.log"/>
+                <suffix value=".yyyy-MM-dd"/>
+                <append value="true"/>
+            </periodic-rotating-file-handler>
+            <logger category="com.arjuna">
+                <level name="WARN"/>
+            </logger>
+            <logger category="io.jaegertracing.Configuration">
+                <level name="WARN"/>
+            </logger>
+            <logger category="org.jboss.as.config">
+                <level name="DEBUG"/>
+            </logger>
+            <logger category="sun.rmi">
+                <level name="WARN"/>
+            </logger>
+            <logger category="org.keycloak.cluster.infinispan">
+                <level name="INFO"/>
+            </logger>
+            <logger category="org.keycloak.connections.infinispan">
+                <level name="INFO"/>
+            </logger>
+            <logger category="org.keycloak.models.cache.infinispan">
+                <level name="INFO"/>
+            </logger>
+            <logger category="org.keycloak.models.sessions.infinispan">
+                <level name="INFO"/>
+            </logger>
+            <root-logger>
+                <level name="INFO"/>
+                <handlers>
+                    <handler name="CONSOLE"/>
+                    <handler name="FILE"/>
+                </handlers>
+            </root-logger>
+            <formatter name="PATTERN">
+                <pattern-formatter pattern="%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n"/>
+            </formatter>
+            <formatter name="COLOR-PATTERN">
+                <pattern-formatter pattern="%K{level}%d{HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n"/>
+            </formatter>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:bean-validation:1.0"/>
+        <subsystem xmlns="urn:jboss:domain:core-management:1.0"/>
+        <subsystem xmlns="urn:jboss:domain:datasources:6.0">
+            <datasources>
+                <datasource jndi-name="java:jboss/datasources/ExampleDS" pool-name="ExampleDS" enabled="true" use-java-context="true" statistics-enabled="${wildfly.datasources.statistics-enabled:${wildfly.statistics-enabled:false}}">
+                    <connection-url>jdbc:h2:mem:test;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE</connection-url>
+                    <driver>h2</driver>
+                    <security>
+                        <user-name>sa</user-name>
+                        <password>sa</password>
+                    </security>
+                </datasource>
+                <datasource jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS" enabled="true" use-java-context="true" statistics-enabled="${wildfly.datasources.statistics-enabled:${wildfly.statistics-enabled:false}}">
+{% if keycloak_jdbc[keycloak_jdbc_engine].enabled %}
+                    <connection-url>{{ keycloak_jdbc[keycloak_jdbc_engine].connection_url }}</connection-url>
+                    <driver>{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_name }}</driver>
+                    <pool>
+                       <max-pool-size>20</max-pool-size>
+                    </pool>
+                    <security>
+                        <user-name>{{ keycloak_jdbc[keycloak_jdbc_engine].db_user }}</user-name>
+                        <password>{{ keycloak_jdbc[keycloak_jdbc_engine].db_password }}</password>
+                    </security>
+                    <validation>
+                        <check-valid-connection-sql>{{ keycloak_jdbc[keycloak_jdbc_engine].validate_query }}</check-valid-connection-sql>
+                        <validate-on-match>{{ keycloak_db_background_validate_on_match }}</validate-on-match>
+{% if keycloak_db_background_validation_millis | int > 0 or keycloak_db_background_validation %}
+                        <background-validation>{{ keycloak_db_background_validation }}</background-validation>
+                        <background-validation-millis>{{ keycloak_db_background_validation_millis }}</background-validation-millis>
+{% endif %}
+                    </validation>
+{% else %}
+                    <connection-url>jdbc:h2:${jboss.server.data.dir}/keycloak;AUTO_SERVER=TRUE</connection-url>
+                    <driver>h2</driver>
+                    <security>
+                        <user-name>sa</user-name>
+                        <password>sa</password>
+                    </security>
+{% endif %}
+                </datasource>
+                <drivers>
+{% if keycloak_jdbc[keycloak_jdbc_engine].enabled %}
+                    <driver name="{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_name }}" module="{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_name }}">
+                        <driver-class>{{ keycloak_jdbc[keycloak_jdbc_engine].driver_class }}</driver-class>
+                        <xa-datasource-class>{{ keycloak_jdbc[keycloak_jdbc_engine].xa_datasource_class }}</xa-datasource-class>
+                    </driver>
+{% endif %}
+                    <driver name="h2" module="com.h2database.h2">
+                        <xa-datasource-class>org.h2.jdbcx.JdbcDataSource</xa-datasource-class>
+                    </driver>
+                </drivers>
+            </datasources>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:deployment-scanner:2.0">
+            <deployment-scanner path="deployments" relative-to="jboss.server.base.dir" scan-interval="5000" runtime-failure-causes-rollback="${jboss.deployment.scanner.rollback.on.failure:false}"/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:ee:6.0">
+            <spec-descriptor-property-replacement>false</spec-descriptor-property-replacement>
+            <concurrent>
+                <context-services>
+                    <context-service name="default" jndi-name="java:jboss/ee/concurrency/context/default" use-transaction-setup-provider="true"/>
+                </context-services>
+                <managed-thread-factories>
+                    <managed-thread-factory name="default" jndi-name="java:jboss/ee/concurrency/factory/default" context-service="default"/>
+                </managed-thread-factories>
+                <managed-executor-services>
+                    <managed-executor-service name="default" jndi-name="java:jboss/ee/concurrency/executor/default" context-service="default" hung-task-termination-period="0" hung-task-threshold="60000" keepalive-time="5000"/>
+                </managed-executor-services>
+                <managed-scheduled-executor-services>
+                    <managed-scheduled-executor-service name="default" jndi-name="java:jboss/ee/concurrency/scheduler/default" context-service="default" hung-task-termination-period="0" hung-task-threshold="60000" keepalive-time="3000"/>
+                </managed-scheduled-executor-services>
+            </concurrent>
+            <default-bindings context-service="java:jboss/ee/concurrency/context/default" datasource="java:jboss/datasources/ExampleDS" managed-executor-service="java:jboss/ee/concurrency/executor/default" managed-scheduled-executor-service="java:jboss/ee/concurrency/scheduler/default" managed-thread-factory="java:jboss/ee/concurrency/factory/default"/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:ejb3:9.0">
+             <session-bean>
+                <stateless>
+                    <bean-instance-pool-ref pool-name="slsb-strict-max-pool"/>
+                </stateless>
+                <stateful default-access-timeout="5000" cache-ref="distributable" passivation-disabled-cache-ref="simple"/>
+                <singleton default-access-timeout="5000"/>
+            </session-bean>
+            <pools>
+                <bean-instance-pools>
+                    <strict-max-pool name="mdb-strict-max-pool" derive-size="from-cpu-count" instance-acquisition-timeout="5" instance-acquisition-timeout-unit="MINUTES"/>
+                    <strict-max-pool name="slsb-strict-max-pool" derive-size="from-worker-pools" instance-acquisition-timeout="5" instance-acquisition-timeout-unit="MINUTES"/>
+                </bean-instance-pools>
+            </pools>
+            <caches>
+                <cache name="simple"/>
+                <cache name="distributable" passivation-store-ref="infinispan" aliases="passivating clustered"/>
+            </caches>
+            <passivation-stores>
+                <passivation-store name="infinispan" cache-container="ejb" max-size="10000"/>
+            </passivation-stores>
+            <async thread-pool-name="default"/>
+            <timer-service thread-pool-name="default" default-data-store="default-file-store">
+                <data-stores>
+                    <file-data-store name="default-file-store" path="timer-service-data" relative-to="jboss.server.data.dir"/>
+                </data-stores>
+            </timer-service>
+            <remote cluster="ejb" connectors="http-remoting-connector" thread-pool-name="default">
+                <channel-creation-options>
+                    <option name="MAX_OUTBOUND_MESSAGES" value="1234" type="remoting"/>
+                </channel-creation-options>
+            </remote>
+            <thread-pools>
+                <thread-pool name="default">
+                    <max-threads count="10"/>
+                    <keepalive-time time="60" unit="seconds"/>
+                </thread-pool>
+            </thread-pools>
+            <default-security-domain value="other"/>
+            <application-security-domains>
+                <application-security-domain name="other" security-domain="ApplicationDomain"/>
+            </application-security-domains>
+            <default-missing-method-permissions-deny-access value="true"/>
+            <statistics enabled="${wildfly.ejb3.statistics-enabled:${wildfly.statistics-enabled:false}}"/>
+            <log-system-exceptions value="true"/>
+        </subsystem>
+        <subsystem xmlns="urn:wildfly:elytron:13.0" final-providers="combined-providers" disallowed-providers="OracleUcrypto">
+            <providers>
+                <aggregate-providers name="combined-providers">
+                    <providers name="elytron"/>
+                    <providers name="openssl"/>
+                </aggregate-providers>
+                <provider-loader name="elytron" module="org.wildfly.security.elytron"/>
+                <provider-loader name="openssl" module="org.wildfly.openssl"/>
+            </providers>
+            <audit-logging>
+                <file-audit-log name="local-audit" path="audit.log" relative-to="jboss.server.log.dir" format="JSON"/>
+            </audit-logging>
+            <security-domains>
+                <security-domain name="ApplicationDomain" default-realm="ApplicationRealm" permission-mapper="default-permission-mapper">
+                    <realm name="ApplicationRealm" role-decoder="groups-to-roles"/>
+                    <realm name="local"/>
+                </security-domain>
+                <security-domain name="ManagementDomain" default-realm="ManagementRealm" permission-mapper="default-permission-mapper">
+                    <realm name="ManagementRealm" role-decoder="groups-to-roles"/>
+                    <realm name="local" role-mapper="super-user-mapper"/>
+                </security-domain>
+            </security-domains>
+            <security-realms>
+                <identity-realm name="local" identity="$local"/>
+                <properties-realm name="ApplicationRealm">
+                    <users-properties path="application-users.properties" relative-to="jboss.server.config.dir" digest-realm-name="ApplicationRealm"/>
+                    <groups-properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
+                </properties-realm>
+                <properties-realm name="ManagementRealm">
+                    <users-properties path="mgmt-users.properties" relative-to="jboss.server.config.dir" digest-realm-name="ManagementRealm"/>
+                    <groups-properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
+                </properties-realm>
+            </security-realms>
+            <mappers>
+                <simple-permission-mapper name="default-permission-mapper" mapping-mode="first">
+                    <permission-mapping>
+                        <principal name="anonymous"/>
+                        <permission-set name="default-permissions"/>
+                    </permission-mapping>
+                    <permission-mapping match-all="true">
+                        <permission-set name="login-permission"/>
+                        <permission-set name="default-permissions"/>
+                    </permission-mapping>
+                </simple-permission-mapper>
+                <constant-realm-mapper name="local" realm-name="local"/>
+                <simple-role-decoder name="groups-to-roles" attribute="groups"/>
+                <constant-role-mapper name="super-user-mapper">
+                    <role name="SuperUser"/>
+                </constant-role-mapper>
+            </mappers>
+            <permission-sets>
+                <permission-set name="login-permission">
+                    <permission class-name="org.wildfly.security.auth.permission.LoginPermission"/>
+                </permission-set>
+                <permission-set name="default-permissions">
+                    <permission class-name="org.wildfly.extension.batch.jberet.deployment.BatchPermission" module="org.wildfly.extension.batch.jberet" target-name="*"/>
+                    <permission class-name="org.wildfly.transaction.client.RemoteTransactionPermission" module="org.wildfly.transaction.client"/>
+                    <permission class-name="org.jboss.ejb.client.RemoteEJBPermission" module="org.jboss.ejb-client"/>
+                    <permission class-name="org.jboss.ejb.client.RemoteEJBPermission" module="org.jboss.ejb-client"/>
+                </permission-set>
+            </permission-sets>
+            <http>
+                <http-authentication-factory name="management-http-authentication" security-domain="ManagementDomain" http-server-mechanism-factory="global">
+                    <mechanism-configuration>
+                        <mechanism mechanism-name="DIGEST">
+                            <mechanism-realm realm-name="ManagementRealm"/>
+                        </mechanism>
+                    </mechanism-configuration>
+                </http-authentication-factory>
+                <http-authentication-factory name="application-http-authentication" security-domain="ApplicationDomain" http-server-mechanism-factory="global">
+                    <mechanism-configuration>
+                        <mechanism mechanism-name="BASIC">
+                            <mechanism-realm realm-name="ApplicationRealm"/>
+                        </mechanism>
+                    </mechanism-configuration>
+                </http-authentication-factory>
+                <provider-http-server-mechanism-factory name="global"/>
+            </http>
+            <sasl>
+                <sasl-authentication-factory name="application-sasl-authentication" sasl-server-factory="configured" security-domain="ApplicationDomain">
+                    <mechanism-configuration>
+                        <mechanism mechanism-name="JBOSS-LOCAL-USER" realm-mapper="local"/>
+                        <mechanism mechanism-name="DIGEST-MD5">
+                            <mechanism-realm realm-name="ApplicationRealm"/>
+                        </mechanism>
+                    </mechanism-configuration>
+                </sasl-authentication-factory>
+                <sasl-authentication-factory name="management-sasl-authentication" sasl-server-factory="configured" security-domain="ManagementDomain">
+                    <mechanism-configuration>
+                        <mechanism mechanism-name="JBOSS-LOCAL-USER" realm-mapper="local"/>
+                        <mechanism mechanism-name="DIGEST-MD5">
+                            <mechanism-realm realm-name="ManagementRealm"/>
+                        </mechanism>
+                    </mechanism-configuration>
+                </sasl-authentication-factory>
+                <configurable-sasl-server-factory name="configured" sasl-server-factory="elytron">
+                    <properties>
+                        <property name="wildfly.sasl.local-user.default-user" value="$local"/>
+                    </properties>
+                </configurable-sasl-server-factory>
+                <mechanism-provider-filtering-sasl-server-factory name="elytron" sasl-server-factory="global">
+                    <filters>
+                        <filter provider-name="WildFlyElytron"/>
+                    </filters>
+                </mechanism-provider-filtering-sasl-server-factory>
+                <provider-sasl-server-factory name="global"/>
+            </sasl>
+            <tls>
+                <key-stores>
+                    <key-store name="applicationKS">
+                        <credential-reference clear-text="password"/>
+                        <implementation type="JKS"/>
+                        <file path="application.keystore" relative-to="jboss.server.config.dir"/>
+                    </key-store>
+                </key-stores>
+                <key-managers>
+                    <key-manager name="applicationKM" key-store="applicationKS" generate-self-signed-certificate-host="localhost">
+                        <credential-reference clear-text="password"/>
+                    </key-manager>
+                </key-managers>
+                <server-ssl-contexts>
+                    <server-ssl-context name="applicationSSC" key-manager="applicationKM"/>
+                </server-ssl-contexts>
+            </tls>
+        </subsystem>
+        <subsystem xmlns="urn:wildfly:health:1.0" security-enabled="false"/>
+        <subsystem xmlns="urn:jboss:domain:infinispan:12.0">
+            <cache-container name="ejb" default-cache="dist" aliases="sfsb" modules="org.wildfly.clustering.ejb.infinispan">
+                <transport lock-timeout="60000"/>
+                <distributed-cache name="dist">
+                    <locking isolation="REPEATABLE_READ"/>
+                    <transaction mode="BATCH"/>
+                    <file-store/>
+                </distributed-cache>
+            </cache-container>
+            <cache-container name="keycloak">
+                <transport lock-timeout="60000"/>
+                <local-cache name="realms">
+                    <heap-memory size="10000"/>
+                </local-cache>
+                <local-cache name="users">
+                    <heap-memory size="10000"/>
+                </local-cache>
+                <replicated-cache name="work"/>
+                <distributed-cache name="sessions" owners="2"/>
+                <distributed-cache name="authenticationSessions" owners="2"/>
+                <distributed-cache name="offlineSessions" owners="2"/>
+                <distributed-cache name="clientSessions" owners="2"/>
+                <distributed-cache name="offlineClientSessions" owners="2"/>
+                <distributed-cache name="loginFailures" owners="2"/>
+                <distributed-cache name="actionTokens" owners="2">
+                    <expiration interval="300000" max-idle="-1"/>
+                </distributed-cache>
+                <local-cache name="authorization">
+                    <heap-memory size="10000"/>
+                </local-cache>
+                <local-cache name="keys">
+                    <heap-memory size="1000"/>
+                    <expiration max-idle="3600000"/>
+                </local-cache>
+            </cache-container>
+            <cache-container name="server" default-cache="default" aliases="singleton cluster" modules="org.wildfly.clustering.server">
+                <transport lock-timeout="60000"/>
+                <replicated-cache name="default">
+                    <transaction mode="BATCH"/>
+                </replicated-cache>
+            </cache-container>
+            <cache-container name="web" default-cache="dist" modules="org.wildfly.clustering.web.infinispan">
+                <transport lock-timeout="60000"/>
+                <replicated-cache name="sso">
+                    <locking isolation="REPEATABLE_READ"/>
+                    <transaction mode="BATCH"/>
+                </replicated-cache>
+                <distributed-cache name="dist">
+                    <locking isolation="REPEATABLE_READ"/>
+                    <transaction mode="BATCH"/>
+                    <file-store/>
+                </distributed-cache>
+                <distributed-cache name="routing"/>
+            </cache-container>
+            <cache-container name="hibernate" modules="org.infinispan.hibernate-cache">
+                <transport lock-timeout="60000"/>
+                <local-cache name="local-query">
+                    <heap-memory size="10000"/>
+                    <expiration max-idle="100000"/>
+                </local-cache>
+                <invalidation-cache name="entity">
+                    <transaction mode="NON_XA"/>
+                    <heap-memory size="10000"/>
+                    <expiration max-idle="100000"/>
+                </invalidation-cache>
+                <replicated-cache name="timestamps"/>
+            </cache-container>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:io:3.0">
+            <worker name="default"/>
+            <buffer-pool name="default"/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:jaxrs:2.0"/>
+        <subsystem xmlns="urn:jboss:domain:jca:5.0">
+            <archive-validation enabled="true" fail-on-error="true" fail-on-warn="false"/>
+            <bean-validation enabled="true"/>
+            <default-workmanager>
+                <short-running-threads>
+                    <core-threads count="50"/>
+                    <queue-length count="50"/>
+                    <max-threads count="50"/>
+                    <keepalive-time time="10" unit="seconds"/>
+                </short-running-threads>
+                <long-running-threads>
+                    <core-threads count="50"/>
+                    <queue-length count="50"/>
+                    <max-threads count="50"/>
+                    <keepalive-time time="10" unit="seconds"/>
+                </long-running-threads>
+            </default-workmanager>
+            <cached-connection-manager/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:jgroups:8.0">
+            <channels default="ee">
+                <channel name="ee" stack="tcp" cluster="ejb"/>
+            </channels>
+            <stacks>
+                <stack name="tcp">
+                    <transport site="${jboss.node.name}" type="TCP" socket-binding="jgroups-tcp"/>
+{% if keycloak_ha_discovery == 'JDBC_PING' and keycloak_jdbc[keycloak_jdbc_engine].enabled %}
+                    <protocol type="JDBC_PING">
+                        <property name="datasource_jndi_name">java:jboss/datasources/KeycloakDS</property>
+                        <property name="initialize_sql">{{ keycloak_jdbc[keycloak_jdbc_engine].initialize_db }}</property>
+                        <property name="insert_single_sql">INSERT INTO JGROUPSPING (own_addr, cluster_name, ping_data) values (?, ?, ?)</property>
+                        <property name="delete_single_sql">DELETE FROM JGROUPSPING WHERE own_addr=? AND cluster_name=?</property>
+                        <property name="select_all_pingdata_sql">SELECT ping_data FROM JGROUPSPING WHERE cluster_name=?</property>
+                    </protocol>
+{% elif keycloak_ha_discovery == 'TCPPING' %}
+                    <protocol type="TCPPING">
+                        <property name="initial_hosts">{{ keycloak_cluster_nodes | map(attribute='inventory_host') | join (',') }}</property>
+                        <property name="port_range">0</property>
+                        <property name="timeout">3000</property>
+                        <property name="num_initial_members">2</property>
+                    </protocol>
+{% endif %}
+                    <protocol type="MERGE3"/>
+                    <protocol type="FD_SOCK"/>
+                    <protocol type="FD_ALL"/>
+                    <protocol type="VERIFY_SUSPECT"/>
+                    <protocol type="pbcast.NAKACK2"/>
+                    <protocol type="UNICAST3"/>
+                    <protocol type="pbcast.STABLE"/>
+                    <protocol type="pbcast.GMS">
+                        <property name="join_timeout">30000</property>
+                    </protocol>
+                    <protocol type="MFC"/>
+                    <protocol type="FRAG2"/>
+                </stack>
+            </stacks>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:jmx:1.3">
+            <expose-resolved-model/>
+            <expose-expression-model/>
+            <remoting-connector/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:jpa:1.1">
+            <jpa default-extended-persistence-inheritance="DEEP"/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">
+            <web-context>auth</web-context>
+            <providers>
+                <provider>
+                    classpath:${jboss.home.dir}/providers/*
+                </provider>
+            </providers>
+            <master-realm-name>master</master-realm-name>
+            <scheduled-task-interval>900</scheduled-task-interval>
+            <theme>
+                <staticMaxAge>2592000</staticMaxAge>
+                <cacheThemes>true</cacheThemes>
+                <cacheTemplates>true</cacheTemplates>
+                <dir>${jboss.home.dir}/themes</dir>
+            </theme>
+{% if keycloak_ha_enabled %}
+            <spi name="dblock">
+                <provider name="jpa" enabled="true">
+                    <properties>
+                        <property name="lockWaitTimeout" value="900"/>
+                    </properties>
+                </provider>
+            </spi>
+{% endif %}
+            <spi name="eventsStore">
+                <provider name="jpa" enabled="true">
+                    <properties>
+                        <property name="exclude-events" value="[&quot;REFRESH_TOKEN&quot;]"/>
+                    </properties>
+                </provider>
+            </spi>
+            <spi name="userCache">
+                <provider name="default" enabled="true"/>
+            </spi>
+            <spi name="userSessionPersister">
+                <default-provider>jpa</default-provider>
+            </spi>
+            <spi name="timer">
+                <default-provider>basic</default-provider>
+            </spi>
+            <spi name="connectionsHttpClient">
+                <provider name="default" enabled="true"/>
+            </spi>
+            <spi name="connectionsJpa">
+                <provider name="default" enabled="true">
+                    <properties>
+                        <property name="dataSource" value="java:jboss/datasources/KeycloakDS"/>
+                        <property name="initializeEmpty" value="true"/>
+                        <property name="migrationStrategy" value="update"/>
+                        <property name="migrationExport" value="${jboss.home.dir}/keycloak-database-update.sql"/>
+                    </properties>
+                </provider>
+            </spi>
+            <spi name="realmCache">
+                <provider name="default" enabled="true"/>
+            </spi>
+            <spi name="connectionsInfinispan">
+                <default-provider>default</default-provider>
+                <provider name="default" enabled="true">
+                    <properties>
+                        <property name="cacheContainer" value="java:jboss/infinispan/container/keycloak"/>
+                    </properties>
+                </provider>
+            </spi>
+            <spi name="jta-lookup">
+                <default-provider>${keycloak.jta.lookup.provider:jboss}</default-provider>
+                <provider name="jboss" enabled="true"/>
+            </spi>
+            <spi name="publicKeyStorage">
+                <provider name="infinispan" enabled="true">
+                    <properties>
+                        <property name="minTimeBetweenRequests" value="10"/>
+                    </properties>
+                </provider>
+            </spi>
+            <spi name="x509cert-lookup">
+                <default-provider>${keycloak.x509cert.lookup.provider:default}</default-provider>
+                <provider name="default" enabled="true"/>
+            </spi>
+            <spi name="hostname">
+                <default-provider>default</default-provider>
+                <provider name="default" enabled="true">
+                    <properties>
+                        <property name="frontendUrl" value="{{ keycloak_modcluster.frontend_url }}"/>
+                        <property name="forceBackendUrlToFrontendUrl" value="{{ keycloak_modcluster.force_frontend_url }}"/>
+{% if keycloak_modcluster.admin_url | length > 0 %}
+                        <property name="adminUrl" value="{{ keycloak_modcluster.admin_url }}" />
+{% endif %}
+                    </properties>
+                </provider>
+            </spi>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:mail:4.0">
+            <mail-session name="default" jndi-name="java:jboss/mail/Default">
+                <smtp-server outbound-socket-binding-ref="mail-smtp"/>
+            </mail-session>
+        </subsystem>
+        <subsystem xmlns="urn:wildfly:metrics:1.0" security-enabled="false" exposed-subsystems="*" prefix="${wildfly.metrics.prefix:jboss}"/>
+{% if keycloak_modcluster.enabled %}
+        <subsystem xmlns="urn:jboss:domain:modcluster:5.0">
+            <proxy name="default" advertise="false" listener="ajp" proxies="{{ ['proxy_'] | product(keycloak_modcluster.reverse_proxy_urls | map(attribute='host')) | map('join') | list | join(' ') }}">
+                <dynamic-load-provider>
+                    <load-metric type="cpu"/>
+                </dynamic-load-provider>
+            </proxy>
+        </subsystem>
+{% endif %}
+        <subsystem xmlns="urn:jboss:domain:naming:2.0">
+            <remote-naming/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:remoting:4.0">
+            <http-connector name="http-remoting-connector" connector-ref="default" sasl-authentication-factory="application-sasl-authentication"/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:request-controller:1.0"/>
+        <subsystem xmlns="urn:jboss:domain:security-manager:1.0">
+            <deployment-permissions>
+                <maximum-set>
+                    <permission class="java.security.AllPermission"/>
+                </maximum-set>
+            </deployment-permissions>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:transactions:6.0">
+            <core-environment node-identifier="{{ inventory_hostname | default('${jboss.tx.node.id:1}') }}">
+                <process-id>
+                    <uuid/>
+                </process-id>
+            </core-environment>
+            <recovery-environment socket-binding="txn-recovery-environment" status-socket-binding="txn-status-manager"/>
+            <coordinator-environment statistics-enabled="${wildfly.transactions.statistics-enabled:${wildfly.statistics-enabled:false}}"/>
+            <object-store path="tx-object-store" relative-to="jboss.server.data.dir"/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:undertow:12.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
+            <buffer-cache name="default"/>
+            <server name="default-server">
+                <ajp-listener name="ajp" socket-binding="ajp"/>
+                <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true" proxy-address-forwarding="true"/>
+                <https-listener name="https" socket-binding="https" ssl-context="applicationSSC" enable-http2="true"/>
+                <host name="default-host" alias="localhost">
+                    <location name="/" handler="welcome-content"/>
+                    <http-invoker http-authentication-factory="application-http-authentication"/>
+                    <filter-ref name="proxy-peer"/>
+                </host>
+            </server>
+            <servlet-container name="default">
+                <jsp-config/>
+                <websockets/>
+            </servlet-container>
+            <handlers>
+                <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
+            </handlers>
+            <application-security-domains>
+                <application-security-domain name="other" security-domain="ApplicationDomain"/>
+            </application-security-domains>
+            <filters>
+                <filter name="proxy-peer" module="io.undertow.core"
+                        class-name="io.undertow.server.handlers.ProxyPeerAddressHandler"/>
+            </filters>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:weld:4.0"/>
+    </profile>
+    <interfaces>
+        <interface name="management">
+            <inet-address value="{{ keycloak_management_port_bind_address }}"/>
+        </interface>
+        <interface name="jgroups">
+{% if keycloak_jgroups_subnet is defined and keycloak_jgroups_subnet is not none and keycloak_jgroups_subnet | string | length > 0 %}
+            <subnet-match value="{{ keycloak_jgroups_subnet | string }}"/>
+{% elif ansible_default_ipv4 is defined and (ansible_default_ipv4.network + '/' + ansible_default_ipv4.netmask) | ansible.utils.ipaddr('net') | length > 0 %}
+            <subnet-match value="{{ (ansible_default_ipv4.network + '/' + ansible_default_ipv4.netmask) | ansible.utils.ipaddr('net') }}"/>
+{% else %}
+            <any-address />
+{% endif %}
+        </interface>
+        <interface name="public">
+            <inet-address value="{{ keycloak_bind_address }}"/>
+        </interface>
+    </interfaces>
+    <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:{{ keycloak_jboss_port_offset }}}">
+        <socket-binding name="ajp" port="{{ keycloak_ajp_port }}"/>
+        <socket-binding name="http" port="{{ keycloak_http_port }}"/>
+        <socket-binding name="https" port="{{ keycloak_https_port }}"/>
+        <socket-binding name="management-http" interface="management" port="{{ keycloak_management_http_port }}"/>
+        <socket-binding name="management-https" interface="management" port="{{ keycloak_management_https_port }}"/>
+        <socket-binding name="jgroups-tcp" interface="jgroups" port="{{ keycloak_jgroups_port }}"/>
+        <socket-binding name="txn-recovery-environment" port="4712"/>
+        <socket-binding name="txn-status-manager" port="4713"/>
+        <outbound-socket-binding name="mail-smtp">
+            <remote-destination host="${jboss.mail.server.host:localhost}" port="${jboss.mail.server.port:25}"/>
+        </outbound-socket-binding>
+{% if keycloak_modcluster.enabled %}
+{% for modcluster in keycloak_modcluster.reverse_proxy_urls %}
+        <outbound-socket-binding name="proxy_{{ modcluster.host }}">
+            <remote-destination host="{{ modcluster.host }}" port="{{ modcluster.port }}"/>
+        </outbound-socket-binding>
+{% endfor %}
+{% endif %}
+{% if keycloak_ha_discovery == 'TCPPING' %}
+{% for node in keycloak_cluster_nodes %}
+        <outbound-socket-binding name="jgroups_{{ node.address }}">
+            <remote-destination host="{{ node.value }}" port="{{ keycloak_jgroups_port }}"/>
+        </outbound-socket-binding>
+{% endfor %}
+{% endif %}
+        <outbound-socket-binding name="remote-cache">
+            <remote-destination host="{{ keycloak_remotecache.server_name | default('localhost') }}" port="${remote.cache.port:11222}"/>
+        </outbound-socket-binding>
+    </socket-binding-group>
+</server>
--- a/roles/keycloak/templates/standalone-infinispan.xml.j2
+++ b/roles/keycloak/templates/standalone-infinispan.xml.j2
@@ -1,5 +1,5 @@
 <?xml version='1.0' encoding='UTF-8'?>
-<!-- {{ ansible_managed }} -->
+{{ ansible_managed | comment('xml') }}
 <server xmlns="urn:jboss:domain:16.0">
    <extensions>
        <extension module="org.jboss.as.clustering.infinispan"/>
@@ -16,7 +16,6 @@
        <extension module="org.jboss.as.modcluster"/>
        <extension module="org.jboss.as.naming"/>
        <extension module="org.jboss.as.remoting"/>
-        <extension module="org.jboss.as.security"/>
        <extension module="org.jboss.as.transactions"/>
        <extension module="org.jboss.as.weld"/>
        <extension module="org.keycloak.keycloak-server-subsystem"/>
@@ -31,31 +30,6 @@
        <extension module="org.wildfly.extension.undertow"/>
    </extensions>
    <management>
-        <security-realms>
-            <security-realm name="ManagementRealm">
-                <authentication>
-                    <local default-user="$local" skip-group-loading="true"/>
-                    <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
-                </authentication>
-                <authorization map-groups-to-roles="false">
-                    <properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
-                </authorization>
-            </security-realm>
-            <security-realm name="ApplicationRealm">
-                <server-identities>
-                    <ssl>
-                        <keystore path="application.keystore" relative-to="jboss.server.config.dir" keystore-password="password" alias="server" key-password="password" generate-self-signed-certificate-host="localhost"/>
-                    </ssl>
-                </server-identities>
-                <authentication>
-                    <local default-user="$local" allowed-users="*" skip-group-loading="true"/>
-                    <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
-                </authentication>
-                <authorization>
-                    <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
-                </authorization>
-            </security-realm>
-        </security-realms>
        <audit-log>
            <formatters>
                <json-formatter name="json-formatter"/>
@@ -70,8 +44,8 @@
            </logger>
        </audit-log>
        <management-interfaces>
-            <http-interface security-realm="ManagementRealm">
-                <http-upgrade enabled="true"/>
+            <http-interface http-authentication-factory="management-http-authentication">
+                <http-upgrade enabled="true"  sasl-authentication-factory="management-sasl-authentication"/>
                <socket-binding http="management-http"/>
            </http-interface>
        </management-interfaces>
@@ -162,6 +136,14 @@
                        <user-name>{{ keycloak_jdbc[keycloak_jdbc_engine].db_user }}</user-name>
                        <password>{{ keycloak_jdbc[keycloak_jdbc_engine].db_password }}</password>
                    </security>
+                    <validation>
+                        <check-valid-connection-sql>{{ keycloak_jdbc[keycloak_jdbc_engine].validate_query }}</check-valid-connection-sql>
+                        <validate-on-match>{{ keycloak_db_background_validate_on_match }}</validate-on-match>
+{% if keycloak_db_background_validation_millis | int > 0 or keycloak_db_background_validation %}
+                        <background-validation>{{ keycloak_db_background_validation }}</background-validation>
+                        <background-validation-millis>{{ keycloak_db_background_validation_millis }}</background-validation-millis>
+{% endif %}
+                    </validation>
 {% else %}
                    <connection-url>jdbc:h2:${jboss.server.data.dir}/keycloak;AUTO_SERVER=TRUE</connection-url>
                    <driver>h2</driver>
@@ -244,6 +226,9 @@
                </thread-pool>
            </thread-pools>
            <default-security-domain value="other"/>
+            <application-security-domains>
+                <application-security-domain name="other" security-domain="ApplicationDomain"/>
+            </application-security-domains>
            <default-missing-method-permissions-deny-access value="true"/>
            <statistics enabled="${wildfly.ejb3.statistics-enabled:${wildfly.statistics-enabled:false}}"/>
            <log-system-exceptions value="true"/>
@@ -317,6 +302,13 @@
                        </mechanism>
                    </mechanism-configuration>
                </http-authentication-factory>
+                <http-authentication-factory name="application-http-authentication" security-domain="ApplicationDomain" http-server-mechanism-factory="global">
+                    <mechanism-configuration>
+                        <mechanism mechanism-name="BASIC">
+                            <mechanism-realm realm-name="ApplicationRealm"/>
+                        </mechanism>
+                    </mechanism-configuration>
+                </http-authentication-factory>
                <provider-http-server-mechanism-factory name="global"/>
            </http>
            <sasl>
@@ -504,7 +496,7 @@
            <stacks>
                <stack name="tcp">
                    <transport site="${jboss.node.name}" type="TCP" socket-binding="jgroups-tcp"/>
-{% if keycloak_jdbc[keycloak_jdbc_engine].enabled %}
+{% if keycloak_ha_discovery == 'JDBC_PING' and keycloak_jdbc[keycloak_jdbc_engine].enabled %}
                    <protocol type="JDBC_PING">
                        <property name="datasource_jndi_name">java:jboss/datasources/KeycloakDS</property>
                        <property name="initialize_sql">{{ keycloak_jdbc[keycloak_jdbc_engine].initialize_db }}</property>
@@ -512,6 +504,13 @@
                        <property name="delete_single_sql">DELETE FROM JGROUPSPING WHERE own_addr=? AND cluster_name=?</property>
                        <property name="select_all_pingdata_sql">SELECT ping_data FROM JGROUPSPING WHERE cluster_name=?</property>
                    </protocol>
+{% elif keycloak_ha_discovery == 'TCPPING' %}
+                    <protocol type="TCPPING">
+                        <property name="initial_hosts">{{ keycloak_cluster_nodes | map(attribute='inventory_host') | join (',') }}</property>
+                        <property name="port_range">0</property>
+                        <property name="timeout">3000</property>
+                        <property name="num_initial_members">2</property>
+                    </protocol>
 {% endif %}
                    <protocol type="MERGE3"/>
                    <protocol type="FD_SOCK"/>
@@ -620,7 +619,10 @@
                <provider name="default" enabled="true">
                    <properties>
                        <property name="frontendUrl" value="{{ keycloak_modcluster.frontend_url }}"/>
-                        <property name="forceBackendUrlToFrontendUrl" value="true"/>
+                        <property name="forceBackendUrlToFrontendUrl" value="{{ keycloak_modcluster.force_frontend_url }}"/>
+{% if keycloak_modcluster.admin_url | length > 0 %}
+                        <property name="adminUrl" value="{{ keycloak_modcluster.admin_url }}" />
+{% endif %}
                    </properties>
                </provider>
            </spi>
@@ -631,54 +633,22 @@
            </mail-session>
        </subsystem>
        <subsystem xmlns="urn:wildfly:metrics:1.0" security-enabled="false" exposed-subsystems="*" prefix="${wildfly.metrics.prefix:jboss}"/>
-{% if keycloak_modcluster.enabled %}    
+{% if keycloak_modcluster.enabled %}
        <subsystem xmlns="urn:jboss:domain:modcluster:5.0">
-            <proxy name="default" advertise="false" listener="ajp" proxies="proxy1">
+            <proxy name="default" advertise="false" listener="ajp" proxies="{{ ['proxy_'] | product(keycloak_modcluster.reverse_proxy_urls | map(attribute='host')) | map('join') | list | join(' ') }}">
                <dynamic-load-provider>
                    <load-metric type="cpu"/>
                </dynamic-load-provider>
            </proxy>
        </subsystem>
-{% endif %}        
+{% endif %}
        <subsystem xmlns="urn:jboss:domain:naming:2.0">
            <remote-naming/>
        </subsystem>
        <subsystem xmlns="urn:jboss:domain:remoting:4.0">
-            <http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm"/>
+            <http-connector name="http-remoting-connector" connector-ref="default" sasl-authentication-factory="application-sasl-authentication"/>
        </subsystem>
        <subsystem xmlns="urn:jboss:domain:request-controller:1.0"/>
-        <subsystem xmlns="urn:jboss:domain:security:2.0">
-            <security-domains>
-                <security-domain name="other" cache-type="default">
-                    <authentication>
-                        <login-module code="Remoting" flag="optional">
-                            <module-option name="password-stacking" value="useFirstPass"/>
-                        </login-module>
-                        <login-module code="RealmDirect" flag="required">
-                            <module-option name="password-stacking" value="useFirstPass"/>
-                        </login-module>
-                    </authentication>
-                </security-domain>
-                <security-domain name="jboss-web-policy" cache-type="default">
-                    <authorization>
-                        <policy-module code="Delegating" flag="required"/>
-                    </authorization>
-                </security-domain>
-                <security-domain name="jaspitest" cache-type="default">
-                    <authentication-jaspi>
-                        <login-module-stack name="dummy">
-                            <login-module code="Dummy" flag="optional"/>
-                        </login-module-stack>
-                        <auth-module code="Dummy"/>
-                    </authentication-jaspi>
-                </security-domain>
-                <security-domain name="jboss-ejb-policy" cache-type="default">
-                    <authorization>
-                        <policy-module code="Delegating" flag="required"/>
-                    </authorization>
-                </security-domain>
-            </security-domains>
-        </subsystem>
        <subsystem xmlns="urn:jboss:domain:security-manager:1.0">
            <deployment-permissions>
                <maximum-set>
@@ -701,10 +671,10 @@
            <server name="default-server">
                <ajp-listener name="ajp" socket-binding="ajp"/>
                <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true" proxy-address-forwarding="true"/>
-                <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
+                <https-listener name="https" socket-binding="https" ssl-context="applicationSSC" enable-http2="true"/>
                <host name="default-host" alias="localhost">
                    <location name="/" handler="welcome-content"/>
-                    <http-invoker security-realm="ApplicationRealm"/>
+                    <http-invoker http-authentication-factory="application-http-authentication"/>
                    <filter-ref name="proxy-peer"/>
                </host>
            </server>
@@ -715,6 +685,9 @@
            <handlers>
                <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
            </handlers>
+            <application-security-domains>
+                <application-security-domain name="other" security-domain="ApplicationDomain"/>
+            </application-security-domains>
            <filters>
                <filter name="proxy-peer" module="io.undertow.core"
                        class-name="io.undertow.server.handlers.ProxyPeerAddressHandler"/>
@@ -724,20 +697,22 @@
    </profile>
    <interfaces>
        <interface name="management">
-            <inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
+            <inet-address value="{{ keycloak_management_port_bind_address }}"/>
        </interface>
        <interface name="jgroups">
-{% if ansible_default_ipv4 is defined %}
-            <subnet-match value="{{ (ansible_default_ipv4.network + '/' + ansible_default_ipv4.netmask) | ipaddr('net') }}"/>
+{% if keycloak_jgroups_subnet is defined and keycloak_jgroups_subnet is not none and keycloak_jgroups_subnet | string | length > 0 %}
+            <subnet-match value="{{ keycloak_jgroups_subnet | string }}"/>
+{% elif ansible_default_ipv4 is defined and (ansible_default_ipv4.network + '/' + ansible_default_ipv4.netmask) | ansible.utils.ipaddr('net') | length > 0 %}
+            <subnet-match value="{{ (ansible_default_ipv4.network + '/' + ansible_default_ipv4.netmask) | ansible.utils.ipaddr('net') }}"/>
 {% else %}
            <any-address />
 {% endif %}
        </interface>
        <interface name="public">
-            <inet-address value="${jboss.bind.address:127.0.0.1}"/>
+            <inet-address value="{{ keycloak_bind_address }}"/>
        </interface>
    </interfaces>
-    <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
+    <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:{{ keycloak_jboss_port_offset }}}">
        <socket-binding name="ajp" port="{{ keycloak_ajp_port }}"/>
        <socket-binding name="http" port="{{ keycloak_http_port }}"/>
        <socket-binding name="https" port="{{ keycloak_https_port }}"/>
@@ -750,9 +725,18 @@
            <remote-destination host="${jboss.mail.server.host:localhost}" port="${jboss.mail.server.port:25}"/>
        </outbound-socket-binding>
 {% if keycloak_modcluster.enabled %}
-        <outbound-socket-binding name="proxy1">
-            <remote-destination host="{{ keycloak_modcluster.reverse_proxy_url | default('localhost') }}" port="6666"/>
+{% for modcluster in keycloak_modcluster.reverse_proxy_urls %}
+        <outbound-socket-binding name="proxy_{{ modcluster.host }}">
+            <remote-destination host="{{ modcluster.host }}" port="{{ modcluster.port }}"/>
        </outbound-socket-binding>
+{% endfor %}
+{% endif %}
+{% if keycloak_ha_discovery == 'TCPPING' %}
+{% for node in keycloak_cluster_nodes %}
+        <outbound-socket-binding name="jgroups_{{ node.address }}">
+            <remote-destination host="{{ node.value }}" port="{{ keycloak_jgroups_port }}"/>
+        </outbound-socket-binding>
+{% endfor %}
 {% endif %}
        <outbound-socket-binding name="remote-cache">
            <remote-destination host="{{ keycloak_remotecache.server_name | default('localhost') }}" port="${remote.cache.port:11222}"/>
--- a/roles/keycloak/templates/standalone.xml.j2
+++ b/roles/keycloak/templates/standalone.xml.j2
@@ -1,5 +1,5 @@
 <?xml version='1.0' encoding='UTF-8'?>
-<!-- {{ ansible_managed }} -->
+{{ ansible_managed | comment('xml') }}
 <server xmlns="urn:jboss:domain:16.0">
    <extensions>
        <extension module="org.jboss.as.clustering.infinispan"/>
@@ -15,7 +15,6 @@
        <extension module="org.jboss.as.modcluster"/>
        <extension module="org.jboss.as.naming"/>
        <extension module="org.jboss.as.remoting"/>
-        <extension module="org.jboss.as.security"/>
        <extension module="org.jboss.as.transactions"/>
        <extension module="org.jboss.as.weld"/>
        <extension module="org.keycloak.keycloak-server-subsystem"/>
@@ -30,31 +29,6 @@
        <extension module="org.wildfly.extension.undertow"/>
    </extensions>
    <management>
-        <security-realms>
-            <security-realm name="ManagementRealm">
-                <authentication>
-                    <local default-user="$local" skip-group-loading="true"/>
-                    <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
-                </authentication>
-                <authorization map-groups-to-roles="false">
-                    <properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
-                </authorization>
-            </security-realm>
-            <security-realm name="ApplicationRealm">
-                <server-identities>
-                    <ssl>
-                        <keystore path="application.keystore" relative-to="jboss.server.config.dir" keystore-password="password" alias="server" key-password="password" generate-self-signed-certificate-host="localhost"/>
-                    </ssl>
-                </server-identities>
-                <authentication>
-                    <local default-user="$local" allowed-users="*" skip-group-loading="true"/>
-                    <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
-                </authentication>
-                <authorization>
-                    <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
-                </authorization>
-            </security-realm>
-        </security-realms>
        <audit-log>
            <formatters>
                <json-formatter name="json-formatter"/>
@@ -69,8 +43,8 @@
            </logger>
        </audit-log>
        <management-interfaces>
-            <http-interface security-realm="ManagementRealm">
-                <http-upgrade enabled="true"/>
+            <http-interface http-authentication-factory="management-http-authentication">
+                <http-upgrade enabled="true" sasl-authentication-factory="management-sasl-authentication"/>
                <socket-binding http="management-http"/>
            </http-interface>
        </management-interfaces>
@@ -149,6 +123,14 @@
                        <user-name>{{ keycloak_jdbc[keycloak_jdbc_engine].db_user }}</user-name>
                        <password>{{ keycloak_jdbc[keycloak_jdbc_engine].db_password }}</password>
                    </security>
+                    <validation>
+                        <check-valid-connection-sql>{{ keycloak_jdbc[keycloak_jdbc_engine].validate_query }}</check-valid-connection-sql>
+                        <validate-on-match>{{ keycloak_db_background_validate_on_match }}</validate-on-match>
+{% if keycloak_db_background_validation_millis | int > 0 or keycloak_db_background_validation %}
+                        <background-validation>{{ keycloak_db_background_validation }}</background-validation>
+                        <background-validation-millis>{{ keycloak_db_background_validation_millis }}</background-validation-millis>
+{% endif %}
+                    </validation>
 {% else %}
                    <connection-url>jdbc:h2:${jboss.server.data.dir}/keycloak;AUTO_SERVER=TRUE</connection-url>
                    <driver>h2</driver>
@@ -231,6 +213,9 @@
                </thread-pool>
            </thread-pools>
            <default-security-domain value="other"/>
+            <application-security-domains>
+                <application-security-domain name="other" security-domain="ApplicationDomain"/>
+            </application-security-domains>
            <default-missing-method-permissions-deny-access value="true"/>
            <statistics enabled="${wildfly.ejb3.statistics-enabled:${wildfly.statistics-enabled:false}}"/>
            <log-system-exceptions value="true"/>
@@ -304,6 +289,13 @@
                        </mechanism>
                    </mechanism-configuration>
                </http-authentication-factory>
+                <http-authentication-factory name="application-http-authentication" security-domain="ApplicationDomain" http-server-mechanism-factory="global">
+                    <mechanism-configuration>
+                        <mechanism mechanism-name="BASIC">
+                            <mechanism-realm realm-name="ApplicationRealm"/>
+                        </mechanism>
+                    </mechanism-configuration>
+                </http-authentication-factory>
                <provider-http-server-mechanism-factory name="global"/>
            </http>
            <sasl>
@@ -533,7 +525,10 @@
                <provider name="default" enabled="true">
                    <properties>
                        <property name="frontendUrl" value="{{ keycloak_modcluster.frontend_url }}"/>
-                        <property name="forceBackendUrlToFrontendUrl" value="true"/>
+                        <property name="forceBackendUrlToFrontendUrl" value="{{ keycloak_modcluster.force_frontend_url }}"/>
+{% if keycloak_modcluster.admin_url | length > 0 %}
+                        <property name="adminUrl" value="{{ keycloak_modcluster.admin_url }}" />
+{% endif %}
                    </properties>
                </provider>
            </spi>
@@ -544,54 +539,22 @@
            </mail-session>
        </subsystem>
        <subsystem xmlns="urn:wildfly:metrics:1.0" security-enabled="false" exposed-subsystems="*" prefix="${wildfly.metrics.prefix:jboss}"/>
-{% if keycloak_modcluster.enabled %}        
+{% if keycloak_modcluster.enabled %}
        <subsystem xmlns="urn:jboss:domain:modcluster:5.0">
-            <proxy name="default" advertise="false" listener="ajp" proxies="proxy1">
+            <proxy name="default" advertise="false" listener="ajp" proxies="{{ ['proxy_'] | product(keycloak_modcluster.reverse_proxy_urls | map(attribute='host')) | map('join') | list | join(' ') }}">
                <dynamic-load-provider>
                    <load-metric type="cpu"/>
                </dynamic-load-provider>
            </proxy>
        </subsystem>
-{% endif %}        
+{% endif %}
        <subsystem xmlns="urn:jboss:domain:naming:2.0">
            <remote-naming/>
        </subsystem>
        <subsystem xmlns="urn:jboss:domain:remoting:4.0">
-            <http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm"/>
+            <http-connector name="http-remoting-connector" connector-ref="default" sasl-authentication-factory="application-sasl-authentication"/>
        </subsystem>
        <subsystem xmlns="urn:jboss:domain:request-controller:1.0"/>
-        <subsystem xmlns="urn:jboss:domain:security:2.0">
-            <security-domains>
-                <security-domain name="other" cache-type="default">
-                    <authentication>
-                        <login-module code="Remoting" flag="optional">
-                            <module-option name="password-stacking" value="useFirstPass"/>
-                        </login-module>
-                        <login-module code="RealmDirect" flag="required">
-                            <module-option name="password-stacking" value="useFirstPass"/>
-                        </login-module>
-                    </authentication>
-                </security-domain>
-                <security-domain name="jboss-web-policy" cache-type="default">
-                    <authorization>
-                        <policy-module code="Delegating" flag="required"/>
-                    </authorization>
-                </security-domain>
-                <security-domain name="jaspitest" cache-type="default">
-                    <authentication-jaspi>
-                        <login-module-stack name="dummy">
-                            <login-module code="Dummy" flag="optional"/>
-                        </login-module-stack>
-                        <auth-module code="Dummy"/>
-                    </authentication-jaspi>
-                </security-domain>
-                <security-domain name="jboss-ejb-policy" cache-type="default">
-                    <authorization>
-                        <policy-module code="Delegating" flag="required"/>
-                    </authorization>
-                </security-domain>
-            </security-domains>
-        </subsystem>
        <subsystem xmlns="urn:jboss:domain:security-manager:1.0">
            <deployment-permissions>
                <maximum-set>
@@ -614,10 +577,10 @@
            <server name="default-server">
                <ajp-listener name="ajp" socket-binding="ajp"/>
                <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
-                <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
+                <https-listener name="https" socket-binding="https" ssl-context="applicationSSC" enable-http2="true"/>
                <host name="default-host" alias="localhost">
                    <location name="/" handler="welcome-content"/>
-                    <http-invoker security-realm="ApplicationRealm"/>
+                    <http-invoker http-authentication-factory="application-http-authentication"/>
                </host>
            </server>
            <servlet-container name="default">
@@ -627,18 +590,21 @@
            <handlers>
                <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
            </handlers>
+            <application-security-domains>
+                <application-security-domain name="other" security-domain="ApplicationDomain"/>
+            </application-security-domains>
        </subsystem>
        <subsystem xmlns="urn:jboss:domain:weld:4.0"/>
    </profile>
    <interfaces>
        <interface name="management">
-            <inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
+            <inet-address value="{{ keycloak_management_port_bind_address }}"/>
        </interface>
        <interface name="public">
-            <inet-address value="${jboss.bind.address:127.0.0.1}"/>
+            <inet-address value="{{ keycloak_bind_address }}"/>
        </interface>
    </interfaces>
-    <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
+    <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:{{ keycloak_jboss_port_offset }}}">
        <socket-binding name="ajp" port="{{ keycloak_ajp_port }}"/>
        <socket-binding name="http" port="{{ keycloak_http_port }}"/>
        <socket-binding name="https" port="{{ keycloak_https_port }}"/>
@@ -649,10 +615,12 @@
        <outbound-socket-binding name="mail-smtp">
            <remote-destination host="${jboss.mail.server.host:localhost}" port="${jboss.mail.server.port:25}"/>
        </outbound-socket-binding>
-{% if keycloak_modcluster.enabled %}        
-        <outbound-socket-binding name="proxy1">
-            <remote-destination host="{{ keycloak_modcluster.reverse_proxy_url | default('localhost') }}" port="6666"/>
+{% if keycloak_modcluster.enabled %}
+{% for modcluster in keycloak_modcluster.reverse_proxy_urls %}
+        <outbound-socket-binding name="proxy_{{ modcluster.host }}">
+            <remote-destination host="{{ modcluster.host }}" port="{{ modcluster.port }}"/>
        </outbound-socket-binding>
-{% endif %}        
+{% endfor %}
+{% endif %}
    </socket-binding-group>
 </server>
--- a/roles/keycloak/vars/debian.yml
+++ b/roles/keycloak/vars/debian.yml
@@ -0,0 +1,11 @@
+---
+keycloak_varjvm_package: "{{ keycloak_jvm_package | default('openjdk-11-jdk-headless') }}"
+keycloak_prereq_package_list:
+      - "{{ keycloak_varjvm_package }}"
+      - unzip
+      - procps
+      - apt
+      - tzdata
+keycloak_configure_iptables: True
+keycloak_sysconf_file: /etc/default/keycloak
+keycloak_pkg_java_home: "/usr/lib/jvm/java-{{ keycloak_varjvm_package | regex_search('(?!:openjdk-)[0-9.]+') }}-openjdk-{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}"
--- a/roles/keycloak/vars/main.yml
+++ b/roles/keycloak/vars/main.yml
@@ -1,26 +1,20 @@
 ---
 # internal variables below
-rhsso_rhn_ids:
-  '7.5.0': # noqa vars_in_vars_files_have_valid_names
-    id: '101971'
-    latest_cp:
-      id: '103836'
-      v: '7.5.1'

 # locations
-keycloak_url: "http://{{ keycloak_host }}:{{ keycloak_http_port }}"
-keycloak_management_url: "http://{{ keycloak_host }}:{{ keycloak_management_http_port }}"
+keycloak_url: "http://{{ keycloak_host }}:{{ keycloak_http_port + keycloak_jboss_port_offset }}"
+keycloak_management_url: "http://{{ keycloak_host }}:{{ keycloak_management_http_port + keycloak_jboss_port_offset }}"


 keycloak:
  home: "{{ keycloak_jboss_home }}"
  config_dir: "{{ keycloak_config_dir }}"
-  bundle: "{{ keycloak_rhsso_archive if keycloak_rhsso_enable else keycloak_archive }}"
-  patch_bundle: "rh-sso-{{ rhsso_rhn_ids[keycloak_rhsso_version].latest_cp.v }}-patch.zip"
-  service_name: "{{ 'rhsso' if keycloak_rhsso_enable else 'keycloak' }}"
+  bundle: "{{ keycloak_archive }}"
+  service_name: "{{ keycloak_service_name }}"
  health_url: "{{ keycloak_management_url }}/health"
  cli_path: "{{ keycloak_jboss_home }}/bin/jboss-cli.sh"
-  config_template_source: "{{ keycloak_config_override_template if keycloak_config_override_template | length > 0 else 'standalone.xml.j2' }}"
+  config_template_source: "{{ keycloak_config_override_template if keycloak_config_override_template | length > 0 else 'standalone-ha.xml.j2' if keycloak_remote_cache_enabled else 'standalone.xml.j2' }}"
+  features: "{{ keycloak_features }}"

 # database
 keycloak_jdbc:
@@ -36,6 +30,7 @@ keycloak_jdbc:
    connection_url: "{{ keycloak_jdbc_url }}"
    db_user: "{{ keycloak_db_user }}"
    db_password: "{{ keycloak_db_pass }}"
+    validate_query: "{{ keycloak_db_valid_conn_sql | default('select 1') }}"
    initialize_db: >
      CREATE TABLE IF NOT EXISTS JGROUPSPING (
        own_addr varchar(200) NOT NULL,
@@ -46,15 +41,16 @@ keycloak_jdbc:
  mariadb:
    enabled: "{{ (keycloak_ha_enabled or keycloak_db_enabled) and keycloak_jdbc_engine == 'mariadb' }}"
    driver_class: org.mariadb.jdbc.Driver
-    xa_datasource_class: org.mariadb.jdbc.MySQLDataSource
+    xa_datasource_class: org.mariadb.jdbc.MariaDbDataSource
    driver_module_name: "org.mariadb"
    driver_module_dir: "{{ keycloak_jboss_home }}/modules/org/mariadb/main"
    driver_version: "{{ keycloak_jdbc_driver_version }}"
    driver_jar_filename: "mariadb-java-client-{{ keycloak_jdbc_driver_version }}.jar"
    driver_jar_url: "https://repo1.maven.org/maven2/org/mariadb/jdbc/mariadb-java-client/{{ keycloak_jdbc_driver_version }}/mariadb-java-client-{{ keycloak_jdbc_driver_version }}.jar"
    connection_url: "{{ keycloak_jdbc_url }}"
-    db_user: "{{ keycloak_db_user  }}"
+    db_user: "{{ keycloak_db_user }}"
    db_password: "{{ keycloak_db_pass }}"
+    validate_query: "{{ keycloak_db_valid_conn_sql | default('select 1') }}"
    initialize_db: >
      CREATE TABLE IF NOT EXISTS JGROUPSPING (
        own_addr varchar(200) NOT NULL,
@@ -63,21 +59,46 @@ keycloak_jdbc:
        ping_data varbinary(5000) DEFAULT NULL,
        PRIMARY KEY (own_addr, cluster_name))
      ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_bin
+  sqlserver:
+    enabled: "{{ (keycloak_ha_enabled or keycloak_db_enabled) and keycloak_jdbc_engine == 'sqlserver' }}"
+    driver_class: com.microsoft.sqlserver.jdbc.SQLServerDriver
+    xa_datasource_class: com.microsoft.sqlserver.jdbc.SQLServerXADataSource
+    driver_module_name: "com.microsoft.sqlserver"
+    driver_module_dir: "{{ keycloak_jboss_home }}/modules/com/microsoft/sqlserver/main"
+    driver_version: "{{ keycloak_jdbc_driver_version }}"
+    driver_jar_filename: "mssql-java-client-{{ keycloak_jdbc_driver_version }}.jar"
+    driver_jar_url: "https://repo1.maven.org/maven2/com/microsoft/sqlserver/mssql-jdbc/{{ keycloak_jdbc_driver_version }}.jre11/mssql-jdbc-{{ keycloak_jdbc_driver_version }}.jre11.jar" # e.g., https://repo1.maven.org/maven2/com/microsoft/sqlserver/mssql-jdbc/12.2.0.jre11/mssql-jdbc-12.2.0.jre11.jar
+    connection_url: "{{ keycloak_jdbc_url }}"
+    db_user: "{{ keycloak_db_user }}"
+    db_password: "{{ keycloak_db_pass }}"
+    validate_query: "{{ keycloak_db_valid_conn_sql | default('select 1') }}"
+    initialize_db: >
+      IF  NOT EXISTS (SELECT * FROM sys.objects WHERE object_id = OBJECT_ID(N'[dbo].[JGROUPSPING]') AND type in (N'U'))
+      BEGIN
+        CREATE TABLE JGROUPSPING (
+          own_addr varchar(200) NOT NULL,
+          cluster_name varchar(200) NOT NULL,
+          updated DATETIME2 DEFAULT SYSUTCDATETIME(),
+          ping_data varbinary(5000) DEFAULT NULL,
+          PRIMARY KEY (own_addr, cluster_name))
+      END

 # reverse proxy mod_cluster
 keycloak_modcluster:
-  enabled: "{{ keycloak_ha_enabled }}"
-  reverse_proxy_url: "{{ keycloak_modcluster_url }}"
+  enabled: "{{ keycloak_ha_enabled or keycloak_modcluster_enabled }}"
+  reverse_proxy_urls: "{{ keycloak_modcluster_urls }}"
  frontend_url: "{{ keycloak_frontend_url }}"
+  force_frontend_url: "{{ keycloak_frontend_url_force }}"
+  admin_url: "{{ keycloak_admin_url | default('') }}"

 # infinispan
 keycloak_remotecache:
  enabled: "{{ keycloak_ha_enabled }}"
-  username: "{{ infinispan_user }}"
-  password: "{{ infinispan_pass }}"
+  username: "{{ keycloak_infinispan_user }}"
+  password: "{{ keycloak_infinispan_pass }}"
  realm: default
-  sasl_mechanism: "{{ infinispan_sasl_mechanism }}"
-  server_name: "{{ infinispan_url }}"
-  use_ssl: "{{ infinispan_use_ssl }}"
-  trust_store_path: "{{ infinispan_trust_store_path }}"
-  trust_store_password: "{{ infinispan_trust_store_password }}"
+  sasl_mechanism: "{{ keycloak_infinispan_sasl_mechanism }}"
+  server_name: "{{ keycloak_infinispan_url }}"
+  use_ssl: "{{ keycloak_infinispan_use_ssl }}"
+  trust_store_path: "{{ keycloak_infinispan_trust_store_path }}"
+  trust_store_password: "{{ keycloak_infinispan_trust_store_password }}"
--- a/roles/keycloak/vars/redhat.yml
+++ b/roles/keycloak/vars/redhat.yml
@@ -0,0 +1,10 @@
+---
+keycloak_varjvm_package: "{{ keycloak_jvm_package | default('java-1.8.0-openjdk-headless') }}"
+keycloak_prereq_package_list:
+      - "{{ keycloak_varjvm_package }}"
+      - unzip
+      - procps-ng
+      - initscripts
+      - tzdata-java
+keycloak_sysconf_file: /etc/sysconfig/keycloak
+keycloak_pkg_java_home: "/etc/alternatives/jre_{{ keycloak_varjvm_package | regex_search('(?<=java-)[0-9.]+') }}"
--- a/roles/keycloak_quarkus/README.md
+++ b/roles/keycloak_quarkus/README.md
@@ -1,83 +1,118 @@
 keycloak_quarkus
 ================

-Install [keycloak](https://keycloak.org/) >= 17.0.0 (quarkus) server configurations.
+Install [keycloak](https://keycloak.org/) >= 20.0.0 (quarkus) server configurations.


 Role Defaults
 -------------

-* Installation options
+#### Installation options

 | Variable | Description | Default |
 |:---------|:------------|:--------|
-|`keycloak_quarkus_version`| keycloak.org package version | `17.0.1` |
+|`keycloak_quarkus_version`| keycloak.org package version | `24.0.3` |
+|`keycloak_quarkus_offline_install` | Perform an offline install | `False`|
+|`keycloak_quarkus_dest`| Installation root path | `/opt/keycloak` |
+|`keycloak_quarkus_download_url` | Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/{{ keycloak_quarkus_version }}/{{ keycloak_quarkus_archive }}` |


-* Service configuration
+#### Service configuration
+
+| Variable | Description | Default |
+|:---------|:------------|:--------|
+|`keycloak_quarkus_admin_user`| Administration console user account | `admin` |
+|`keycloak_quarkus_bind_address`| Address for binding service ports | `0.0.0.0` |
+|`keycloak_quarkus_host`| Hostname for the Keycloak server | `localhost` |
+|`keycloak_quarkus_port`| The port used by the proxy when exposing the hostname | `-1` |
+|`keycloak_quarkus_path`| This should be set if proxy uses a different context-path for Keycloak | |
+|`keycloak_quarkus_http_port`| HTTP listening port | `8080` |
+|`keycloak_quarkus_https_port`| TLS HTTP listening port | `8443` |
+|`keycloak_quarkus_ajp_port`| AJP port | `8009` |
+|`keycloak_quarkus_service_user`| Posix account username | `keycloak` |
+|`keycloak_quarkus_service_group`| Posix account group | `keycloak` |
+|`keycloak_quarkus_service_restart_always`| systemd restart always behavior activation | `False` |
+|`keycloak_quarkus_service_restart_on_failure`| systemd restart on-failure behavior activation | `False` |
+|`keycloak_quarkus_service_restartsec`| systemd RestartSec | `10s` |
+|`keycloak_quarkus_jvm_package`| RHEL java package runtime | `java-17-openjdk-headless` |
+|`keycloak_quarkus_java_home`| JAVA_HOME of installed JRE, leave empty for using specified keycloak_quarkus_jvm_package RPM path | `None` |
+|`keycloak_quarkus_java_heap_opts`| Heap memory JVM setting | `-Xms1024m -Xmx2048m` |
+|`keycloak_quarkus_java_jvm_opts`| Other JVM settings | same as keycloak |
+|`keycloak_quarkus_java_opts`| JVM arguments; if overriden, it takes precedence over `keycloak_quarkus_java_*` | `{{ keycloak_quarkus_java_heap_opts + ' ' + keycloak_quarkus_java_jvm_opts }}` |
+|`keycloak_quarkus_frontend_url`| Set the base URL for frontend URLs, including scheme, host, port and path | |
+|`keycloak_quarkus_admin_url`| Set the base URL for accessing the administration console, including scheme, host, port and path | |
+|`keycloak_quarkus_http_relative_path` | Set the path relative to / for serving resources. The path must start with a / | `/` |
+|`keycloak_quarkus_http_enabled`| Enable listener on HTTP port | `True` |
+|`keycloak_quarkus_https_key_file_enabled`| Enable listener on HTTPS port | `False` |
+|`keycloak_quarkus_key_file_copy_enabled`| Enable copy of key file to target host | `False` |
+|`keycloak_quarkus_key_content`| Content of the TLS private key. Use `"{{ lookup('file', 'server.key.pem') }}"` to lookup a file. | `""` |
+|`keycloak_quarkus_key_file`| The file path to a private key in PEM format | `/etc/pki/tls/private/server.key.pem` |
+|`keycloak_quarkus_cert_file_copy_enabled`| Enable copy of cert file to target host | `False`|
+|`keycloak_quarkus_cert_file_src`| Set the source file path | `""` |
+|`keycloak_quarkus_cert_file`| The file path to a server certificate or certificate chain in PEM format | `/etc/pki/tls/certs/server.crt.pem` |
+|`keycloak_quarkus_https_key_store_enabled`| Enable configuration of HTTPS via a key store | `False` |
+|`keycloak_quarkus_key_store_file`| Deprecated, use `keycloak_quarkus_https_key_store_file` instead. ||
+|`keycloak_quarkus_key_store_password`| Deprecated, use `keycloak_quarkus_https_key_store_password` instead.||
+|`keycloak_quarkus_https_key_store_file`| The file path to the key store | `{{ keycloak.home }}/conf/key_store.p12` |
+|`keycloak_quarkus_https_key_store_password`| Password for the key store | `""` |
+|`keycloak_quarkus_https_trust_store_enabled`| Enable configuration of the https trust store | `False` |
+|`keycloak_quarkus_https_trust_store_file`| The file path to the trust store | `{{ keycloak.home }}/conf/trust_store.p12` |
+|`keycloak_quarkus_https_trust_store_password`| Password for the trust store | `""` |
+|`keycloak_quarkus_proxy_headers`| Parse reverse proxy headers (`forwarded` or `xforwarded`) | `""` |
+|`keycloak_quarkus_config_key_store_file`| Path to the configuration key store; only used if `keycloak_quarkus_keystore_password` is not empty  | `{{ keycloak.home }}/conf/conf_store.p12` if `keycloak_quarkus_keystore_password != ''`, else `''` |
+|`keycloak_quarkus_config_key_store_password`| Password of the configuration keystore; if non-empty, `keycloak_quarkus_db_pass` will be saved to the keystore at `keycloak_quarkus_config_key_store_file` instead of being written to the configuration file in clear text | `""` |
+|`keycloak_quarkus_configure_firewalld` | Ensure firewalld is running and configure keycloak ports | `False` |
+|`keycloak_quarkus_configure_iptables` | Ensure iptables is configured for keycloak ports | `False` |
+
+
+#### High-availability

 | Variable | Description | Default |
 |:---------|:------------|:--------|
 |`keycloak_quarkus_ha_enabled`| Enable auto configuration for database backend, clustering and remote caches on infinispan | `False` |
+|`keycloak_quarkus_ha_discovery`| Discovery protocol for HA cluster members | `TCPPING` |
 |`keycloak_quarkus_db_enabled`| Enable auto configuration for database backend | `True` if `keycloak_quarkus_ha_enabled` is True, else `False` |
-|`keycloak_quarkus_admin_user`| Administration console user account | `admin` |
-|`keycloak_quarkus_bind_address`| Address for binding service ports | `0.0.0.0` |
-|`keycloak_quarkus_host`| hostname | `localhost` |
-|`keycloak_quarkus_http_port`| HTTP port | `8080` |
-|`keycloak_quarkus_https_port`| TLS HTTP port | `8443` |
-|`keycloak_quarkus_ajp_port`| AJP port | `8009` |
-|`keycloak_quarkus_jgroups_port`| jgroups cluster tcp port | `7600` |
-|`keycloak_quarkus_service_user`| Posix account username | `keycloak` |
-|`keycloak_quarkus_service_group`| Posix account group | `keycloak` |
-|`keycloak_quarkus_service_pidfile`| Pid file path for service | `/run/keycloak.pid` |
-|`keycloak_quarkus_jvm_package`| RHEL java package runtime | `java-11-openjdk-headless` |
-|`keycloak_quarkus_java_home`| JAVA_HOME of installed JRE, leave empty for using specified keycloak_quarkus_jvm_package RPM path | `None` |
-|`keycloak_quarkus_java_opts`| Additional JVM options | `-Xms1024m -Xmx2048m` |
-|`keycloak_quarkus_frontend_url`| Service public URL | `http://localhost:8080/auth` |
-|`keycloak_quarkus_http_relative_path` | Service context path | `auth` |
-|`keycloak_quarkus_http_enabled`| Enable listener on HTTP port | `True` |
-|`keycloak_quarkus_https_enabled`| Enable listener on HTTPS port | `False` |
-|`keycloak_quarkus_key_file`| The file path to a private key in PEM format | `conf/server.key.pem` |
-|`keycloak_quarkus_cert_file`| The file path to a server certificate or certificate chain in PEM format | `conf/server.crt.pem` |
+|`keycloak_quarkus_jgroups_port`| jgroups cluster tcp port | `7800` |
+|`keycloak_quarkus_systemd_wait_for_port` | Whether systemd unit should wait for keycloak port before returning | `{{ keycloak_quarkus_ha_enabled }}` |
+|`keycloak_quarkus_systemd_wait_for_log` | Whether systemd unit should wait for service to be up in logs | `false` |
+|`keycloak_quarkus_systemd_wait_for_timeout`| How long to wait for service to be alive (seconds) | `60` |
+|`keycloak_quarkus_systemd_wait_for_delay`| Activation delay for service systemd unit (seconds) | `10` |


-* Database configuration
+#### Hostname configuration

 | Variable | Description | Default |
 |:---------|:------------|:--------|
-|`keycloak_quarkus_jdbc_engine` | Database engine [mariadb,postres] | `postgres` |
+|`keycloak_quarkus_http_relative_path`| Set the path relative to / for serving resources. The path must start with a / | `/` |
+|`keycloak_quarkus_hostname_strict`| Disables dynamically resolving the hostname from request headers | `true` |
+|`keycloak_quarkus_hostname_strict_backchannel`| By default backchannel URLs are dynamically resolved from request headers to allow internal and external applications. If all applications use the public URL this option should be enabled. | `false` |
+
+
+#### Database configuration
+
+| Variable | Description | Default |
+|:---------|:------------|:--------|
+|`keycloak_quarkus_jdbc_engine` | Database engine [mariadb,postres,mssql] | `postgres` |
 |`keycloak_quarkus_db_user` | User for database connection | `keycloak-user` |
 |`keycloak_quarkus_db_pass` | Password for database connection | `keycloak-pass` |
 |`keycloak_quarkus_jdbc_url` | JDBC URL for connecting to database | `jdbc:postgresql://localhost:5432/keycloak` |
 |`keycloak_quarkus_jdbc_driver_version` | Version for JDBC driver | `9.4.1212` |


-* Remote caches configuration
+#### Remote caches configuration

 | Variable | Description | Default |
 |:---------|:------------|:--------|
 |`keycloak_quarkus_ispn_user` | Username for connecting to infinispan | `supervisor` |
 |`keycloak_quarkus_ispn_pass` | Password for connecting to infinispan | `supervisor` |
-|`keycloak_quarkus_ispn_url` | URL for connecting to infinispan | `localhost` |
+|`keycloak_quarkus_ispn_hosts` | host name/port for connecting to infinispan, eg. host1:11222;host2:11222 | `localhost:11222` |
 |`keycloak_quarkus_ispn_sasl_mechanism` | Infinispan auth mechanism | `SCRAM-SHA-512` |
 |`keycloak_quarkus_ispn_use_ssl` | Whether infinispan uses TLS connection | `false` |
 |`keycloak_quarkus_ispn_trust_store_path` | Path to infinispan server trust certificate | `/etc/pki/java/cacerts` |
-|`keycloak_quarkus_ispn_trust_store_password` | Password for infinispan certificate keystore | `changeit` | 
+|`keycloak_quarkus_ispn_trust_store_password` | Password for infinispan certificate keystore | `changeit` |


-* Install options
-
-| Variable | Description | Default |
-|:---------|:------------|:---------|
-|`keycloak_quarkus_offline_install` | Perform an offline install | `False`|
-|`keycloak_quarkus_download_url`| Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/<version>/<archive>`| 
-|`keycloak_quarkus_version`| keycloak.org package version | `17.0.1` |
-|`keycloak_quarkus_dest`| Installation root path | `/opt/keycloak` |
-|`keycloak_quarkus_download_url` | Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/{{ keycloak_quarkus_version }}/{{ keycloak_quarkus_archive }}` |
-|`keycloak_quarkus_configure_firewalld` | Ensure firewalld is running and configure keycloak ports | `False` |
-
-
-* Miscellaneous configuration
+#### Miscellaneous configuration

 | Variable | Description | Default |
 |:---------|:------------|:--------|
@@ -91,12 +126,54 @@ Role Defaults
 |`keycloak_auth_client` | Authentication client for configuration REST calls | `admin-cli` |
 |`keycloak_force_install` | Remove pre-existing versions of service | `False` |
 |`keycloak_url` | URL for configuration rest calls | `http://{{ keycloak_quarkus_host }}:{{ keycloak_http_port }}` |
-|`keycloak_management_url` | URL for management console rest calls | `http://{{ keycloak_quarkus_host }}:{{ keycloak_management_http_port }}` |
 |`keycloak_quarkus_log`| Enable one or more log handlers in a comma-separated list | `file` |
 |`keycloak_quarkus_log_level`| The log level of the root category or a comma-separated list of individual categories and their levels | `info` |
 |`keycloak_quarkus_log_file`| Set the log file path and filename relative to keycloak home | `data/log/keycloak.log` |
 |`keycloak_quarkus_log_format`| Set a format specific to file log entries | `%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n` |
+|`keycloak_quarkus_log_target`| Set the destination of the keycloak log folder link | `/var/log/keycloak` |
+|`keycloak_quarkus_log_max_file_size`| Set the maximum log file size before a log rotation happens; A size configuration option recognises string in this format (shown as a regular expression): `[0-9]+[KkMmGgTtPpEeZzYy]?`. If no suffix is given, assume bytes. | `10M` |
+|`keycloak_quarkus_log_max_backup_index`| Set the maximum number of archived log files to keep" | `10` |
+|`keycloak_quarkus_log_file_suffix`| Set the log file handler rotation file suffix. When used, the file will be rotated based on its suffix; Note: If the suffix ends with `.zip` or `.gz`, the rotation file will also be compressed. | `.yyyy-MM-dd.zip` |
 |`keycloak_quarkus_proxy_mode`| The proxy address forwarding mode if the server is behind a reverse proxy | `edge` |
+|`keycloak_quarkus_start_dev`| Whether to start the service in development mode (start-dev) | `False` |
+|`keycloak_quarkus_transaction_xa_enabled`| Whether to use XA transactions | `True` |
+|`keycloak_quarkus_spi_sticky_session_encoder_infinispan_should_attach_route`| If the route should be attached to cookies to reflect the node that owns a particular session. If false, route is not attached to cookies and we rely on the session affinity capabilities from reverse proxy | `True` |
+
+
+#### Vault SPI
+
+| Variable | Description | Default |
+|:---------|:------------|:--------|
+|`keycloak_quarkus_ks_vault_enabled`| Whether to enable the vault SPI | `false` |
+|`keycloak_quarkus_ks_vault_file`| The keystore path for the vault SPI | `{{ keycloak_quarkus_config_dir }}/keystore.p12` |
+|`keycloak_quarkus_ks_vault_type`| Type of the keystore used for the vault SPI | `PKCS12` |
+
+
+#### Configuring providers
+
+| Variable | Description | Default |
+|:---------|:------------|:--------|
+|`keycloak_quarkus_providers`| List of provider definitions; see below | `[]` |
+
+Provider definition:
+
+```yaml
+keycloak_quarkus_providers:
+  - id: http-client                         # required
+    spi: connections                        # required if url is not specified
+    default: true                           # optional, whether to set default for spi, default false
+    restart: true                           # optional, whether to restart, default true
+    url: https://.../.../custom_spi.jar     # optional, url for download
+    properties:                             # optional, list of key-values
+      - key: default-connection-pool-size
+        value: 10
+```
+
+the definition above will generate the following build command:
+
+```
+bin/kc.sh build --spi-connections-provider=http-client --spi-connections-http-client-default-connection-pool-size=10
+```


 Role Variables
@@ -105,7 +182,18 @@ Role Variables
 | Variable | Description | Required |
 |:---------|:------------|----------|
 |`keycloak_quarkus_admin_pass`| Password of console admin account | `yes` |
+|`keycloak_quarkus_frontend_url`| Base URL for frontend URLs, including scheme, host, port and path | `no` |
+|`keycloak_quarkus_admin_url`| Base URL for accessing the administration console, including scheme, host, port and path | `no` |
+|`keycloak_quarkus_ks_vault_pass`| The password for accessing the keystore vault SPI | `no` |

+Role custom facts
+-----------------
+
+The role uses the following [custom facts](https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_vars_facts.html#adding-custom-facts) found in `/etc/ansible/facts.d/keycloak.fact` (and thus identified by the `ansible_local.keycloak.` prefix):
+
+| Variable | Description |
+|:---------|:------------|
+|`general.bootstrapped` | A custom fact indicating whether this role has been used for bootstrapping keycloak on the respective host before; set to `false` (e.g., when starting off with a new, empty database) ensures that the initial admin user as defined by `keycloak_quarkus_admin_user[_pass]` gets created |

 License
 -------
--- a/roles/keycloak_quarkus/defaults/main.yml
+++ b/roles/keycloak_quarkus/defaults/main.yml
@@ -1,65 +1,114 @@
 ---
 ### Configuration specific to keycloak
-keycloak_quarkus_version: 18.0.0
+keycloak_quarkus_version: 24.0.3
 keycloak_quarkus_archive: "keycloak-{{ keycloak_quarkus_version }}.zip"
-keycloak_quarkus_download_url: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_quarkus_version }}/{{ keycloak_quarkus_archive }}"  
+keycloak_quarkus_download_url: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_quarkus_version }}/{{ keycloak_quarkus_archive }}"
 keycloak_quarkus_installdir: "{{ keycloak_quarkus_dest }}/keycloak-{{ keycloak_quarkus_version }}"

 # whether to install from local archive
-keycloak_quarkus_offline_install: False
+keycloak_quarkus_offline_install: false

 ### Install location and service settings
-keycloak_quarkus_jvm_package: java-11-openjdk-headless
 keycloak_quarkus_java_home:
 keycloak_quarkus_dest: /opt/keycloak
 keycloak_quarkus_home: "{{ keycloak_quarkus_installdir }}"
 keycloak_quarkus_config_dir: "{{ keycloak_quarkus_home }}/conf"
+keycloak_quarkus_start_dev: false
 keycloak_quarkus_service_user: keycloak
 keycloak_quarkus_service_group: keycloak
-keycloak_quarkus_service_pidfile: "/run/keycloak.pid"
-keycloak_quarkus_configure_firewalld: False
+keycloak_quarkus_service_restart_always: false
+keycloak_quarkus_service_restart_on_failure: false
+keycloak_quarkus_service_restartsec: "10s"
+
+keycloak_quarkus_configure_firewalld: false
+keycloak_quarkus_configure_iptables: false

 ### administrator console password
 keycloak_quarkus_admin_user: admin
-keycloak_quarkus_admin_pass: ''
+keycloak_quarkus_admin_pass:
 keycloak_quarkus_master_realm: master

 ### Configuration settings
 keycloak_quarkus_bind_address: 0.0.0.0
 keycloak_quarkus_host: localhost
-keycloak_quarkus_http_enabled: True
+keycloak_quarkus_port: -1
+keycloak_quarkus_path:
+keycloak_quarkus_http_enabled: true
 keycloak_quarkus_http_port: 8080
 keycloak_quarkus_https_port: 8443
 keycloak_quarkus_ajp_port: 8009
-keycloak_quarkus_jgroups_port: 7600
-keycloak_quarkus_java_opts: "-Xms1024m -Xmx2048m"
+keycloak_quarkus_jgroups_port: 7800
+keycloak_quarkus_java_heap_opts: "-Xms1024m -Xmx2048m"
+keycloak_quarkus_java_jvm_opts: "-XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Dfile.encoding=UTF-8 -Dsun.stdout.encoding=UTF-8
+  -Dsun.err.encoding=UTF-8 -Dstdout.encoding=UTF-8 -Dstderr.encoding=UTF-8 -XX:+ExitOnOutOfMemoryError
+  -Djava.security.egd=file:/dev/urandom -XX:+UseParallelGC -XX:GCTimeRatio=4
+  -XX:AdaptiveSizePolicyWeight=90 -XX:FlightRecorderOptions=stackdepth=512"
+keycloak_quarkus_java_opts: "{{ keycloak_quarkus_java_heap_opts + ' ' + keycloak_quarkus_java_jvm_opts }}"

 ### TLS/HTTPS configuration
-keycloak_quarkus_https_enabled: False
-keycloak_quarkus_key_file: conf/server.key.pem
-keycloak_quarkus_cert_file: conf/server.crt.pem
+keycloak_quarkus_https_key_file_enabled: false
+keycloak_quarkus_key_file_copy_enabled: false
+keycloak_quarkus_key_content: ""
+keycloak_quarkus_key_file: "/etc/pki/tls/private/server.key.pem"
+keycloak_quarkus_cert_file_copy_enabled: false
+keycloak_quarkus_cert_file_src: ""
+keycloak_quarkus_cert_file: "/etc/pki/tls/certs/server.crt.pem"
+#### key store configuration
+keycloak_quarkus_https_key_store_enabled: false
+keycloak_quarkus_https_key_store_file: "{{ keycloak.home }}/conf/key_store.p12"
+keycloak_quarkus_https_key_store_password: ''
+##### trust store configuration
+keycloak_quarkus_https_trust_store_enabled: false
+keycloak_quarkus_https_trust_store_file: "{{ keycloak.home }}/conf/trust_store.p12"
+keycloak_quarkus_https_trust_store_password: ''
+### configuration key store configuration
+keycloak_quarkus_config_key_store_file: "{{ keycloak.home }}/conf/conf_store.p12"
+keycloak_quarkus_config_key_store_password: ''

 ### Enable configuration for database backend, clustering and remote caches on infinispan
-keycloak_quarkus_ha_enabled: False
+keycloak_quarkus_ha_enabled: false
+keycloak_quarkus_ha_discovery: "TCPPING"
 ### Enable database configuration, must be enabled when HA is configured
-keycloak_quarkus_db_enabled: "{{ True if keycloak_quarkus_ha_enabled else False }}"
+keycloak_quarkus_db_enabled: "{{ keycloak_quarkus_ha_enabled }}"
+keycloak_quarkus_systemd_wait_for_port: "{{ keycloak_quarkus_ha_enabled }}"
+keycloak_quarkus_systemd_wait_for_log: false
+keycloak_quarkus_systemd_wait_for_timeout: 60
+keycloak_quarkus_systemd_wait_for_delay: 10

 ### keycloak frontend url
-keycloak_quarkus_http_relative_path: auth
-keycloak_quarkus_frontend_url: http://localhost:8080/auth
+keycloak_quarkus_frontend_url:
+keycloak_quarkus_admin_url:

-# proxy address forwarding mode if the server is behind a reverse proxy. [edge, reencrypt, passthrough]
+### Set the path relative to / for serving resources. The path must start with a /
+### (set to `/auth` for retrocompatibility with pre-quarkus releases)
+keycloak_quarkus_http_relative_path: /
+
+# Disables dynamically resolving the hostname from request headers.
+# Should always be set to true in production, unless proxy verifies the Host header.
+keycloak_quarkus_hostname_strict: true
+# By default backchannel URLs are dynamically resolved from request headers to allow internal and external applications.
+# If all applications use the public URL this option should be enabled.
+keycloak_quarkus_hostname_strict_backchannel: false
+
+# proxy address forwarding mode if the server is behind a reverse proxy. [none, edge, reencrypt, passthrough]
 keycloak_quarkus_proxy_mode: edge

-keycloak_quarkus_metrics_enabled: False
-keycloak_quarkus_health_enabled: True
+# disable xa transactions
+keycloak_quarkus_transaction_xa_enabled: true
+
+# If the route should be attached to cookies to reflect the node that owns a particular session.
+# If false, route is not attached to cookies and we rely on the session affinity capabilities from reverse proxy
+keycloak_quarkus_spi_sticky_session_encoder_infinispan_should_attach_route: true
+
+keycloak_quarkus_metrics_enabled: false
+keycloak_quarkus_health_enabled: true

 ### infinispan remote caches access (hotrod)
 keycloak_quarkus_ispn_user: supervisor
 keycloak_quarkus_ispn_pass: supervisor
-keycloak_quarkus_ispn_url: localhost
+keycloak_quarkus_ispn_hosts: "localhost:11222"
 keycloak_quarkus_ispn_sasl_mechanism: SCRAM-SHA-512
-keycloak_quarkus_ispn_use_ssl: False
+keycloak_quarkus_ispn_use_ssl: false
 # if ssl is enabled, import ispn server certificate here
 keycloak_quarkus_ispn_trust_store_path: /etc/pki/java/cacerts
 keycloak_quarkus_ispn_trust_store_password: changeit
@@ -79,9 +128,25 @@ keycloak_quarkus_default_jdbc:
  mariadb:
    url: 'jdbc:mariadb://localhost:3306/keycloak'
    version: 2.7.4
-
+  mssql:
+    url: 'jdbc:sqlserver://localhost:1433;databaseName=keycloak;'
+    version: 12.2.0
+    driver_jar_url: "https://repo1.maven.org/maven2/com/microsoft/sqlserver/mssql-jdbc/12.2.0.jre11/mssql-jdbc-12.2.0.jre11.jar"
+    # cf. https://access.redhat.com/documentation/en-us/red_hat_build_of_keycloak/22.0/html/server_guide/db-#db-installing-the-microsoft-sql-server-driver
 ### logging configuration
 keycloak_quarkus_log: file
 keycloak_quarkus_log_level: info
 keycloak_quarkus_log_file: data/log/keycloak.log
 keycloak_quarkus_log_format: '%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n'
+keycloak_quarkus_log_target: /var/log/keycloak
+keycloak_quarkus_log_max_file_size: 10M
+keycloak_quarkus_log_max_backup_index: 10
+keycloak_quarkus_log_file_suffix: '.yyyy-MM-dd.zip'
+
+# keystore-based vault
+keycloak_quarkus_ks_vault_enabled: false
+keycloak_quarkus_ks_vault_file: "{{ keycloak_quarkus_config_dir }}/keystore.p12"
+keycloak_quarkus_ks_vault_type: PKCS12
+keycloak_quarkus_ks_vault_pass:
+
+keycloak_quarkus_providers: []
--- a/roles/keycloak_quarkus/handlers/main.yml
+++ b/roles/keycloak_quarkus/handlers/main.yml
@@ -1,4 +1,17 @@
 ---
+# handler should be invoked anytime a [build configuration](https://www.keycloak.org/server/all-config?f=build) changes
+- name: "Rebuild {{ keycloak.service_name }} config"
+  ansible.builtin.include_tasks: rebuild_config.yml
+  listen: "rebuild keycloak config"
+- name: "Bootstrapped"
+  ansible.builtin.include_tasks: bootstrapped.yml
+  listen: bootstrapped
 - name: "Restart {{ keycloak.service_name }}"
  ansible.builtin.include_tasks: restart.yml
-  listen: "restart keycloak"
+  listen: "restart keycloak"
+- name: "Print deprecation warning"
+  ansible.builtin.fail:
+    msg: "Deprecation warning: you are using the deprecated variable '{{ deprecated_variable | d('NotSet') }}', check docs on how to upgrade."
+  ignore_errors: true
+  failed_when: false
+  listen: "print deprecation warning"
--- a/roles/keycloak_quarkus/meta/argument_specs.yml
+++ b/roles/keycloak_quarkus/meta/argument_specs.yml
@@ -2,32 +2,26 @@ argument_specs:
    main:
        options:
            keycloak_quarkus_version:
-                # line 3 of defaults/main.yml
-                default: "17.0.1"
+                default: "24.0.3"
                description: "keycloak.org package version"
                type: "str"
            keycloak_quarkus_archive:
-                # line 4 of defaults/main.yml
                default: "keycloak-{{ keycloak_quarkus_version }}.zip"
                description: "keycloak install archive filename"
                type: "str"
            keycloak_quarkus_download_url:
-                # line 5 of defaults/main.yml
                default: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_quarkus_version }}/{{ keycloak_quarkus_archive }}"
                description: "Download URL for keycloak"
                type: "str"
            keycloak_quarkus_installdir:
-                # line 6 of defaults/main.yml
                default: "{{ keycloak_quarkus_dest }}/keycloak-{{ keycloak_quarkus_version }}"
                description: "Installation path"
                type: "str"
            keycloak_quarkus_offline_install:
-                # line 9 of defaults/main.yml
                default: false
                description: "Perform an offline install"
                type: "bool"
            keycloak_quarkus_jvm_package:
-                # line 12 of defaults/main.yml
                default: "java-11-openjdk-headless"
                description: "RHEL java package runtime"
                type: "str"
@@ -35,128 +29,202 @@ argument_specs:
                description: "JAVA_HOME of installed JRE, leave empty for using specified keycloak_jvm_package RPM path"
                type: "str"
            keycloak_quarkus_dest:
-                # line 13 of defaults/main.yml
                default: "/opt/keycloak"
                description: "Installation root path"
                type: "str"
            keycloak_quarkus_home:
-                # line 14 of defaults/main.yml
                default: "{{ keycloak_quarkus_installdir }}"
                description: "Installation work directory"
                type: "str"
            keycloak_quarkus_config_dir:
-                # line 15 of defaults/main.yml
                default: "{{ keycloak_quarkus_home }}/conf"
                description: "Path for configuration"
                type: "str"
            keycloak_quarkus_service_user:
-                # line 16 of defaults/main.yml
                default: "keycloak"
                description: "Posix account username"
                type: "str"
            keycloak_quarkus_service_group:
-                # line 17 of defaults/main.yml
                default: "keycloak"
                description: "Posix account group"
                type: "str"
-            keycloak_quarkus_service_pidfile:
-                # line 18 of defaults/main.yml
-                default: "/run/keycloak.pid"
-                description: "Pid file path for service"
-                type: "str"
            keycloak_quarkus_configure_firewalld:
-                # line 19 of defaults/main.yml
                default: false
                description: "Ensure firewalld is running and configure keycloak ports"
                type: "bool"
+            keycloak_quarkus_configure_iptables:
+                default: false
+                description: "Ensure firewalld is running and configure keycloak ports"
+                type: "bool"
+            keycloak_service_restart_always:
+                default: false
+                description: "systemd restart always behavior of service; takes precedence over keycloak_service_restart_on_failure if true"
+                type: "bool"
+            keycloak_service_restart_on_failure:
+                default: false
+                description: "systemd restart on-failure behavior of service"
+                type: "bool"
+            keycloak_service_restartsec:
+                default: "10s"
+                description: "systemd RestartSec for service"
+                type: "str"
            keycloak_quarkus_admin_user:
-                # line 22 of defaults/main.yml
                default: "admin"
                description: "Administration console user account"
                type: "str"
            keycloak_quarkus_admin_pass:
-                # line 23 of defaults/main.yml
-                default: ""
+                required: true
                description: "Password of console admin account"
                type: "str"
            keycloak_quarkus_master_realm:
-                # line 24 of defaults/main.yml
                default: "master"
                description: "Name for rest authentication realm"
                type: "str"
            keycloak_quarkus_bind_address:
-                # line 27 of defaults/main.yml
                default: "0.0.0.0"
                description: "Address for binding service ports"
                type: "str"
            keycloak_quarkus_host:
-                # line 28 of defaults/main.yml
                default: "localhost"
-                description: "hostname"
+                description: "Hostname for the Keycloak server"
+                type: "str"
+            keycloak_quarkus_port:
+                default: -1
+                description: "The port used by the proxy when exposing the hostname"
+                type: "int"
+            keycloak_quarkus_path:
+                required: false
+                description: "This should be set if proxy uses a different context-path for Keycloak"
                type: "str"
            keycloak_quarkus_http_enabled:
                default: true
                description: "Enable listener on HTTP port"
-                type: "bool"                
+                type: "bool"
            keycloak_quarkus_http_port:
-                # line 29 of defaults/main.yml
                default: 8080
                description: "HTTP port"
                type: "int"
-            keycloak_quarkus_https_enabled:
+            keycloak_quarkus_https_key_file_enabled:
                default: false
-                description: "Enable listener on HTTPS port"
-                type: "bool" 
+                description: "Enable configuration of HTTPS via files in PEM format"
+                type: "bool"
+            keycloak_quarkus_key_file_copy_enabled:
+                default: false
+                description: "Enable copy of key file to target host"
+                type: "bool"
+            keycloak_quarkus_key_content:
+                default: ""
+                description: "Content of the TLS private key"
+                type: "str"
            keycloak_quarkus_key_file:
-                default: "conf/server.key.pem"
+                default: "/etc/pki/tls/private/server.key.pem"
                description: "The file path to a private key in PEM format"
                type: "str"
+            keycloak_quarkus_cert_file_copy_enabled:
+                default: false
+                description: "Enable copy of cert file to target host"
+                type: "bool"
+            keycloak_quarkus_cert_file_src:
+                default: ""
+                description: "Set the source file path"
+                type: "str"
            keycloak_quarkus_cert_file:
-                default: "conf/server.crt.pem"
+                default: "/etc/pki/tls/certs/server.crt.pem"
                description: "The file path to a server certificate or certificate chain in PEM format"
                type: "str"
+            keycloak_quarkus_https_key_store_enabled:
+                default: false
+                description: "Enable configuration of HTTPS via a key store"
+                type: "bool"
+            keycloak_quarkus_key_store_file:
+                default: ""
+                description: "Deprecated, use `keycloak_quarkus_https_key_store_file` instead."
+                type: "str"
+            keycloak_quarkus_key_store_password:
+                default: ""
+                description: "Deprecated, use `keycloak_quarkus_https_key_store_password` instead."
+                type: "str"
+            keycloak_quarkus_https_key_store_file:
+                default: "{{ keycloak.home }}/conf/key_store.p12"
+                description: "The file path to the key store"
+                type: "str"
+            keycloak_quarkus_https_key_store_password:
+                default: ""
+                description: "Password for the key store"
+                type: "str"
+            keycloak_quarkus_https_trust_store_enabled:
+                default: false
+                description: "Enable configuration of the https trust store"
+                type: "bool"
+            keycloak_quarkus_https_trust_store_file:
+                default: "{{ keycloak.home }}/conf/trust_store.p12"
+                description: "The file path to the trust store"
+                type: "str"
+            keycloak_quarkus_https_trust_store_password:
+                default: ""
+                description: "Password for the trust store"
+                type: "str"
+            keycloak_quarkus_config_key_store_file:
+                default: "{{ keycloak.home }}/conf/conf_store.p12"
+                description: "Path to the configuration key store; only used if `keycloak_quarkus_keystore_password` is not empty"
+                type: "str"
+            keycloak_quarkus_config_key_store_password:
+                default: ""
+                description: "Password of the configuration key store; if non-empty, `keycloak_quarkus_db_pass` will be saved to the key store at `keycloak_quarkus_config_key_store_file` (instead of being written to the configuration file in clear text"
+                type: "str"
            keycloak_quarkus_https_port:
-                # line 30 of defaults/main.yml
                default: 8443
                description: "HTTPS port"
                type: "int"
            keycloak_quarkus_ajp_port:
-                # line 31 of defaults/main.yml
                default: 8009
                description: "AJP port"
                type: "int"
            keycloak_quarkus_jgroups_port:
-                # line 32 of defaults/main.yml
-                default: 7600
+                default: 7800
                description: "jgroups cluster tcp port"
                type: "int"
-            keycloak_quarkus_java_opts:
-                # line 33 of defaults/main.yml
+            keycloak_quarkus_java_heap_opts:
                default: "-Xms1024m -Xmx2048m"
-                description: "Additional JVM options"
+                description: "Heap memory JVM setting"
+                type: "str"
+            keycloak_quarkus_java_jvm_opts:
+                default: >
+                  -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Dfile.encoding=UTF-8 -Dsun.stdout.encoding=UTF-8 -Dsun.err.encoding=UTF-8
+                  -Dstdout.encoding=UTF-8 -Dstderr.encoding=UTF-8 -XX:+ExitOnOutOfMemoryError -Djava.security.egd=file:/dev/urandom -XX:+UseParallelGC
+                  -XX:GCTimeRatio=4 -XX:AdaptiveSizePolicyWeight=90 -XX:FlightRecorderOptions=stackdepth=512
+                description: "Other JVM settings"
+                type: "str"
+            keycloak_quarkus_java_opts:
+                default: "{{ keycloak_quarkus_java_heap_opts + ' ' + keycloak_quarkus_java_jvm_opts }}"
+                description: "JVM arguments, by default heap_opts + jvm_opts, if overriden it takes precedence over them"
                type: "str"
            keycloak_quarkus_ha_enabled:
-                # line 36 of defaults/main.yml
                default: false
                description: "Enable auto configuration for database backend, clustering and remote caches on infinispan"
                type: "bool"
+            keycloak_quarkus_ha_discovery:
+                default: "TCPPING"
+                description: "Discovery protocol for HA cluster members"
+                type: "str"
            keycloak_quarkus_db_enabled:
-                # line 38 of defaults/main.yml
                default: "{{ True if keycloak_quarkus_ha_enabled else False }}"
                description: "Enable auto configuration for database backend"
                type: "str"
            keycloak_quarkus_http_relative_path:
-                # line 41 of defaults/main.yml
-                default: "auth"
-                description: "Service context path"
+                required: false
+                default: /
+                description: "Set the path relative to / for serving resources. The path must start with a /"
                type: "str"
            keycloak_quarkus_frontend_url:
-                # line 41 of defaults/main.yml
-                default: "http://localhost:8080/auth"
+                required: false
                description: "Service public URL"
                type: "str"
+            keycloak_quarkus_admin_url:
+                required: false
+                description: "Service URL for the admin console"
+                type: "str"
            keycloak_quarkus_metrics_enabled:
-                # line 43 of defaults/main.yml
                default: false
                description: "Whether to enable metrics"
                type: "bool"
@@ -165,62 +233,50 @@ argument_specs:
                description: "If the server should expose health check endpoints"
                type: "bool"
            keycloak_quarkus_ispn_user:
-                # line 46 of defaults/main.yml
                default: "supervisor"
                description: "Username for connecting to infinispan"
                type: "str"
            keycloak_quarkus_ispn_pass:
-                # line 47 of defaults/main.yml
                default: "supervisor"
                description: "Password for connecting to infinispan"
                type: "str"
-            keycloak_quarkus_ispn_url:
-                # line 48 of defaults/main.yml
-                default: "localhost"
-                description: "URL for connecting to infinispan"
+            keycloak_quarkus_ispn_hosts:
+                default: "localhost:11222"
+                description: "host name/port for connecting to infinispan, eg. host1:11222;host2:11222"
                type: "str"
            keycloak_quarkus_ispn_sasl_mechanism:
-                # line 49 of defaults/main.yml
                default: "SCRAM-SHA-512"
                description: "Infinispan auth mechanism"
                type: "str"
            keycloak_quarkus_ispn_use_ssl:
-                # line 50 of defaults/main.yml
                default: false
                description: "Whether infinispan uses TLS connection"
                type: "bool"
            keycloak_quarkus_ispn_trust_store_path:
-                # line 52 of defaults/main.yml
                default: "/etc/pki/java/cacerts"
                description: "Path to infinispan server trust certificate"
                type: "str"
            keycloak_quarkus_ispn_trust_store_password:
-                # line 53 of defaults/main.yml
                default: "changeit"
                description: "Password for infinispan certificate keystore"
                type: "str"
            keycloak_quarkus_jdbc_engine:
-                # line 56 of defaults/main.yml
                default: "postgres"
-                description: "Database engine [mariadb,postres]"
+                description: "Database engine [mariadb,postres,mssql]"
                type: "str"
            keycloak_quarkus_db_user:
-                # line 58 of defaults/main.yml
                default: "keycloak-user"
                description: "User for database connection"
                type: "str"
            keycloak_quarkus_db_pass:
-                # line 59 of defaults/main.yml
                default: "keycloak-pass"
                description: "Password for database connection"
                type: "str"
            keycloak_quarkus_jdbc_url:
-                # line 60 of defaults/main.yml
                default: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].url }}"
                description: "JDBC URL for connecting to database"
                type: "str"
            keycloak_quarkus_jdbc_driver_version:
-                # line 61 of defaults/main.yml
                default: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].version }}"
                description: "Version for JDBC driver"
                type: "str"
@@ -240,7 +296,162 @@ argument_specs:
                default: '%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n'
                type: "str"
                description: "Set a format specific to file log entries"
+            keycloak_quarkus_log_target:
+                default: '/var/log/keycloak'
+                type: "str"
+                description: "Set the destination of the keycloak log folder link"
+            keycloak_quarkus_log_max_file_size:
+                default: 10M
+                type: "str"
+                description: >
+                  Set the maximum log file size before a log rotation happens; A size configuration option recognises string in this format (shown as a regular
+                  expression): [0-9]+[KkMmGgTtPpEeZzYy]?. If no suffix is given, assume bytes.
+            keycloak_quarkus_log_max_backup_index:
+                default: 10
+                type: "str"
+                description: "Set the maximum number of archived log files to keep"
+            keycloak_quarkus_log_file_suffix:
+                default: '.yyyy-MM-dd.zip'
+                type: "str"
+                description: >
+                  Set the log file handler rotation file suffix. When used, the file will be rotated based on its suffix. Note: If the suffix ends
+                  with .zip or .gz, the rotation file will also be compressed.
            keycloak_quarkus_proxy_mode:
                default: 'edge'
                type: "str"
-                description: "The proxy address forwarding mode if the server is behind a reverse proxy"
+                description: "The proxy address forwarding mode if the server is behind a reverse proxy. Set to 'none' if not using a proxy"
+            keycloak_quarkus_proxy_headers:
+                default: ""
+                type: "str"
+                description: "Parse reverse proxy headers (`forwarded` or `xforwarded`), overrides the deprecated keycloak_quarkus_proxy_mode argument"
+            keycloak_quarkus_start_dev:
+                default: false
+                type: "bool"
+                description: "Whether to start the service in development mode (start-dev)"
+            keycloak_quarkus_transaction_xa_enabled:
+                default: true
+                type: "bool"
+                description: "Enable or disable XA transactions which may not be supported by some DBMS"
+            keycloak_quarkus_hostname_strict:
+                default: true
+                type: "bool"
+                description: >
+                  Disables dynamically resolving the hostname from request headers. Should always be set to true in production, unless
+                  proxy verifies the Host header.
+            keycloak_quarkus_hostname_strict_backchannel:
+                default: false
+                type: "bool"
+                description: >
+                  By default backchannel URLs are dynamically resolved from request headers to allow internal and external applications. If all
+                  applications use the public URL this option should be enabled.
+            keycloak_quarkus_spi_sticky_session_encoder_infinispan_should_attach_route:
+                default: true
+                type: "bool"
+                description: >
+                  If the route should be attached to cookies to reflect the node that owns a particular session. If false, route is not attached to cookies
+                  and we rely on the session affinity capabilities from reverse proxy
+            keycloak_quarkus_hostname_strict_https:
+                type: "bool"
+                required: false
+                description: >
+                  By default, Keycloak requires running using TLS/HTTPS. If the service MUST run without TLS/HTTPS, then set
+                  this option to "true"
+            keycloak_quarkus_ks_vault_enabled:
+                default: false
+                type: "bool"
+                description: "Whether to enable vault SPI"
+            keycloak_quarkus_ks_vault_file:
+                default: "{{ keycloak_quarkus_config_dir }}/keystore.p12"
+                type: "str"
+                description: "The keystore path for the vault SPI"
+            keycloak_quarkus_ks_vault_type:
+                default: "PKCS12"
+                type: "str"
+                description: "Type of the keystore used for the vault SPI"
+            keycloak_quarkus_ks_vault_pass:
+                required: false
+                type: "str"
+                description: "The password for accessing the keystore vault SPI"
+            keycloak_quarkus_systemd_wait_for_port:
+                description: 'Whether systemd unit should wait for keycloak port before returning'
+                default: "{{ keycloak_quarkus_ha_enabled }}"
+                type: "bool"
+            keycloak_quarkus_systemd_wait_for_log:
+                description: 'Whether systemd unit should wait for service to be up in logs'
+                default: false
+                type: "bool"
+            keycloak_quarkus_systemd_wait_for_timeout:
+                description: "How long to wait for service to be alive (seconds)"
+                default: 60
+                type: 'int'
+            keycloak_quarkus_systemd_wait_for_delay:
+                description: "Activation delay for service systemd unit (seconds)"
+                default: 10
+                type: 'int'
+            keycloak_quarkus_providers:
+                description: "List of provider definition dicts: { 'id': str, 'spi': str, 'url': str, 'default': bool, 'properties': list of key/value }"
+                default: []
+                type: "list"
+            keycloak_quarkus_jdbc_download_url:
+                description: "Override the default Maven Central download URL for the JDBC driver"
+                type: "str"
+            keycloak_quarkus_jdbc_download_user:
+                description: "Set a username with which to authenticate when downloading JDBC drivers from an alternative location"
+                type: "str"
+            keycloak_quarkus_jdbc_download_pass:
+                description: "Set a password with which to authenticate when downloading JDBC drivers from an alternative location (requires keycloak_quarkus_jdbc_download_user)"
+                type: "str"
+            keycloak_quarkus_jdbc_download_validate_certs:
+                default: true
+                description: "Allow the option to ignore invalid certificates when downloading JDBC drivers from a custom URL"
+                type: "bool"
+    downstream:
+        options:
+            rhbk_version:
+                default: "22.0.10"
+                description: "Red Hat Build of Keycloak version"
+                type: "str"
+            rhbk_archive:
+                default: "rhbk-{{ rhbk_version }}.zip"
+                description: "Red Hat Build of Keycloak install archive filename"
+                type: "str"
+            rhbk_dest:
+                default: "/opt/rhbk"
+                description: "Root installation directory"
+                type: "str"
+            rhbk_installdir:
+                default: "{{ rhbk_dest }}/rhbk-{{ rhbk_version }}"
+                description: "Installation path for Red Hat Build of Keycloak"
+                type: "str"
+            rhbk_apply_patches:
+                default: false
+                description: "Install Red Hat Build of Keycloak most recent cumulative patch"
+                type: "bool"
+            rhbk_enable:
+                default: true
+                description: "Enable Red Hat Build of Keycloak installation"
+                type: "bool"
+            rhbk_offline_install:
+                default: false
+                description: "Perform an offline install"
+                type: "bool"
+            rhbk_service_name:
+                default: "rhbk"
+                description: "systemd service name for Red Hat Build of Keycloak"
+                type: "str"
+            rhbk_service_desc:
+                default: "Red Hat Build of Keycloak"
+                description: "systemd description for Red Hat Build of Keycloak"
+                type: "str"
+            rhbk_patch_version:
+                required: false
+                description: "Red Hat Build of Keycloak latest cumulative patch version to apply; defaults to latest version when rhbk_apply_patches is True"
+                type: "str"
+            rhbk_patch_bundle:
+                default: "rhbk-{{ rhbk_patch_version | default('[0-9]+[.][0-9]+[.][0-9]+') }}-patch.zip"
+                description: "Red Hat Build of Keycloak patch archive filename"
+                type: "str"
+            rhbk_product_category:
+                default: "rhbk"
+                description: "JBossNetwork API category for Red Hat Build of Keycloak"
+                type: "str"
--- a/roles/keycloak_quarkus/meta/main.yml
+++ b/roles/keycloak_quarkus/meta/main.yml
@@ -1,6 +1,4 @@
 ---
-collections:
-
 galaxy_info:
  role_name: keycloak_quarkus
  namespace: middleware_automation
@@ -10,12 +8,17 @@ galaxy_info:

  license: Apache License 2.0

-  min_ansible_version: "2.9"
+  min_ansible_version: "2.14"

  platforms:
-   - name: EL
-     versions:
-     - 8
+    - name: EL
+      versions:
+        - "8"
+        - "9"
+    - name: Fedora
+    - name: Debian
+    - name: Ubuntu
+

  galaxy_tags:
    - keycloak
@@ -26,3 +29,5 @@ galaxy_info:
    - authentication
    - identity
    - security
+    - rhbk
+    - debian
--- a/Show More
+++ b/Show More