Merge pull request #9 from guidograzioli/prerelease_0.2.0

Prerelease 0.2.0
fix: unpack archive only if needed
2026-05-08 06:13:11 +00:00 · 2022-01-28 15:45:49 +01:00 · 2022-01-28 15:18:49 +01:00 · 2022-01-28 14:46:12 +01:00 · 2022-01-27 16:34:52 +01:00 · 2022-01-27 16:34:06 +01:00
34 changed files with 1160 additions and 792 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -28,10 +28,9 @@ jobs:
          python -m pip install --upgrade pip
          pip install yamllint 'molecule[docker]~=3.5.2' ansible-core flake8 ansible-lint voluptuous
-      - name: Create default collection path symlink
+      - name: Create default collection path
        run: |
-          mkdir -p /home/runner/.ansible
+          mkdir -p /home/runner/.ansible/collections/ansible_collections
          ln -s /home/runner/work/middleware_automation/keycloak /home/runner/.ansible/collections
      - name: Run sanity tests
        run: ansible-test sanity --docker -v --color --python ${{ matrix.python_version }}
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -9,7 +9,8 @@ jobs:
  release:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v2
+      - name: Checkout code
        uses: actions/checkout@v2
      - name: Set up Python
        uses: actions/setup-python@v1
        with:
@@ -35,4 +36,18 @@ jobs:
        env:
          ANSIBLE_GALAXY_API_KEY: ${{ secrets.ANSIBLE_GALAXY_API_KEY }}
        run: |
-          ansible-galaxy collection publish *.tar.gz --api-key $ANSIBLE_GALAXY_API_KEY
+          ansible-galaxy collection publish *.tar.gz --api-key $ANSIBLE_GALAXY_API_KEY
  dispatch:
    needs: release
    strategy:
      matrix:
        repo: ['ansible-middleware/cross-dc-rhsso-demo', 'ansible-middleware/flange-demo']
    runs-on: ubuntu-latest
    steps:
      - name: Repository Dispatch
        uses: peter-evans/repository-dispatch@v1
        with:
          token: ${{ secrets.TRIGGERING_PAT }}
          repository: ${{ matrix.repo }}
          event-type: "Dependency released - Keycloak"
          client-payload: '{ "github": ${{toJson(github)}} }'
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
-*.tar.gz
+*.tar.gz
 *.zip
--- a/README.md
+++ b/README.md
@@ -29,25 +29,87 @@ collections:
  - name: middleware_automation.keycloak
 ```
 The keycloak collection also depends on the following python packages to be present on the controller host:
 * netaddr
 A requirement file is provided to install:
    pip install -r requirements.txt
 ### Included roles
 * [`keycloak`](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak/README.md): role for installing the service.
 * [`keycloak_realm`](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak_realm/README.md): role for configuring a realm, user federation(s), clients and users, in an installed service.
 ## Usage
 ### Install Playbook
-`playbooks/keycloak.yml` installs the keycloak or Red Hat Single Sign-On based on the defined variables.
+* [`playbooks/keycloak.yml`](playbooks/keycloak.yml) installs the upstream(Keycloak) based on the defined variables.
 * [`playbooks/rhsso.yml`](playbooks/rhsso.yml) installs Red Hat Single Sign-On(RHSSO) based on defined variables.
-### Choosing between Red Hat products and upstream project
+Both playbooks include the `keycloak` role, with different settings, as described in the following sections.
-The roles supports installing Red Hat Single Sign-On from the Customer Portal, when the following variables are defined:
+For service configuration details, refer to the [keycloak role README](roles/keycloak/README.md).
-```
+
 ### Choosing between upstream project (Keycloak) and Red Hat Single Sign-On (RHSSO)
 The general flag `keycloak_rhsso_enable` controls what to install between upstream(Keycloak, when `False`) or Red Hat Single Sign-On (when `True`).
 The default value for the flag if `True` when Red Hat Network credentials are defined, `False` otherwise.
 #### Install upstream (Keycloak) from keycloak releases
 This is the default approach when RHN credentials are not defined. Keycloak is downloaded from keycloak builds (hosted on github.com) locally, and distributed to target nodes.
 #### Install RHSSO from the Red Hat Customer Support Portal
 Define the credentials as follows, and the default behaviour is to download a fresh archive of RHSSO on the controller node, then distribute to target nodes.
 ```yaml
 rhn_username: '<customer_portal_username>'
 rhn_password: '<customer_portal_password>'
-rhsso_rhn_id: '<sso_product_id>'
+# (keycloak_rhsso_enable defaults to True)
 ```
 where `sso_product_id` is the ID for the specific Red Hat Single Sign-On version, ie. _101971_ will install version _7.5_)
-### Install role
+#### Install from controller node (local source)
 Making the keycloak zip archive (or the RHSSO zip archive), available to the playbook repository root directory, and setting `keycloak_offline_install` to `True`, allows to skip
 the download tasks. The local path for the archive matches the downloaded archive path, so it is also used as a cache when multiple hosts are provisioned in a cluster.
 ```yaml
 keycloak_offline_install: True
 ```
 And depending on `keycloak_rhsso_enable`:
 * `True`: install RHSSO using file rh-sso-x.y.z-server-dist.zip
 * `False`: install keycloak using file keycloak-x.y.zip
 #### Install from alternate sources (like corporate Nexus, artifactory, proxy, etc)
 For RHSSO:
 ```yaml
 keycloak_rhsso_enable: True
 keycloak_rhsso_download_url: "https://<internal-nexus.private.net>/<path>/<to>/rh-sso-x.y.z-server-dist.zip"
 ```
 For keycloak:
 ```yaml
 keycloak_rhsso_enable: False
 keycloak_download_url: "https://<internal-nexus.private.net>/<path>/<to>/keycloak-x.y.zip"
 ```
 * [`keycloak`](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak/README.md): role for installing the service. _Requires: python3-netaddr_
 ### Example installation command
@@ -65,22 +127,21 @@ ansible-playbook -i <ansible_hosts> -e @rhn-creds.yml playbooks/keycloak.yml -e
  localhost ansible_connection=local
  ```
 ## Configuration
 ### Config Playbook
-`playbooks/keycloak-realm.yml` creates provided realm, client(s), client role(s) and client user(s) if they don't exist.
+[`playbooks/keycloak-realm.yml`](playbooks/keycloak-realm.yml) creates provided realm, user federation(s), client(s), client role(s) and client user(s) if they don't exist.
 ### Config role
 * [`keycloak_realm`](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak_realm/README.md): role for configuring a realm, with clients and users, in an installed service.
 ### Example configuration command
 Execute the following command from the source root directory
-```
+```bash
-ansible-playbook -i <ansible_hosts> -e @rhn-creds.yml playbooks/keycloak.yml -e keycloak_admin_password=<changeme> -e keycloak_realm=test
+ansible-playbook -i <ansible_hosts> playbooks/keycloak-realm.yml -e keycloak_admin_password=<changeme> -e keycloak_realm=test
 ```
 - `keycloak_admin_password` password for the administration console user account.
@@ -92,9 +153,12 @@ ansible-playbook -i <ansible_hosts> -e @rhn-creds.yml playbooks/keycloak.yml -e
  localhost ansible_connection=local
  ```
 For configuration details, refer to the [keycloak_realm role README](roles/keycloak_realm/README.md).
 ## License
 Apache License v2.0 or later
-See [LICENCE](LICENSE) to view the full text.
+See [LICENSE](LICENSE) to view the full text.
--- a/galaxy.yml
+++ b/galaxy.yml
@@ -1,10 +1,11 @@
 namespace: middleware_automation
 name: keycloak
-version: "0.1.4"
+version: "0.2.0"
 readme: README.md
 authors:
  - Romain Pelisse <rpelisse@redhat.com>
  - Guido Grazioli <ggraziol@redhat.com>
  - Pavan Kumar Motaparthi <pmotapar@redhat.com>
 description: Install and configure a keycloak, or Red Hat Single Sign-on, service.
 license_file: "LICENSE"
 tags:
--- a/molecule/default/converge.yml
+++ b/molecule/default/converge.yml
@@ -40,3 +40,4 @@
            public_client: "{{ keycloak_client_public }}"
            web_origins: "{{ keycloak_client_web_origins }}"
            users: "{{ keycloak_client_users }}"
            client_id: TestClient
--- a/molecule/default/molecule.yml
+++ b/molecule/default/molecule.yml
@@ -1,6 +1,7 @@
 ---
 dependency:
-  name: galaxy
+  name: shell
  command: ansible-galaxy collection install -r molecule/default/requirements.yml -p $HOME/.ansible/collections --force-with-deps
 driver:
  name: docker
 platforms:
--- a/molecule/default/prepare.yml
+++ b/molecule/default/prepare.yml
@@ -2,7 +2,11 @@
 - name: Prepare
  hosts: all
  tasks:
    - name: Disable beta repos
      command: yum config-manager --disable '*beta*'
      ignore_errors: yes
    - name: Install sudo
      yum:
        name: sudo
-        state: present
+        state: present
--- a/molecule/default/requirements.yml
+++ b/molecule/default/requirements.yml
@@ -0,0 +1,10 @@
 ---
 collections:
  - name: middleware_automation.redhat_csp_download
    version: ">=1.2.1"
  - name: middleware_automation.jcliff
    version: ">=0.0.19"
  - name: community.general
  - name: community.docker
    version: ">=1.9.1"
--- a/playbooks/keycloak-realm.yml
+++ b/playbooks/keycloak-realm.yml
@@ -8,6 +8,46 @@
      vars:
        keycloak_admin_password: "changeme"
        keycloak_realm: TestRealm
        keycloak_user_federation:
          - realm: TestRealm
            name: my-ldap
            provider_id: ldap
            provider_type: org.keycloak.storage.UserStorageProvider
            config:
              priority: '0'
              enabled: true
              cachePolicy: DEFAULT
              batchSizeForSync: '1000'
              editMode: READ_ONLY
              importEnabled: true
              syncRegistrations: false
              vendor: other
              usernameLDAPAttribute: uid
              rdnLDAPAttribute: uid
              uuidLDAPAttribute: entryUUID
              userObjectClasses: inetOrgPerson, organizationalPerson
              connectionUrl: ldaps://ldap.example.com:636
              usersDn: ou=Users,dc=example,dc=com
              authType: simple
              bindDn: cn=directory reader
              bindCredential: password
              searchScope: '1'
              validatePasswordPolicy: false
              trustEmail: false
              useTruststoreSpi: ldapsOnly
              connectionPooling: true
              pagination: true
              allowKerberosAuthentication: false
              debug: false
              useKerberosForPasswordAuthentication: false
            mappers:
              - name: "full name"
                providerId: "full-name-ldap-mapper"
                providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
                config:
                  ldap.full.name.attribute: cn
                  read.only: true
                  write.only: false
        keycloak_clients:
          - name: TestClient1
            roles:
--- a/playbooks/keycloak.yml
+++ b/playbooks/keycloak.yml
@@ -2,11 +2,9 @@
 - name: Playbook for Keycloak Hosts
  hosts: keycloak
  collections:
-    - middleware_automation.redhat_csp_download
+    - middleware_automation.keycloak
  roles:
    - redhat_csp_download
  tasks:
-    - name: Keycloak Role
+    - name: Include keycloak role
      include_role:
        name: keycloak
      vars:
--- a/playbooks/rhsso.yml
+++ b/playbooks/rhsso.yml
@@ -0,0 +1,14 @@
 ---
 - name: Playbook for Keycloak Hosts
  hosts: keycloak
  collections:
    - middleware_automation.redhat_csp_download
  roles:
    - redhat_csp_download
  tasks:
    - name: Keycloak Role
      include_role:
        name: keycloak
      vars:
        keycloak_admin_password: "changeme"
        keycloak_rhsso_enable: True
--- a/requirements.txt
+++ b/requirements.txt
@@ -0,0 +1,6 @@
 #################################################
 # python dependencies required to be installed 
 # on the controller host with:
 # pip install -r requirements.txt
 #
 netaddr
--- a/roles/keycloak/README.md
+++ b/roles/keycloak/README.md
@@ -9,25 +9,68 @@ Requirements
 This role requires the `python3-netaddr` library installed on the controller node.
 * to install via yum/dnf: `dnf install python3-netaddr`
 * or via pip: `pip install netaddr==0.8.0`
 * or via the collection: `pip install -r requirements.txt`
 Dependencies
 ------------
 The roles depends on:
 * the `redhat_csp_download` role from [middleware_automation.redhat_csp_download](https://github.com/ansible-middleware/redhat-csp-download) collection if Red Hat Single Sign-on zip have to be downloaded from RHN.
 * the `wildfly_driver` role from [middleware_automation.wildfly](https://github.com/ansible-middleware/wildfly) collection
 Versions
 --------
 | RH-SSO VERSION | Release Date      | Keycloak Version | EAP Version | Notes           |
 |:---------------|:------------------|:-----------------|:------------|:----------------|
 |`7.5.0 GA`      |September 20, 2021 |`15.0.2`          | `7.4.0`     |[Release Notes](https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.5/html/release_notes/index)|
 Role Defaults
 -------------
 * Service configuration
 | Variable | Description | Default |
 |:---------|:------------|:---------|
 |`keycloak_ha_enabled`| Enable auto configuration for database backend, clustering and remote caches on infinispan | `False` |
-|`keycloak_db_enabled`| Enable auto configuration for database backend | `True` if keycloak_ha_enabled is True, else `False` |
+|`keycloak_db_enabled`| Enable auto configuration for database backend | `True` if `keycloak_ha_enabled` is True, else `False` |
 |`keycloak_admin_user`| Administration console user account | `admin` |
 |`keycloak_bind_address`| Address for binding service ports | `0.0.0.0` |
 |`keycloak_host`| hostname | `localhost` |
 |`keycloak_http_port`| HTTP port | `8080` |
 |`keycloak_https_port`| TLS HTTP port | `8443` |
 |`keycloak_ajp_port`| AJP port | `8009` |
 |`keycloak_jgroups_port`| jgroups cluster tcp port | `7600` |
 |`keycloak_management_http_port`| Management port | `9990` |
 |`keycloak_management_https_port`| TLS management port | `9993` |
-|`keycloak_java_opts`| Additional JVM options | `-Xms1024m -Xmx20480m -XX:MaxPermSize=768m` |
+|`keycloak_java_opts`| Additional JVM options | `-Xms1024m -Xmx2048m` |
 |`keycloak_prefer_ipv4`| Prefer IPv4 stack and addresses for port binding | `True` |
 |`keycloak_config_standalone_xml`| filename for configuration | `keycloak.xml` |
 |`keycloak_service_user`| posix account username | `keycloak` |
 |`keycloak_service_group`| posix account group | `keycloak` |
 |`keycloak_service_pidfile`| pid file path for service | `/run/keycloak.pid` |
 |`jvm_package`| RHEL java package runtime | `java-1.8.0-openjdk-devel` |
 * Install options
 | Variable | Description | Default |
 |:---------|:------------|:---------|
 |`keycloak_rhsso_enable`| Enable Red Hat Single Sign-on installation  | `False` |
 |`keycloak_offline_install` | perform an offline install | `False`|
 |`keycloak_download_url`| Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/<version>/<archive>`| 
 |`keycloak_rhsso_download_url`| Download URL for RHSSO | `https://access.redhat.com/jbossnetwork/restricted/softwareDownload.html?softwareId=<productID>`|
 |`keycloak_version`| keycloak.org package version | `15.0.2` |
 |`keycloak_rhsso_version`| RHSSO version | `7.5.0` |
 |`keycloak_dest`| Installation root path | `/opt/keycloak` |
 Role Variables
 --------------
@@ -38,11 +81,12 @@ The following are a set of _required_ variables for the role:
 |`keycloak_admin_password`| Password for the administration console user account |
-The following variables are _required_ only when keycloak_ha_enabled is True:
+The following variables are _required_ only when `keycloak_ha_enabled` is True:
 | Variable | Description | Default |
 |:---------|:------------|:---------|
 |`keycloak_modcluster_url` | URL for the modcluster reverse proxy | `localhost` |
 |`keycloak_frontend_url` | frontend URL for keycloak endpoints when a reverse proxy is used | `http://localhost` |
 |`keycloak_jdbc_engine` | backend database flavour when db is enabled: [ postgres, mariadb ] | `postgres` |
 |`infinispan_url` | URL for the infinispan remote-cache server | `localhost:11122` |
 |`infinispan_user` | username for connecting to infinispan | `supervisor` |
@@ -53,7 +97,7 @@ The following variables are _required_ only when keycloak_ha_enabled is True:
 |`infinispan_trust_store_password`| Password for opening truststore | `changeit` |
-The following variables are _required_ only when keycloak_db_enabled is True:
+The following variables are _required_ only when `keycloak_db_enabled` is True:
 | Variable | Description | Default |
 |:---------|:------------|:---------|
@@ -63,19 +107,13 @@ The following variables are _required_ only when keycloak_db_enabled is True:
 |`keycloak_db_pass` | password for connecting to postgres | `keycloak-pass` |
-Dependencies
+Example Playbooks
------------
+-----------------
-The roles depends on:
+_NOTE_: use ansible vaults or other security systems for storing credentials.
 * the redhat_csp_download role from [middleware_automation.redhat_csp_download](https://github.com/ansible-middleware/redhat-csp-download) collection
 * the wildfly_driver role from [middleware_automation.wildfly](https://github.com/ansible-middleware/wildfly) collection
-Example Playbook
+* The following is an example playbook that makes use of the role to install keycloak from remote:
 ----------------
 The following is an example playbook that makes use of the role to install keycloak
 ```yaml
 ---
@@ -90,6 +128,83 @@ The following is an example playbook that makes use of the role to install keycl
            keycloak_admin_password: "changeme"
 ```
 * The following is an example playbook that makes use of the role to install Red Hat Single Sign-On from RHN:
 ```yaml
 ---
 - name: Playbook for RHSSO
  hosts: keycloak
  collections:
    - middleware_automation.redhat_csp_download
  roles:
    - redhat_csp_download
  tasks:
    - name: Keycloak Role
      include_role:
        name: keycloak
      vars:
        keycloak_admin_password: "changeme"
        keycloak_rhsso_enable: True
        rhn_username: '<customer portal username>'
        rhn_password: '<customer portal password>'
 ```
 * The following example playbook makes use of the role to install keycloak from the controller node:
 ```yaml
 ---
 - hosts: ...
      collections:
        - middleware_automation.keycloak
      tasks:
        - name: Include keycloak role
          include_role:
            name: keycloak
          vars:
            keycloak_admin_password: "changeme"
            keycloak_offline_install: True
            # This should be the filename of keycloak archive on Ansible node: keycloak-16.1.0.zip
 ```
 * This playbook installs Red Hat Single Sign-On from an alternate url:
 ```yaml
 ---
 - hosts: keycloak
  collections:
    - middleware_automation.keycloak
  tasks:
    - name: Keycloak Role
      include_role:
        name: keycloak
      vars:
        keycloak_admin_password: "changeme"
        keycloak_rhsso_enable: True
        keycloak_rhsso_download_url: "<REPLACE with download url>"
        # This should be the full of remote source rhsso zip file and can contain basic authentication credentials
 ```
 * The following is an example playbook that makes use of the role to install Red Hat Single Sign-On from the controller node:
 ```yaml
 ---
 - hosts: keycloak
  collections:
    - middleware_automation.keycloak
  tasks:
    - name: Keycloak Role
      include_role:
        name: keycloak
      vars:
        keycloak_admin_password: "changeme"
        keycloak_rhsso_enable: True
        keycloak_offline_install: True
        # This should be the filename of rhsso zip file on Ansible node: rh-sso-7.5-server-dist.zip
 ```
 License
 -------
@@ -100,4 +215,5 @@ Author Information
 ------------------
 * [Guido Grazioli](https://github.com/guidograzioli)
-* [Romain Pelisse](https://github.com/rpelisse)
+* [Romain Pelisse](https://github.com/rpelisse)
 * [Pavan Kumar Motaparthi](https://github.com/motaparthipavankumar)
--- a/roles/keycloak/defaults/main.yml
+++ b/roles/keycloak/defaults/main.yml
@@ -1,39 +1,46 @@
 ---
 ### Configuration specific to keycloak
-keycloak_version: 9.0.2
+keycloak_version: 15.0.2
-keycloak_archive: keycloak-{{ keycloak_version }}.zip
+keycloak_archive: "keycloak-{{ keycloak_version }}.zip"
-keycloak_download_url: https://downloads.jboss.org/keycloak/{{ keycloak_version }}/{{ keycloak_archive }}
+keycloak_download_url: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_version }}/{{ keycloak_archive }}"  
 keycloak_download_url_9x: "https://downloads.jboss.org/keycloak/{{ keycloak_version }}/{{ keycloak_archive }}"
 keycloak_installdir: "{{ keycloak_dest }}/keycloak-{{ keycloak_version }}"
 ### Configuration specific to Red Hat Single Sing-On
-keycloak_rhsso_enable: "{{ True if rhsso_rhn_id is defined else False }}"
+keycloak_rhsso_version: 7.5.0
-keycloak_rhsso_version: 7.5
+rhsso_rhn_id: "{{ rhsso_rhn_ids[keycloak_rhsso_version] }}"
-keycloak_rhsso_archive: rh-sso-{{ keycloak_rhsso_version }}-server-dist.zip
+keycloak_rhsso_archive: "rh-sso-{{ keycloak_rhsso_version }}-server-dist.zip"
-keycloak_rhsso_installdir: "{{ keycloak_dest }}/rh-sso-{{ keycloak_rhsso_version }}"
+keycloak_rhsso_installdir: "{{ keycloak_dest }}/rh-sso-{{ keycloak_rhsso_version | regex_replace('^([0-9])\\.([0-9]*).*', '\\1.\\2') }}"
-keycloak_rhsso_base_url: 'https://access.redhat.com/jbossnetwork/restricted/softwareDownload.html?softwareId='
+keycloak_rhn_url: 'https://access.redhat.com/jbossnetwork/restricted/softwareDownload.html?softwareId='
 keycloak_rhsso_download_url: "{{ keycloak_rhn_url }}{{ rhsso_rhn_id }}"
 ### keycloak/rhsso choice: by default install rhsso if rhn credentials are defined
 keycloak_rhsso_enable: "{{ True if rhsso_rhn_id is defined and rhn_username is defined and rhn_password is defined else False }}"
 # whether to install from local archive; filename must be keycloak_archive or keycloak_rhsso_archive depending on keycloak_rhsso_enable
 keycloak_offline_install: False
 ### Install location and service settings
 jvm_package: java-1.8.0-openjdk-devel
 keycloak_dest: /opt/keycloak
-keycloak_jboss_home: "{{ keycloak_rhsso_installdir if rhsso_rhn_id is defined else keycloak_installdir }}"
+keycloak_jboss_home: "{{ keycloak_rhsso_installdir if keycloak_rhsso_enable else keycloak_installdir }}"
 keycloak_config_dir: "{{ keycloak_jboss_home }}/standalone/configuration"
 keycloak_config_standalone_xml: "keycloak.xml"
 keycloak_config_path_to_standalone_xml: "{{ keycloak_jboss_home }}/standalone/configuration/{{ keycloak_config_standalone_xml }}"
 keycloak_service_user: keycloak
 keycloak_service_group: keycloak
 keycloak_service_pidfile: "/run/keycloak.pid"
 keycloak_service_logfile: "{{ keycloak_dest }}/keycloak.log"
-### Keycloak configuration settings
+### Common configuration settings
 keycloak_bind_address: 0.0.0.0
 keycloak_host: localhost
 keycloak_http_port: 8080
 keycloak_https_port: 8443
 keycloak_ajp_port: 8009
 keycloak_jgroups_port: 7600
 keycloak_management_http_port: 9990
 keycloak_management_https_port: 9993
-keycloak_java_opts: "-Xms1024m -Xmx20480m -XX:MaxPermSize=768m"
+keycloak_java_opts: "-Xms1024m -Xmx2048m"
 keycloak_prefer_ipv4: True
 ### Enable configuration for database backend, clustering and remote caches on infinispan
 keycloak_ha_enabled: False
@@ -49,6 +56,7 @@ keycloak_force_install: False
 ### mod_cluster reverse proxy
 keycloak_modcluster_url: localhost
 keycloak_frontend_url: http://localhost
 ### infinispan remote caches access (hotrod)
 infinispan_user: supervisor
--- a/roles/keycloak/tasks/download_from_rhn.yml
+++ b/roles/keycloak/tasks/download_from_rhn.yml
@@ -1,75 +0,0 @@
 ---
 - assert:
    that:
      - zipfile_dest is defined
      - rhn_id_file is defined
      - rhn_username is defined
      - rhn_password is defined
    quiet: true
 - set_fact:
    rhn_download_url: "{{ keycloak_rhsso_base_url }}{{ rhn_id_file }}"
 - name: "Check zipfile dest directory {{ zipfile_dest }}"
  stat:
    path: "{{ zipfile_dest }}"
  register: archive_path
 - name: "Install zipfile from RHN: {{ rhn_download_url }}"
  redhat_csp_download:
    url: "{{ rhn_download_url }}"
    dest: "{{ zipfile_dest }}"
    username: "{{ rhn_username }}"
    password: "{{ rhn_password }}"
  no_log: "{{ omit_rhn_output | default(true) }}"
  when:
    - archive_path is defined
    - archive_path.stat is defined
    - not archive_path.stat.exists
 - name: "Check zipfile dest directory {{ zipfile_dest }}"
  stat:
    path: "{{ zipfile_dest }}"
  register: path_to_downloaded_artefact
 - block:
    - file:
        path: "{{ work_dir }}"
        state: directory
        owner: "{{ keycloak_service_user }}"
        group: "{{ keycloak_service_group }}"
        mode: 0750
    - name: "Check directory {{ target_dir }}"
      stat:
        path: "{{ target_dir }}"
      register: target_dir_state
    - assert:
        that:
          - target_dir_state is defined
          - target_dir_state.stat is defined
        fail_msg: "Directory layout for {{ target_dir }} is invalid."
        quiet: true
    - name: "Decompress {{ zipfile_dest }} into {{ work_dir }} (results in {{ target_dir }}."
      unarchive:
        src: "{{ zipfile_dest }}"
        dest: "{{ work_dir }}"
        owner: "{{ keycloak_service_user }}"
        group: "{{ keycloak_service_user }}"
        remote_src: yes
        creates: "{{ target_dir }}"
      when:
        - not target_dir_state.stat.exists
    - debug:
        msg: "{{ target_dir }} already exists, skipping decompressing {{ zipfile_dest }}"
      when:
        - target_dir_state.stat.exists
  when:
    - path_to_downloaded_artefact is defined
    - path_to_downloaded_artefact.stat is defined
    - path_to_downloaded_artefact.stat.exists
    - target_dir is defined
    - work_dir is defined
--- a/roles/keycloak/tasks/firewalld.yml
+++ b/roles/keycloak/tasks/firewalld.yml
@@ -12,7 +12,7 @@
    enabled: yes
    state: started
- name: Configure firewall for jdg ports
+- name: Configure firewall for keycloak ports
  become: yes
  firewalld:
    port: "{{ item }}"
@@ -24,4 +24,5 @@
    - "{{ keycloak_https_port }}/tcp"
    - "{{ keycloak_management_http_port }}/tcp"
    - "{{ keycloak_management_https_port }}/tcp"
-    - "8009/tcp"
+    - "{{ keycloak_jgroups_port }}/tcp"
    - "{{ keycloak_ajp_port }}/tcp"
--- a/roles/keycloak/tasks/install.yml
+++ b/roles/keycloak/tasks/install.yml
@@ -1,5 +1,6 @@
 ---
- assert:
+- name: Validate parameters
  assert:
    that:
      - keycloak_jboss_home is defined
      - keycloak_service_user is defined
@@ -9,25 +10,20 @@
      - keycloak_version is defined
    quiet: true
- set_fact:
+- name: Check for an existing deployment
    keycloak_service_group: "{{ keycloak_service_user }}"
  when:
    - not keycloak_service_group is defined
 - name: check for an existing deployment
  become: yes
  stat:
    path: "{{ keycloak_jboss_home }}"
  register: existing_deploy
 - block:
-    - name: stop the old keycloak service
+    - name: Stop the old keycloak service
      become: yes
      ignore_errors: yes
      systemd:
        name: keycloak
        state: stopped
-    - name: remove the old Keycloak deployment
+    - name: Remove the old Keycloak deployment
      become: yes
      file:
        path: "{{ keycloak_jboss_home }}"
@@ -56,62 +52,111 @@
    group: "{{ keycloak_service_group }}"
    mode: 0750
- block:
+## check remote archive
-    - set_fact:
+- name: Set download archive path
-        archive: "{{ keycloak_dest }}/{{ keycloak_archive }}"
+  set_fact:
-    - name: "Check archive directory {{ archive }}"
+    archive: "{{ keycloak_dest }}/{{ keycloak.bundle }}"
      stat:
        path: "{{ archive }}"
      register: archive_path
-    - name: download Keycloak archive to target
+- name: Check download archive path
-      get_url:
+  stat:
-        url: "{{ keycloak_download_url }}"
+    path: "{{ archive }}"
-        dest: "{{ keycloak_dest }}"
+  register: archive_path
        owner: "{{ keycloak_service_user }}"
        group: "{{ keycloak_service_group }}"
      when:
        - archive_path is defined
        - archive_path.stat is defined
        - not archive_path.stat.exists
-    - name: extract Keycloak archive on target
+## download to controller
-      unarchive:
+- name: Check load download archive path
-        remote_src: yes
+  stat:
-        src: "{{ archive }}"
+    path: "{{ lookup('env', 'PWD') }}"
-        dest: "{{ keycloak_dest }}"
+  register: local_path
-        creates: "{{ keycloak_jboss_home }}"
+  delegate_to: localhost
-        owner: "{{ keycloak_service_user }}"
+
-        group: "{{ keycloak_service_group }}"
+- name: Download keycloak archive
-      notify:
+  get_url:
-        - restart keycloak
+    url: "{{ keycloak_download_url }}"
    dest: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
  delegate_to: localhost
  when:
    - archive_path is defined
    - archive_path.stat is defined
    - not archive_path.stat.exists
    - not keycloak_rhsso_enable
    - not keycloak_offline_install
 - name: Performing download from RHN
  redhat_csp_download:
    url: "{{ keycloak_rhsso_download_url }}"
    dest: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
    username: "{{ rhn_username }}"
    password: "{{ rhn_password }}"
  no_log: "{{ omit_rhn_output | default(true) }}"
  delegate_to: localhost
  when:
    - archive_path is defined
    - archive_path.stat is defined
    - not archive_path.stat.exists
    - keycloak_rhsso_enable
    - not keycloak_offline_install
    - keycloak_rhn_url in keycloak_rhsso_download_url
 - name: Download rhsso archive from alternate location
  get_url:
    url: "{{ keycloak_rhsso_download_url }}"
    dest: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
  delegate_to: localhost
  when:
    - archive_path is defined
    - archive_path.stat is defined
    - not archive_path.stat.exists
    - keycloak_rhsso_enable
    - not keycloak_offline_install
    - not keycloak_rhn_url in keycloak_rhsso_download_url
 ## copy and unpack
 - name: Copy archive to target nodes
  copy:
    src: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
    dest: "{{ archive }}"
    owner: "{{ keycloak_service_user }}"
    group: "{{ keycloak_service_group }}"
    mode: 0750
  register: new_version_downloaded
  become: yes
  when: not keycloak_rhsso_enable
- block:
+- name: "Check target directory: {{ keycloak.home }}"
-    - assert:
+  stat:
-        that:
+    path: "{{ keycloak.home }}"
-          - rhsso_rhn_id is defined
+  register: path_to_workdir
        quiet: true
        fail_msg: "Can't install RHSSO without RHN ID."
    - name: create download directory
      file:
        path: /opt/apps
        state: directory
        owner: "{{ keycloak_service_user }}"
        group: "{{ keycloak_service_group }}"
        mode: 0750
    - include_tasks: download_from_rhn.yml
      vars:
        rhn_id_file: "{{ rhsso_rhn_id }}"
        zipfile_dest: "{{ keycloak_dest }}/{{ keycloak_rhsso_archive }}"
        work_dir: "{{ keycloak_dest }}"
        target_dir: "{{ keycloak_jboss_home }}"
  become: yes
  when: keycloak_rhsso_enable
 - name: "Extract {{ 'Red Hat Single Sign-On' if keycloak_rhsso_enable else 'Keycloak' }} archive on target"
  unarchive:
    remote_src: yes
    src: "{{ archive }}"
    dest: "{{ keycloak_dest }}"
    creates: "{{ keycloak.home }}"
    owner: "{{ keycloak_service_user }}"
    group: "{{ keycloak_service_group }}"
  become: yes
  when:
    - new_version_downloaded.changed or not path_to_workdir.stat.exists
  notify:
    - restart keycloak
 - name: Inform decompression was not executed
  debug:
    msg: "{{ keycloak.home }} already exists and version unchanged, skipping decompression"
  when:
    - not new_version_downloaded.changed and path_to_workdir.stat.exists
 - name: "Reown installation directory to {{ keycloak_service_user }}"
  file:
    path: "{{ keycloak.home }}"
    owner: "{{ keycloak_service_user }}"
    group: "{{ keycloak_service_group }}"
    recurse: true
  become: yes
  changed_when: false
 # driver and configuration
 - name: "Install {{ keycloak_jdbc_engine }} driver"
  include_role:
    name: wildfly_driver
@@ -126,10 +171,10 @@
      jdbc_driver_module_name: "{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_name }}"
  when: keycloak_jdbc[keycloak_jdbc_engine].enabled
- name: "Deploy Keycloak's standalone.xml"
+- name: "Deploy {{ keycloak.service_name }} config to {{ keycloak_config_path_to_standalone_xml }}"
  become: yes
  template:
-    src: "{{ 'templates/standalone-rhsso.xml.j2' if keycloak_rhsso_enable else 'templates/standalone.xml.j2' }}"
+    src: templates/standalone.xml.j2
    dest: "{{ keycloak_config_path_to_standalone_xml }}"
    owner: "{{ keycloak_service_user }}"
    group: "{{ keycloak_service_group }}"
@@ -138,10 +183,10 @@
    - restart keycloak
  when: not keycloak_remotecache.enabled
- name: "Deploy Keycloak's standalone.xml with remote cache store"
+- name: "Deploy {{ keycloak.service_name }} config with remote cache store to {{ keycloak_config_path_to_standalone_xml }}"
  become: yes
  template:
-    src: "{{ 'templates/standalone-rhsso-jdg.xml.j2' if keycloak_rhsso_enable else 'templates/standalone-infinispan.xml.j2' }}"
+    src: templates/standalone-infinispan.xml.j2
    dest: "{{ keycloak_config_path_to_standalone_xml }}"
    owner: "{{ keycloak_service_user }}"
    group: "{{ keycloak_service_group }}"
--- a/roles/keycloak/tasks/main.yml
+++ b/roles/keycloak/tasks/main.yml
@@ -6,9 +6,17 @@
  tags:
    - prereqs
- include_tasks: tasks/install.yml
+- name: Include install tasks
  include_tasks: tasks/install.yml
- include_tasks: tasks/systemd.yml
+- name: Include systemd tasks
  include_tasks: tasks/systemd.yml
 - name: Link default logs directory
  file:
    state: link
    src: "{{ keycloak_jboss_home }}/standalone/log"
    dest: /var/log/keycloak
 - block:
    - name: Check admin credentials by generating a token
@@ -22,14 +30,21 @@
      retries: 2
      delay: 2
  rescue:
-    - name: create Keycloak admin user
+    - name: "Create {{ keycloak.service_name }} admin user"
      command:
      args:
        argv:
          - "{{ keycloak_jboss_home }}/bin/add-user-keycloak.sh"
-          - -rmaster
+          - "-rmaster"
-          - -u{{ keycloak_admin_user }}
+          - "-u{{ keycloak_admin_user }}"
-          - -p{{ keycloak_admin_password }}
+          - "-p{{ keycloak_admin_password }}"
      become: yes
-    - name: restart keycloak
+    - name: "Restart {{ keycloak.service_name }}"
      include_tasks: tasks/restart_keycloak.yml
    - name: "Wait until {{ keycloak.service_name }} becomes active {{ keycloak.health_url }}"
      uri:
        url: "{{ keycloak.health_url }}"
      register: keycloak_status
      until: keycloak_status.status == 200
      retries: 25
      delay: 10
--- a/roles/keycloak/tasks/prereqs.yml
+++ b/roles/keycloak/tasks/prereqs.yml
@@ -10,11 +10,11 @@
 - name: Validate credentials
  assert:
    that:
-      - (rhn_username is defined and rhsso_rhn_id is defined) or rhsso_rhn_id is not defined
+      - (rhn_username is defined and keycloak_rhsso_enable) or not keycloak_rhsso_enable or keycloak_offline_install
-      - (rhn_password is defined and rhsso_rhn_id is defined) or rhsso_rhn_id is not defined
+      - (rhn_password is defined and keycloak_rhsso_enable) or not keycloak_rhsso_enable or keycloak_offline_install
    quiet: True
    fail_msg: "Cannot install Red Hat SSO without RHN credentials. Check rhn_username and rhn_password are defined"
-    success_msg: "{{ 'Installing Red Hat Single Sign-On' if rhsso_rhn_id is defined else 'Installing keycloak.org' }}"
+    success_msg: "{{ 'Installing Red Hat Single Sign-On' if keycloak_rhsso_enable else 'Installing keycloak.org' }}"
 - name: Set required packages facts
  set_fact:
--- a/roles/keycloak/tasks/systemd.yml
+++ b/roles/keycloak/tasks/systemd.yml
@@ -45,23 +45,22 @@
    state: started
  become: yes
- command: "systemctl status keycloak"
+- name: Check service status
  command: "systemctl status keycloak"
  register: keycloak_service_status
  changed_when: False
- assert:
+- name: Verify service status
  assert:
    that:
      - keycloak_service_status is defined
      - keycloak_service_status.stdout is defined
 - meta: flush_handlers
- set_fact:
+- name: "Wait until Keycloak becomes active {{ keycloak.health_url }}"
    health_url: "{{ keycloak_management_url }}/health"
 - name: "Wait until Keycloak becomes active {{ health_url }}"
  uri:
-    url: "{{ health_url }}"
+    url: "{{ keycloak.health_url }}"
  register: keycloak_status
  until: keycloak_status.status == 200
  retries: 25
--- a/roles/keycloak/templates/9.0.2/standalone-infinispan.xml.j2
+++ b/roles/keycloak/templates/9.0.2/standalone-infinispan.xml.j2
@@ -1,6 +1,6 @@
 <?xml version='1.0' encoding='UTF-8'?>
-<server xmlns="urn:jboss:domain:16.0">
+<server xmlns="urn:jboss:domain:10.0">
    <extensions>
        <extension module="org.jboss.as.clustering.infinispan"/>
        <extension module="org.jboss.as.clustering.jgroups"/>
@@ -23,9 +23,10 @@
        <extension module="org.wildfly.extension.bean-validation"/>
        <extension module="org.wildfly.extension.core-management"/>
        <extension module="org.wildfly.extension.elytron"/>
        <extension module="org.wildfly.extension.health"/>
        <extension module="org.wildfly.extension.io"/>
-        <extension module="org.wildfly.extension.metrics"/>
+        <extension module="org.wildfly.extension.microprofile.config-smallrye"/>
        <extension module="org.wildfly.extension.microprofile.health-smallrye"/>
        <extension module="org.wildfly.extension.microprofile.metrics-smallrye"/>
        <extension module="org.wildfly.extension.request-controller"/>
        <extension module="org.wildfly.extension.security.manager"/>
        <extension module="org.wildfly.extension.undertow"/>
@@ -44,7 +45,8 @@
            <security-realm name="ApplicationRealm">
                <server-identities>
                    <ssl>
-                        <keystore path="application.keystore" relative-to="jboss.server.config.dir" keystore-password="password" alias="server" key-password="password" generate-self-signed-certificate-host="localhost"/>
+                        <keystore path="application.keystore" relative-to="jboss.server.config.dir" keystore-password="password"
                                  alias="server" key-password="password" generate-self-signed-certificate-host="localhost"/>
                    </ssl>
                </server-identities>
                <authentication>
@@ -141,7 +143,7 @@
        </subsystem>
        <subsystem xmlns="urn:jboss:domain:bean-validation:1.0"/>
        <subsystem xmlns="urn:jboss:domain:core-management:1.0"/>
-        <subsystem xmlns="urn:jboss:domain:datasources:6.0">
+        <subsystem xmlns="urn:jboss:domain:datasources:5.0">
            <datasources>
                <datasource jndi-name="java:jboss/datasources/ExampleDS" pool-name="ExampleDS" enabled="true" use-java-context="true" statistics-enabled="${wildfly.datasources.statistics-enabled:${wildfly.statistics-enabled:false}}">
                    <connection-url>jdbc:h2:mem:test;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE</connection-url>
@@ -152,15 +154,15 @@
                    </security>
                </datasource>
                <datasource jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS" enabled="true" use-java-context="true" statistics-enabled="${wildfly.datasources.statistics-enabled:${wildfly.statistics-enabled:false}}">
-{% if keycloak_jdbc[keycloak_jdbc_engine].enabled %}
+{% if keycloak_jdbc.postgres.enabled %}
-                    <connection-url>{{ keycloak_jdbc[keycloak_jdbc_engine].connection_url }}</connection-url>
+                    <connection-url>{{ keycloak_jdbc.postgres.connection_url }}</connection-url>
-                    <driver>{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_name }}</driver>
+                    <driver>{{ keycloak_jdbc.postgres.driver_module_name }}</driver>
                    <pool>
                       <max-pool-size>20</max-pool-size>
                    </pool>
                    <security>
-                        <user-name>{{ keycloak_jdbc[keycloak_jdbc_engine].db_user }}</user-name>
+                        <user-name>{{ keycloak_jdbc.postgres.db_user }}</user-name>
-                        <password>{{ keycloak_jdbc[keycloak_jdbc_engine].db_password }}</password>
+                        <password>{{ keycloak_jdbc.postgres.db_password }}</password>
                    </security>
 {% else %}
                    <connection-url>jdbc:h2:${jboss.server.data.dir}/keycloak;AUTO_SERVER=TRUE</connection-url>
@@ -172,10 +174,10 @@
 {% endif %}
                </datasource>
                <drivers>
-{% if keycloak_jdbc[keycloak_jdbc_engine].enabled %}
+{% if keycloak_jdbc.postgres.enabled %}
-                    <driver name="{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_name }}" module="{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_name }}">
+                    <driver name="{{ keycloak_jdbc.postgres.driver_module_name }}" module="{{ keycloak_jdbc.postgres.driver_module_name }}">
-                        <driver-class>{{ keycloak_jdbc[keycloak_jdbc_engine].driver_class }}</driver-class>
+                         <driver-class>org.postgresql.Driver</driver-class>
-                        <xa-datasource-class>{{ keycloak_jdbc[keycloak_jdbc_engine].xa_datasource_class }}</xa-datasource-class>
+                        <xa-datasource-class>org.postgresql.xa.PGXADataSource</xa-datasource-class>
                    </driver>
 {% endif %}
                    <driver name="h2" module="com.h2database.h2">
@@ -187,7 +189,7 @@
        <subsystem xmlns="urn:jboss:domain:deployment-scanner:2.0">
            <deployment-scanner path="deployments" relative-to="jboss.server.base.dir" scan-interval="5000" runtime-failure-causes-rollback="${jboss.deployment.scanner.rollback.on.failure:false}"/>
        </subsystem>
-        <subsystem xmlns="urn:jboss:domain:ee:6.0">
+        <subsystem xmlns="urn:jboss:domain:ee:4.0">
            <spec-descriptor-property-replacement>false</spec-descriptor-property-replacement>
            <concurrent>
                <context-services>
@@ -197,15 +199,17 @@
                    <managed-thread-factory name="default" jndi-name="java:jboss/ee/concurrency/factory/default" context-service="default"/>
                </managed-thread-factories>
                <managed-executor-services>
-                    <managed-executor-service name="default" jndi-name="java:jboss/ee/concurrency/executor/default" context-service="default" hung-task-termination-period="0" hung-task-threshold="60000" keepalive-time="5000"/>
+                    <managed-executor-service name="default" jndi-name="java:jboss/ee/concurrency/executor/default" context-service="default" hung-task-threshold="60000" keepalive-time="5000"/>
                </managed-executor-services>
                <managed-scheduled-executor-services>
-                    <managed-scheduled-executor-service name="default" jndi-name="java:jboss/ee/concurrency/scheduler/default" context-service="default" hung-task-termination-period="0" hung-task-threshold="60000" keepalive-time="3000"/>
+                    <managed-scheduled-executor-service name="default" jndi-name="java:jboss/ee/concurrency/scheduler/default" context-service="default" hung-task-threshold="60000" keepalive-time="3000"/>
                </managed-scheduled-executor-services>
            </concurrent>
-            <default-bindings context-service="java:jboss/ee/concurrency/context/default" datasource="java:jboss/datasources/ExampleDS" managed-executor-service="java:jboss/ee/concurrency/executor/default" managed-scheduled-executor-service="java:jboss/ee/concurrency/scheduler/default" managed-thread-factory="java:jboss/ee/concurrency/factory/default"/>
+            <default-bindings context-service="java:jboss/ee/concurrency/context/default" datasource="java:jboss/datasources/ExampleDS"
                              managed-executor-service="java:jboss/ee/concurrency/executor/default" managed-scheduled-executor-service="java:jboss/ee/concurrency/scheduler/default"
                              managed-thread-factory="java:jboss/ee/concurrency/factory/default"/>
        </subsystem>
-        <subsystem xmlns="urn:jboss:domain:ejb3:9.0">
+        <subsystem xmlns="urn:jboss:domain:ejb3:6.0">
            <session-bean>
                <stateless>
                    <bean-instance-pool-ref pool-name="slsb-strict-max-pool"/>
@@ -232,7 +236,7 @@
                    <file-data-store name="default-file-store" path="timer-service-data" relative-to="jboss.server.data.dir"/>
                </data-stores>
            </timer-service>
-            <remote cluster="ejb" connectors="http-remoting-connector" thread-pool-name="default">
+            <remote cluster="ejb" connector-ref="http-remoting-connector" thread-pool-name="default">
                <channel-creation-options>
                    <option name="MAX_OUTBOUND_MESSAGES" value="1234" type="remoting"/>
                </channel-creation-options>
@@ -248,7 +252,7 @@
            <statistics enabled="${wildfly.ejb3.statistics-enabled:${wildfly.statistics-enabled:false}}"/>
            <log-system-exceptions value="true"/>
        </subsystem>
-        <subsystem xmlns="urn:wildfly:elytron:13.0" final-providers="combined-providers" disallowed-providers="OracleUcrypto">
+        <subsystem xmlns="urn:wildfly:elytron:8.0" final-providers="combined-providers" disallowed-providers="OracleUcrypto">
            <providers>
                <aggregate-providers name="combined-providers">
                    <providers name="elytron"/>
@@ -357,7 +361,7 @@
                    </key-store>
                </key-stores>
                <key-managers>
-                    <key-manager name="applicationKM" key-store="applicationKS" generate-self-signed-certificate-host="localhost">
+                    <key-manager name="applicationKM" key-store="applicationKS">
                        <credential-reference clear-text="password"/>
                    </key-manager>
                </key-managers>
@@ -366,25 +370,24 @@
                </server-ssl-contexts>
            </tls>
        </subsystem>
-        <subsystem xmlns="urn:wildfly:health:1.0" security-enabled="false"/>
+        <subsystem xmlns="urn:jboss:domain:infinispan:9.0">
-        <subsystem xmlns="urn:jboss:domain:infinispan:12.0">
+            <cache-container name="ejb" default-cache="passivation" aliases="sfsb" module="org.wildfly.clustering.ejb.infinispan">
            <cache-container name="ejb" default-cache="passivation" aliases="sfsb" modules="org.wildfly.clustering.ejb.infinispan">
                <local-cache name="passivation">
                    <locking isolation="REPEATABLE_READ"/>
                    <transaction mode="BATCH"/>
                    <file-store passivation="true" purge="false"/>
                </local-cache>
            </cache-container>
-            <cache-container name="keycloak" modules="org.keycloak.keycloak-model-infinispan">
+            <cache-container name="keycloak" module="org.keycloak.keycloak-model-infinispan">
                <transport lock-timeout="60000"/>
                <local-cache name="realms">
-                    <heap-memory size="10000"/>
+                    <object-memory size="10000"/>
                </local-cache>
                <local-cache name="users">
-                    <heap-memory size="10000"/>
+                    <object-memory size="10000"/>
                </local-cache>
                <local-cache name="authenticationSessions"/>
-{% for cachename in [ "sessions", "offlineSessions", "clientSessions", "offlineClientSessions", "loginFailures", "actionTokens" ] %}
+                {% for cachename in [ "sessions", "offlineSessions", "clientSessions", "offlineClientSessions", "loginFailures", "actionTokens" ] %}
                <distributed-cache name="{{ cachename }}">
                    <remote-store cache="{{ cachename }}"
                                  remote-servers="remote-cache"
@@ -400,15 +403,15 @@
                        <property name="infinispan.client.hotrod.auth_password">{{ keycloak_remotecache.password }}</property>
                        <property name="infinispan.client.hotrod.auth_realm">{{ keycloak_remotecache.realm | default('default') }}</property>
                        <property name="infinispan.client.hotrod.auth_server_name">{{ keycloak_remotecache.server_name }}</property>
-                        <property name="infinispan.client.hotrod.sasl_mechanism">{{ keycloak_remotecache.sasl_mechanism }}</property>
+                        <property name="infinispan.client.hotrod.sasl_mechanism">{{ keycloak_remotecache.sasl_mechanism | default('SCRAM-SHA-512') }}</property>
-                        <property name="infinispan.client.hotrod.use_ssl">{{ keycloak_remotecache.use_ssl }}</property>
+                        <property name="infinispan.client.hotrod.use_ssl">false</property>
-                        <property name="infinispan.client.hotrod.trust_store_file_name">{{ keycloak_remotecache.trust_store_path }}</property>
+                        <property name="infinispan.client.hotrod.trust_store_file_name">{{ keycloak_remotecache.trust_store_path | default('/etc/truststore/truststore.jks') }}</property>
                        <property name="infinispan.client.hotrod.trust_store_type">JKS</property>
-                        <property name="infinispan.client.hotrod.trust_store_password">{{ keycloak_remotecache.trust_store_password }}</property>
+                        <property name="infinispan.client.hotrod.trust_store_password">{{ keycloak_remotecache.trust_store_password | default("changeme") }}</property>
                        <property name="infinispan.client.hotrod.client_intelligence">TOPOLOGY_AWARE</property>
                    </remote-store>
                </distributed-cache>
-{% endfor %}
+                {% endfor %}
                <replicated-cache name="work">
                    <remote-store cache="work"
                                  remote-servers="remote-cache"
@@ -424,28 +427,28 @@
                        <property name="infinispan.client.hotrod.auth_password">{{ keycloak_remotecache.password }}</property>
                        <property name="infinispan.client.hotrod.auth_realm">{{ keycloak_remotecache.realm | default('default') }}</property>
                        <property name="infinispan.client.hotrod.auth_server_name">{{ keycloak_remotecache.server_name }}</property>
-                        <property name="infinispan.client.hotrod.sasl_mechanism">{{ keycloak_remotecache.sasl_mechanism }}</property>
+                        <property name="infinispan.client.hotrod.sasl_mechanism">{{ keycloak_remotecache.sasl_mechanism | default('SCRAM-SHA-512') }}</property>
-                        <property name="infinispan.client.hotrod.use_ssl">{{ keycloak_remotecache.use_ssl }}</property>
+                        <property name="infinispan.client.hotrod.use_ssl">false</property>
-                        <property name="infinispan.client.hotrod.trust_store_file_name">{{ keycloak_remotecache.trust_store_path }}</property>
+                        <property name="infinispan.client.hotrod.trust_store_file_name">{{ keycloak_remotecache.trust_store_path | default('/etc/truststore/truststore.jks') }}</property>
                        <property name="infinispan.client.hotrod.trust_store_type">JKS</property>
-                        <property name="infinispan.client.hotrod.trust_store_password">{{ keycloak_remotecache.trust_store_password }}</property>
+                        <property name="infinispan.client.hotrod.trust_store_password">{{ keycloak_remotecache.trust_store_password | default("changeme") }}</property>
                        <property name="infinispan.client.hotrod.client_intelligence">TOPOLOGY_AWARE</property>
                    </remote-store>
                </replicated-cache>
                <local-cache name="authorization">
-                    <heap-memory size="10000"/>
+                    <object-memory size="10000"/>
                </local-cache>
                <local-cache name="keys">
-                    <heap-memory size="1000"/>
+                    <object-memory size="1000"/>
                    <expiration max-idle="3600000"/>
                </local-cache>
            </cache-container>
-            <cache-container name="server" default-cache="default" modules="org.wildfly.clustering.server">
+            <cache-container name="server" default-cache="default" module="org.wildfly.clustering.server">
                <local-cache name="default">
                    <transaction mode="BATCH"/>
                </local-cache>
            </cache-container>
-            <cache-container name="web" default-cache="passivation" modules="org.wildfly.clustering.web.infinispan">
+            <cache-container name="web" default-cache="passivation" module="org.wildfly.clustering.web.infinispan">
                <local-cache name="passivation">
                    <locking isolation="REPEATABLE_READ"/>
                    <transaction mode="BATCH"/>
@@ -457,13 +460,13 @@
                </local-cache>
                <local-cache name="routing"/>
            </cache-container>
-            <cache-container name="hibernate" modules="org.infinispan.hibernate-cache">
+            <cache-container name="hibernate" module="org.infinispan.hibernate-cache">
                <local-cache name="entity">
-                    <heap-memory size="10000"/>
+                    <object-memory size="10000"/>
                    <expiration max-idle="100000"/>
                </local-cache>
                <local-cache name="local-query">
-                    <heap-memory size="10000"/>
+                    <object-memory size="10000"/>
                    <expiration max-idle="100000"/>
                </local-cache>
                <local-cache name="timestamps"/>
@@ -473,7 +476,7 @@
            <worker name="default"/>
            <buffer-pool name="default"/>
        </subsystem>
-        <subsystem xmlns="urn:jboss:domain:jaxrs:2.0"/>
+        <subsystem xmlns="urn:jboss:domain:jaxrs:1.0"/>
        <subsystem xmlns="urn:jboss:domain:jca:5.0">
            <archive-validation enabled="true" fail-on-error="true" fail-on-warn="false"/>
            <bean-validation enabled="true"/>
@@ -493,7 +496,7 @@
            </default-workmanager>
            <cached-connection-manager/>
        </subsystem>
-        <subsystem xmlns="urn:jboss:domain:jgroups:8.0">
+        <subsystem xmlns="urn:jboss:domain:jgroups:7.0">
            <channels default="ee">
                <channel name="ee" stack="tcp" cluster="ejb"/>
            </channels>
@@ -530,7 +533,7 @@
            <remoting-connector/>
        </subsystem>
        <subsystem xmlns="urn:jboss:domain:jpa:1.1">
-            <jpa default-extended-persistence-inheritance="DEEP"/>
+            <jpa default-datasource="" default-extended-persistence-inheritance="DEEP"/>
        </subsystem>
        <subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">
            <web-context>auth</web-context>
@@ -606,19 +609,18 @@
                <default-provider>default</default-provider>
                <provider name="default" enabled="true">
                    <properties>
-                        <property name="frontendUrl" value="${keycloak.frontendUrl:}"/>
+                        <property name="frontendUrl" value="{{ keycloak_modcluster.frontend_url }}"/>
-                        <property name="forceBackendUrlToFrontendUrl" value="false"/>
+                        <property name="forceBackendUrlToFrontendUrl" value="true"/>
                    </properties>
                </provider>
            </spi>
        </subsystem>
-        <subsystem xmlns="urn:jboss:domain:mail:4.0">
+        <subsystem xmlns="urn:jboss:domain:mail:3.0">
            <mail-session name="default" jndi-name="java:jboss/mail/Default">
                <smtp-server outbound-socket-binding-ref="mail-smtp"/>
            </mail-session>
        </subsystem>
-        <subsystem xmlns="urn:wildfly:metrics:1.0" security-enabled="false" exposed-subsystems="*" prefix="${wildfly.metrics.prefix:jboss}"/>
+{% if keycloak_modcluster.enabled %}
 {% if keycloak_modcluster.enabled %}    
        <subsystem xmlns="urn:jboss:domain:modcluster:5.0">
            <proxy name="default" advertise-socket="modcluster" listener="ajp" proxies="proxy1">
                <dynamic-load-provider>
@@ -626,7 +628,7 @@
                </dynamic-load-provider>
            </proxy>
        </subsystem>
-{% endif %}        
+{% endif %}
        <subsystem xmlns="urn:jboss:domain:naming:2.0">
            <remote-naming/>
        </subsystem>
@@ -673,7 +675,7 @@
                </maximum-set>
            </deployment-permissions>
        </subsystem>
-        <subsystem xmlns="urn:jboss:domain:transactions:6.0">
+        <subsystem xmlns="urn:jboss:domain:transactions:5.0">
            <core-environment node-identifier="{{ inventory_hostname | default('${jboss.tx.node.id:1}') }}">
                <process-id>
                    <uuid/>
@@ -683,7 +685,9 @@
            <coordinator-environment statistics-enabled="${wildfly.transactions.statistics-enabled:${wildfly.statistics-enabled:false}}"/>
            <object-store path="tx-object-store" relative-to="jboss.server.data.dir"/>
        </subsystem>
-        <subsystem xmlns="urn:jboss:domain:undertow:12.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
+        <subsystem xmlns="urn:jboss:domain:undertow:10.0" default-server="default-server" default-virtual-host="default-host"
                   default-servlet-container="default" default-security-domain="other"
                   statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
            <buffer-cache name="default"/>
            <server name="default-server">
                <ajp-listener name="ajp" socket-binding="ajp"/>
@@ -708,12 +712,18 @@
            </filters>
        </subsystem>
        <subsystem xmlns="urn:jboss:domain:weld:4.0"/>
-    </profile>
+        <subsystem xmlns="urn:wildfly:microprofile-config-smallrye:1.0"/>
        <subsystem xmlns="urn:wildfly:microprofile-health-smallrye:2.0" security-enabled="false"
                   empty-liveness-checks-status="${env.MP_HEALTH_EMPTY_LIVENESS_CHECKS_STATUS:UP}"
                   empty-readiness-checks-status="${env.MP_HEALTH_EMPTY_READINESS_CHECKS_STATUS:UP}"/>
        <subsystem xmlns="urn:wildfly:microprofile-metrics-smallrye:2.0" security-enabled="false"
                   exposed-subsystems="*" prefix="${wildfly.metrics.prefix:wildfly}"/>
   </profile>
    <interfaces>
        <interface name="management">
            <inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
        </interface>
-	    <interface name="jgroups">
+        <interface name="jgroups">
 {% if ansible_default_ipv4 is defined %}
            <subnet-match value="{{ (ansible_default_ipv4.network + '/' + ansible_default_ipv4.netmask) | ipaddr('net') }}"/>
 {% else %}
--- a/roles/keycloak/templates/9.0.2/standalone.xml.j2
+++ b/roles/keycloak/templates/9.0.2/standalone.xml.j2
@@ -1,6 +1,6 @@
 <?xml version='1.0' encoding='UTF-8'?>
-<server xmlns="urn:jboss:domain:16.0">
+<server xmlns="urn:jboss:domain:10.0">
    <extensions>
        <extension module="org.jboss.as.clustering.infinispan"/>
        <extension module="org.jboss.as.connector"/>
@@ -22,9 +22,10 @@
        <extension module="org.wildfly.extension.bean-validation"/>
        <extension module="org.wildfly.extension.core-management"/>
        <extension module="org.wildfly.extension.elytron"/>
        <extension module="org.wildfly.extension.health"/>
        <extension module="org.wildfly.extension.io"/>
-        <extension module="org.wildfly.extension.metrics"/>
+        <extension module="org.wildfly.extension.microprofile.config-smallrye"/>
        <extension module="org.wildfly.extension.microprofile.health-smallrye"/>
        <extension module="org.wildfly.extension.microprofile.metrics-smallrye"/>
        <extension module="org.wildfly.extension.request-controller"/>
        <extension module="org.wildfly.extension.security.manager"/>
        <extension module="org.wildfly.extension.undertow"/>
@@ -43,7 +44,8 @@
            <security-realm name="ApplicationRealm">
                <server-identities>
                    <ssl>
-                        <keystore path="application.keystore" relative-to="jboss.server.config.dir" keystore-password="password" alias="server" key-password="password" generate-self-signed-certificate-host="localhost"/>
+                        <keystore path="application.keystore" relative-to="jboss.server.config.dir" keystore-password="password"
                                  alias="server" key-password="password" generate-self-signed-certificate-host="localhost"/>
                    </ssl>
                </server-identities>
                <authentication>
@@ -128,7 +130,7 @@
        </subsystem>
        <subsystem xmlns="urn:jboss:domain:bean-validation:1.0"/>
        <subsystem xmlns="urn:jboss:domain:core-management:1.0"/>
-        <subsystem xmlns="urn:jboss:domain:datasources:6.0">
+        <subsystem xmlns="urn:jboss:domain:datasources:5.0">
            <datasources>
                <datasource jndi-name="java:jboss/datasources/ExampleDS" pool-name="ExampleDS" enabled="true" use-java-context="true" statistics-enabled="${wildfly.datasources.statistics-enabled:${wildfly.statistics-enabled:false}}">
                    <connection-url>jdbc:h2:mem:test;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE</connection-url>
@@ -156,7 +158,7 @@
        <subsystem xmlns="urn:jboss:domain:deployment-scanner:2.0">
            <deployment-scanner path="deployments" relative-to="jboss.server.base.dir" scan-interval="5000" runtime-failure-causes-rollback="${jboss.deployment.scanner.rollback.on.failure:false}"/>
        </subsystem>
-        <subsystem xmlns="urn:jboss:domain:ee:6.0">
+        <subsystem xmlns="urn:jboss:domain:ee:4.0">
            <spec-descriptor-property-replacement>false</spec-descriptor-property-replacement>
            <concurrent>
                <context-services>
@@ -166,15 +168,17 @@
                    <managed-thread-factory name="default" jndi-name="java:jboss/ee/concurrency/factory/default" context-service="default"/>
                </managed-thread-factories>
                <managed-executor-services>
-                    <managed-executor-service name="default" jndi-name="java:jboss/ee/concurrency/executor/default" context-service="default" hung-task-termination-period="0" hung-task-threshold="60000" keepalive-time="5000"/>
+                    <managed-executor-service name="default" jndi-name="java:jboss/ee/concurrency/executor/default" context-service="default" hung-task-threshold="60000" keepalive-time="5000"/>
                </managed-executor-services>
                <managed-scheduled-executor-services>
-                    <managed-scheduled-executor-service name="default" jndi-name="java:jboss/ee/concurrency/scheduler/default" context-service="default" hung-task-termination-period="0" hung-task-threshold="60000" keepalive-time="3000"/>
+                    <managed-scheduled-executor-service name="default" jndi-name="java:jboss/ee/concurrency/scheduler/default" context-service="default" hung-task-threshold="60000" keepalive-time="3000"/>
                </managed-scheduled-executor-services>
            </concurrent>
-            <default-bindings context-service="java:jboss/ee/concurrency/context/default" datasource="java:jboss/datasources/ExampleDS" managed-executor-service="java:jboss/ee/concurrency/executor/default" managed-scheduled-executor-service="java:jboss/ee/concurrency/scheduler/default" managed-thread-factory="java:jboss/ee/concurrency/factory/default"/>
+            <default-bindings context-service="java:jboss/ee/concurrency/context/default" datasource="java:jboss/datasources/ExampleDS"
                              managed-executor-service="java:jboss/ee/concurrency/executor/default" managed-scheduled-executor-service="java:jboss/ee/concurrency/scheduler/default"
                              managed-thread-factory="java:jboss/ee/concurrency/factory/default"/>
        </subsystem>
-        <subsystem xmlns="urn:jboss:domain:ejb3:9.0">
+        <subsystem xmlns="urn:jboss:domain:ejb3:6.0">
            <session-bean>
                <stateless>
                    <bean-instance-pool-ref pool-name="slsb-strict-max-pool"/>
@@ -201,7 +205,7 @@
                    <file-data-store name="default-file-store" path="timer-service-data" relative-to="jboss.server.data.dir"/>
                </data-stores>
            </timer-service>
-            <remote cluster="ejb" connectors="http-remoting-connector" thread-pool-name="default">
+            <remote connector-ref="http-remoting-connector" thread-pool-name="default">
                <channel-creation-options>
                    <option name="MAX_OUTBOUND_MESSAGES" value="1234" type="remoting"/>
                </channel-creation-options>
@@ -217,7 +221,130 @@
            <statistics enabled="${wildfly.ejb3.statistics-enabled:${wildfly.statistics-enabled:false}}"/>
            <log-system-exceptions value="true"/>
        </subsystem>
-        <subsystem xmlns="urn:wildfly:elytron:13.0" final-providers="combined-providers" disallowed-providers="OracleUcrypto">
+        <subsystem xmlns="urn:jboss:domain:io:3.0">
            <worker name="default"/>
            <buffer-pool name="default"/>
        </subsystem>
        <subsystem xmlns="urn:jboss:domain:infinispan:9.0">
            <cache-container name="keycloak">
                <local-cache name="realms">
                    <object-memory size="10000"/>
                </local-cache>
                <local-cache name="users">
                    <object-memory size="10000"/>
                </local-cache>
                <local-cache name="sessions"/>
                <local-cache name="authenticationSessions"/>
                <local-cache name="offlineSessions"/>
                <local-cache name="clientSessions"/>
                <local-cache name="offlineClientSessions"/>
                <local-cache name="loginFailures"/>
                <local-cache name="work"/>
                <local-cache name="authorization">
                    <object-memory size="10000"/>
                </local-cache>
                <local-cache name="keys">
                    <object-memory size="1000"/>
                    <expiration max-idle="3600000"/>
                </local-cache>
                <local-cache name="actionTokens">
                    <object-memory size="-1"/>
                    <expiration max-idle="-1" interval="300000"/>
                </local-cache>
            </cache-container>
            <cache-container name="server" default-cache="default" module="org.wildfly.clustering.server">
                <local-cache name="default">
                    <transaction mode="BATCH"/>
                </local-cache>
            </cache-container>
            <cache-container name="web" default-cache="passivation" module="org.wildfly.clustering.web.infinispan">
                <local-cache name="passivation">
                    <locking isolation="REPEATABLE_READ"/>
                    <transaction mode="BATCH"/>
                    <file-store passivation="true" purge="false"/>
                </local-cache>
                <local-cache name="sso">
                    <locking isolation="REPEATABLE_READ"/>
                    <transaction mode="BATCH"/>
                </local-cache>
                <local-cache name="routing"/>
            </cache-container>
            <cache-container name="ejb" aliases="sfsb" default-cache="passivation" module="org.wildfly.clustering.ejb.infinispan">
                <local-cache name="passivation">
                    <locking isolation="REPEATABLE_READ"/>
                    <transaction mode="BATCH"/>
                    <file-store passivation="true" purge="false"/>
                </local-cache>
            </cache-container>
            <cache-container name="hibernate" module="org.infinispan.hibernate-cache">
                <local-cache name="entity">
                    <object-memory size="10000"/>
                    <expiration max-idle="100000"/>
                </local-cache>
                <local-cache name="local-query">
                    <object-memory size="10000"/>
                    <expiration max-idle="100000"/>
                </local-cache>
                <local-cache name="timestamps"/>
            </cache-container>
        </subsystem>
        <subsystem xmlns="urn:jboss:domain:jaxrs:1.0"/>
        <subsystem xmlns="urn:jboss:domain:jca:5.0">
            <archive-validation enabled="true" fail-on-error="true" fail-on-warn="false"/>
            <bean-validation enabled="true"/>
            <default-workmanager>
                <short-running-threads>
                    <core-threads count="50"/>
                    <queue-length count="50"/>
                    <max-threads count="50"/>
                    <keepalive-time time="10" unit="seconds"/>
                </short-running-threads>
                <long-running-threads>
                    <core-threads count="50"/>
                    <queue-length count="50"/>
                    <max-threads count="50"/>
                    <keepalive-time time="10" unit="seconds"/>
                </long-running-threads>
            </default-workmanager>
            <cached-connection-manager/>
        </subsystem>
        <subsystem xmlns="urn:jboss:domain:jmx:1.3">
            <expose-resolved-model/>
            <expose-expression-model/>
            <remoting-connector/>
        </subsystem>
        <subsystem xmlns="urn:jboss:domain:jpa:1.1">
            <jpa default-datasource="" default-extended-persistence-inheritance="DEEP"/>
        </subsystem>
        <subsystem xmlns="urn:jboss:domain:mail:3.0">
            <mail-session name="default" jndi-name="java:jboss/mail/Default">
                <smtp-server outbound-socket-binding-ref="mail-smtp"/>
            </mail-session>
        </subsystem>
 {% if keycloak_modcluster.enabled %}
        <subsystem xmlns="urn:jboss:domain:modcluster:5.0">
            <proxy name="default" advertise-socket="modcluster" listener="ajp" proxies="proxy1">
                <dynamic-load-provider>
                    <load-metric type="cpu"/>
                </dynamic-load-provider>
            </proxy>
        </subsystem>
 {% endif %}
        <subsystem xmlns="urn:jboss:domain:naming:2.0">
            <remote-naming/>
        </subsystem>
        <subsystem xmlns="urn:jboss:domain:remoting:4.0">
            <http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm"/>
        </subsystem>
        <subsystem xmlns="urn:jboss:domain:request-controller:1.0"/>
        <subsystem xmlns="urn:jboss:domain:security-manager:1.0">
            <deployment-permissions>
                <maximum-set>
                    <permission class="java.security.AllPermission"/>
                </maximum-set>
            </deployment-permissions>
        </subsystem>
        <subsystem xmlns="urn:wildfly:elytron:8.0" final-providers="combined-providers" disallowed-providers="OracleUcrypto">
            <providers>
                <aggregate-providers name="combined-providers">
                    <providers name="elytron"/>
@@ -275,7 +402,6 @@
                    <permission class-name="org.wildfly.extension.batch.jberet.deployment.BatchPermission" module="org.wildfly.extension.batch.jberet" target-name="*"/>
                    <permission class-name="org.wildfly.transaction.client.RemoteTransactionPermission" module="org.wildfly.transaction.client"/>
                    <permission class-name="org.jboss.ejb.client.RemoteEJBPermission" module="org.jboss.ejb-client"/>
                    <permission class-name="org.jboss.ejb.client.RemoteEJBPermission" module="org.jboss.ejb-client"/>
                </permission-set>
            </permission-sets>
            <http>
@@ -317,126 +443,78 @@
                </mechanism-provider-filtering-sasl-server-factory>
                <provider-sasl-server-factory name="global"/>
            </sasl>
            <tls>
                <key-stores>
                    <key-store name="applicationKS">
                        <credential-reference clear-text="password"/>
                        <implementation type="JKS"/>
                        <file path="application.keystore" relative-to="jboss.server.config.dir"/>
                    </key-store>
                </key-stores>
                <key-managers>
                    <key-manager name="applicationKM" key-store="applicationKS" generate-self-signed-certificate-host="localhost">
                        <credential-reference clear-text="password"/>
                    </key-manager>
                </key-managers>
                <server-ssl-contexts>
                    <server-ssl-context name="applicationSSC" key-manager="applicationKM"/>
                </server-ssl-contexts>
            </tls>
        </subsystem>
-        <subsystem xmlns="urn:wildfly:health:1.0" security-enabled="false"/>
+        <subsystem xmlns="urn:jboss:domain:security:2.0">
-        <subsystem xmlns="urn:jboss:domain:infinispan:12.0">
+            <security-domains>
-            <cache-container name="ejb" default-cache="passivation" aliases="sfsb" modules="org.wildfly.clustering.ejb.infinispan">
+                <security-domain name="other" cache-type="default">
-                <local-cache name="passivation">
+                    <authentication>
-                    <locking isolation="REPEATABLE_READ"/>
+                        <login-module code="Remoting" flag="optional">
-                    <transaction mode="BATCH"/>
+                            <module-option name="password-stacking" value="useFirstPass"/>
-                    <file-store passivation="true" purge="false"/>
+                        </login-module>
-                </local-cache>
+                        <login-module code="RealmDirect" flag="required">
-            </cache-container>
+                            <module-option name="password-stacking" value="useFirstPass"/>
-            <cache-container name="keycloak" modules="org.keycloak.keycloak-model-infinispan">
+                        </login-module>
-                <local-cache name="realms">
+                    </authentication>
-                    <heap-memory size="10000"/>
+                </security-domain>
-                </local-cache>
+                <security-domain name="jboss-web-policy" cache-type="default">
-                <local-cache name="users">
+                    <authorization>
-                    <heap-memory size="10000"/>
+                        <policy-module code="Delegating" flag="required"/>
-                </local-cache>
+                    </authorization>
-                <local-cache name="sessions"/>
+                </security-domain>
-                <local-cache name="authenticationSessions"/>
+                <security-domain name="jaspitest" cache-type="default">
-                <local-cache name="offlineSessions"/>
+                    <authentication-jaspi>
-                <local-cache name="clientSessions"/>
+                        <login-module-stack name="dummy">
-                <local-cache name="offlineClientSessions"/>
+                            <login-module code="Dummy" flag="optional"/>
-                <local-cache name="loginFailures"/>
+                        </login-module-stack>
-                <local-cache name="work"/>
+                        <auth-module code="Dummy"/>
-                <local-cache name="authorization">
+                    </authentication-jaspi>
-                    <heap-memory size="10000"/>
+                </security-domain>
-                </local-cache>
+                <security-domain name="jboss-ejb-policy" cache-type="default">
-                <local-cache name="keys">
+                    <authorization>
-                    <heap-memory size="1000"/>
+                        <policy-module code="Delegating" flag="required"/>
-                    <expiration max-idle="3600000"/>
+                    </authorization>
-                </local-cache>
+                </security-domain>
-                <local-cache name="actionTokens">
+            </security-domains>
                    <heap-memory size="-1"/>
                    <expiration interval="300000" max-idle="-1"/>
                </local-cache>
            </cache-container>
            <cache-container name="server" default-cache="default" modules="org.wildfly.clustering.server">
                <local-cache name="default">
                    <transaction mode="BATCH"/>
                </local-cache>
            </cache-container>
            <cache-container name="web" default-cache="passivation" modules="org.wildfly.clustering.web.infinispan">
                <local-cache name="passivation">
                    <locking isolation="REPEATABLE_READ"/>
                    <transaction mode="BATCH"/>
                    <file-store passivation="true" purge="false"/>
                </local-cache>
                <local-cache name="sso">
                    <locking isolation="REPEATABLE_READ"/>
                    <transaction mode="BATCH"/>
                </local-cache>
                <local-cache name="routing"/>
            </cache-container>
            <cache-container name="hibernate" modules="org.infinispan.hibernate-cache">
                <local-cache name="entity">
                    <heap-memory size="10000"/>
                    <expiration max-idle="100000"/>
                </local-cache>
                <local-cache name="local-query">
                    <heap-memory size="10000"/>
                    <expiration max-idle="100000"/>
                </local-cache>
                <local-cache name="timestamps"/>
            </cache-container>
        </subsystem>
-        <subsystem xmlns="urn:jboss:domain:io:3.0">
+        <subsystem xmlns="urn:jboss:domain:transactions:5.0">
-            <worker name="default"/>
+            <core-environment node-identifier="${jboss.tx.node.id:1}">
-            <buffer-pool name="default"/>
+                <process-id>
                    <uuid/>
                </process-id>
            </core-environment>
            <recovery-environment socket-binding="txn-recovery-environment" status-socket-binding="txn-status-manager"/>
            <coordinator-environment statistics-enabled="${wildfly.transactions.statistics-enabled:${wildfly.statistics-enabled:false}}"/>
            <object-store path="tx-object-store" relative-to="jboss.server.data.dir"/>
        </subsystem>
-        <subsystem xmlns="urn:jboss:domain:jaxrs:2.0"/>
+        <subsystem xmlns="urn:jboss:domain:weld:4.0"/>
-        <subsystem xmlns="urn:jboss:domain:jca:5.0">
+        <subsystem xmlns="urn:wildfly:microprofile-config-smallrye:1.0"/>
-            <archive-validation enabled="true" fail-on-error="true" fail-on-warn="false"/>
+        <subsystem xmlns="urn:wildfly:microprofile-health-smallrye:2.0" security-enabled="false"
-            <bean-validation enabled="true"/>
+                   empty-liveness-checks-status="${env.MP_HEALTH_EMPTY_LIVENESS_CHECKS_STATUS:UP}" empty-readiness-checks-status="${env.MP_HEALTH_EMPTY_READINESS_CHECKS_STATUS:UP}"/>
-            <default-workmanager>
+        <subsystem xmlns="urn:wildfly:microprofile-metrics-smallrye:2.0" security-enabled="false" exposed-subsystems="*" prefix="${wildfly.metrics.prefix:wildfly}"/>
-                <short-running-threads>
+        <subsystem xmlns="urn:jboss:domain:undertow:10.0" default-server="default-server" default-virtual-host="default-host"
-                    <core-threads count="50"/>
+                   default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
-                    <queue-length count="50"/>
+            <buffer-cache name="default"/>
-                    <max-threads count="50"/>
+            <server name="default-server">
-                    <keepalive-time time="10" unit="seconds"/>
+                <ajp-listener name="ajp" socket-binding="ajp"/>
-                </short-running-threads>
+                <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
-                <long-running-threads>
+                <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
-                    <core-threads count="50"/>
+                <host name="default-host" alias="localhost">
-                    <queue-length count="50"/>
+                    <location name="/" handler="welcome-content"/>
-                    <max-threads count="50"/>
+                    <http-invoker security-realm="ApplicationRealm"/>
-                    <keepalive-time time="10" unit="seconds"/>
+                </host>
-                </long-running-threads>
+            </server>
-            </default-workmanager>
+            <servlet-container name="default">
-            <cached-connection-manager/>
+                <jsp-config/>
-        </subsystem>
+                <websockets/>
-        <subsystem xmlns="urn:jboss:domain:jmx:1.3">
+            </servlet-container>
-            <expose-resolved-model/>
+            <handlers>
-            <expose-expression-model/>
+                <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
-            <remoting-connector/>
+            </handlers>
        </subsystem>
        <subsystem xmlns="urn:jboss:domain:jpa:1.1">
            <jpa default-extended-persistence-inheritance="DEEP"/>
        </subsystem>
        <subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">
            <web-context>auth</web-context>
            <providers>
-                <provider>
+                <provider>classpath:${jboss.home.dir}/providers/*</provider>
                    classpath:${jboss.home.dir}/providers/*
                </provider>
            </providers>
            <master-realm-name>master</master-realm-name>
            <scheduled-task-interval>900</scheduled-task-interval>
@@ -505,103 +583,12 @@
                <default-provider>default</default-provider>
                <provider name="default" enabled="true">
                    <properties>
-                        <property name="frontendUrl" value="${keycloak.frontendUrl:}"/>
+                        <property name="frontendUrl" value="{{ keycloak_modcluster.frontend_url }}"/>
-                        <property name="forceBackendUrlToFrontendUrl" value="false"/>
+                        <property name="forceBackendUrlToFrontendUrl" value="true"/>
                    </properties>
                </provider>
            </spi>
        </subsystem>
        <subsystem xmlns="urn:jboss:domain:mail:4.0">
            <mail-session name="default" jndi-name="java:jboss/mail/Default">
                <smtp-server outbound-socket-binding-ref="mail-smtp"/>
            </mail-session>
        </subsystem>
        <subsystem xmlns="urn:wildfly:metrics:1.0" security-enabled="false" exposed-subsystems="*" prefix="${wildfly.metrics.prefix:jboss}"/>
 {% if keycloak_modcluster.enabled %}        
        <subsystem xmlns="urn:jboss:domain:modcluster:5.0">
            <proxy name="default" advertise-socket="modcluster" listener="ajp" proxies="proxy1">
                <dynamic-load-provider>
                    <load-metric type="cpu"/>
                </dynamic-load-provider>
            </proxy>
        </subsystem>
 {% endif %}        
        <subsystem xmlns="urn:jboss:domain:naming:2.0">
            <remote-naming/>
        </subsystem>
        <subsystem xmlns="urn:jboss:domain:remoting:4.0">
            <http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm"/>
        </subsystem>
        <subsystem xmlns="urn:jboss:domain:request-controller:1.0"/>
        <subsystem xmlns="urn:jboss:domain:security:2.0">
            <security-domains>
                <security-domain name="other" cache-type="default">
                    <authentication>
                        <login-module code="Remoting" flag="optional">
                            <module-option name="password-stacking" value="useFirstPass"/>
                        </login-module>
                        <login-module code="RealmDirect" flag="required">
                            <module-option name="password-stacking" value="useFirstPass"/>
                        </login-module>
                    </authentication>
                </security-domain>
                <security-domain name="jboss-web-policy" cache-type="default">
                    <authorization>
                        <policy-module code="Delegating" flag="required"/>
                    </authorization>
                </security-domain>
                <security-domain name="jaspitest" cache-type="default">
                    <authentication-jaspi>
                        <login-module-stack name="dummy">
                            <login-module code="Dummy" flag="optional"/>
                        </login-module-stack>
                        <auth-module code="Dummy"/>
                    </authentication-jaspi>
                </security-domain>
                <security-domain name="jboss-ejb-policy" cache-type="default">
                    <authorization>
                        <policy-module code="Delegating" flag="required"/>
                    </authorization>
                </security-domain>
            </security-domains>
        </subsystem>
        <subsystem xmlns="urn:jboss:domain:security-manager:1.0">
            <deployment-permissions>
                <maximum-set>
                    <permission class="java.security.AllPermission"/>
                </maximum-set>
            </deployment-permissions>
        </subsystem>
        <subsystem xmlns="urn:jboss:domain:transactions:6.0">
            <core-environment node-identifier="${jboss.tx.node.id:1}">
                <process-id>
                    <uuid/>
                </process-id>
            </core-environment>
            <recovery-environment socket-binding="txn-recovery-environment" status-socket-binding="txn-status-manager"/>
            <coordinator-environment statistics-enabled="${wildfly.transactions.statistics-enabled:${wildfly.statistics-enabled:false}}"/>
            <object-store path="tx-object-store" relative-to="jboss.server.data.dir"/>
        </subsystem>
        <subsystem xmlns="urn:jboss:domain:undertow:12.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
            <buffer-cache name="default"/>
            <server name="default-server">
                <ajp-listener name="ajp" socket-binding="ajp"/>
                <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
                <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
                <host name="default-host" alias="localhost">
                    <location name="/" handler="welcome-content"/>
                    <http-invoker security-realm="ApplicationRealm"/>
                </host>
            </server>
            <servlet-container name="default">
                <jsp-config/>
                <websockets/>
            </servlet-container>
            <handlers>
                <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
            </handlers>
        </subsystem>
        <subsystem xmlns="urn:jboss:domain:weld:4.0"/>
    </profile>
    <interfaces>
        <interface name="management">
@@ -621,12 +608,12 @@
        <socket-binding name="txn-recovery-environment" port="4712"/>
        <socket-binding name="txn-status-manager" port="4713"/>
        <outbound-socket-binding name="mail-smtp">
-            <remote-destination host="${jboss.mail.server.host:localhost}" port="${jboss.mail.server.port:25}"/>
+            <remote-destination host="localhost" port="25"/>
        </outbound-socket-binding>
-{% if keycloak_modcluster.enabled %}        
+{% if keycloak_modcluster.enabled %}
        <outbound-socket-binding name="proxy1">
            <remote-destination host="{{ keycloak_modcluster.reverse_proxy_url | default('localhost') }}" port="6666"/>
        </outbound-socket-binding>
-{% endif %}        
+{% endif %}
    </socket-binding-group>
 </server>
--- a/roles/keycloak/templates/keycloak-service.sh.j2
+++ b/roles/keycloak/templates/keycloak-service.sh.j2
@@ -1,4 +1,5 @@
 #!/bin/bash -eu
 # {{ ansible_managed }}
 set +u -o pipefail
@@ -22,7 +23,6 @@ readonly KEYCLOAK_HTTP_PORT=${KEYCLOAK_HTTP_PORT}
 readonly KEYCLOAK_HTTPS_PORT=${KEYCLOAK_HTTPS_PORT}
 readonly KEYCLOAK_MANAGEMENT_HTTP_PORT=${KEYCLOAK_MANAGEMENT_HTTP_PORT}
 readonly KEYCLOAK_MANAGEMENT_HTTPS_PORT=${KEYCLOAK_MANAGEMENT_HTTPS_PORT}
 readonly KEYCLOAK_LOGFILE={{ keycloak_service_logfile }}
 readonly KEYCLOAK_PIDFILE={{ keycloak_service_pidfile }}
 set -u
@@ -70,7 +70,6 @@ startKeycloak() {
  checkEnvVar "${KEYCLOAK_HTTPS_PORT}"   'KEYCLOAK_HTTPS_PORT not provided' 5
  checkEnvVar "${KEYCLOAK_MANAGEMENT_HTTP_PORT}" 'KEYCLOAK_MANAGEMENT_HTTP_PORT not provided' 6
  checkEnvVar "${KEYCLOAK_MANAGEMENT_HTTPS_PORT}" 'KEYCLOAK_MANAGEMENT_HTTPS_PORT not provided' 7
  checkEnvVar "${KEYCLOAK_LOGFILE}" 'KEYCLOAK_LOGFILE not provided' 8
  if [ "$(isKeyCloakRunning)" -eq 1 ]; then
    statusKeycloak
@@ -82,9 +81,8 @@ startKeycloak() {
        -Djboss.management.http.port=${KEYCLOAK_MANAGEMENT_HTTP_PORT} \
        -Djboss.management.https.port=${KEYCLOAK_MANAGEMENT_HTTPS_PORT} \
        -Djboss.node.name={{ inventory_hostname }} \
-      {% if ansible_facts.virtualization_type in ['docker','oci','containerd'] %}-Djava.net.preferIPv4Stack=true -Djava.net.preferIPv4Addresses=true {% endif %}\
+      {% if keycloak_prefer_ipv4 %}-Djava.net.preferIPv4Stack=true -Djava.net.preferIPv4Addresses=true {% endif %}\
-      {% if keycloak_config_standalone_xml is defined %}--server-config={{ keycloak_config_standalone_xml }}{% endif %} \
+      {% if keycloak_config_standalone_xml is defined %}--server-config={{ keycloak_config_standalone_xml }}{% endif %} &
      2>&1 >> "${KEYCLOAK_LOGFILE}" &
    while [ ! -f ${KEYCLOAK_PIDFILE} ]; do sleep 1; done
  fi
 }
--- a/roles/keycloak/templates/keycloak-sysconfig.j2
+++ b/roles/keycloak/templates/keycloak-sysconfig.j2
@@ -1,3 +1,4 @@
 # {{ ansible_managed }}
 JAVA_OPTS='{{ keycloak_java_opts }}'
 JBOSS_HOME={{ keycloak_jboss_home }}
 KEYCLOAK_BIND_ADDRESS={{ keycloak_bind_address }}
--- a/roles/keycloak/templates/keycloak.service.j2
+++ b/roles/keycloak/templates/keycloak.service.j2
@@ -1,3 +1,4 @@
 # {{ ansible_managed }}
 [Unit]
 Description=Keycloak Server
 After=network.target
--- a/roles/keycloak/templates/standalone-infinispan.xml.j2
+++ b/roles/keycloak/templates/standalone-infinispan.xml.j2
@@ -1,6 +1,6 @@
 <?xml version='1.0' encoding='UTF-8'?>
-
+<!-- {{ ansible_managed }} -->
-<server xmlns="urn:jboss:domain:10.0">
+<server xmlns="urn:jboss:domain:16.0">
    <extensions>
        <extension module="org.jboss.as.clustering.infinispan"/>
        <extension module="org.jboss.as.clustering.jgroups"/>
@@ -23,10 +23,9 @@
        <extension module="org.wildfly.extension.bean-validation"/>
        <extension module="org.wildfly.extension.core-management"/>
        <extension module="org.wildfly.extension.elytron"/>
        <extension module="org.wildfly.extension.health"/>
        <extension module="org.wildfly.extension.io"/>
-        <extension module="org.wildfly.extension.microprofile.config-smallrye"/>
+        <extension module="org.wildfly.extension.metrics"/>
        <extension module="org.wildfly.extension.microprofile.health-smallrye"/>
        <extension module="org.wildfly.extension.microprofile.metrics-smallrye"/>
        <extension module="org.wildfly.extension.request-controller"/>
        <extension module="org.wildfly.extension.security.manager"/>
        <extension module="org.wildfly.extension.undertow"/>
@@ -142,7 +141,7 @@
        </subsystem>
        <subsystem xmlns="urn:jboss:domain:bean-validation:1.0"/>
        <subsystem xmlns="urn:jboss:domain:core-management:1.0"/>
-        <subsystem xmlns="urn:jboss:domain:datasources:5.0">
+        <subsystem xmlns="urn:jboss:domain:datasources:6.0">
            <datasources>
                <datasource jndi-name="java:jboss/datasources/ExampleDS" pool-name="ExampleDS" enabled="true" use-java-context="true" statistics-enabled="${wildfly.datasources.statistics-enabled:${wildfly.statistics-enabled:false}}">
                    <connection-url>jdbc:h2:mem:test;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE</connection-url>
@@ -153,15 +152,15 @@
                    </security>
                </datasource>
                <datasource jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS" enabled="true" use-java-context="true" statistics-enabled="${wildfly.datasources.statistics-enabled:${wildfly.statistics-enabled:false}}">
-{% if keycloak_jdbc.postgres.enabled %}
+{% if keycloak_jdbc[keycloak_jdbc_engine].enabled %}
-                    <connection-url>{{ keycloak_jdbc.postgres.connection_url }}</connection-url>
+                    <connection-url>{{ keycloak_jdbc[keycloak_jdbc_engine].connection_url }}</connection-url>
-                    <driver>{{ keycloak_jdbc.postgres.driver_module_name }}</driver>
+                    <driver>{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_name }}</driver>
                    <pool>
                       <max-pool-size>20</max-pool-size>
                    </pool>
                    <security>
-                        <user-name>{{ keycloak_jdbc.postgres.db_user }}</user-name>
+                        <user-name>{{ keycloak_jdbc[keycloak_jdbc_engine].db_user }}</user-name>
-                        <password>{{ keycloak_jdbc.postgres.db_password }}</password>
+                        <password>{{ keycloak_jdbc[keycloak_jdbc_engine].db_password }}</password>
                    </security>
 {% else %}
                    <connection-url>jdbc:h2:${jboss.server.data.dir}/keycloak;AUTO_SERVER=TRUE</connection-url>
@@ -173,10 +172,10 @@
 {% endif %}
                </datasource>
                <drivers>
-{% if keycloak_jdbc.postgres.enabled %}
+{% if keycloak_jdbc[keycloak_jdbc_engine].enabled %}
-                    <driver name="{{ keycloak_jdbc.postgres.driver_module_name }}" module="{{ keycloak_jdbc.postgres.driver_module_name }}">
+                    <driver name="{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_name }}" module="{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_name }}">
-                         <driver-class>org.postgresql.Driver</driver-class>
+                        <driver-class>{{ keycloak_jdbc[keycloak_jdbc_engine].driver_class }}</driver-class>
-                        <xa-datasource-class>org.postgresql.xa.PGXADataSource</xa-datasource-class>
+                        <xa-datasource-class>{{ keycloak_jdbc[keycloak_jdbc_engine].xa_datasource_class }}</xa-datasource-class>
                    </driver>
 {% endif %}
                    <driver name="h2" module="com.h2database.h2">
@@ -188,7 +187,7 @@
        <subsystem xmlns="urn:jboss:domain:deployment-scanner:2.0">
            <deployment-scanner path="deployments" relative-to="jboss.server.base.dir" scan-interval="5000" runtime-failure-causes-rollback="${jboss.deployment.scanner.rollback.on.failure:false}"/>
        </subsystem>
-        <subsystem xmlns="urn:jboss:domain:ee:4.0">
+        <subsystem xmlns="urn:jboss:domain:ee:6.0">
            <spec-descriptor-property-replacement>false</spec-descriptor-property-replacement>
            <concurrent>
                <context-services>
@@ -198,20 +197,20 @@
                    <managed-thread-factory name="default" jndi-name="java:jboss/ee/concurrency/factory/default" context-service="default"/>
                </managed-thread-factories>
                <managed-executor-services>
-                    <managed-executor-service name="default" jndi-name="java:jboss/ee/concurrency/executor/default" context-service="default" hung-task-threshold="60000" keepalive-time="5000"/>
+                    <managed-executor-service name="default" jndi-name="java:jboss/ee/concurrency/executor/default" context-service="default" hung-task-termination-period="0" hung-task-threshold="60000" keepalive-time="5000"/>
                </managed-executor-services>
                <managed-scheduled-executor-services>
-                    <managed-scheduled-executor-service name="default" jndi-name="java:jboss/ee/concurrency/scheduler/default" context-service="default" hung-task-threshold="60000" keepalive-time="3000"/>
+                    <managed-scheduled-executor-service name="default" jndi-name="java:jboss/ee/concurrency/scheduler/default" context-service="default" hung-task-termination-period="0" hung-task-threshold="60000" keepalive-time="3000"/>
                </managed-scheduled-executor-services>
            </concurrent>
            <default-bindings context-service="java:jboss/ee/concurrency/context/default" datasource="java:jboss/datasources/ExampleDS" managed-executor-service="java:jboss/ee/concurrency/executor/default" managed-scheduled-executor-service="java:jboss/ee/concurrency/scheduler/default" managed-thread-factory="java:jboss/ee/concurrency/factory/default"/>
        </subsystem>
-        <subsystem xmlns="urn:jboss:domain:ejb3:6.0">
+        <subsystem xmlns="urn:jboss:domain:ejb3:9.0">
-            <session-bean>
+             <session-bean>
                <stateless>
                    <bean-instance-pool-ref pool-name="slsb-strict-max-pool"/>
                </stateless>
-                <stateful default-access-timeout="5000" cache-ref="simple" passivation-disabled-cache-ref="simple"/>
+                <stateful default-access-timeout="5000" cache-ref="distributable" passivation-disabled-cache-ref="simple"/>
                <singleton default-access-timeout="5000"/>
            </session-bean>
            <pools>
@@ -233,7 +232,7 @@
                    <file-data-store name="default-file-store" path="timer-service-data" relative-to="jboss.server.data.dir"/>
                </data-stores>
            </timer-service>
-            <remote cluster="ejb" connector-ref="http-remoting-connector" thread-pool-name="default">
+            <remote cluster="ejb" connectors="http-remoting-connector" thread-pool-name="default">
                <channel-creation-options>
                    <option name="MAX_OUTBOUND_MESSAGES" value="1234" type="remoting"/>
                </channel-creation-options>
@@ -249,7 +248,7 @@
            <statistics enabled="${wildfly.ejb3.statistics-enabled:${wildfly.statistics-enabled:false}}"/>
            <log-system-exceptions value="true"/>
        </subsystem>
-        <subsystem xmlns="urn:wildfly:elytron:8.0" final-providers="combined-providers" disallowed-providers="OracleUcrypto">
+        <subsystem xmlns="urn:wildfly:elytron:13.0" final-providers="combined-providers" disallowed-providers="OracleUcrypto">
            <providers>
                <aggregate-providers name="combined-providers">
                    <providers name="elytron"/>
@@ -358,7 +357,7 @@
                    </key-store>
                </key-stores>
                <key-managers>
-                    <key-manager name="applicationKM" key-store="applicationKS">
+                    <key-manager name="applicationKM" key-store="applicationKS" generate-self-signed-certificate-host="localhost">
                        <credential-reference clear-text="password"/>
                    </key-manager>
                </key-managers>
@@ -367,24 +366,25 @@
                </server-ssl-contexts>
            </tls>
        </subsystem>
-        <subsystem xmlns="urn:jboss:domain:infinispan:9.0">
+        <subsystem xmlns="urn:wildfly:health:1.0" security-enabled="false"/>
-            <cache-container name="ejb" default-cache="passivation" aliases="sfsb" module="org.wildfly.clustering.ejb.infinispan">
+        <subsystem xmlns="urn:jboss:domain:infinispan:12.0">
-                <local-cache name="passivation">
+            <cache-container name="ejb" default-cache="dist" aliases="sfsb" modules="org.wildfly.clustering.ejb.infinispan">
                <transport lock-timeout="60000"/>
                <distributed-cache name="dist">
                    <locking isolation="REPEATABLE_READ"/>
                    <transaction mode="BATCH"/>
-                    <file-store passivation="true" purge="false"/>
+                    <file-store/>
-                </local-cache>
+                </distributed-cache>
            </cache-container>
-            <cache-container name="keycloak" module="org.keycloak.keycloak-model-infinispan">
+            <cache-container name="keycloak" modules="org.keycloak.keycloak-model-infinispan">
                <transport lock-timeout="60000"/>
                <local-cache name="realms">
-                    <object-memory size="10000"/>
+                    <heap-memory size="10000"/>
                </local-cache>
                <local-cache name="users">
-                    <object-memory size="10000"/>
+                    <heap-memory size="10000"/>
                </local-cache>
-                <local-cache name="authenticationSessions"/>
+{% for cachename in [ "sessions", "offlineSessions", "clientSessions", "offlineClientSessions", "loginFailures", "actionTokens", "authenticationSessions" ] %}
                {% for cachename in [ "sessions", "offlineSessions", "clientSessions", "offlineClientSessions", "loginFailures", "actionTokens" ] %}
                <distributed-cache name="{{ cachename }}">
                    <remote-store cache="{{ cachename }}"
                                  remote-servers="remote-cache"
@@ -400,15 +400,15 @@
                        <property name="infinispan.client.hotrod.auth_password">{{ keycloak_remotecache.password }}</property>
                        <property name="infinispan.client.hotrod.auth_realm">{{ keycloak_remotecache.realm | default('default') }}</property>
                        <property name="infinispan.client.hotrod.auth_server_name">{{ keycloak_remotecache.server_name }}</property>
-                        <property name="infinispan.client.hotrod.sasl_mechanism">{{ keycloak_remotecache.sasl_mechanism | default('SCRAM-SHA-512') }}</property>
+                        <property name="infinispan.client.hotrod.sasl_mechanism">{{ keycloak_remotecache.sasl_mechanism }}</property>
-                        <property name="infinispan.client.hotrod.use_ssl">false</property>
+                        <property name="infinispan.client.hotrod.use_ssl">{{ keycloak_remotecache.use_ssl }}</property>
-                        <property name="infinispan.client.hotrod.trust_store_file_name">{{ keycloak_remotecache.trust_store_path | default('/etc/truststore/truststore.jks') }}</property>
+                        <property name="infinispan.client.hotrod.trust_store_file_name">{{ keycloak_remotecache.trust_store_path }}</property>
                        <property name="infinispan.client.hotrod.trust_store_type">JKS</property>
-                        <property name="infinispan.client.hotrod.trust_store_password">{{ keycloak_remotecache.trust_store_password | default("changeme") }}</property>
+                        <property name="infinispan.client.hotrod.trust_store_password">{{ keycloak_remotecache.trust_store_password }}</property>
                        <property name="infinispan.client.hotrod.client_intelligence">TOPOLOGY_AWARE</property>
                    </remote-store>
                </distributed-cache>
-                {% endfor %}
+{% endfor %}
                <replicated-cache name="work">
                    <remote-store cache="work"
                                  remote-servers="remote-cache"
@@ -424,56 +424,60 @@
                        <property name="infinispan.client.hotrod.auth_password">{{ keycloak_remotecache.password }}</property>
                        <property name="infinispan.client.hotrod.auth_realm">{{ keycloak_remotecache.realm | default('default') }}</property>
                        <property name="infinispan.client.hotrod.auth_server_name">{{ keycloak_remotecache.server_name }}</property>
-                        <property name="infinispan.client.hotrod.sasl_mechanism">{{ keycloak_remotecache.sasl_mechanism | default('SCRAM-SHA-512') }}</property>
+                        <property name="infinispan.client.hotrod.sasl_mechanism">{{ keycloak_remotecache.sasl_mechanism }}</property>
-                        <property name="infinispan.client.hotrod.use_ssl">false</property>
+                        <property name="infinispan.client.hotrod.use_ssl">{{ keycloak_remotecache.use_ssl }}</property>
-                        <property name="infinispan.client.hotrod.trust_store_file_name">{{ keycloak_remotecache.trust_store_path | default('/etc/truststore/truststore.jks') }}</property>
+                        <property name="infinispan.client.hotrod.trust_store_file_name">{{ keycloak_remotecache.trust_store_path }}</property>
                        <property name="infinispan.client.hotrod.trust_store_type">JKS</property>
-                        <property name="infinispan.client.hotrod.trust_store_password">{{ keycloak_remotecache.trust_store_password | default("changeme") }}</property>
+                        <property name="infinispan.client.hotrod.trust_store_password">{{ keycloak_remotecache.trust_store_password }}</property>
                        <property name="infinispan.client.hotrod.client_intelligence">TOPOLOGY_AWARE</property>
                    </remote-store>
                </replicated-cache>
                <local-cache name="authorization">
-                    <object-memory size="10000"/>
+                    <heap-memory size="10000"/>
                </local-cache>
                <local-cache name="keys">
-                    <object-memory size="1000"/>
+                    <heap-memory size="1000"/>
                    <expiration max-idle="3600000"/>
                </local-cache>
            </cache-container>
-            <cache-container name="server" default-cache="default" module="org.wildfly.clustering.server">
+            <cache-container name="server" default-cache="default" aliases="singleton cluster" modules="org.wildfly.clustering.server">
-                <local-cache name="default">
+                <transport lock-timeout="60000"/>
                <replicated-cache name="default">
                    <transaction mode="BATCH"/>
-                </local-cache>
+                </replicated-cache>
            </cache-container>
-            <cache-container name="web" default-cache="passivation" module="org.wildfly.clustering.web.infinispan">
+            <cache-container name="web" default-cache="dist" modules="org.wildfly.clustering.web.infinispan">
-                <local-cache name="passivation">
+                <transport lock-timeout="60000"/>
                <replicated-cache name="sso">
                    <locking isolation="REPEATABLE_READ"/>
                    <transaction mode="BATCH"/>
-                    <file-store passivation="true" purge="false"/>
+                </replicated-cache>
-                </local-cache>
+                <distributed-cache name="dist">
                <local-cache name="sso">
                    <locking isolation="REPEATABLE_READ"/>
                    <transaction mode="BATCH"/>
-                </local-cache>
+                    <file-store/>
-                <local-cache name="routing"/>
+                </distributed-cache>
                <distributed-cache name="routing"/>
            </cache-container>
-            <cache-container name="hibernate" module="org.infinispan.hibernate-cache">
+            <cache-container name="hibernate" modules="org.infinispan.hibernate-cache">
-                <local-cache name="entity">
+                <transport lock-timeout="60000"/>
                    <object-memory size="10000"/>
                    <expiration max-idle="100000"/>
                </local-cache>
                <local-cache name="local-query">
-                    <object-memory size="10000"/>
+                    <heap-memory size="10000"/>
                    <expiration max-idle="100000"/>
                </local-cache>
-                <local-cache name="timestamps"/>
+                <invalidation-cache name="entity">
                    <transaction mode="NON_XA"/>
                    <heap-memory size="10000"/>
                    <expiration max-idle="100000"/>
                </invalidation-cache>
                <replicated-cache name="timestamps"/>
            </cache-container>
        </subsystem>
        <subsystem xmlns="urn:jboss:domain:io:3.0">
            <worker name="default"/>
            <buffer-pool name="default"/>
        </subsystem>
-        <subsystem xmlns="urn:jboss:domain:jaxrs:1.0"/>
+        <subsystem xmlns="urn:jboss:domain:jaxrs:2.0"/>
        <subsystem xmlns="urn:jboss:domain:jca:5.0">
            <archive-validation enabled="true" fail-on-error="true" fail-on-warn="false"/>
            <bean-validation enabled="true"/>
@@ -493,7 +497,7 @@
            </default-workmanager>
            <cached-connection-manager/>
        </subsystem>
-        <subsystem xmlns="urn:jboss:domain:jgroups:7.0">
+        <subsystem xmlns="urn:jboss:domain:jgroups:8.0">
            <channels default="ee">
                <channel name="ee" stack="tcp" cluster="ejb"/>
            </channels>
@@ -530,7 +534,7 @@
            <remoting-connector/>
        </subsystem>
        <subsystem xmlns="urn:jboss:domain:jpa:1.1">
-            <jpa default-datasource="" default-extended-persistence-inheritance="DEEP"/>
+            <jpa default-extended-persistence-inheritance="DEEP"/>
        </subsystem>
        <subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">
            <web-context>auth</web-context>
@@ -547,6 +551,15 @@
                <cacheTemplates>true</cacheTemplates>
                <dir>${jboss.home.dir}/themes</dir>
            </theme>
 {% if keycloak_ha_enabled %}
            <spi name="dblock">
                <provider name="jpa" enabled="true">
                    <properties>
                        <property name="lockWaitTimeout" value="900"/>
                    </properties>
                </provider>
            </spi>
 {% endif %}
            <spi name="eventsStore">
                <provider name="jpa" enabled="true">
                    <properties>
@@ -606,18 +619,19 @@
                <default-provider>default</default-provider>
                <provider name="default" enabled="true">
                    <properties>
-                        <property name="frontendUrl" value="${keycloak.frontendUrl:}"/>
+                        <property name="frontendUrl" value="{{ keycloak_modcluster.frontend_url }}"/>
-                        <property name="forceBackendUrlToFrontendUrl" value="false"/>
+                        <property name="forceBackendUrlToFrontendUrl" value="true"/>
                    </properties>
                </provider>
            </spi>
        </subsystem>
-        <subsystem xmlns="urn:jboss:domain:mail:3.0">
+        <subsystem xmlns="urn:jboss:domain:mail:4.0">
            <mail-session name="default" jndi-name="java:jboss/mail/Default">
                <smtp-server outbound-socket-binding-ref="mail-smtp"/>
            </mail-session>
        </subsystem>
-{% if keycloak_modcluster.enabled %}        
+        <subsystem xmlns="urn:wildfly:metrics:1.0" security-enabled="false" exposed-subsystems="*" prefix="${wildfly.metrics.prefix:jboss}"/>
 {% if keycloak_modcluster.enabled %}    
        <subsystem xmlns="urn:jboss:domain:modcluster:5.0">
            <proxy name="default" advertise-socket="modcluster" listener="ajp" proxies="proxy1">
                <dynamic-load-provider>
@@ -672,7 +686,7 @@
                </maximum-set>
            </deployment-permissions>
        </subsystem>
-        <subsystem xmlns="urn:jboss:domain:transactions:5.0">
+        <subsystem xmlns="urn:jboss:domain:transactions:6.0">
            <core-environment node-identifier="{{ inventory_hostname | default('${jboss.tx.node.id:1}') }}">
                <process-id>
                    <uuid/>
@@ -682,7 +696,7 @@
            <coordinator-environment statistics-enabled="${wildfly.transactions.statistics-enabled:${wildfly.statistics-enabled:false}}"/>
            <object-store path="tx-object-store" relative-to="jboss.server.data.dir"/>
        </subsystem>
-        <subsystem xmlns="urn:jboss:domain:undertow:10.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
+        <subsystem xmlns="urn:jboss:domain:undertow:12.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
            <buffer-cache name="default"/>
            <server name="default-server">
                <ajp-listener name="ajp" socket-binding="ajp"/>
@@ -712,7 +726,7 @@
        <interface name="management">
            <inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
        </interface>
-        <interface name="jgroups">
+	    <interface name="jgroups">
 {% if ansible_default_ipv4 is defined %}
            <subnet-match value="{{ (ansible_default_ipv4.network + '/' + ansible_default_ipv4.netmask) | ipaddr('net') }}"/>
 {% else %}
@@ -724,12 +738,12 @@
        </interface>
    </interfaces>
    <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
-        <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
+        <socket-binding name="ajp" port="{{ keycloak_ajp_port }}"/>
-        <socket-binding name="http" port="${jboss.http.port:8080}"/>
+        <socket-binding name="http" port="{{ keycloak_http_port }}"/>
-        <socket-binding name="https" port="${jboss.https.port:8443}"/>
+        <socket-binding name="https" port="{{ keycloak_https_port }}"/>
-        <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
+        <socket-binding name="management-http" interface="management" port="{{ keycloak_management_http_port }}"/>
-        <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9993}"/>
+        <socket-binding name="management-https" interface="management" port="{{ keycloak_management_https_port }}"/>
-        <socket-binding name="jgroups-tcp" interface="jgroups" port="7600"/>
+        <socket-binding name="jgroups-tcp" interface="jgroups" port="{{ keycloak_jgroups_port }}"/>
        <socket-binding name="modcluster" multicast-address="${jboss.modcluster.multicast.address:224.0.1.105}" multicast-port="23364"/>
        <socket-binding name="txn-recovery-environment" port="4712"/>
        <socket-binding name="txn-status-manager" port="4713"/>
--- a/roles/keycloak/templates/standalone.xml.j2
+++ b/roles/keycloak/templates/standalone.xml.j2
@@ -1,6 +1,6 @@
 <?xml version='1.0' encoding='UTF-8'?>
-
+<!-- {{ ansible_managed }} -->
-<server xmlns="urn:jboss:domain:10.0">
+<server xmlns="urn:jboss:domain:16.0">
    <extensions>
        <extension module="org.jboss.as.clustering.infinispan"/>
        <extension module="org.jboss.as.connector"/>
@@ -22,10 +22,9 @@
        <extension module="org.wildfly.extension.bean-validation"/>
        <extension module="org.wildfly.extension.core-management"/>
        <extension module="org.wildfly.extension.elytron"/>
        <extension module="org.wildfly.extension.health"/>
        <extension module="org.wildfly.extension.io"/>
-        <extension module="org.wildfly.extension.microprofile.config-smallrye"/>
+        <extension module="org.wildfly.extension.metrics"/>
        <extension module="org.wildfly.extension.microprofile.health-smallrye"/>
        <extension module="org.wildfly.extension.microprofile.metrics-smallrye"/>
        <extension module="org.wildfly.extension.request-controller"/>
        <extension module="org.wildfly.extension.security.manager"/>
        <extension module="org.wildfly.extension.undertow"/>
@@ -129,7 +128,7 @@
        </subsystem>
        <subsystem xmlns="urn:jboss:domain:bean-validation:1.0"/>
        <subsystem xmlns="urn:jboss:domain:core-management:1.0"/>
-        <subsystem xmlns="urn:jboss:domain:datasources:5.0">
+        <subsystem xmlns="urn:jboss:domain:datasources:6.0">
            <datasources>
                <datasource jndi-name="java:jboss/datasources/ExampleDS" pool-name="ExampleDS" enabled="true" use-java-context="true" statistics-enabled="${wildfly.datasources.statistics-enabled:${wildfly.statistics-enabled:false}}">
                    <connection-url>jdbc:h2:mem:test;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE</connection-url>
@@ -140,14 +139,32 @@
                    </security>
                </datasource>
                <datasource jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS" enabled="true" use-java-context="true" statistics-enabled="${wildfly.datasources.statistics-enabled:${wildfly.statistics-enabled:false}}">
 {% if keycloak_jdbc[keycloak_jdbc_engine].enabled %}
                    <connection-url>{{ keycloak_jdbc[keycloak_jdbc_engine].connection_url }}</connection-url>
                    <driver>{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_name }}</driver>
                    <pool>
                       <max-pool-size>20</max-pool-size>
                    </pool>
                    <security>
                        <user-name>{{ keycloak_jdbc[keycloak_jdbc_engine].db_user }}</user-name>
                        <password>{{ keycloak_jdbc[keycloak_jdbc_engine].db_password }}</password>
                    </security>
 {% else %}
                    <connection-url>jdbc:h2:${jboss.server.data.dir}/keycloak;AUTO_SERVER=TRUE</connection-url>
                    <driver>h2</driver>
                    <security>
                        <user-name>sa</user-name>
                        <password>sa</password>
                    </security>
 {% endif %}
                </datasource>
                <drivers>
 {% if keycloak_jdbc[keycloak_jdbc_engine].enabled %}
                    <driver name="{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_name }}" module="{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_name }}">
                        <driver-class>{{ keycloak_jdbc[keycloak_jdbc_engine].driver_class }}</driver-class>
                        <xa-datasource-class>{{ keycloak_jdbc[keycloak_jdbc_engine].xa_datasource_class }}</xa-datasource-class>
                    </driver>
 {% endif %}
                    <driver name="h2" module="com.h2database.h2">
                        <xa-datasource-class>org.h2.jdbcx.JdbcDataSource</xa-datasource-class>
                    </driver>
@@ -157,7 +174,7 @@
        <subsystem xmlns="urn:jboss:domain:deployment-scanner:2.0">
            <deployment-scanner path="deployments" relative-to="jboss.server.base.dir" scan-interval="5000" runtime-failure-causes-rollback="${jboss.deployment.scanner.rollback.on.failure:false}"/>
        </subsystem>
-        <subsystem xmlns="urn:jboss:domain:ee:4.0">
+        <subsystem xmlns="urn:jboss:domain:ee:6.0">
            <spec-descriptor-property-replacement>false</spec-descriptor-property-replacement>
            <concurrent>
                <context-services>
@@ -167,15 +184,15 @@
                    <managed-thread-factory name="default" jndi-name="java:jboss/ee/concurrency/factory/default" context-service="default"/>
                </managed-thread-factories>
                <managed-executor-services>
-                    <managed-executor-service name="default" jndi-name="java:jboss/ee/concurrency/executor/default" context-service="default" hung-task-threshold="60000" keepalive-time="5000"/>
+                    <managed-executor-service name="default" jndi-name="java:jboss/ee/concurrency/executor/default" context-service="default" hung-task-termination-period="0" hung-task-threshold="60000" keepalive-time="5000"/>
                </managed-executor-services>
                <managed-scheduled-executor-services>
-                    <managed-scheduled-executor-service name="default" jndi-name="java:jboss/ee/concurrency/scheduler/default" context-service="default" hung-task-threshold="60000" keepalive-time="3000"/>
+                    <managed-scheduled-executor-service name="default" jndi-name="java:jboss/ee/concurrency/scheduler/default" context-service="default" hung-task-termination-period="0" hung-task-threshold="60000" keepalive-time="3000"/>
                </managed-scheduled-executor-services>
            </concurrent>
            <default-bindings context-service="java:jboss/ee/concurrency/context/default" datasource="java:jboss/datasources/ExampleDS" managed-executor-service="java:jboss/ee/concurrency/executor/default" managed-scheduled-executor-service="java:jboss/ee/concurrency/scheduler/default" managed-thread-factory="java:jboss/ee/concurrency/factory/default"/>
        </subsystem>
-        <subsystem xmlns="urn:jboss:domain:ejb3:6.0">
+        <subsystem xmlns="urn:jboss:domain:ejb3:9.0">
            <session-bean>
                <stateless>
                    <bean-instance-pool-ref pool-name="slsb-strict-max-pool"/>
@@ -202,7 +219,7 @@
                    <file-data-store name="default-file-store" path="timer-service-data" relative-to="jboss.server.data.dir"/>
                </data-stores>
            </timer-service>
-            <remote connector-ref="http-remoting-connector" thread-pool-name="default">
+            <remote cluster="ejb" connectors="http-remoting-connector" thread-pool-name="default">
                <channel-creation-options>
                    <option name="MAX_OUTBOUND_MESSAGES" value="1234" type="remoting"/>
                </channel-creation-options>
@@ -218,130 +235,7 @@
            <statistics enabled="${wildfly.ejb3.statistics-enabled:${wildfly.statistics-enabled:false}}"/>
            <log-system-exceptions value="true"/>
        </subsystem>
-        <subsystem xmlns="urn:jboss:domain:io:3.0">
+        <subsystem xmlns="urn:wildfly:elytron:13.0" final-providers="combined-providers" disallowed-providers="OracleUcrypto">
            <worker name="default"/>
            <buffer-pool name="default"/>
        </subsystem>
        <subsystem xmlns="urn:jboss:domain:infinispan:9.0">
            <cache-container name="keycloak">
                <local-cache name="realms">
                    <object-memory size="10000"/>
                </local-cache>
                <local-cache name="users">
                    <object-memory size="10000"/>
                </local-cache>
                <local-cache name="sessions"/>
                <local-cache name="authenticationSessions"/>
                <local-cache name="offlineSessions"/>
                <local-cache name="clientSessions"/>
                <local-cache name="offlineClientSessions"/>
                <local-cache name="loginFailures"/>
                <local-cache name="work"/>
                <local-cache name="authorization">
                    <object-memory size="10000"/>
                </local-cache>
                <local-cache name="keys">
                    <object-memory size="1000"/>
                    <expiration max-idle="3600000"/>
                </local-cache>
                <local-cache name="actionTokens">
                    <object-memory size="-1"/>
                    <expiration max-idle="-1" interval="300000"/>
                </local-cache>
            </cache-container>
            <cache-container name="server" default-cache="default" module="org.wildfly.clustering.server">
                <local-cache name="default">
                    <transaction mode="BATCH"/>
                </local-cache>
            </cache-container>
            <cache-container name="web" default-cache="passivation" module="org.wildfly.clustering.web.infinispan">
                <local-cache name="passivation">
                    <locking isolation="REPEATABLE_READ"/>
                    <transaction mode="BATCH"/>
                    <file-store passivation="true" purge="false"/>
                </local-cache>
                <local-cache name="sso">
                    <locking isolation="REPEATABLE_READ"/>
                    <transaction mode="BATCH"/>
                </local-cache>
                <local-cache name="routing"/>
            </cache-container>
            <cache-container name="ejb" aliases="sfsb" default-cache="passivation" module="org.wildfly.clustering.ejb.infinispan">
                <local-cache name="passivation">
                    <locking isolation="REPEATABLE_READ"/>
                    <transaction mode="BATCH"/>
                    <file-store passivation="true" purge="false"/>
                </local-cache>
            </cache-container>
            <cache-container name="hibernate" module="org.infinispan.hibernate-cache">
                <local-cache name="entity">
                    <object-memory size="10000"/>
                    <expiration max-idle="100000"/>
                </local-cache>
                <local-cache name="local-query">
                    <object-memory size="10000"/>
                    <expiration max-idle="100000"/>
                </local-cache>
                <local-cache name="timestamps"/>
            </cache-container>
        </subsystem>
        <subsystem xmlns="urn:jboss:domain:jaxrs:1.0"/>
        <subsystem xmlns="urn:jboss:domain:jca:5.0">
            <archive-validation enabled="true" fail-on-error="true" fail-on-warn="false"/>
            <bean-validation enabled="true"/>
            <default-workmanager>
                <short-running-threads>
                    <core-threads count="50"/>
                    <queue-length count="50"/>
                    <max-threads count="50"/>
                    <keepalive-time time="10" unit="seconds"/>
                </short-running-threads>
                <long-running-threads>
                    <core-threads count="50"/>
                    <queue-length count="50"/>
                    <max-threads count="50"/>
                    <keepalive-time time="10" unit="seconds"/>
                </long-running-threads>
            </default-workmanager>
            <cached-connection-manager/>
        </subsystem>
        <subsystem xmlns="urn:jboss:domain:jmx:1.3">
            <expose-resolved-model/>
            <expose-expression-model/>
            <remoting-connector/>
        </subsystem>
        <subsystem xmlns="urn:jboss:domain:jpa:1.1">
            <jpa default-datasource="" default-extended-persistence-inheritance="DEEP"/>
        </subsystem>
        <subsystem xmlns="urn:jboss:domain:mail:3.0">
            <mail-session name="default" jndi-name="java:jboss/mail/Default">
                <smtp-server outbound-socket-binding-ref="mail-smtp"/>
            </mail-session>
        </subsystem>
 {% if keycloak_modcluster.enabled %}
        <subsystem xmlns="urn:jboss:domain:modcluster:5.0">
            <proxy name="default" advertise-socket="modcluster" listener="ajp" proxies="proxy1">
                <dynamic-load-provider>
                    <load-metric type="cpu"/>
                </dynamic-load-provider>
            </proxy>
        </subsystem>
 {% endif %}        
        <subsystem xmlns="urn:jboss:domain:naming:2.0">
            <remote-naming/>
        </subsystem>
        <subsystem xmlns="urn:jboss:domain:remoting:4.0">
            <http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm"/>
        </subsystem>
        <subsystem xmlns="urn:jboss:domain:request-controller:1.0"/>
        <subsystem xmlns="urn:jboss:domain:security-manager:1.0">
            <deployment-permissions>
                <maximum-set>
                    <permission class="java.security.AllPermission"/>
                </maximum-set>
            </deployment-permissions>
        </subsystem>
        <subsystem xmlns="urn:wildfly:elytron:8.0" final-providers="combined-providers" disallowed-providers="OracleUcrypto">
            <providers>
                <aggregate-providers name="combined-providers">
                    <providers name="elytron"/>
@@ -399,6 +293,7 @@
                    <permission class-name="org.wildfly.extension.batch.jberet.deployment.BatchPermission" module="org.wildfly.extension.batch.jberet" target-name="*"/>
                    <permission class-name="org.wildfly.transaction.client.RemoteTransactionPermission" module="org.wildfly.transaction.client"/>
                    <permission class-name="org.jboss.ejb.client.RemoteEJBPermission" module="org.jboss.ejb-client"/>
                    <permission class-name="org.jboss.ejb.client.RemoteEJBPermission" module="org.jboss.ejb-client"/>
                </permission-set>
            </permission-sets>
            <http>
@@ -440,76 +335,126 @@
                </mechanism-provider-filtering-sasl-server-factory>
                <provider-sasl-server-factory name="global"/>
            </sasl>
            <tls>
                <key-stores>
                    <key-store name="applicationKS">
                        <credential-reference clear-text="password"/>
                        <implementation type="JKS"/>
                        <file path="application.keystore" relative-to="jboss.server.config.dir"/>
                    </key-store>
                </key-stores>
                <key-managers>
                    <key-manager name="applicationKM" key-store="applicationKS" generate-self-signed-certificate-host="localhost">
                        <credential-reference clear-text="password"/>
                    </key-manager>
                </key-managers>
                <server-ssl-contexts>
                    <server-ssl-context name="applicationSSC" key-manager="applicationKM"/>
                </server-ssl-contexts>
            </tls>
        </subsystem>
-        <subsystem xmlns="urn:jboss:domain:security:2.0">
+        <subsystem xmlns="urn:wildfly:health:1.0" security-enabled="false"/>
-            <security-domains>
+        <subsystem xmlns="urn:jboss:domain:infinispan:12.0">
-                <security-domain name="other" cache-type="default">
+            <cache-container name="ejb" default-cache="passivation" aliases="sfsb" modules="org.wildfly.clustering.ejb.infinispan">
-                    <authentication>
+                <local-cache name="passivation">
-                        <login-module code="Remoting" flag="optional">
+                    <locking isolation="REPEATABLE_READ"/>
-                            <module-option name="password-stacking" value="useFirstPass"/>
+                    <transaction mode="BATCH"/>
-                        </login-module>
+                    <file-store passivation="true" purge="false"/>
-                        <login-module code="RealmDirect" flag="required">
+                </local-cache>
-                            <module-option name="password-stacking" value="useFirstPass"/>
+            </cache-container>
-                        </login-module>
+            <cache-container name="keycloak" modules="org.keycloak.keycloak-model-infinispan">
-                    </authentication>
+                <local-cache name="realms">
-                </security-domain>
+                    <heap-memory size="10000"/>
-                <security-domain name="jboss-web-policy" cache-type="default">
+                </local-cache>
-                    <authorization>
+                <local-cache name="users">
-                        <policy-module code="Delegating" flag="required"/>
+                    <heap-memory size="10000"/>
-                    </authorization>
+                </local-cache>
-                </security-domain>
+                <local-cache name="sessions"/>
-                <security-domain name="jaspitest" cache-type="default">
+                <local-cache name="authenticationSessions"/>
-                    <authentication-jaspi>
+                <local-cache name="offlineSessions"/>
-                        <login-module-stack name="dummy">
+                <local-cache name="clientSessions"/>
-                            <login-module code="Dummy" flag="optional"/>
+                <local-cache name="offlineClientSessions"/>
-                        </login-module-stack>
+                <local-cache name="loginFailures"/>
-                        <auth-module code="Dummy"/>
+                <local-cache name="work"/>
-                    </authentication-jaspi>
+                <local-cache name="authorization">
-                </security-domain>
+                    <heap-memory size="10000"/>
-                <security-domain name="jboss-ejb-policy" cache-type="default">
+                </local-cache>
-                    <authorization>
+                <local-cache name="keys">
-                        <policy-module code="Delegating" flag="required"/>
+                    <heap-memory size="1000"/>
-                    </authorization>
+                    <expiration max-idle="3600000"/>
-                </security-domain>
+                </local-cache>
-            </security-domains>
+                <local-cache name="actionTokens">
                    <heap-memory size="-1"/>
                    <expiration interval="300000" max-idle="-1"/>
                </local-cache>
            </cache-container>
            <cache-container name="server" default-cache="default" modules="org.wildfly.clustering.server">
                <local-cache name="default">
                    <transaction mode="BATCH"/>
                </local-cache>
            </cache-container>
            <cache-container name="web" default-cache="passivation" modules="org.wildfly.clustering.web.infinispan">
                <local-cache name="passivation">
                    <locking isolation="REPEATABLE_READ"/>
                    <transaction mode="BATCH"/>
                    <file-store passivation="true" purge="false"/>
                </local-cache>
                <local-cache name="sso">
                    <locking isolation="REPEATABLE_READ"/>
                    <transaction mode="BATCH"/>
                </local-cache>
                <local-cache name="routing"/>
            </cache-container>
            <cache-container name="hibernate" modules="org.infinispan.hibernate-cache">
                <local-cache name="entity">
                    <heap-memory size="10000"/>
                    <expiration max-idle="100000"/>
                </local-cache>
                <local-cache name="local-query">
                    <heap-memory size="10000"/>
                    <expiration max-idle="100000"/>
                </local-cache>
                <local-cache name="timestamps"/>
            </cache-container>
        </subsystem>
-        <subsystem xmlns="urn:jboss:domain:transactions:5.0">
+        <subsystem xmlns="urn:jboss:domain:io:3.0">
-            <core-environment node-identifier="${jboss.tx.node.id:1}">
+            <worker name="default"/>
-                <process-id>
+            <buffer-pool name="default"/>
                    <uuid/>
                </process-id>
            </core-environment>
            <recovery-environment socket-binding="txn-recovery-environment" status-socket-binding="txn-status-manager"/>
            <coordinator-environment statistics-enabled="${wildfly.transactions.statistics-enabled:${wildfly.statistics-enabled:false}}"/>
            <object-store path="tx-object-store" relative-to="jboss.server.data.dir"/>
        </subsystem>
-        <subsystem xmlns="urn:jboss:domain:weld:4.0"/>
+        <subsystem xmlns="urn:jboss:domain:jaxrs:2.0"/>
-        <subsystem xmlns="urn:wildfly:microprofile-config-smallrye:1.0"/>
+        <subsystem xmlns="urn:jboss:domain:jca:5.0">
-        <subsystem xmlns="urn:wildfly:microprofile-health-smallrye:2.0" security-enabled="false" empty-liveness-checks-status="${env.MP_HEALTH_EMPTY_LIVENESS_CHECKS_STATUS:UP}" empty-readiness-checks-status="${env.MP_HEALTH_EMPTY_READINESS_CHECKS_STATUS:UP}"/>
+            <archive-validation enabled="true" fail-on-error="true" fail-on-warn="false"/>
-        <subsystem xmlns="urn:wildfly:microprofile-metrics-smallrye:2.0" security-enabled="false" exposed-subsystems="*" prefix="${wildfly.metrics.prefix:wildfly}"/>
+            <bean-validation enabled="true"/>
-        <subsystem xmlns="urn:jboss:domain:undertow:10.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
+            <default-workmanager>
-            <buffer-cache name="default"/>
+                <short-running-threads>
-            <server name="default-server">
+                    <core-threads count="50"/>
-                <ajp-listener name="ajp" socket-binding="ajp"/>
+                    <queue-length count="50"/>
-                <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
+                    <max-threads count="50"/>
-                <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
+                    <keepalive-time time="10" unit="seconds"/>
-                <host name="default-host" alias="localhost">
+                </short-running-threads>
-                    <location name="/" handler="welcome-content"/>
+                <long-running-threads>
-                    <http-invoker security-realm="ApplicationRealm"/>
+                    <core-threads count="50"/>
-                </host>
+                    <queue-length count="50"/>
-            </server>
+                    <max-threads count="50"/>
-            <servlet-container name="default">
+                    <keepalive-time time="10" unit="seconds"/>
-                <jsp-config/>
+                </long-running-threads>
-                <websockets/>
+            </default-workmanager>
-            </servlet-container>
+            <cached-connection-manager/>
-            <handlers>
+        </subsystem>
-                <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
+        <subsystem xmlns="urn:jboss:domain:jmx:1.3">
-            </handlers>
+            <expose-resolved-model/>
            <expose-expression-model/>
            <remoting-connector/>
        </subsystem>
        <subsystem xmlns="urn:jboss:domain:jpa:1.1">
            <jpa default-extended-persistence-inheritance="DEEP"/>
        </subsystem>
        <subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">
            <web-context>auth</web-context>
            <providers>
-                <provider>classpath:${jboss.home.dir}/providers/*</provider>
+                <provider>
                    classpath:${jboss.home.dir}/providers/*
                </provider>
            </providers>
            <master-realm-name>master</master-realm-name>
            <scheduled-task-interval>900</scheduled-task-interval>
@@ -519,6 +464,15 @@
                <cacheTemplates>true</cacheTemplates>
                <dir>${jboss.home.dir}/themes</dir>
            </theme>
 {% if keycloak_ha_enabled %}
            <spi name="dblock">
                <provider name="jpa" enabled="true">
                    <properties>
                        <property name="lockWaitTimeout" value="900"/>
                    </properties>
                </provider>
            </spi>
 {% endif %}
            <spi name="eventsStore">
                <provider name="jpa" enabled="true">
                    <properties>
@@ -578,12 +532,103 @@
                <default-provider>default</default-provider>
                <provider name="default" enabled="true">
                    <properties>
-                        <property name="frontendUrl" value="${keycloak.frontendUrl:}"/>
+                        <property name="frontendUrl" value="{{ keycloak_modcluster.frontend_url }}"/>
-                        <property name="forceBackendUrlToFrontendUrl" value="false"/>
+                        <property name="forceBackendUrlToFrontendUrl" value="true"/>
                    </properties>
                </provider>
            </spi>
        </subsystem>
        <subsystem xmlns="urn:jboss:domain:mail:4.0">
            <mail-session name="default" jndi-name="java:jboss/mail/Default">
                <smtp-server outbound-socket-binding-ref="mail-smtp"/>
            </mail-session>
        </subsystem>
        <subsystem xmlns="urn:wildfly:metrics:1.0" security-enabled="false" exposed-subsystems="*" prefix="${wildfly.metrics.prefix:jboss}"/>
 {% if keycloak_modcluster.enabled %}        
        <subsystem xmlns="urn:jboss:domain:modcluster:5.0">
            <proxy name="default" advertise-socket="modcluster" listener="ajp" proxies="proxy1">
                <dynamic-load-provider>
                    <load-metric type="cpu"/>
                </dynamic-load-provider>
            </proxy>
        </subsystem>
 {% endif %}        
        <subsystem xmlns="urn:jboss:domain:naming:2.0">
            <remote-naming/>
        </subsystem>
        <subsystem xmlns="urn:jboss:domain:remoting:4.0">
            <http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm"/>
        </subsystem>
        <subsystem xmlns="urn:jboss:domain:request-controller:1.0"/>
        <subsystem xmlns="urn:jboss:domain:security:2.0">
            <security-domains>
                <security-domain name="other" cache-type="default">
                    <authentication>
                        <login-module code="Remoting" flag="optional">
                            <module-option name="password-stacking" value="useFirstPass"/>
                        </login-module>
                        <login-module code="RealmDirect" flag="required">
                            <module-option name="password-stacking" value="useFirstPass"/>
                        </login-module>
                    </authentication>
                </security-domain>
                <security-domain name="jboss-web-policy" cache-type="default">
                    <authorization>
                        <policy-module code="Delegating" flag="required"/>
                    </authorization>
                </security-domain>
                <security-domain name="jaspitest" cache-type="default">
                    <authentication-jaspi>
                        <login-module-stack name="dummy">
                            <login-module code="Dummy" flag="optional"/>
                        </login-module-stack>
                        <auth-module code="Dummy"/>
                    </authentication-jaspi>
                </security-domain>
                <security-domain name="jboss-ejb-policy" cache-type="default">
                    <authorization>
                        <policy-module code="Delegating" flag="required"/>
                    </authorization>
                </security-domain>
            </security-domains>
        </subsystem>
        <subsystem xmlns="urn:jboss:domain:security-manager:1.0">
            <deployment-permissions>
                <maximum-set>
                    <permission class="java.security.AllPermission"/>
                </maximum-set>
            </deployment-permissions>
        </subsystem>
        <subsystem xmlns="urn:jboss:domain:transactions:6.0">
            <core-environment node-identifier="${jboss.tx.node.id:1}">
                <process-id>
                    <uuid/>
                </process-id>
            </core-environment>
            <recovery-environment socket-binding="txn-recovery-environment" status-socket-binding="txn-status-manager"/>
            <coordinator-environment statistics-enabled="${wildfly.transactions.statistics-enabled:${wildfly.statistics-enabled:false}}"/>
            <object-store path="tx-object-store" relative-to="jboss.server.data.dir"/>
        </subsystem>
        <subsystem xmlns="urn:jboss:domain:undertow:12.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
            <buffer-cache name="default"/>
            <server name="default-server">
                <ajp-listener name="ajp" socket-binding="ajp"/>
                <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
                <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
                <host name="default-host" alias="localhost">
                    <location name="/" handler="welcome-content"/>
                    <http-invoker security-realm="ApplicationRealm"/>
                </host>
            </server>
            <servlet-container name="default">
                <jsp-config/>
                <websockets/>
            </servlet-container>
            <handlers>
                <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
            </handlers>
        </subsystem>
        <subsystem xmlns="urn:jboss:domain:weld:4.0"/>
    </profile>
    <interfaces>
        <interface name="management">
@@ -594,18 +639,18 @@
        </interface>
    </interfaces>
    <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
-        <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
+        <socket-binding name="ajp" port="{{ keycloak_ajp_port }}"/>
-        <socket-binding name="http" port="${jboss.http.port:8080}"/>
+        <socket-binding name="http" port="{{ keycloak_http_port }}"/>
-        <socket-binding name="https" port="${jboss.https.port:8443}"/>
+        <socket-binding name="https" port="{{ keycloak_https_port }}"/>
-        <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
+        <socket-binding name="management-http" interface="management" port="{{ keycloak_management_http_port }}"/>
-        <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9993}"/>
+        <socket-binding name="management-https" interface="management" port="{{ keycloak_management_https_port }}"/>
        <socket-binding name="modcluster" multicast-address="${jboss.modcluster.multicast.address:224.0.1.105}" multicast-port="23364"/>
        <socket-binding name="txn-recovery-environment" port="4712"/>
        <socket-binding name="txn-status-manager" port="4713"/>
        <outbound-socket-binding name="mail-smtp">
-            <remote-destination host="localhost" port="25"/>
+            <remote-destination host="${jboss.mail.server.host:localhost}" port="${jboss.mail.server.port:25}"/>
        </outbound-socket-binding>
-{% if keycloak_modcluster.enabled %}
+{% if keycloak_modcluster.enabled %}        
        <outbound-socket-binding name="proxy1">
            <remote-destination host="{{ keycloak_modcluster.reverse_proxy_url | default('localhost') }}" port="6666"/>
        </outbound-socket-binding>
--- a/roles/keycloak/vars/main.yml
+++ b/roles/keycloak/vars/main.yml
@@ -4,11 +4,22 @@
 keycloak_admin_password:
 # internal variables below
 rhsso_rhn_ids:
  '7.5.0': '101971'
  '7.5.1': '103836'
 # locations
 keycloak_url: "http://{{ keycloak_host }}:{{ keycloak_http_port }}"
 keycloak_management_url: "http://{{ keycloak_host }}:{{ keycloak_management_http_port }}"
 keycloak:
  home: "{{ keycloak_jboss_home }}"
  config_dir: "{{ keycloak_config_dir }}"
  bundle: "{{ keycloak_rhsso_archive if keycloak_rhsso_enable else keycloak_archive }}"
  service_name: "{{ 'rhsso' if keycloak_rhsso_enable else 'keycloak' }}"
  health_url: "{{ keycloak_management_url }}/health"
 # database
 keycloak_jdbc:
  postgres:
@@ -55,6 +66,7 @@ keycloak_jdbc:
 keycloak_modcluster:
  enabled: "{{ keycloak_ha_enabled }}"
  reverse_proxy_url: "{{ keycloak_modcluster_url }}"
  frontend_url: "{{ keycloak_frontend_url }}"
 # infinispan
 keycloak_remotecache:
--- a/roles/keycloak_realm/README.md
+++ b/roles/keycloak_realm/README.md
@@ -14,6 +14,8 @@ Role Defaults
 |`keycloak_http_port` | HTTP port | `8080` |
 |`keycloak_https_port` | TLS HTTP port | `8443` |
 |`keycloak_auth_realm` | Name of the main authentication realm | `master` |
 |`keycloak_rhsso_enable` | Define service is an upstream(Keycloak) or RHSSO | `master` |
 Role Variables
@@ -35,10 +37,29 @@ The following variables are available for creating clients:
 |`keycloak_client_default_roles` | List of default role name for clients | `[]` |
 |`keycloak_client_users` | List of user/role mappings for a client | `[]` |
 The following variable are available for creating user federation:
 | Variable | Description | Default |
 |:---------|:------------|:---------|
 |`keycloak_user_federation` | List of _keycloak_user_federation_ for the realm | `[]` |
 Variable formats
 ----------------
 * `keycloak_user_federation`, a list of:
 ```yaml
    - realm:  <name of the realm in which user federation should be configured, required>
      name: <name of the user federation provider, required>
      provider_id: <Type of the user federation provider, required>
      provider_type: < Provider Type, default is set to org.keycloak.storage.UserStorageProvider>
      config: <Dictionary of supported configuration values, required>
      mappers: <List of supported configuration values, required>
 ```
 Refer to [docs](https://docs.ansible.com/ansible/latest/collections/community/general/keycloak_user_federation_module.html) for information on supported variables.
 * `keycloak_clients`, a list of:
 ```yaml
@@ -71,7 +92,6 @@ Variable formats
 For a comprehensive example, refer to the [playbook](playbooks/keycloak.yml).
 Example Playbook
 ----------------
--- a/roles/keycloak_realm/defaults/main.yml
+++ b/roles/keycloak_realm/defaults/main.yml
@@ -9,6 +9,9 @@ keycloak_admin_user: admin
 keycloak_auth_realm: master
 keycloak_auth_client: admin-cli
 ### List of Keycloak User Federation
 keycloak_user_federation: []
 ### Keycloak realm client defaults
 # list of clients to create in the realm
 #
--- a/roles/keycloak_realm/tasks/main.yml
+++ b/roles/keycloak_realm/tasks/main.yml
@@ -34,24 +34,36 @@
    status_code: 201
  when: keycloak_realm_exists.status == 404
- name: Create Client
+- name: Create or update a Keycloak client
  community.general.keycloak_client:
    auth_client_id: "{{ keycloak_auth_client }}"
    auth_keycloak_url: "{{ keycloak_url }}/auth"
    auth_realm: "{{ keycloak_auth_realm }}"
    auth_username: "{{ keycloak_admin_user }}"
    auth_password: "{{ keycloak_admin_password }}"
    client_id: "{{ item.name }}"
    realm: "{{ item.realm }}"
    default_roles: "{{ item.roles | default(omit) }}"
    client_id: "{{ item.client_id | default(omit) }}"
    id: "{{ item.id | default(omit) }}"
    name: "{{ item.name | default(omit) }}"
    description: "{{ item.description | default(omit) }}"
    root_url: "{{ item.root_url | default('') }}"
-    redirect_uris: "{{ demo_app_redirect_uris | default([]) }}"
+    admin_url: "{{ item.admin_url | default('') }}"
-    public_client: "{{ item.public_client | default(False) }}"
+    base_url: "{{ item.base_url | default('') }}"
    enabled: "{{ item.enabled | default(True) }}"
    redirect_uris: "{{ item.redirect_uris | default(omit) }}"
    web_origins: "{{ item.web_origins | default('+') }}"
    bearer_only: "{{ item.bearer_only | default(omit) }}"
    standard_flow_enabled: "{{ item.standard_flow_enabled | default(omit) }}"
    implicit_flow_enabled: "{{ item.implicit_flow_enabled | default(omit) }}"
    direct_access_grants_enabled: "{{ item.direct_access_grants_enabled | default(omit) }}"
    service_accounts_enabled: "{{ item.service_accounts_enabled | default(omit) }}"
    public_client: "{{ item.public_client | default(False) }}"
    protocol: "{{ item.protocol | default(omit) }}"
    state: present
  register: create_client_result
  loop: "{{ keycloak_clients | flatten }}"
-  when: item.name|length > 0
+  when: (item.name is defined and item.client_id is defined) or (item.name is defined and item.id is defined)
 - name: Create client roles
  include_tasks: manage_client_roles.yml
@@ -64,4 +76,5 @@
  include_tasks: manage_client_users.yml
  loop: "{{ keycloak_clients | flatten }}"
  loop_control:
-    loop_var: client
+    loop_var: client
  when: "'users' in keycloak_clients"
--- a/roles/keycloak_realm/tasks/manage_client_roles.yml
+++ b/roles/keycloak_realm/tasks/manage_client_roles.yml
@@ -10,3 +10,4 @@
    auth_password: "{{ keycloak_admin_password }}"
    state: present
  loop: "{{ client.roles | flatten }}"
  when: "'roles' in client"
--- a/roles/keycloak_realm/vars/main.yml
+++ b/roles/keycloak_realm/vars/main.yml
@@ -13,4 +13,4 @@ keycloak_clients:
 # other settings
 keycloak_url: "http://{{ keycloak_host }}:{{ keycloak_http_port }}"
 keycloak_management_url: "http://{{ keycloak_host }}:{{ keycloak_management_http_port }}"
-keycloak_rhsso_enable: "{{ True if rhsso_rhn_id is defined else False }}"
+keycloak_rhsso_enable: False
Author	SHA1	Message	Date
Guido Grazioli	47751a2f39	Merge pull request #9 from guidograzioli/prerelease_0.2.0 Prerelease 0.2.0	2022-01-28 15:45:49 +01:00
Guido Grazioli	b73f187930	fix: unpack archive only if needed	2022-01-28 15:18:49 +01:00
Guido Grazioli	99c14a79da	fix: prefix match for alternate url download	2022-01-28 14:46:12 +01:00
Guido Grazioli	eaea4567cf	Bump to 0.2.0	2022-01-27 16:34:52 +01:00
Guido Grazioli	dbad4ea086	Update documentation	2022-01-27 16:34:06 +01:00
Guido Grazioli	c5ee73cffc	gitignore locally downloaded archives	2022-01-27 15:38:04 +01:00
Guido Grazioli	6a28da3736	simplify download logic, merge remaining install tasks	2022-01-27 15:38:03 +01:00
Guido Grazioli	0f02037746	move health url fact to variables	2022-01-27 15:38:03 +01:00
Guido Grazioli	8882b36c83	fix: template ports	2022-01-27 15:38:03 +01:00
Guido Grazioli	8895bc8e1f	remove unused vars, document used vars	2022-01-27 15:38:03 +01:00
Guido Grazioli	34c18888c9	add ansible_managed macro to templates	2022-01-27 15:38:03 +01:00
Guido Grazioli	906ba3c577	refactor offline install, rhsso patch install	2022-01-27 15:38:03 +01:00
Guido Grazioli	11fb2cc43b	rework docs, add python requirements	2022-01-27 15:38:03 +01:00
Guido Grazioli	44f0952afe	setup demo repository triggers	2022-01-27 15:38:02 +01:00
Guido Grazioli	82fb60509b	Merge pull request #8 from motaparthipavankumar/create-clients-enhancement Client Creation Enhancement	2022-01-27 15:34:55 +01:00
root	2324d4070e	Addressed review comments	2022-01-27 08:17:30 -06:00
Guido Grazioli	73a98ccfa6	Start work on v0.1.9	2022-01-20 21:04:37 +01:00
Guido Grazioli	3df7a1a2e1	fix: dblock for db migration / fix: ejb dist caches	2022-01-20 20:56:49 +01:00
root	0fdd89d571	Updated keycloak_realm/tasks/manage_client_roles.yml	2022-01-19 11:41:20 -06:00
Guido Grazioli	4a28e1914e	Open jgroups port in firewall	2022-01-19 17:23:42 +01:00
root	bd84d99fd1	Updated keycloak_realm/tasks/main.yml	2022-01-19 10:14:00 -06:00
root	249e1840bb	Updated molecule	2022-01-19 10:14:00 -06:00
root	8da1483354	Client Creation Enhancement	2022-01-19 10:13:55 -06:00
Guido Grazioli	18e002bf27	Merge pull request #7 from motaparthipavankumar/stable Local/Remote Source Support & User Federation Implementation	2022-01-19 17:08:28 +01:00
Pavan Kumar Motaparthi	a309f7caae	Merge branch 'ansible-middleware:main' into stable	2022-01-18 17:03:54 -06:00
Pavan Kumar Motaparthi	a1f483afe9	Merge pull request #4 from motaparthipavankumar/keycloak-realm-enhancement User Federation changes	2022-01-18 11:23:00 -06:00
Pavan Kumar Motaparthi	59618c7c0c	Merge pull request #3 from motaparthipavankumar/local-source-support Local path & source URL installation support	2022-01-18 11:22:44 -06:00
root	247d8b8a22	User Federation changes	2022-01-17 15:53:16 -06:00
root	ce26ceeed0	Code review comments	2022-01-14 13:54:10 -06:00
Pavan Kumar Motaparthi	7b376e0681	Update README.md Co-authored-by: Andrew Block <andy.block@gmail.com>	2022-01-14 09:42:29 -06:00
Pavan Kumar Motaparthi	9113cfe886	Update README.md Co-authored-by: Andrew Block <andy.block@gmail.com>	2022-01-14 09:42:23 -06:00
Guido Grazioli	f1eec2596d	Start work on v0.1.8	2022-01-14 14:14:38 +01:00
Guido Grazioli	ff77535293	Merge pull request #6 from ansible-middleware/keycloak_update_15_0_2 Keycloak update 15 0 2	2022-01-14 11:35:23 +01:00
Guido Grazioli	d4634fcebc	update new download location	2022-01-14 11:10:08 +01:00
Guido Grazioli	d7597771cf	Drop service logfile, symlink log directory instead	2022-01-14 10:14:24 +01:00
Guido Grazioli	94aecfcd87	Rename/merge templates and update install task	2022-01-14 10:09:10 +01:00
Guido Grazioli	7a989f7771	Move former templates and update docs	2022-01-14 10:06:43 +01:00
Guido Grazioli	5fa9243bcd	fix: keycloak_frontend_url needs scheme	2022-01-14 09:54:26 +01:00
Guido Grazioli	1b44b47d1c	Revert layout for collection sanity checks	2022-01-13 20:16:44 +01:00
Guido Grazioli	8a9cb79fa4	Update CI ansible collection download path	2022-01-13 20:08:41 +01:00
Guido Grazioli	4294746263	Update molecule dependency task to force correct path	2022-01-13 17:52:21 +01:00
Guido Grazioli	bcd82a5ae5	Add variable for frontendUrl (for revproxy scenario)	2022-01-13 17:38:11 +01:00
root	ef81faefdf	Download source via url	2022-01-12 09:13:53 -06:00
root	4217ba6e7f	Local path installation support	2022-01-11 09:28:02 -06:00
Guido Grazioli	ead4688ce6	Start work on v0.1.7	2022-01-10 17:50:28 +01:00
Guido Grazioli	406075df89	Bump and update README	2022-01-10 17:49:23 +01:00
Guido Grazioli	26be376b5c	Template preferIPv4Stack, add health check after handler	2022-01-10 17:37:14 +01:00
Guido Grazioli	3cd69821c0	Bump version, document python3 netaddr dependency	2022-01-10 14:26:54 +01:00
Guido Grazioli	eba0d84a2b	Add health port to keycloak-ispn, polish templates	2022-01-10 14:21:39 +01:00