keycloak-aplcache

diff --git a/broker/saml/src/main/java/org/keycloak/broker/saml/SAMLEndpoint.java b/broker/saml/src/main/java/org/keycloak/broker/saml/SAMLEndpoint.java
index 8e4d163..24b56bb 100755
--- a/broker/saml/src/main/java/org/keycloak/broker/saml/SAMLEndpoint.java
+++ b/broker/saml/src/main/java/org/keycloak/broker/saml/SAMLEndpoint.java
@@ -240,6 +240,7 @@ public class SAMLEndpoint {
                         .relayState(relayState);
             if (config.isWantAuthnRequestsSigned()) {
                 binding.signWith(realm.getPrivateKey(), realm.getPublicKey(), realm.getCertificate())
+                        .signatureAlgorithm(provider.getSignatureAlgorithm())
                         .signDocument();
             }
             try {

diff --git a/broker/saml/src/main/java/org/keycloak/broker/saml/SAMLIdentityProvider.java b/broker/saml/src/main/java/org/keycloak/broker/saml/SAMLIdentityProvider.java
index 6d87d96..e28aa97 100755
--- a/broker/saml/src/main/java/org/keycloak/broker/saml/SAMLIdentityProvider.java
+++ b/broker/saml/src/main/java/org/keycloak/broker/saml/SAMLIdentityProvider.java
@@ -37,6 +37,7 @@ import org.keycloak.protocol.saml.JaxrsSAML2BindingBuilder;
 import org.keycloak.saml.SAML2AuthnRequestBuilder;
 import org.keycloak.saml.SAML2LogoutRequestBuilder;
 import org.keycloak.saml.SAML2NameIDPolicyBuilder;
+import org.keycloak.saml.SignatureAlgorithm;
 import org.keycloak.saml.common.constants.GeneralConstants;
 import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
 
@@ -108,6 +109,7 @@ public class SAMLIdentityProvider extends AbstractIdentityProvider<SAMLIdentityP
                 KeyPair keypair = new KeyPair(publicKey, privateKey);
 
                 binding.signWith(keypair);
+                binding.signatureAlgorithm(getSignatureAlgorithm());
                 binding.signDocument();
             }
 
@@ -201,6 +203,7 @@ public class SAMLIdentityProvider extends AbstractIdentityProvider<SAMLIdentityP
                 .relayState(userSession.getId());
         if (getConfig().isWantAuthnRequestsSigned()) {
             binding.signWith(realm.getPrivateKey(), realm.getPublicKey(), realm.getCertificate())
+                    .signatureAlgorithm(getSignatureAlgorithm())
                     .signDocument();
         }
         return binding;
@@ -250,4 +253,14 @@ public class SAMLIdentityProvider extends AbstractIdentityProvider<SAMLIdentityP
                 "</EntityDescriptor>\n";
         return Response.ok(descriptor, MediaType.APPLICATION_XML_TYPE).build();
     }
+
+    public SignatureAlgorithm getSignatureAlgorithm() {
+        String alg = getConfig().getSignatureAlgorithm();
+        if (alg != null) {
+            SignatureAlgorithm algorithm = SignatureAlgorithm.valueOf(alg);
+            if (algorithm != null) return algorithm;
+        }
+        return SignatureAlgorithm.RSA_SHA256;
+    }
+
 }

diff --git a/broker/saml/src/main/java/org/keycloak/broker/saml/SAMLIdentityProviderConfig.java b/broker/saml/src/main/java/org/keycloak/broker/saml/SAMLIdentityProviderConfig.java
index ad11be3..6ab3963 100755
--- a/broker/saml/src/main/java/org/keycloak/broker/saml/SAMLIdentityProviderConfig.java
+++ b/broker/saml/src/main/java/org/keycloak/broker/saml/SAMLIdentityProviderConfig.java
@@ -87,6 +87,14 @@ public class SAMLIdentityProviderConfig extends IdentityProviderModel {
         getConfig().put("wantAuthnRequestsSigned", String.valueOf(wantAuthnRequestsSigned));
     }
 
+    public String getSignatureAlgorithm() {
+        return getConfig().get("signatureAlgorithm");
+    }
+
+    public void setSignatureAlgorithm(String signatureAlgorithm) {
+        getConfig().put("signatureAlgorithm", signatureAlgorithm);
+    }
+
     public String getEncryptionPublicKey() {
         return getConfig().get("encryptionPublicKey");
     }

diff --git a/connections/jpa/pom.xml b/connections/jpa/pom.xml
index b36b850..0a99ed2 100755
--- a/connections/jpa/pom.xml
+++ b/connections/jpa/pom.xml
@@ -24,7 +24,7 @@
         </dependency>
         <dependency>
             <groupId>org.hibernate.javax.persistence</groupId>
-            <artifactId>hibernate-jpa-2.1-api</artifactId>
+            <artifactId>${hibernate.javax.persistence.artifactId}</artifactId>
             <scope>provided</scope>
         </dependency>
         <dependency>

diff --git a/connections/jpa/src/main/resources/META-INF/persistence.xml b/connections/jpa/src/main/resources/META-INF/persistence.xml
index 7a55d1e..f8f33be 100755
--- a/connections/jpa/src/main/resources/META-INF/persistence.xml
+++ b/connections/jpa/src/main/resources/META-INF/persistence.xml
@@ -29,6 +29,8 @@
         <class>org.keycloak.models.jpa.entities.AuthenticationExecutionEntity</class>
         <class>org.keycloak.models.jpa.entities.AuthenticatorConfigEntity</class>
         <class>org.keycloak.models.jpa.entities.RequiredActionProviderEntity</class>
+        <class>org.keycloak.models.jpa.entities.OfflineUserSessionEntity</class>
+        <class>org.keycloak.models.jpa.entities.OfflineClientSessionEntity</class>
 
         <!-- JpaAuditProviders -->
         <class>org.keycloak.events.jpa.EventEntity</class>

diff --git a/connections/jpa-liquibase/src/main/resources/META-INF/jpa-changelog-1.6.0.xml b/connections/jpa-liquibase/src/main/resources/META-INF/jpa-changelog-1.6.0.xml
new file mode 100644
index 0000000..24902d5
--- /dev/null
+++ b/connections/jpa-liquibase/src/main/resources/META-INF/jpa-changelog-1.6.0.xml
@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<databaseChangeLog xmlns="http://www.liquibase.org/xml/ns/dbchangelog" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.1.xsd">
+    <changeSet author="mposolda@redhat.com" id="1.6.0">
+
+        <addColumn tableName="KEYCLOAK_ROLE">
+            <column name="SCOPE_PARAM_REQUIRED" type="BOOLEAN" defaultValueBoolean="false">
+                <constraints nullable="false"/>
+            </column>
+        </addColumn>
+
+        <createTable tableName="OFFLINE_USER_SESSION">
+            <column name="USER_ID" type="VARCHAR(36)">
+                <constraints nullable="false"/>
+            </column>
+            <column name="USER_SESSION_ID" type="VARCHAR(36)">
+                <constraints nullable="false"/>
+            </column>
+            <column name="DATA" type="CLOB"/>
+        </createTable>
+
+        <createTable tableName="OFFLINE_CLIENT_SESSION">
+            <column name="USER_ID" type="VARCHAR(36)">
+                <constraints nullable="false"/>
+            </column>
+            <column name="CLIENT_SESSION_ID" type="VARCHAR(36)">
+                <constraints nullable="false"/>
+            </column>
+            <column name="USER_SESSION_ID" type="VARCHAR(36)">
+                <constraints nullable="false"/>
+            </column>
+            <column name="CLIENT_ID" type="VARCHAR(36)">
+                <constraints nullable="false"/>
+            </column>
+            <column name="DATA" type="CLOB"/>
+        </createTable>
+
+        <addPrimaryKey columnNames="USER_SESSION_ID" constraintName="CONSTRAINT_OFFLINE_US_SES_PK" tableName="OFFLINE_USER_SESSION"/>
+        <addPrimaryKey columnNames="CLIENT_SESSION_ID" constraintName="CONSTRAINT_OFFLINE_CL_SES_PK" tableName="OFFLINE_CLIENT_SESSION"/>
+        <addForeignKeyConstraint baseColumnNames="USER_ID" baseTableName="OFFLINE_USER_SESSION" constraintName="FK_OFFLINE_US_SES_USER" referencedColumnNames="ID" referencedTableName="USER_ENTITY"/>
+        <addForeignKeyConstraint baseColumnNames="USER_ID" baseTableName="OFFLINE_CLIENT_SESSION" constraintName="FK_OFFLINE_CL_SES_USER" referencedColumnNames="ID" referencedTableName="USER_ENTITY"/>
+        <addForeignKeyConstraint baseColumnNames="USER_SESSION_ID" baseTableName="OFFLINE_CLIENT_SESSION" constraintName="FK_OFFLINE_CL_US_SES" referencedColumnNames="USER_SESSION_ID" referencedTableName="OFFLINE_USER_SESSION"/>
+
+    </changeSet>
+</databaseChangeLog>
\ No newline at end of file

diff --git a/connections/jpa-liquibase/src/main/resources/META-INF/jpa-changelog-master.xml b/connections/jpa-liquibase/src/main/resources/META-INF/jpa-changelog-master.xml
index ca5d0e9..6cd96c6 100755
--- a/connections/jpa-liquibase/src/main/resources/META-INF/jpa-changelog-master.xml
+++ b/connections/jpa-liquibase/src/main/resources/META-INF/jpa-changelog-master.xml
@@ -9,4 +9,5 @@
     <include file="META-INF/jpa-changelog-1.3.0.xml"/>
     <include file="META-INF/jpa-changelog-1.4.0.xml"/>
     <include file="META-INF/jpa-changelog-1.5.0.xml"/>
+    <include file="META-INF/jpa-changelog-1.6.0.xml"/>
 </databaseChangeLog>

diff --git a/connections/mongo/src/main/java/org/keycloak/connections/mongo/DefaultMongoConnectionFactoryProvider.java b/connections/mongo/src/main/java/org/keycloak/connections/mongo/DefaultMongoConnectionFactoryProvider.java
index 423bf3e..90e8c98 100755
--- a/connections/mongo/src/main/java/org/keycloak/connections/mongo/DefaultMongoConnectionFactoryProvider.java
+++ b/connections/mongo/src/main/java/org/keycloak/connections/mongo/DefaultMongoConnectionFactoryProvider.java
@@ -48,6 +48,8 @@ public class DefaultMongoConnectionFactoryProvider implements MongoConnectionPro
             "org.keycloak.models.entities.AuthenticationFlowEntity",
             "org.keycloak.models.entities.AuthenticatorConfigEntity",
             "org.keycloak.models.entities.RequiredActionProviderEntity",
+            "org.keycloak.models.entities.OfflineUserSessionEntity",
+            "org.keycloak.models.entities.OfflineClientSessionEntity",
     };
 
     private static final Logger logger = Logger.getLogger(DefaultMongoConnectionFactoryProvider.class);

diff --git a/core/pom.xml b/core/pom.xml
index e470755..7ea016a 100755
--- a/core/pom.xml
+++ b/core/pom.xml
@@ -29,27 +29,22 @@
         <dependency>
             <groupId>org.bouncycastle</groupId>
             <artifactId>bcprov-jdk15on</artifactId>
-            <scope>provided</scope>
         </dependency>
         <dependency>
             <groupId>org.bouncycastle</groupId>
             <artifactId>bcpkix-jdk15on</artifactId>
-            <scope>provided</scope>
         </dependency>
         <dependency>
             <groupId>net.iharder</groupId>
             <artifactId>base64</artifactId>
-            <scope>provided</scope>
         </dependency>
         <dependency>
             <groupId>org.codehaus.jackson</groupId>
             <artifactId>jackson-core-asl</artifactId>
-            <scope>provided</scope>
         </dependency>
         <dependency>
             <groupId>org.codehaus.jackson</groupId>
             <artifactId>jackson-mapper-asl</artifactId>
-            <scope>provided</scope>
         </dependency>
         <dependency>
             <groupId>junit</groupId>

diff --git a/core/src/main/java/org/keycloak/OAuth2Constants.java b/core/src/main/java/org/keycloak/OAuth2Constants.java
index e17d21f..022dadd 100644
--- a/core/src/main/java/org/keycloak/OAuth2Constants.java
+++ b/core/src/main/java/org/keycloak/OAuth2Constants.java
@@ -38,6 +38,9 @@ public interface OAuth2Constants {
     // https://tools.ietf.org/html/draft-jones-oauth-jwt-bearer-03#section-2.2
     String CLIENT_ASSERTION_TYPE_JWT = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer";
 
+    // http://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess
+    String OFFLINE_ACCESS = "offline_access";
+
 }
 
 

diff --git a/core/src/main/java/org/keycloak/representations/idm/AuthenticationExecutionRepresentation.java b/core/src/main/java/org/keycloak/representations/idm/AuthenticationExecutionRepresentation.java
index 643170f..0ccdd07 100755
--- a/core/src/main/java/org/keycloak/representations/idm/AuthenticationExecutionRepresentation.java
+++ b/core/src/main/java/org/keycloak/representations/idm/AuthenticationExecutionRepresentation.java
@@ -8,7 +8,6 @@ import java.util.Comparator;
 * @version $Revision: 1 $
 */
 public class AuthenticationExecutionRepresentation implements Serializable {
-    private static final long serialVersionUID = 1L;
 
     private String authenticatorConfig;
     private String authenticator;

diff --git a/core/src/main/java/org/keycloak/representations/idm/AuthenticationFlowRepresentation.java b/core/src/main/java/org/keycloak/representations/idm/AuthenticationFlowRepresentation.java
index f8ba6a8..d91e1e6 100755
--- a/core/src/main/java/org/keycloak/representations/idm/AuthenticationFlowRepresentation.java
+++ b/core/src/main/java/org/keycloak/representations/idm/AuthenticationFlowRepresentation.java
@@ -8,7 +8,6 @@ import java.util.List;
  * @version $Revision: 1 $
  */
 public class AuthenticationFlowRepresentation implements Serializable {
-    private static final long serialVersionUID = 1L;
 
     private String alias;
     private String description;

diff --git a/core/src/main/java/org/keycloak/representations/idm/AuthenticatorConfigRepresentation.java b/core/src/main/java/org/keycloak/representations/idm/AuthenticatorConfigRepresentation.java
index 1f0b3ad..9bd5ad1 100755
--- a/core/src/main/java/org/keycloak/representations/idm/AuthenticatorConfigRepresentation.java
+++ b/core/src/main/java/org/keycloak/representations/idm/AuthenticatorConfigRepresentation.java
@@ -9,7 +9,6 @@ import java.util.Map;
 * @version $Revision: 1 $
 */
 public class AuthenticatorConfigRepresentation implements Serializable {
-    private static final long serialVersionUID = 1L;
 
     private String alias;
     private Map<String, String> config = new HashMap<String, String>();

diff --git a/core/src/main/java/org/keycloak/representations/idm/RoleRepresentation.java b/core/src/main/java/org/keycloak/representations/idm/RoleRepresentation.java
index c335ab4..4100785 100755
--- a/core/src/main/java/org/keycloak/representations/idm/RoleRepresentation.java
+++ b/core/src/main/java/org/keycloak/representations/idm/RoleRepresentation.java
@@ -12,6 +12,7 @@ public class RoleRepresentation {
     protected String id;
     protected String name;
     protected String description;
+    protected Boolean scopeParamRequired;
     protected boolean composite;
     protected Composites composites;
 
@@ -46,9 +47,10 @@ public class RoleRepresentation {
     public RoleRepresentation() {
     }
 
-    public RoleRepresentation(String name, String description) {
+    public RoleRepresentation(String name, String description, boolean scopeParamRequired) {
         this.name = name;
         this.description = description;
+        this.scopeParamRequired = scopeParamRequired;
     }
 
     public String getId() {
@@ -75,6 +77,14 @@ public class RoleRepresentation {
         this.description = description;
     }
 
+    public Boolean isScopeParamRequired() {
+        return scopeParamRequired;
+    }
+
+    public void setScopeParamRequired(Boolean scopeParamRequired) {
+        this.scopeParamRequired = scopeParamRequired;
+    }
+
     public Composites getComposites() {
         return composites;
     }

diff --git a/core/src/main/java/org/keycloak/representations/RefreshToken.java b/core/src/main/java/org/keycloak/representations/RefreshToken.java
index 7bc1edf..ff1ce68 100755
--- a/core/src/main/java/org/keycloak/representations/RefreshToken.java
+++ b/core/src/main/java/org/keycloak/representations/RefreshToken.java
@@ -1,6 +1,7 @@
 package org.keycloak.representations;
 
 import org.codehaus.jackson.annotate.JsonProperty;
+import org.keycloak.util.RefreshTokenUtil;
 
 import java.util.HashMap;
 import java.util.Map;
@@ -11,9 +12,8 @@ import java.util.Map;
  */
 public class RefreshToken extends AccessToken {
 
-
     private RefreshToken() {
-        type("REFRESH");
+        type(RefreshTokenUtil.TOKEN_TYPE_REFRESH);
     }
 
     /**

diff --git a/core/src/main/java/org/keycloak/util/RefreshTokenUtil.java b/core/src/main/java/org/keycloak/util/RefreshTokenUtil.java
new file mode 100644
index 0000000..0a759a5
--- /dev/null
+++ b/core/src/main/java/org/keycloak/util/RefreshTokenUtil.java
@@ -0,0 +1,62 @@
+package org.keycloak.util;
+
+import java.io.IOException;
+
+import org.keycloak.OAuth2Constants;
+import org.keycloak.representations.RefreshToken;
+
+/**
+ * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
+ */
+public class RefreshTokenUtil {
+
+    public static final String TOKEN_TYPE_REFRESH = "REFRESH";
+
+    public static final String TOKEN_TYPE_OFFLINE = "OFFLINE";
+
+    public static boolean isOfflineTokenRequested(String scopeParam) {
+        if (scopeParam == null) {
+            return false;
+        }
+
+        String[] scopes = scopeParam.split(" ");
+        for (String scope : scopes) {
+            if (OAuth2Constants.OFFLINE_ACCESS.equals(scope)) {
+                return true;
+            }
+        }
+        return false;
+    }
+
+
+    /**
+     * Return refresh token or offline otkne
+     *
+     * @param decodedToken
+     * @return
+     */
+    public static RefreshToken getRefreshToken(byte[] decodedToken) throws IOException {
+        return JsonSerialization.readValue(decodedToken, RefreshToken.class);
+    }
+
+    private static RefreshToken getRefreshToken(String refreshToken) throws IOException {
+        byte[] decodedToken = Base64Url.decode(refreshToken);
+        return getRefreshToken(decodedToken);
+    }
+
+    /**
+     * Return true if given refreshToken represents offline token
+     *
+     * @param refreshToken
+     * @return
+     */
+    public static boolean isOfflineToken(String refreshToken) {
+        try {
+            RefreshToken token = getRefreshToken(refreshToken);
+            return token.getType().equals(TOKEN_TYPE_OFFLINE);
+        } catch (IOException ioe) {
+            throw new RuntimeException(ioe);
+        }
+    }
+
+}

diff --git a/distribution/docs-dist/pom.xml b/distribution/docs-dist/pom.xml
index 1f1ce1d..fdee7b4 100755
--- a/distribution/docs-dist/pom.xml
+++ b/distribution/docs-dist/pom.xml
@@ -14,12 +14,40 @@
     <description/>
 
     <dependencies>
+        <dependency>
+            <groupId>org.keycloak</groupId>
+            <artifactId>keycloak-dependencies-server-all</artifactId>
+            <type>pom</type>
+        </dependency>
     </dependencies>
+
     <build>
         <finalName>keycloak-docs-${project.version}</finalName>
         <plugins>
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-javadoc-plugin</artifactId>
+                <configuration>
+                    <minmemory>128m</minmemory>
+                    <maxmemory>1024m</maxmemory>
+                    <dependencySourceIncludes>
+                        <dependencySourceInclude>org.keycloak:*</dependencySourceInclude>
+                    </dependencySourceIncludes>
+                    <includeDependencySources>true</includeDependencySources>
+                    <includeTransitiveDependencySources>true</includeTransitiveDependencySources>
+                </configuration>
+                <executions>
+                    <execution>
+                        <id>aggregate-javadoc</id>
+                        <phase>compile</phase>
+                        <goals>
+                            <goal>javadoc</goal>
+                        </goals>
+                    </execution>
+                </executions>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-deploy-plugin</artifactId>
                 <configuration>
                     <skip>true</skip>

diff --git a/docbook/reference/en/en-US/modules/auth-spi.xml b/docbook/reference/en/en-US/modules/auth-spi.xml
index ff7f061..10cb89d 100755
--- a/docbook/reference/en/en-US/modules/auth-spi.xml
+++ b/docbook/reference/en/en-US/modules/auth-spi.xml
@@ -898,7 +898,7 @@ public class SecretQuestionRequiredActionFactory implements RequiredActionFactor
 }
 ]]></programlisting>
 
-                                where the <literal>mysecret</literal> needs to be replaced with the real value of client secret. You can obtain it from client admin console.
+                                where the <literal>mysecret</literal> needs to be replaced with the real value of client secret. You can obtain it from admin console from client configuration.
                             </para>
                         </listitem>
                     </varlistentry>
@@ -906,7 +906,7 @@ public class SecretQuestionRequiredActionFactory implements RequiredActionFactor
                         <term>Authentication with signed JWT</term>
                         <listitem>
                             <para>
-                                This is based on the <ulink url="https://tools.ietf.org/html/draft-jones-oauth-jwt-bearer-03">JWT Bearer Token Profiles for OAuth 2.0</ulink> specification.
+                                This is based on the <ulink url="https://tools.ietf.org/html/rfc7523">JWT Bearer Token Profiles for OAuth 2.0</ulink> specification.
                                 The client/adapter generates the <ulink url="https://tools.ietf.org/html/rfc7519">JWT</ulink> and signs it with his private key.
                                 The Keycloak then verifies the signed JWT with the client's public key and authenticates client based on it.
                             </para>

diff --git a/events/api/src/main/java/org/keycloak/events/Details.java b/events/api/src/main/java/org/keycloak/events/Details.java
index b7ec677..b9c5338 100755
--- a/events/api/src/main/java/org/keycloak/events/Details.java
+++ b/events/api/src/main/java/org/keycloak/events/Details.java
@@ -20,6 +20,7 @@ public interface Details {
     String REMEMBER_ME = "remember_me";
     String TOKEN_ID = "token_id";
     String REFRESH_TOKEN_ID = "refresh_token_id";
+    String REFRESH_TOKEN_TYPE = "refresh_token_type";
     String VALIDATE_ACCESS_TOKEN = "validate_access_token";
     String UPDATED_REFRESH_TOKEN_ID = "updated_refresh_token_id";
     String NODE_HOST = "node_host";

diff --git a/events/jpa/pom.xml b/events/jpa/pom.xml
index d6e7e9e..9fbd1d8 100755
--- a/events/jpa/pom.xml
+++ b/events/jpa/pom.xml
@@ -35,7 +35,7 @@
         </dependency>
         <dependency>
             <groupId>org.hibernate.javax.persistence</groupId>
-            <artifactId>hibernate-jpa-2.1-api</artifactId>
+            <artifactId>${hibernate.javax.persistence.artifactId}</artifactId>
             <scope>provided</scope>
         </dependency>
         <dependency>

diff --git a/examples/fuse/cxf-jaxws/src/main/java/org/keycloak/example/ws/UnknownProductFault.java b/examples/fuse/cxf-jaxws/src/main/java/org/keycloak/example/ws/UnknownProductFault.java
index 671b71e..d9aa035 100644
--- a/examples/fuse/cxf-jaxws/src/main/java/org/keycloak/example/ws/UnknownProductFault.java
+++ b/examples/fuse/cxf-jaxws/src/main/java/org/keycloak/example/ws/UnknownProductFault.java
@@ -4,7 +4,6 @@ import javax.xml.ws.WebFault;
 
 @WebFault(name = "UnknownProductFault")
 public class UnknownProductFault extends Exception {
-    public static final long serialVersionUID = 20081110144906L;
 
     private org.keycloak.example.ws.types.UnknownProductFault unknownProductFault;
 

diff --git a/forms/account-freemarker/src/main/java/org/keycloak/account/freemarker/model/ApplicationsBean.java b/forms/account-freemarker/src/main/java/org/keycloak/account/freemarker/model/ApplicationsBean.java
index 9d9035a..371b5d0 100644
--- a/forms/account-freemarker/src/main/java/org/keycloak/account/freemarker/model/ApplicationsBean.java
+++ b/forms/account-freemarker/src/main/java/org/keycloak/account/freemarker/model/ApplicationsBean.java
@@ -1,5 +1,6 @@
 package org.keycloak.account.freemarker.model;
 
+import java.util.ArrayList;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Set;
@@ -11,6 +12,7 @@ import org.keycloak.models.RealmModel;
 import org.keycloak.models.RoleModel;
 import org.keycloak.models.UserModel;
 import org.keycloak.protocol.oidc.TokenManager;
+import org.keycloak.services.offline.OfflineTokenUtils;
 import org.keycloak.util.MultivaluedHashMap;
 
 /**
@@ -21,6 +23,9 @@ public class ApplicationsBean {
     private List<ApplicationEntry> applications = new LinkedList<ApplicationEntry>();
 
     public ApplicationsBean(RealmModel realm, UserModel user) {
+
+        Set<ClientModel> offlineClients = OfflineTokenUtils.findClientsWithOfflineToken(realm, user);
+
         List<ClientModel> realmClients = realm.getClients();
         for (ClientModel client : realmClients) {
             // Don't show bearerOnly clients
@@ -28,7 +33,7 @@ public class ApplicationsBean {
                 continue;
             }
 
-            Set<RoleModel> availableRoles = TokenManager.getAccess(null, client, user);
+            Set<RoleModel> availableRoles = TokenManager.getAccess(null, false, client, user);
             // Don't show applications, which user doesn't have access into (any available roles)
             if (availableRoles.isEmpty()) {
                 continue;
@@ -52,7 +57,13 @@ public class ApplicationsBean {
                 }
             }
 
-            ApplicationEntry appEntry = new ApplicationEntry(realmRolesAvailable, resourceRolesAvailable, realmRolesGranted, resourceRolesGranted, client, claimsGranted);
+            List<String> additionalGrants = new ArrayList<>();
+            if (offlineClients.contains(client)) {
+                additionalGrants.add("${offlineToken}");
+            }
+
+            ApplicationEntry appEntry = new ApplicationEntry(realmRolesAvailable, resourceRolesAvailable, realmRolesGranted, resourceRolesGranted, client,
+                    claimsGranted, additionalGrants);
             applications.add(appEntry);
         }
     }
@@ -82,16 +93,18 @@ public class ApplicationsBean {
         private final MultivaluedHashMap<String, ClientRoleEntry> resourceRolesGranted;
         private final ClientModel client;
         private final List<String> claimsGranted;
+        private final List<String> additionalGrants;
 
         public ApplicationEntry(List<RoleModel> realmRolesAvailable, MultivaluedHashMap<String, ClientRoleEntry> resourceRolesAvailable,
                                 List<RoleModel> realmRolesGranted, MultivaluedHashMap<String, ClientRoleEntry> resourceRolesGranted,
-                                ClientModel client, List<String> claimsGranted) {
+                                ClientModel client, List<String> claimsGranted, List<String> additionalGrants) {
             this.realmRolesAvailable = realmRolesAvailable;
             this.resourceRolesAvailable = resourceRolesAvailable;
             this.realmRolesGranted = realmRolesGranted;
             this.resourceRolesGranted = resourceRolesGranted;
             this.client = client;
             this.claimsGranted = claimsGranted;
+            this.additionalGrants = additionalGrants;
         }
 
         public List<RoleModel> getRealmRolesAvailable() {
@@ -118,6 +131,9 @@ public class ApplicationsBean {
             return claimsGranted;
         }
 
+        public List<String> getAdditionalGrants() {
+            return additionalGrants;
+        }
     }
 
     // Same class used in OAuthGrantBean as well. Maybe should be merged into common-freemarker...

diff --git a/forms/common-themes/src/main/resources/theme/base/account/applications.ftl b/forms/common-themes/src/main/resources/theme/base/account/applications.ftl
index 4e01c02..b2bbdf2 100755
--- a/forms/common-themes/src/main/resources/theme/base/account/applications.ftl
+++ b/forms/common-themes/src/main/resources/theme/base/account/applications.ftl
@@ -18,6 +18,7 @@
                 <td>${msg("availablePermissions")}</td>
                 <td>${msg("grantedPermissions")}</td>
                 <td>${msg("grantedPersonalInfo")}</td>
+                <td>${msg("additionalGrants")}</td>
                 <td>${msg("action")}</td>
               </tr>
             </thead>
@@ -76,7 +77,13 @@
                     </td>
 
                     <td>
-                        <#if application.client.consentRequired && application.claimsGranted?has_content>
+                       <#list application.additionalGrants as grant>
+                            ${advancedMsg(grant)}<#if grant_has_next>, </#if>
+                        </#list>
+                    </td>
+
+                    <td>
+                        <#if (application.client.consentRequired && application.claimsGranted?has_content) || application.additionalGrants?has_content>
                             <button type='submit' class='${properties.kcButtonClass!} ${properties.kcButtonPrimaryClass!}' id='revoke-${application.client.clientId}' name='clientId' value="${application.client.id}">${msg("revoke")}</button>
                         </#if>
                     </td>

diff --git a/forms/common-themes/src/main/resources/theme/base/account/messages/messages_en.properties b/forms/common-themes/src/main/resources/theme/base/account/messages/messages_en.properties
index 2c3b8c7..23a112d 100755
--- a/forms/common-themes/src/main/resources/theme/base/account/messages/messages_en.properties
+++ b/forms/common-themes/src/main/resources/theme/base/account/messages/messages_en.properties
@@ -52,6 +52,7 @@ role_manage-events=Manage events
 role_view-profile=View profile
 role_manage-account=Manage account
 role_read-token=Read token
+role_offline-access=Offline access
 client_account=Account
 client_security-admin-console=Security Admin Console
 client_realm-management=Realm Management
@@ -85,9 +86,11 @@ application=Application
 availablePermissions=Available Permissions
 grantedPermissions=Granted Permissions
 grantedPersonalInfo=Granted Personal Info
+additionalGrants=Additional Grants
 action=Action
 inResource=in
 fullAccess=Full Access
+offlineToken=Offline Token
 revoke=Revoke Grant
 
 configureAuthenticators=Configured Authenticators

diff --git a/forms/common-themes/src/main/resources/theme/base/admin/resources/js/app.js b/forms/common-themes/src/main/resources/theme/base/admin/resources/js/app.js
index 903131d..756c89e 100755
--- a/forms/common-themes/src/main/resources/theme/base/admin/resources/js/app.js
+++ b/forms/common-themes/src/main/resources/theme/base/admin/resources/js/app.js
@@ -2036,3 +2036,26 @@ module.directive( 'kcOpen', function ( $location ) {
         });
     };
 });
+
+module.directive('kcOnReadFile', function ($parse) {
+    console.debug('kcOnReadFile');
+    return {
+        restrict: 'A',
+        scope: false,
+        link: function(scope, element, attrs) {
+            var fn = $parse(attrs.kcOnReadFile);
+
+            element.on('change', function(onChangeEvent) {
+                var reader = new FileReader();
+
+                reader.onload = function(onLoadEvent) {
+                    scope.$apply(function() {
+                        fn(scope, {$fileContent:onLoadEvent.target.result});
+                    });
+                };
+
+                reader.readAsText((onChangeEvent.srcElement || onChangeEvent.target).files[0]);
+            });
+        }
+    };
+});

diff --git a/forms/common-themes/src/main/resources/theme/base/admin/resources/js/controllers/realm.js b/forms/common-themes/src/main/resources/theme/base/admin/resources/js/controllers/realm.js
index 4027a85..15dc679 100755
--- a/forms/common-themes/src/main/resources/theme/base/admin/resources/js/controllers/realm.js
+++ b/forms/common-themes/src/main/resources/theme/base/admin/resources/js/controllers/realm.js
@@ -155,7 +155,7 @@ module.controller('RealmDropdownCtrl', function($scope, Realm, Current, Auth, $l
     }
 });
 
-module.controller('RealmCreateCtrl', function($scope, Current, Realm, $upload, $http, WhoAmI, $location, Dialog, Notifications, Auth) {
+module.controller('RealmCreateCtrl', function($scope, Current, Realm, $upload, $http, WhoAmI, $location, $route, Dialog, Notifications, Auth, $modal) {
     console.log('RealmCreateCtrl');
 
     Current.realm = null;
@@ -169,55 +169,21 @@ module.controller('RealmCreateCtrl', function($scope, Current, Realm, $upload, $
 
     var oldCopy = angular.copy($scope.realm);
 
-    $scope.onFileSelect = function($files) {
-        $scope.files = $files;
+    $scope.importFile = function($fileContent){
+        $scope.realm = angular.copy(JSON.parse($fileContent));
+        $scope.importing = true;
     };
 
-    $scope.clearFileSelect = function() {
-        $scope.files = null;
-    }
-
-    $scope.uploadFile = function() {
-        //$files: an array of files selected, each file has name, size, and type.
-        for (var i = 0; i < $scope.files.length; i++) {
-            var $file = $scope.files[i];
-            $scope.upload = $upload.upload({
-                url: authUrl + '/admin/realms', //upload.php script, node.js route, or servlet url
-                // method: POST or PUT,
-                // headers: {'headerKey': 'headerValue'}, withCredential: true,
-                data: {myObj: ""},
-                file: $file
-                /* set file formData name for 'Content-Desposition' header. Default: 'file' */
-                //fileFormDataName: myFile,
-                /* customize how data is added to formData. See #40#issuecomment-28612000 for example */
-                //formDataAppender: function(formData, key, val){}
-            }).progress(function(evt) {
-                    console.log('percent: ' + parseInt(100.0 * evt.loaded / evt.total));
-                }).success(function(data, status, headers) {
-                    Realm.query(function(data) {
-                        Current.realms = data;
-
-
-                        WhoAmI.get(function(user) {
-                            Auth.user = user;
-
-                            Notifications.success("The realm has been uploaded.");
-
-                            var location = headers('Location');
-                            if (location) {
-                                $location.url("/realms/" + location.substring(location.lastIndexOf('/') + 1));
-                            } else {
-                                $location.url("/realms");
-                            }
-                        });
-                    });
-                })
-            .error(function() {
-                    Notifications.error("The realm can not be uploaded. Please verify the file.");
-
-                });
-            //.then(success, error, progress);
-        }
+    $scope.viewImportDetails = function() {
+        $modal.open({
+            templateUrl: resourceUrl + '/partials/modal/view-object.html',
+            controller: 'ObjectModalCtrl',
+            resolve: {
+                object: function () {
+                    return $scope.realm;
+                }
+            }
+        })
     };
 
     $scope.$watch('realm', function() {
@@ -226,6 +192,12 @@ module.controller('RealmCreateCtrl', function($scope, Current, Realm, $upload, $
         }
     }, true);
 
+    $scope.$watch('realm.realm', function() {
+	if (create) {
+	    $scope.realm.id = $scope.realm.realm;
+	}
+    }, true);
+
     $scope.save = function() {
         var realmCopy = angular.copy($scope.realm);
         Realm.create(realmCopy, function() {
@@ -243,10 +215,17 @@ module.controller('RealmCreateCtrl', function($scope, Current, Realm, $upload, $
     };
 
     $scope.cancel = function() {
-        window.history.back();
+        $location.url("/");
     };
+
+    $scope.reset = function() {
+        $route.reload();
+    }
 });
 
+module.controller('ObjectModalCtrl', function($scope, object) {
+    $scope.object = object;
+});
 
 module.controller('RealmDetailCtrl', function($scope, Current, Realm, realm, serverInfo, $http, $location, Dialog, Notifications, WhoAmI, Auth) {
     $scope.createRealm = !realm.realm;
@@ -693,10 +672,17 @@ module.controller('RealmIdentityProviderCtrl', function($scope, $filter, $upload
 
             }
         ];
+        $scope.signatureAlgorithms = [
+            "RSA_SHA1",
+            "RSA_SHA256",
+            "RSA_SHA512",
+            "DSA_SHA1"
+        ];
         if (instance && instance.alias) {
 
         } else {
             $scope.identityProvider.config.nameIDPolicyFormat = $scope.nameIdFormats[0].format;
+            $scope.identityProvider.config.signatureAlgorithm = $scope.signatureAlgorithms[1];
             $scope.identityProvider.updateProfileFirstLoginMode = "off";
         }
     }

diff --git a/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/client-role-detail.html b/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/client-role-detail.html
index c0ce766..f93c96e 100755
--- a/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/client-role-detail.html
+++ b/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/client-role-detail.html
@@ -32,6 +32,13 @@
                                                            required> -->
                 </div>
             </div>
+            <div class="form-group">
+                <label class="col-md-2 control-label" for="scopeParamRequired">Scope Param Required </label>
+                <kc-tooltip>This role will be granted just if scope parameter with role name is used during authorization/token request.</kc-tooltip>
+                <div class="col-md-6">
+                    <input ng-model="role.scopeParamRequired" name="scopeParamRequired" id="scopeParamRequired" onoffswitch />
+                </div>
+            </div>
             <div class="form-group clearfix block" data-ng-hide="create">
                 <label class="col-md-2 control-label" for="compositeSwitch" class="control-label">Composite Roles</label>
                 <div class="col-md-6">

diff --git a/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/modal/view-object.html b/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/modal/view-object.html
new file mode 100644
index 0000000..ee50aee
--- /dev/null
+++ b/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/modal/view-object.html
@@ -0,0 +1,3 @@
+<div style="padding: 20px 20px 10px 20px">
+	<pre ng-bind = "{{object}} | json"></pre>
+</div>
\ No newline at end of file

diff --git a/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/password-policy.html b/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/password-policy.html
index 2da9b0d..58942ce 100755
--- a/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/password-policy.html
+++ b/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/password-policy.html
@@ -34,7 +34,7 @@
                            placeholder="No value assigned" min="1" required>
                 </td>
                 <td class="kc-action-cell">
-                    <button class="btn btn-default btn-block btn-sm" ng-click="removePolicy($index)">Delete</button>
+                    <button type="button" class="btn btn-default btn-block btn-sm" ng-click="removePolicy($index)">Delete</button>
                 </td>
             </tr>
             </tbody>

diff --git a/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/realm-create.html b/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/realm-create.html
index 630188d..4ac36fd 100755
--- a/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/realm-create.html
+++ b/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/realm-create.html
@@ -1,29 +1,22 @@
 <div class="col-sm-9 col-md-10 col-sm-push-3 col-md-push-2">
+
     <form class="form-horizontal" name="realmForm" novalidate>
         <fieldset>
-            <legend><span class="text">Import Realm</span></legend>
+            <legend><span class="text">Create Realm</span></legend>
             <div class="form-group">
-                <label for="import-file" class="col-sm-2 control-label">Import JSON File </label>
-                <div class="col-md-6">
-                    <div class="controls kc-button-input-file" data-ng-show="!files || files.length == 0">
-                        <label for="import-file" class="btn btn-default">Select file <i class="pficon pficon-import"></i></label>
-                        <input id="import-file" type="file" class="hidden" ng-file-select="onFileSelect($files)">
-                    </div>
-                    <span class="kc-uploaded-file" data-ng-show="files.length > 0">{{files[0].name}}</span>
+                <label for="name" class="col-sm-2 control-label">Import</label>
+
+                <div class="col-md-6" data-ng-hide="importing">
+                    <label for="import-file" class="btn btn-default">Select file <i class="pficon pficon-import"></i></label>
+                    <input id="import-file" type="file" class="hidden" kc-on-read-file="importFile($fileContent)">
                 </div>
-            </div>
-            <div class="form-group">
-                <div class="col-md-10 col-md-offset-2">
-                    <button type="submit" data-ng-disabled="files.length == 0" data-ng-click="uploadFile()" class="btn btn-primary">Upload</button>
-                    <button type="submit" data-ng-disabled="files.length == 0" data-ng-click="clearFileSelect()" class="btn btn-default">Cancel</button>
+
+                <div class="col-md-6" data-ng-show="importing">
+                    <button class="btn btn-default" data-ng-click="viewImportDetails()">View details</button>
+                    <button class="btn btn-default" data-ng-click="reset()">Clear import</button>
                 </div>
             </div>
-        </fieldset>
-    </form>
 
-    <form class="form-horizontal" name="realmForm" novalidate>
-        <fieldset>
-            <legend><span class="text">Create Realm</span></legend>
             <div class="form-group">
                 <label for="name" class="col-sm-2 control-label">Name <span class="required">*</span></label>
 
@@ -42,6 +35,7 @@
         <div class="form-group">
             <div class="col-md-10 col-md-offset-2">
                 <button kc-save data-ng-disabled="!changed">Create</button>
+                <button kc-cancel data-ng-click="cancel()">Cancel</button>
             </div>
         </div>
     </form>

diff --git a/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/realm-identity-provider-saml.html b/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/realm-identity-provider-saml.html
index 1723919..5387826 100755
--- a/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/realm-identity-provider-saml.html
+++ b/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/realm-identity-provider-saml.html
@@ -135,6 +135,18 @@
                 </div>
                 <kc-tooltip> Indicates whether the identity provider expects signed a AuthnRequest.</kc-tooltip>
             </div>
+            <div class="form-group" data-ng-show="identityProvider.config.wantAuthnRequestsSigned == 'true'">
+                <label class="col-md-2 control-label" for="signatureAlgorithm">Signature Algorithm</label>
+                <div class="col-sm-6">
+                    <div>
+                        <select class="form-control" id="signatureAlgorithm"
+                                ng-model="identityProvider.config.signatureAlgorithm"
+                                ng-options="alg for alg in signatureAlgorithms">
+                        </select>
+                    </div>
+                </div>
+                <kc-tooltip>The signature algorithm to use to sign documents.</kc-tooltip>
+            </div>
             <div class="form-group">
                 <label class="col-md-2 control-label" for="forceAuthn">Force Authentication</label>
                 <div class="col-md-6">

diff --git a/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/role-detail.html b/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/role-detail.html
index 49d09c8..6bf854e 100755
--- a/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/role-detail.html
+++ b/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/role-detail.html
@@ -28,6 +28,13 @@
                     <textarea class="form-control" rows="5" cols="50" id="description" name="description" data-ng-model="role.description"></textarea>
                 </div>
             </div>
+            <div class="form-group">
+                <label class="col-md-2 control-label" for="scopeParamRequired">Scope Param Required </label>
+                <kc-tooltip>This role will be granted just if scope parameter with role name is used during authorization/token request.</kc-tooltip>
+                <div class="col-md-6">
+                    <input ng-model="role.scopeParamRequired" name="scopeParamRequired" id="scopeParamRequired" onoffswitch />
+                </div>
+            </div>
             <div class="form-group" data-ng-hide="create">
                 <label class="col-md-2 control-label" for="compositeSwitch" class="control-label">Composite Roles</label>
                 <div class="col-md-6">

diff --git a/forms/common-themes/src/main/resources/theme/base/login/login-update-profile.ftl b/forms/common-themes/src/main/resources/theme/base/login/login-update-profile.ftl
index 2257508..584bea3 100755
--- a/forms/common-themes/src/main/resources/theme/base/login/login-update-profile.ftl
+++ b/forms/common-themes/src/main/resources/theme/base/login/login-update-profile.ftl
@@ -6,6 +6,16 @@
         ${msg("loginProfileTitle")}
     <#elseif section = "form">
         <form id="kc-update-profile-form" class="${properties.kcFormClass!}" action="${url.loginAction}" method="post">
+            <#if realm.editUsernameAllowed>
+                <div class="${properties.kcFormGroupClass!} ${messagesPerField.printIfExists('username',properties.kcFormGroupErrorClass!)}">
+                    <div class="${properties.kcLabelWrapperClass!}">
+                        <label for="username" class="${properties.kcLabelClass!}">${msg("username")}</label>
+                    </div>
+                    <div class="${properties.kcInputWrapperClass!}">
+                        <input type="text" id="username" name="username" value="${(user.username!'')?html}" class="${properties.kcInputClass!}"/>
+                    </div>
+                </div>
+            </#if>
             <div class="${properties.kcFormGroupClass!} ${messagesPerField.printIfExists('email',properties.kcFormGroupErrorClass!)}">
                 <div class="${properties.kcLabelWrapperClass!}">
                     <label for="email" class="${properties.kcLabelClass!}">${msg("email")}</label>

diff --git a/forms/common-themes/src/main/resources/theme/base/login/messages/messages_en.properties b/forms/common-themes/src/main/resources/theme/base/login/messages/messages_en.properties
index 3dfb8ea..94b0627 100644
--- a/forms/common-themes/src/main/resources/theme/base/login/messages/messages_en.properties
+++ b/forms/common-themes/src/main/resources/theme/base/login/messages/messages_en.properties
@@ -104,6 +104,7 @@ role_manage-events=Manage events
 role_view-profile=View profile
 role_manage-account=Manage account
 role_read-token=Read token
+role_offline-access=Offline access
 client_account=Account
 client_security-admin-console=Security Admin Console
 client_realm-management=Realm Management

diff --git a/forms/login-freemarker/src/main/java/org/keycloak/login/freemarker/model/ProfileBean.java b/forms/login-freemarker/src/main/java/org/keycloak/login/freemarker/model/ProfileBean.java
index 6f73cc5..e730c14 100755
--- a/forms/login-freemarker/src/main/java/org/keycloak/login/freemarker/model/ProfileBean.java
+++ b/forms/login-freemarker/src/main/java/org/keycloak/login/freemarker/model/ProfileBean.java
@@ -70,6 +70,8 @@ public class ProfileBean {
 
     }
 
+    public String getUsername() { return formData != null ? formData.getFirst("username") : user.getUsername(); }
+
     public String getFirstName() {
         return formData != null ? formData.getFirst("firstName") : user.getFirstName();
     }

diff --git a/forms/login-freemarker/src/main/java/org/keycloak/login/freemarker/model/RealmBean.java b/forms/login-freemarker/src/main/java/org/keycloak/login/freemarker/model/RealmBean.java
index b161ad2..e6ae21d 100755
--- a/forms/login-freemarker/src/main/java/org/keycloak/login/freemarker/model/RealmBean.java
+++ b/forms/login-freemarker/src/main/java/org/keycloak/login/freemarker/model/RealmBean.java
@@ -66,6 +66,10 @@ public class RealmBean {
         return realm.isInternationalizationEnabled();
     }
 
+    public boolean isEditUsernameAllowed() {
+        return realm.isEditUsernameAllowed();
+    }
+
     public boolean isPassword() {
         for (RequiredCredentialModel r : realm.getRequiredCredentials()) {
             if (r.getType().equals(CredentialRepresentation.PASSWORD)) {

diff --git a/integration/adapter-core/src/main/java/org/keycloak/adapters/authentication/ClientCredentialsProvider.java b/integration/adapter-core/src/main/java/org/keycloak/adapters/authentication/ClientCredentialsProvider.java
index 80a0c4d..2c6a92d 100644
--- a/integration/adapter-core/src/main/java/org/keycloak/adapters/authentication/ClientCredentialsProvider.java
+++ b/integration/adapter-core/src/main/java/org/keycloak/adapters/authentication/ClientCredentialsProvider.java
@@ -14,7 +14,7 @@ import org.keycloak.adapters.KeycloakDeployment;
  *
  * You must specify a file
  * META-INF/services/org.keycloak.adapters.authentication.ClientCredentialsProvider in the WAR that this class is contained in (or in the JAR that is attached to the WEB-INF/lib or as jboss module
- * if you want to share the implementation among more WARs). This file must have the fully qualified class name of all your ClientAuthenticatorFactory classes
+ * if you want to share the implementation among more WARs).
  *
  * NOTE: The SPI is not finished and method signatures are still subject to change in future versions (for example to support
  * authentication with client certificate)

diff --git a/integration/adapter-core/src/main/java/org/keycloak/adapters/authentication/JWTClientCredentialsProvider.java b/integration/adapter-core/src/main/java/org/keycloak/adapters/authentication/JWTClientCredentialsProvider.java
index d68c7cb..1c8907e 100644
--- a/integration/adapter-core/src/main/java/org/keycloak/adapters/authentication/JWTClientCredentialsProvider.java
+++ b/integration/adapter-core/src/main/java/org/keycloak/adapters/authentication/JWTClientCredentialsProvider.java
@@ -13,7 +13,7 @@ import org.keycloak.util.Time;
 
 /**
  * Client authentication based on JWT signed by client private key .
- * See <a href="https://tools.ietf.org/html/draft-jones-oauth-jwt-bearer-03">specs</a> for more details.
+ * See <a href="https://tools.ietf.org/html/rfc7519">specs</a> for more details.
  *
  * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
  */

diff --git a/integration/adapter-core/src/main/java/org/keycloak/adapters/jaas/RolePrincipal.java b/integration/adapter-core/src/main/java/org/keycloak/adapters/jaas/RolePrincipal.java
index a4e4423..d578c81 100644
--- a/integration/adapter-core/src/main/java/org/keycloak/adapters/jaas/RolePrincipal.java
+++ b/integration/adapter-core/src/main/java/org/keycloak/adapters/jaas/RolePrincipal.java
@@ -8,7 +8,6 @@ import java.security.Principal;
  */
 public class RolePrincipal implements Principal, Serializable {
 
-    private static final long serialVersionUID = -5538962177019315447L;
     private String roleName = null;
 
     public RolePrincipal(String roleName) {

diff --git a/integration/adapter-core/src/main/java/org/keycloak/adapters/OAuthRequestAuthenticator.java b/integration/adapter-core/src/main/java/org/keycloak/adapters/OAuthRequestAuthenticator.java
index 1dfe41d..d077d7d 100755
--- a/integration/adapter-core/src/main/java/org/keycloak/adapters/OAuthRequestAuthenticator.java
+++ b/integration/adapter-core/src/main/java/org/keycloak/adapters/OAuthRequestAuthenticator.java
@@ -134,6 +134,9 @@ public class OAuthRequestAuthenticator {
         String idpHint = getQueryParamValue(AdapterConstants.KC_IDP_HINT);
         url = UriUtils.stripQueryParam(url, AdapterConstants.KC_IDP_HINT);
 
+        String scope = getQueryParamValue(OAuth2Constants.SCOPE);
+        url = UriUtils.stripQueryParam(url, OAuth2Constants.SCOPE);
+
         KeycloakUriBuilder redirectUriBuilder = deployment.getAuthUrl().clone()
                 .queryParam(OAuth2Constants.RESPONSE_TYPE, OAuth2Constants.CODE)
                 .queryParam(OAuth2Constants.CLIENT_ID, deployment.getResourceName())
@@ -146,6 +149,9 @@ public class OAuthRequestAuthenticator {
         if (idpHint != null && idpHint.length() > 0) {
             redirectUriBuilder.queryParam(AdapterConstants.KC_IDP_HINT,idpHint);
         }
+        if (scope != null && scope.length() > 0) {
+            redirectUriBuilder.queryParam(OAuth2Constants.SCOPE, scope);
+        }
 
         return redirectUriBuilder.build().toString();
     }

diff --git a/integration/adapter-core/src/main/java/org/keycloak/adapters/RefreshableKeycloakSecurityContext.java b/integration/adapter-core/src/main/java/org/keycloak/adapters/RefreshableKeycloakSecurityContext.java
index 52668de..b938a0b 100755
--- a/integration/adapter-core/src/main/java/org/keycloak/adapters/RefreshableKeycloakSecurityContext.java
+++ b/integration/adapter-core/src/main/java/org/keycloak/adapters/RefreshableKeycloakSecurityContext.java
@@ -117,7 +117,12 @@ public class RefreshableKeycloakSecurityContext extends KeycloakSecurityContext 
         }
 
         this.token = token;
-        this.refreshToken = response.getRefreshToken();
+        if (response.getRefreshToken() != null) {
+            if (log.isTraceEnabled()) {
+                log.trace("Setup new refresh token to the security context");
+            }
+            this.refreshToken = response.getRefreshToken();
+        }
         this.tokenString = tokenString;
         tokenStore.refreshCallback(this);
         return true;

diff --git a/integration/js/src/main/resources/keycloak.js b/integration/js/src/main/resources/keycloak.js
index 46d3b18..f384e7b 100755
--- a/integration/js/src/main/resources/keycloak.js
+++ b/integration/js/src/main/resources/keycloak.js
@@ -164,6 +164,10 @@
                 url += '&kc_idp_hint=' + options.idpHint;
             }
 
+            if (options && options.scope) {
+                url += '&scope=' + options.scope;
+            }
+
             return url;
         }
 

diff --git a/integration/tomcat/tomcat-adapter-spi/src/main/java/org/keycloak/adapters/tomcat/SimpleGroup.java b/integration/tomcat/tomcat-adapter-spi/src/main/java/org/keycloak/adapters/tomcat/SimpleGroup.java
index 53bb52c..109ffe1 100755
--- a/integration/tomcat/tomcat-adapter-spi/src/main/java/org/keycloak/adapters/tomcat/SimpleGroup.java
+++ b/integration/tomcat/tomcat-adapter-spi/src/main/java/org/keycloak/adapters/tomcat/SimpleGroup.java
@@ -8,7 +8,6 @@ import java.util.HashSet;
 import java.util.Set;
 
 public class SimpleGroup extends SimplePrincipal implements Group {
-    private static final long serialVersionUID = 3273437693505893786L;
     private final Set<Principal> members = new HashSet<Principal>();
 
     /**

diff --git a/integration/tomcat/tomcat-adapter-spi/src/main/java/org/keycloak/adapters/tomcat/SimplePrincipal.java b/integration/tomcat/tomcat-adapter-spi/src/main/java/org/keycloak/adapters/tomcat/SimplePrincipal.java
index ada37d7..29f46ec 100755
--- a/integration/tomcat/tomcat-adapter-spi/src/main/java/org/keycloak/adapters/tomcat/SimplePrincipal.java
+++ b/integration/tomcat/tomcat-adapter-spi/src/main/java/org/keycloak/adapters/tomcat/SimplePrincipal.java
@@ -14,7 +14,6 @@ import java.security.Principal;
 public class SimplePrincipal implements Principal, Serializable {
 
     /** SimplePrincipal.java */
-    private static final long serialVersionUID = -5645357206342793145L;
 
     /** The unique identifier for this principal. */
     private final String name;

diff --git a/misc/ReleaseProcess.md b/misc/ReleaseProcess.md
index 9a0e3d4..1fa620b 100644
--- a/misc/ReleaseProcess.md
+++ b/misc/ReleaseProcess.md
@@ -7,31 +7,21 @@
 
 ## Release
 
-*Releasing currently requires using JDK 7 due to a bug in JAX-RS Doclets*
-
 ### Clone from GitHub
 
     # git clone https://github.com/keycloak/keycloak.git
     # cd keycloak
 
-### Update version
-
-    # mvn versions:set -DnewVersion=$VERSION -DgenerateBackupPoms=false -Pjboss-release
+### Prepare the release
 
-### Build
+    # mvn -Pjboss-release release:prepare
 
-    # mvn install install -Pdistribution
-    # mvn install -Pjboss-release -DskipTests
+### Perform the release
 
-### Tag
-
-    # git tag $VERSION
-    # git push --tags
+    # mvn -Pjboss-release release:perform
 
 ### Deploy to Nexus
 
-    # mvn deploy -DskipTests -Pjboss-release
-
 Then login to Nexus and release the maven uploads in the staging area. Artifacts will eventually be synced to Maven Central, but this can take up to 24 hours.
 
 ### Upload
@@ -51,7 +41,6 @@ Upload all artifacts to downloads.jboss.org (see https://mojo.redhat.com/docs/DO
     # git tag $VERSION
     # git push --tags
 
-
 ## After Release
 
 ### Update Bower

diff --git a/model/api/src/main/java/org/keycloak/migration/MigrationModel.java b/model/api/src/main/java/org/keycloak/migration/MigrationModel.java
index 792822e..beb2f98 100755
--- a/model/api/src/main/java/org/keycloak/migration/MigrationModel.java
+++ b/model/api/src/main/java/org/keycloak/migration/MigrationModel.java
@@ -11,7 +11,7 @@ public interface MigrationModel {
     /**
      * Must have the form of major.minor.micro as the version is parsed and numbers are compared
      */
-    public static final String LATEST_VERSION = "1.5.0";
+    public static final String LATEST_VERSION = "1.6.0";
 
     String getStoredVersion();
     void setStoredVersion(String version);

diff --git a/model/api/src/main/java/org/keycloak/migration/MigrationModelManager.java b/model/api/src/main/java/org/keycloak/migration/MigrationModelManager.java
index 61b6244..e5c9484 100755
--- a/model/api/src/main/java/org/keycloak/migration/MigrationModelManager.java
+++ b/model/api/src/main/java/org/keycloak/migration/MigrationModelManager.java
@@ -4,6 +4,7 @@ import org.jboss.logging.Logger;
 import org.keycloak.migration.migrators.MigrateTo1_3_0;
 import org.keycloak.migration.migrators.MigrateTo1_4_0;
 import org.keycloak.migration.migrators.MigrateTo1_5_0;
+import org.keycloak.migration.migrators.MigrateTo1_6_0;
 import org.keycloak.migration.migrators.MigrationTo1_2_0_CR1;
 import org.keycloak.models.KeycloakSession;
 
@@ -47,6 +48,12 @@ public class MigrationModelManager {
             }
             new MigrateTo1_5_0().migrate(session);
         }
+        if (stored == null || stored.lessThan(MigrateTo1_6_0.VERSION)) {
+            if (stored != null) {
+                logger.debug("Migrating older model to 1.6.0 updates");
+            }
+            new MigrateTo1_6_0().migrate(session);
+        }
 
         model.setStoredVersion(MigrationModel.LATEST_VERSION);
     }

diff --git a/model/api/src/main/java/org/keycloak/migration/migrators/MigrateTo1_6_0.java b/model/api/src/main/java/org/keycloak/migration/migrators/MigrateTo1_6_0.java
new file mode 100644
index 0000000..8010586
--- /dev/null
+++ b/model/api/src/main/java/org/keycloak/migration/migrators/MigrateTo1_6_0.java
@@ -0,0 +1,25 @@
+package org.keycloak.migration.migrators;
+
+import java.util.List;
+
+import org.keycloak.migration.ModelVersion;
+import org.keycloak.models.KeycloakSession;
+import org.keycloak.models.RealmModel;
+import org.keycloak.models.utils.KeycloakModelUtils;
+
+/**
+ * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
+ */
+public class MigrateTo1_6_0 {
+
+    public static final ModelVersion VERSION = new ModelVersion("1.6.0");
+
+    public void migrate(KeycloakSession session) {
+        List<RealmModel> realms = session.realms().getRealms();
+        for (RealmModel realm : realms) {
+            KeycloakModelUtils.setupOfflineTokens(realm);
+        }
+
+    }
+
+}

diff --git a/model/api/src/main/java/org/keycloak/migration/migrators/MigrationTo1_2_0_CR1.java b/model/api/src/main/java/org/keycloak/migration/migrators/MigrationTo1_2_0_CR1.java
index c9e10ad..1aa4929 100755
--- a/model/api/src/main/java/org/keycloak/migration/migrators/MigrationTo1_2_0_CR1.java
+++ b/model/api/src/main/java/org/keycloak/migration/migrators/MigrationTo1_2_0_CR1.java
@@ -5,6 +5,7 @@ import org.keycloak.models.ClientModel;
 import org.keycloak.models.Constants;
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.RealmModel;
+import org.keycloak.models.RoleModel;
 import org.keycloak.models.utils.KeycloakModelUtils;
 
 import java.util.List;
@@ -26,7 +27,9 @@ public class MigrationTo1_2_0_CR1 {
             client.setFullScopeAllowed(false);
 
             for (String role : Constants.BROKER_SERVICE_ROLES) {
-                client.addRole(role).setDescription("${role_"+ role.toLowerCase().replaceAll("_", "-") +"}");
+                RoleModel roleModel = client.addRole(role);
+                roleModel.setDescription("${role_" + role.toLowerCase().replaceAll("_", "-") + "}");
+                roleModel.setScopeParamRequired(false);
             }
         }
     }

diff --git a/model/api/src/main/java/org/keycloak/models/AuthenticationExecutionModel.java b/model/api/src/main/java/org/keycloak/models/AuthenticationExecutionModel.java
index acb3975..04c24a9 100755
--- a/model/api/src/main/java/org/keycloak/models/AuthenticationExecutionModel.java
+++ b/model/api/src/main/java/org/keycloak/models/AuthenticationExecutionModel.java
@@ -8,7 +8,6 @@ import java.io.Serializable;
 * @version $Revision: 1 $
 */
 public class AuthenticationExecutionModel implements Serializable {
-    private static final long serialVersionUID = 1L;
 
     public static class ExecutionComparator implements Comparator<AuthenticationExecutionModel> {
         public static final ExecutionComparator SINGLETON = new ExecutionComparator();

diff --git a/model/api/src/main/java/org/keycloak/models/AuthenticationFlowModel.java b/model/api/src/main/java/org/keycloak/models/AuthenticationFlowModel.java
index f538d30..1db5970 100755
--- a/model/api/src/main/java/org/keycloak/models/AuthenticationFlowModel.java
+++ b/model/api/src/main/java/org/keycloak/models/AuthenticationFlowModel.java
@@ -7,7 +7,6 @@ import java.io.Serializable;
  * @version $Revision: 1 $
  */
 public class AuthenticationFlowModel implements Serializable {
-    private static final long serialVersionUID = 1L;
 
     private String id;
     private String alias;

diff --git a/model/api/src/main/java/org/keycloak/models/AuthenticatorConfigModel.java b/model/api/src/main/java/org/keycloak/models/AuthenticatorConfigModel.java
index 9e7f46d..22e3cfa 100755
--- a/model/api/src/main/java/org/keycloak/models/AuthenticatorConfigModel.java
+++ b/model/api/src/main/java/org/keycloak/models/AuthenticatorConfigModel.java
@@ -9,7 +9,6 @@ import java.util.Map;
 * @version $Revision: 1 $
 */
 public class AuthenticatorConfigModel implements Serializable {
-    private static final long serialVersionUID = 1L;
 
     private String id;
     private String alias;

diff --git a/model/api/src/main/java/org/keycloak/models/Constants.java b/model/api/src/main/java/org/keycloak/models/Constants.java
index b1adbfa..5fe3189 100755
--- a/model/api/src/main/java/org/keycloak/models/Constants.java
+++ b/model/api/src/main/java/org/keycloak/models/Constants.java
@@ -1,5 +1,7 @@
 package org.keycloak.models;
 
+import org.keycloak.OAuth2Constants;
+
 /**
  * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
  * @version $Revision: 1 $
@@ -16,4 +18,5 @@ public interface Constants {
     String INSTALLED_APP_URL = "http://localhost";
     String READ_TOKEN_ROLE = "read-token";
     String[] BROKER_SERVICE_ROLES = {READ_TOKEN_ROLE};
+    String OFFLINE_ACCESS_ROLE = OAuth2Constants.OFFLINE_ACCESS;
 }

diff --git a/model/api/src/main/java/org/keycloak/models/entities/OfflineClientSessionEntity.java b/model/api/src/main/java/org/keycloak/models/entities/OfflineClientSessionEntity.java
new file mode 100644
index 0000000..69ad60b
--- /dev/null
+++ b/model/api/src/main/java/org/keycloak/models/entities/OfflineClientSessionEntity.java
@@ -0,0 +1,35 @@
+package org.keycloak.models.entities;
+
+/**
+ * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
+ */
+public class OfflineClientSessionEntity {
+
+    private String clientSessionId;
+    private String clientId;
+    private String data;
+
+    public String getClientSessionId() {
+        return clientSessionId;
+    }
+
+    public void setClientSessionId(String clientSessionId) {
+        this.clientSessionId = clientSessionId;
+    }
+
+    public String getClientId() {
+        return clientId;
+    }
+
+    public void setClientId(String clientId) {
+        this.clientId = clientId;
+    }
+
+    public String getData() {
+        return data;
+    }
+
+    public void setData(String data) {
+        this.data = data;
+    }
+}

diff --git a/model/api/src/main/java/org/keycloak/models/entities/OfflineUserSessionEntity.java b/model/api/src/main/java/org/keycloak/models/entities/OfflineUserSessionEntity.java
new file mode 100644
index 0000000..e785898
--- /dev/null
+++ b/model/api/src/main/java/org/keycloak/models/entities/OfflineUserSessionEntity.java
@@ -0,0 +1,37 @@
+package org.keycloak.models.entities;
+
+import java.util.List;
+
+/**
+ * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
+ */
+public class OfflineUserSessionEntity {
+
+    private String userSessionId;
+    private String data;
+    private List<OfflineClientSessionEntity> offlineClientSessions;
+
+    public String getUserSessionId() {
+        return userSessionId;
+    }
+
+    public void setUserSessionId(String userSessionId) {
+        this.userSessionId = userSessionId;
+    }
+
+    public String getData() {
+        return data;
+    }
+
+    public void setData(String data) {
+        this.data = data;
+    }
+
+    public List<OfflineClientSessionEntity> getOfflineClientSessions() {
+        return offlineClientSessions;
+    }
+
+    public void setOfflineClientSessions(List<OfflineClientSessionEntity> offlineClientSessions) {
+        this.offlineClientSessions = offlineClientSessions;
+    }
+}

diff --git a/model/api/src/main/java/org/keycloak/models/entities/RoleEntity.java b/model/api/src/main/java/org/keycloak/models/entities/RoleEntity.java
index a610d39..4b4551e 100644
--- a/model/api/src/main/java/org/keycloak/models/entities/RoleEntity.java
+++ b/model/api/src/main/java/org/keycloak/models/entities/RoleEntity.java
@@ -9,6 +9,7 @@ public class RoleEntity extends AbstractIdentifiableEntity {
 
     private String name;
     private String description;
+    private boolean scopeParamRequired;
 
     private List<String> compositeRoleIds;
 
@@ -31,6 +32,14 @@ public class RoleEntity extends AbstractIdentifiableEntity {
         this.description = description;
     }
 
+    public boolean isScopeParamRequired() {
+        return scopeParamRequired;
+    }
+
+    public void setScopeParamRequired(boolean scopeParamRequired) {
+        this.scopeParamRequired = scopeParamRequired;
+    }
+
     public List<String> getCompositeRoleIds() {
         return compositeRoleIds;
     }

diff --git a/model/api/src/main/java/org/keycloak/models/entities/UserEntity.java b/model/api/src/main/java/org/keycloak/models/entities/UserEntity.java
index 8c82a8e..66020db 100755
--- a/model/api/src/main/java/org/keycloak/models/entities/UserEntity.java
+++ b/model/api/src/main/java/org/keycloak/models/entities/UserEntity.java
@@ -28,6 +28,7 @@ public class UserEntity extends AbstractIdentifiableEntity {
     private List<FederatedIdentityEntity> federatedIdentities;
     private String federationLink;
     private String serviceAccountClientLink;
+    private List<OfflineUserSessionEntity> offlineUserSessions;
 
     public String getUsername() {
         return username;
@@ -157,5 +158,13 @@ public class UserEntity extends AbstractIdentifiableEntity {
     public void setServiceAccountClientLink(String serviceAccountClientLink) {
         this.serviceAccountClientLink = serviceAccountClientLink;
     }
+
+    public List<OfflineUserSessionEntity> getOfflineUserSessions() {
+        return offlineUserSessions;
+    }
+
+    public void setOfflineUserSessions(List<OfflineUserSessionEntity> offlineUserSessions) {
+        this.offlineUserSessions = offlineUserSessions;
+    }
 }
 

diff --git a/model/api/src/main/java/org/keycloak/models/IdentityProviderMapperModel.java b/model/api/src/main/java/org/keycloak/models/IdentityProviderMapperModel.java
index e3acf7f..781268e 100755
--- a/model/api/src/main/java/org/keycloak/models/IdentityProviderMapperModel.java
+++ b/model/api/src/main/java/org/keycloak/models/IdentityProviderMapperModel.java
@@ -10,7 +10,6 @@ import java.util.Map;
  * @version $Revision: 1 $
  */
 public class IdentityProviderMapperModel implements Serializable {
-    private static final long serialVersionUID = 1L;
 
     protected String id;
     protected String name;

diff --git a/model/api/src/main/java/org/keycloak/models/IdentityProviderModel.java b/model/api/src/main/java/org/keycloak/models/IdentityProviderModel.java
index 363ae52..fa3eb71 100755
--- a/model/api/src/main/java/org/keycloak/models/IdentityProviderModel.java
+++ b/model/api/src/main/java/org/keycloak/models/IdentityProviderModel.java
@@ -30,7 +30,6 @@ import org.keycloak.representations.idm.IdentityProviderRepresentation;
  * @author Pedro Igor
  */
 public class IdentityProviderModel implements Serializable {
-    private static final long serialVersionUID = 1L;
 
     private String internalId;
 

diff --git a/model/api/src/main/java/org/keycloak/models/ImpersonationConstants.java b/model/api/src/main/java/org/keycloak/models/ImpersonationConstants.java
index 274e7a6..54f212a 100755
--- a/model/api/src/main/java/org/keycloak/models/ImpersonationConstants.java
+++ b/model/api/src/main/java/org/keycloak/models/ImpersonationConstants.java
@@ -26,6 +26,7 @@ public class ImpersonationConstants {
         if (realmAdminApp.getRole(IMPERSONATION_ROLE) != null) return;
         RoleModel impersonationRole = realmAdminApp.addRole(IMPERSONATION_ROLE);
         impersonationRole.setDescription("${role_" + IMPERSONATION_ROLE + "}");
+        impersonationRole.setScopeParamRequired(false);
         adminRole.addCompositeRole(impersonationRole);
     }
 
@@ -36,6 +37,7 @@ public class ImpersonationConstants {
         if (realmAdminApp.getRole(IMPERSONATION_ROLE) != null) return;
         RoleModel impersonationRole = realmAdminApp.addRole(IMPERSONATION_ROLE);
         impersonationRole.setDescription("${role_" + IMPERSONATION_ROLE + "}");
+        impersonationRole.setScopeParamRequired(false);
         RoleModel adminRole = realmAdminApp.getRole(AdminRoles.REALM_ADMIN);
         adminRole.addCompositeRole(impersonationRole);
     }

diff --git a/model/api/src/main/java/org/keycloak/models/OfflineClientSessionModel.java b/model/api/src/main/java/org/keycloak/models/OfflineClientSessionModel.java
new file mode 100644
index 0000000..47ae23a
--- /dev/null
+++ b/model/api/src/main/java/org/keycloak/models/OfflineClientSessionModel.java
@@ -0,0 +1,44 @@
+package org.keycloak.models;
+
+/**
+ * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
+ */
+public class OfflineClientSessionModel {
+
+    private String clientSessionId;
+    private String userSessionId;
+    private String clientId;
+    private String data;
+
+    public String getClientSessionId() {
+        return clientSessionId;
+    }
+
+    public void setClientSessionId(String clientSessionId) {
+        this.clientSessionId = clientSessionId;
+    }
+
+    public String getUserSessionId() {
+        return userSessionId;
+    }
+
+    public void setUserSessionId(String userSessionId) {
+        this.userSessionId = userSessionId;
+    }
+
+    public String getClientId() {
+        return clientId;
+    }
+
+    public void setClientId(String clientId) {
+        this.clientId = clientId;
+    }
+
+    public String getData() {
+        return data;
+    }
+
+    public void setData(String data) {
+        this.data = data;
+    }
+}

diff --git a/model/api/src/main/java/org/keycloak/models/OfflineUserSessionModel.java b/model/api/src/main/java/org/keycloak/models/OfflineUserSessionModel.java
new file mode 100644
index 0000000..9907783
--- /dev/null
+++ b/model/api/src/main/java/org/keycloak/models/OfflineUserSessionModel.java
@@ -0,0 +1,26 @@
+package org.keycloak.models;
+
+/**
+ * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
+ */
+public class OfflineUserSessionModel {
+
+    private String userSessionId;
+    private String data;
+
+    public String getUserSessionId() {
+        return userSessionId;
+    }
+
+    public void setUserSessionId(String userSessionId) {
+        this.userSessionId = userSessionId;
+    }
+
+    public String getData() {
+        return data;
+    }
+
+    public void setData(String data) {
+        this.data = data;
+    }
+}

diff --git a/model/api/src/main/java/org/keycloak/models/PasswordPolicy.java b/model/api/src/main/java/org/keycloak/models/PasswordPolicy.java
index 5bdae2c..aff7d37 100755
--- a/model/api/src/main/java/org/keycloak/models/PasswordPolicy.java
+++ b/model/api/src/main/java/org/keycloak/models/PasswordPolicy.java
@@ -15,7 +15,6 @@ import java.util.regex.Pattern;
  * @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
  */
 public class PasswordPolicy implements Serializable {
-    private static final long serialVersionUID = 1L;
 
     public static final String INVALID_PASSWORD_MIN_LENGTH_MESSAGE = "invalidPasswordMinLengthMessage";
     public static final String INVALID_PASSWORD_MIN_DIGITS_MESSAGE = "invalidPasswordMinDigitsMessage";

diff --git a/model/api/src/main/java/org/keycloak/models/ProtocolMapperModel.java b/model/api/src/main/java/org/keycloak/models/ProtocolMapperModel.java
index 60d528b..06f264b 100755
--- a/model/api/src/main/java/org/keycloak/models/ProtocolMapperModel.java
+++ b/model/api/src/main/java/org/keycloak/models/ProtocolMapperModel.java
@@ -10,7 +10,6 @@ import java.util.Map;
  * @version $Revision: 1 $
  */
 public class ProtocolMapperModel implements Serializable {
-    private static final long serialVersionUID = 1L;
 
     protected String id;
     protected String name;

diff --git a/model/api/src/main/java/org/keycloak/models/RequiredCredentialModel.java b/model/api/src/main/java/org/keycloak/models/RequiredCredentialModel.java
index 84cf92c..2aea1e2 100755
--- a/model/api/src/main/java/org/keycloak/models/RequiredCredentialModel.java
+++ b/model/api/src/main/java/org/keycloak/models/RequiredCredentialModel.java
@@ -10,7 +10,6 @@ import java.util.Map;
  * @version $Revision: 1 $
  */
 public class RequiredCredentialModel implements Serializable {
-    private static final long serialVersionUID = 1L;
 
     protected String type;
     protected boolean input;

diff --git a/model/api/src/main/java/org/keycloak/models/RoleModel.java b/model/api/src/main/java/org/keycloak/models/RoleModel.java
index c296795..9904a16 100755
--- a/model/api/src/main/java/org/keycloak/models/RoleModel.java
+++ b/model/api/src/main/java/org/keycloak/models/RoleModel.java
@@ -17,6 +17,10 @@ public interface RoleModel {
 
     void setName(String name);
 
+    boolean isScopeParamRequired();
+
+    void setScopeParamRequired(boolean scopeParamRequired);
+
     boolean isComposite();
 
     void addCompositeRole(RoleModel role);

diff --git a/model/api/src/main/java/org/keycloak/models/UserFederationMapperModel.java b/model/api/src/main/java/org/keycloak/models/UserFederationMapperModel.java
index ea08a58..e63ed2c 100644
--- a/model/api/src/main/java/org/keycloak/models/UserFederationMapperModel.java
+++ b/model/api/src/main/java/org/keycloak/models/UserFederationMapperModel.java
@@ -7,7 +7,6 @@ import java.util.Map;
  * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
  */
 public class UserFederationMapperModel implements Serializable {
-    private static final long serialVersionUID = 1L;
 
     protected String id;
     protected String name;

diff --git a/model/api/src/main/java/org/keycloak/models/UserFederationProviderModel.java b/model/api/src/main/java/org/keycloak/models/UserFederationProviderModel.java
index 4f5feda..9780766 100755
--- a/model/api/src/main/java/org/keycloak/models/UserFederationProviderModel.java
+++ b/model/api/src/main/java/org/keycloak/models/UserFederationProviderModel.java
@@ -11,7 +11,6 @@ import java.util.Map;
  * @author <a href="mailto:bburke@redhat.com">Bill Burke</a>
  */
 public class UserFederationProviderModel implements Serializable {
-    private static final long serialVersionUID = 1L;
 
     private String id;
     private String providerName;

diff --git a/model/api/src/main/java/org/keycloak/models/UserModel.java b/model/api/src/main/java/org/keycloak/models/UserModel.java
index 3282e61..51e8fc4 100755
--- a/model/api/src/main/java/org/keycloak/models/UserModel.java
+++ b/model/api/src/main/java/org/keycloak/models/UserModel.java
@@ -1,5 +1,6 @@
 package org.keycloak.models;
 
+import java.util.Collection;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
@@ -113,6 +114,15 @@ public interface UserModel {
     void updateConsent(UserConsentModel consent);
     boolean revokeConsentForClient(String clientInternalId);
 
+    void addOfflineUserSession(OfflineUserSessionModel offlineUserSession);
+    OfflineUserSessionModel getOfflineUserSession(String userSessionId);
+    Collection<OfflineUserSessionModel> getOfflineUserSessions();
+    boolean removeOfflineUserSession(String userSessionId);
+    void addOfflineClientSession(OfflineClientSessionModel offlineClientSession);
+    OfflineClientSessionModel getOfflineClientSession(String clientSessionId);
+    Collection<OfflineClientSessionModel> getOfflineClientSessions();
+    boolean removeOfflineClientSession(String clientSessionId);
+
     public static enum RequiredAction {
         VERIFY_EMAIL, UPDATE_PROFILE, CONFIGURE_TOTP, UPDATE_PASSWORD
     }

diff --git a/model/api/src/main/java/org/keycloak/models/UserSessionModel.java b/model/api/src/main/java/org/keycloak/models/UserSessionModel.java
index ff3f19a..12ebd70 100755
--- a/model/api/src/main/java/org/keycloak/models/UserSessionModel.java
+++ b/model/api/src/main/java/org/keycloak/models/UserSessionModel.java
@@ -40,6 +40,7 @@ public interface UserSessionModel {
     public String getNote(String name);
     public void setNote(String name, String value);
     public void removeNote(String name);
+    public Map<String, String> getNotes();
 
     State getState();
     void setState(State state);

diff --git a/model/api/src/main/java/org/keycloak/models/utils/KeycloakModelUtils.java b/model/api/src/main/java/org/keycloak/models/utils/KeycloakModelUtils.java
index b64ebb0..846269e 100755
--- a/model/api/src/main/java/org/keycloak/models/utils/KeycloakModelUtils.java
+++ b/model/api/src/main/java/org/keycloak/models/utils/KeycloakModelUtils.java
@@ -4,6 +4,7 @@ import org.bouncycastle.openssl.PEMWriter;
 import org.keycloak.constants.KerberosConstants;
 import org.keycloak.constants.ServiceAccountConstants;
 import org.keycloak.models.ClientModel;
+import org.keycloak.models.Constants;
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.KeycloakSessionFactory;
 import org.keycloak.models.KeycloakSessionTask;
@@ -360,4 +361,13 @@ public final class KeycloakModelUtils {
     public static String toLowerCaseSafe(String str) {
         return str==null ? null : str.toLowerCase();
     }
+
+    public static void setupOfflineTokens(RealmModel realm) {
+        if (realm.getRole(Constants.OFFLINE_ACCESS_ROLE) == null) {
+            RoleModel role = realm.addRole(Constants.OFFLINE_ACCESS_ROLE);
+            role.setDescription("${role_offline-access}");
+            role.setScopeParamRequired(true);
+            realm.addDefaultRole(Constants.OFFLINE_ACCESS_ROLE);
+        }
+    }
 }

diff --git a/model/api/src/main/java/org/keycloak/models/utils/ModelToRepresentation.java b/model/api/src/main/java/org/keycloak/models/utils/ModelToRepresentation.java
index bf2360e..b71fce9 100755
--- a/model/api/src/main/java/org/keycloak/models/utils/ModelToRepresentation.java
+++ b/model/api/src/main/java/org/keycloak/models/utils/ModelToRepresentation.java
@@ -89,6 +89,7 @@ public class ModelToRepresentation {
         rep.setId(role.getId());
         rep.setName(role.getName());
         rep.setDescription(role.getDescription());
+        rep.setScopeParamRequired(role.isScopeParamRequired());
         rep.setComposite(role.isComposite());
         return rep;
     }

diff --git a/model/api/src/main/java/org/keycloak/models/utils/RepresentationToModel.java b/model/api/src/main/java/org/keycloak/models/utils/RepresentationToModel.java
index 811655b..77ae66e 100755
--- a/model/api/src/main/java/org/keycloak/models/utils/RepresentationToModel.java
+++ b/model/api/src/main/java/org/keycloak/models/utils/RepresentationToModel.java
@@ -181,6 +181,8 @@ public class RepresentationToModel {
                         // Application role may already exists (for example if it is defaultRole)
                         RoleModel role = roleRep.getId()!=null ? client.addRole(roleRep.getId(), roleRep.getName()) : client.addRole(roleRep.getName());
                         role.setDescription(roleRep.getDescription());
+                        boolean scopeParamRequired = roleRep.isScopeParamRequired()==null ? false : roleRep.isScopeParamRequired();
+                        role.setScopeParamRequired(scopeParamRequired);
                     }
                 }
             }
@@ -633,6 +635,8 @@ public class RepresentationToModel {
     public static void createRole(RealmModel newRealm, RoleRepresentation roleRep) {
         RoleModel role = roleRep.getId()!=null ? newRealm.addRole(roleRep.getId(), roleRep.getName()) : newRealm.addRole(roleRep.getName());
         if (roleRep.getDescription() != null) role.setDescription(roleRep.getDescription());
+        boolean scopeParamRequired = roleRep.isScopeParamRequired() == null ? false : roleRep.isScopeParamRequired();
+        role.setScopeParamRequired(scopeParamRequired);
     }
 
     private static void addComposites(RoleModel role, RoleRepresentation roleRep, RealmModel realm) {

diff --git a/model/api/src/main/java/org/keycloak/models/utils/UserModelDelegate.java b/model/api/src/main/java/org/keycloak/models/utils/UserModelDelegate.java
index 4cd162b..f727c75 100755
--- a/model/api/src/main/java/org/keycloak/models/utils/UserModelDelegate.java
+++ b/model/api/src/main/java/org/keycloak/models/utils/UserModelDelegate.java
@@ -1,12 +1,15 @@
 package org.keycloak.models.utils;
 
 import org.keycloak.models.ClientModel;
+import org.keycloak.models.OfflineClientSessionModel;
+import org.keycloak.models.OfflineUserSessionModel;
 import org.keycloak.models.UserConsentModel;
 import org.keycloak.models.RoleModel;
 import org.keycloak.models.UserCredentialModel;
 import org.keycloak.models.UserCredentialValueModel;
 import org.keycloak.models.UserModel;
 
+import java.util.Collection;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
@@ -255,4 +258,44 @@ public class UserModelDelegate implements UserModel {
     public void setCreatedTimestamp(Long timestamp){
         delegate.setCreatedTimestamp(timestamp);
     }
+
+    @Override
+    public void addOfflineUserSession(OfflineUserSessionModel userSession) {
+        delegate.addOfflineUserSession(userSession);
+    }
+
+    @Override
+    public OfflineUserSessionModel getOfflineUserSession(String userSessionId) {
+        return delegate.getOfflineUserSession(userSessionId);
+    }
+
+    @Override
+    public Collection<OfflineUserSessionModel> getOfflineUserSessions() {
+        return delegate.getOfflineUserSessions();
+    }
+
+    @Override
+    public boolean removeOfflineUserSession(String userSessionId) {
+        return delegate.removeOfflineUserSession(userSessionId);
+    }
+
+    @Override
+    public void addOfflineClientSession(OfflineClientSessionModel clientSession) {
+        delegate.addOfflineClientSession(clientSession);
+    }
+
+    @Override
+    public OfflineClientSessionModel getOfflineClientSession(String clientSessionId) {
+        return delegate.getOfflineClientSession(clientSessionId);
+    }
+
+    @Override
+    public Collection<OfflineClientSessionModel> getOfflineClientSessions() {
+        return delegate.getOfflineClientSessions();
+    }
+
+    @Override
+    public boolean removeOfflineClientSession(String clientSessionId) {
+        return delegate.removeOfflineClientSession(clientSessionId);
+    }
 }

diff --git a/model/file/src/main/java/org/keycloak/models/file/adapter/RoleAdapter.java b/model/file/src/main/java/org/keycloak/models/file/adapter/RoleAdapter.java
index 9448def..7706459 100755
--- a/model/file/src/main/java/org/keycloak/models/file/adapter/RoleAdapter.java
+++ b/model/file/src/main/java/org/keycloak/models/file/adapter/RoleAdapter.java
@@ -89,6 +89,16 @@ public class RoleAdapter implements RoleModel {
     }
 
     @Override
+    public boolean isScopeParamRequired() {
+        return role.isScopeParamRequired();
+    }
+
+    @Override
+    public void setScopeParamRequired(boolean scopeParamRequired) {
+        role.setScopeParamRequired(scopeParamRequired);
+    }
+
+    @Override
     public boolean isComposite() {
         return role.getCompositeRoleIds() != null && role.getCompositeRoleIds().size() > 0;
     }

diff --git a/model/file/src/main/java/org/keycloak/models/file/adapter/UserAdapter.java b/model/file/src/main/java/org/keycloak/models/file/adapter/UserAdapter.java
index 7461cbd..d89ce63 100755
--- a/model/file/src/main/java/org/keycloak/models/file/adapter/UserAdapter.java
+++ b/model/file/src/main/java/org/keycloak/models/file/adapter/UserAdapter.java
@@ -22,7 +22,10 @@ import org.keycloak.models.ClientModel;
 import static org.keycloak.models.utils.Pbkdf2PasswordEncoder.getSalt;
 
 import org.keycloak.models.ModelDuplicateException;
+import org.keycloak.models.ModelException;
 import org.keycloak.models.OTPPolicy;
+import org.keycloak.models.OfflineClientSessionModel;
+import org.keycloak.models.OfflineUserSessionModel;
 import org.keycloak.models.UserConsentModel;
 import org.keycloak.models.PasswordPolicy;
 import org.keycloak.models.RealmModel;
@@ -32,6 +35,8 @@ import org.keycloak.models.UserCredentialValueModel;
 import org.keycloak.models.UserModel;
 import org.keycloak.models.entities.CredentialEntity;
 import org.keycloak.models.entities.FederatedIdentityEntity;
+import org.keycloak.models.entities.OfflineClientSessionEntity;
+import org.keycloak.models.entities.OfflineUserSessionEntity;
 import org.keycloak.models.entities.RoleEntity;
 import org.keycloak.models.entities.UserEntity;
 import org.keycloak.models.utils.KeycloakModelUtils;
@@ -39,6 +44,7 @@ import org.keycloak.models.utils.Pbkdf2PasswordEncoder;
 import org.keycloak.util.Time;
 
 import java.util.ArrayList;
+import java.util.Collection;
 import java.util.Collections;
 import java.util.Comparator;
 import java.util.HashMap;
@@ -216,7 +222,7 @@ public class UserAdapter implements UserModel, Comparable {
 
     @Override
     public Map<String, List<String>> getAttributes() {
-        return user.getAttributes()==null ? Collections.<String, List<String>>emptyMap() : Collections.unmodifiableMap((Map)user.getAttributes());
+        return user.getAttributes()==null ? Collections.<String, List<String>>emptyMap() : Collections.unmodifiableMap((Map) user.getAttributes());
     }
 
     @Override
@@ -569,6 +575,142 @@ public class UserAdapter implements UserModel, Comparable {
     }
 
     @Override
+    public void addOfflineUserSession(OfflineUserSessionModel userSession) {
+        if (user.getOfflineUserSessions() == null) {
+            user.setOfflineUserSessions(new ArrayList<OfflineUserSessionEntity>());
+        }
+
+        if (getUserSessionEntityById(userSession.getUserSessionId()) != null) {
+            throw new ModelDuplicateException("User session already exists with id " + userSession.getUserSessionId() + " for user " + user.getUsername());
+        }
+
+        OfflineUserSessionEntity entity = new OfflineUserSessionEntity();
+        entity.setUserSessionId(userSession.getUserSessionId());
+        entity.setData(userSession.getData());
+        entity.setOfflineClientSessions(new ArrayList<OfflineClientSessionEntity>());
+        user.getOfflineUserSessions().add(entity);
+    }
+
+    @Override
+    public OfflineUserSessionModel getOfflineUserSession(String userSessionId) {
+        OfflineUserSessionEntity entity = getUserSessionEntityById(userSessionId);
+        return entity==null ? null : toModel(entity);
+    }
+
+    @Override
+    public Collection<OfflineUserSessionModel> getOfflineUserSessions() {
+        if (user.getOfflineUserSessions()==null) {
+            return Collections.emptyList();
+        } else {
+            List<OfflineUserSessionModel> result = new ArrayList<>();
+            for (OfflineUserSessionEntity entity : user.getOfflineUserSessions()) {
+                result.add(toModel(entity));
+            }
+            return result;
+        }
+    }
+
+    private OfflineUserSessionModel toModel(OfflineUserSessionEntity entity) {
+        OfflineUserSessionModel model = new OfflineUserSessionModel();
+        model.setUserSessionId(entity.getUserSessionId());
+        model.setData(entity.getData());
+        return model;
+    }
+
+    @Override
+    public boolean removeOfflineUserSession(String userSessionId) {
+        OfflineUserSessionEntity entity = getUserSessionEntityById(userSessionId);
+        if (entity != null) {
+            user.getOfflineUserSessions().remove(entity);
+            return true;
+        } else {
+            return false;
+        }
+    }
+
+    private OfflineUserSessionEntity getUserSessionEntityById(String userSessionId) {
+        if (user.getOfflineUserSessions() != null) {
+            for (OfflineUserSessionEntity entity : user.getOfflineUserSessions()) {
+                if (entity.getUserSessionId().equals(userSessionId)) {
+                    return entity;
+                }
+            }
+        }
+        return null;
+    }
+
+    @Override
+    public void addOfflineClientSession(OfflineClientSessionModel clientSession) {
+        OfflineUserSessionEntity userSessionEntity = getUserSessionEntityById(clientSession.getUserSessionId());
+        if (userSessionEntity == null) {
+            throw new ModelException("OfflineUserSession with ID " + clientSession.getUserSessionId() + " doesn't exist for user " + user.getUsername());
+        }
+
+        OfflineClientSessionEntity clEntity = new OfflineClientSessionEntity();
+        clEntity.setClientSessionId(clientSession.getClientSessionId());
+        clEntity.setClientId(clientSession.getClientId());
+        clEntity.setData(clientSession.getData());
+
+        userSessionEntity.getOfflineClientSessions().add(clEntity);
+    }
+
+    @Override
+    public OfflineClientSessionModel getOfflineClientSession(String clientSessionId) {
+        if (user.getOfflineUserSessions() != null) {
+            for (OfflineUserSessionEntity userSession : user.getOfflineUserSessions()) {
+                for (OfflineClientSessionEntity clSession : userSession.getOfflineClientSessions()) {
+                    if (clSession.getClientSessionId().equals(clientSessionId)) {
+                        return toModel(clSession, userSession.getUserSessionId());
+                    }
+                }
+            }
+        }
+
+        return null;
+    }
+
+    private OfflineClientSessionModel toModel(OfflineClientSessionEntity cls, String userSessionId) {
+        OfflineClientSessionModel model = new OfflineClientSessionModel();
+        model.setClientSessionId(cls.getClientSessionId());
+        model.setClientId(cls.getClientId());
+        model.setData(cls.getData());
+        model.setUserSessionId(userSessionId);
+        return model;
+    }
+
+    @Override
+    public Collection<OfflineClientSessionModel> getOfflineClientSessions() {
+        List<OfflineClientSessionModel> result = new ArrayList<>();
+
+        if (user.getOfflineUserSessions() != null) {
+            for (OfflineUserSessionEntity userSession : user.getOfflineUserSessions()) {
+                for (OfflineClientSessionEntity clSession : userSession.getOfflineClientSessions()) {
+                    result.add(toModel(clSession, userSession.getUserSessionId()));
+                }
+            }
+        }
+
+        return result;
+    }
+
+    @Override
+    public boolean removeOfflineClientSession(String clientSessionId) {
+        if (user.getOfflineUserSessions() != null) {
+            for (OfflineUserSessionEntity userSession : user.getOfflineUserSessions()) {
+                for (OfflineClientSessionEntity clSession : userSession.getOfflineClientSessions()) {
+                    if (clSession.getClientSessionId().equals(clientSessionId)) {
+                        userSession.getOfflineClientSessions().remove(clSession);
+                        return true;
+                    }
+                }
+            }
+        }
+
+        return false;
+    }
+
+
+    @Override
     public boolean equals(Object o) {
         if (this == o) return true;
         if (o == null || !(o instanceof UserModel)) return false;

diff --git a/model/invalidation-cache/infinispan/src/main/java/org/keycloak/models/cache/infinispan/DefaultCacheUserProvider.java b/model/invalidation-cache/infinispan/src/main/java/org/keycloak/models/cache/infinispan/DefaultCacheUserProvider.java
index 68b31ed..df7c144 100644
--- a/model/invalidation-cache/infinispan/src/main/java/org/keycloak/models/cache/infinispan/DefaultCacheUserProvider.java
+++ b/model/invalidation-cache/infinispan/src/main/java/org/keycloak/models/cache/infinispan/DefaultCacheUserProvider.java
@@ -319,6 +319,7 @@ public class DefaultCacheUserProvider implements CacheUserProvider {
 
     @Override
     public void preRemove(RealmModel realm, ClientModel client) {
+        realmInvalidations.add(realm.getId()); // easier to just invalidate whole realm
         getDelegate().preRemove(realm, client);
     }
 

diff --git a/model/invalidation-cache/infinispan/src/main/java/org/keycloak/models/cache/infinispan/RoleAdapter.java b/model/invalidation-cache/infinispan/src/main/java/org/keycloak/models/cache/infinispan/RoleAdapter.java
index 536c2ef..861c252 100755
--- a/model/invalidation-cache/infinispan/src/main/java/org/keycloak/models/cache/infinispan/RoleAdapter.java
+++ b/model/invalidation-cache/infinispan/src/main/java/org/keycloak/models/cache/infinispan/RoleAdapter.java
@@ -60,6 +60,18 @@ public class RoleAdapter implements RoleModel {
     }
 
     @Override
+    public boolean isScopeParamRequired() {
+        if (updated != null) return updated.isScopeParamRequired();
+        return cached.isScopeParamRequired();
+    }
+
+    @Override
+    public void setScopeParamRequired(boolean scopeParamRequired) {
+        getDelegateForUpdate();
+        updated.setScopeParamRequired(scopeParamRequired);
+    }
+
+    @Override
     public String getId() {
         if (updated != null) return updated.getId();
         return cached.getId();

diff --git a/model/invalidation-cache/infinispan/src/main/java/org/keycloak/models/cache/infinispan/UserAdapter.java b/model/invalidation-cache/infinispan/src/main/java/org/keycloak/models/cache/infinispan/UserAdapter.java
index 5a74b01..769f1b4 100755
--- a/model/invalidation-cache/infinispan/src/main/java/org/keycloak/models/cache/infinispan/UserAdapter.java
+++ b/model/invalidation-cache/infinispan/src/main/java/org/keycloak/models/cache/infinispan/UserAdapter.java
@@ -348,4 +348,52 @@ public class UserAdapter implements UserModel {
         getDelegateForUpdate();
         return updated.revokeConsentForClient(clientId);
     }
+
+    @Override
+    public void addOfflineUserSession(OfflineUserSessionModel userSession) {
+        getDelegateForUpdate();
+        updated.addOfflineUserSession(userSession);
+    }
+
+    @Override
+    public OfflineUserSessionModel getOfflineUserSession(String userSessionId) {
+        if (updated != null) return updated.getOfflineUserSession(userSessionId);
+        return cached.getOfflineUserSessions().get(userSessionId);
+    }
+
+    @Override
+    public Collection<OfflineUserSessionModel> getOfflineUserSessions() {
+        if (updated != null) return updated.getOfflineUserSessions();
+        return cached.getOfflineUserSessions().values();
+    }
+
+    @Override
+    public boolean removeOfflineUserSession(String userSessionId) {
+        getDelegateForUpdate();
+        return updated.removeOfflineUserSession(userSessionId);
+    }
+
+    @Override
+    public void addOfflineClientSession(OfflineClientSessionModel clientSession) {
+        getDelegateForUpdate();
+        updated.addOfflineClientSession(clientSession);
+    }
+
+    @Override
+    public OfflineClientSessionModel getOfflineClientSession(String clientSessionId) {
+        if (updated != null) return updated.getOfflineClientSession(clientSessionId);
+        return cached.getOfflineClientSessions().get(clientSessionId);
+    }
+
+    @Override
+    public Collection<OfflineClientSessionModel> getOfflineClientSessions() {
+        if (updated != null) return updated.getOfflineClientSessions();
+        return cached.getOfflineClientSessions().values();
+    }
+
+    @Override
+    public boolean removeOfflineClientSession(String clientSessionId) {
+        getDelegateForUpdate();
+        return updated.removeOfflineClientSession(clientSessionId);
+    }
 }

diff --git a/model/invalidation-cache/model-adapters/src/main/java/org/keycloak/models/cache/entities/CachedClient.java b/model/invalidation-cache/model-adapters/src/main/java/org/keycloak/models/cache/entities/CachedClient.java
index 25749c3..11447d0 100755
--- a/model/invalidation-cache/model-adapters/src/main/java/org/keycloak/models/cache/entities/CachedClient.java
+++ b/model/invalidation-cache/model-adapters/src/main/java/org/keycloak/models/cache/entities/CachedClient.java
@@ -21,7 +21,6 @@ import java.util.TreeMap;
  * @version $Revision: 1 $
  */
 public class CachedClient implements Serializable {
-    private static final long serialVersionUID = 1L;
 
     private String id;
     private String clientId;

diff --git a/model/invalidation-cache/model-adapters/src/main/java/org/keycloak/models/cache/entities/CachedClientRole.java b/model/invalidation-cache/model-adapters/src/main/java/org/keycloak/models/cache/entities/CachedClientRole.java
index da97671..cc1a207 100755
--- a/model/invalidation-cache/model-adapters/src/main/java/org/keycloak/models/cache/entities/CachedClientRole.java
+++ b/model/invalidation-cache/model-adapters/src/main/java/org/keycloak/models/cache/entities/CachedClientRole.java
@@ -9,8 +9,6 @@ import org.keycloak.models.RoleModel;
  */
 public class CachedClientRole extends CachedRole {
 
-    private static final long serialVersionUID = 1L;
-
     private final String idClient;
 
     public CachedClientRole(String idClient, RoleModel model, RealmModel realm) {

diff --git a/model/invalidation-cache/model-adapters/src/main/java/org/keycloak/models/cache/entities/CachedRealm.java b/model/invalidation-cache/model-adapters/src/main/java/org/keycloak/models/cache/entities/CachedRealm.java
index 3d96870..27bab74 100755
--- a/model/invalidation-cache/model-adapters/src/main/java/org/keycloak/models/cache/entities/CachedRealm.java
+++ b/model/invalidation-cache/model-adapters/src/main/java/org/keycloak/models/cache/entities/CachedRealm.java
@@ -33,7 +33,6 @@ import java.util.Set;
  * @version $Revision: 1 $
  */
 public class CachedRealm implements Serializable {
-    private static final long serialVersionUID = 1L;
 
     private String id;
     private String name;

diff --git a/model/invalidation-cache/model-adapters/src/main/java/org/keycloak/models/cache/entities/CachedRole.java b/model/invalidation-cache/model-adapters/src/main/java/org/keycloak/models/cache/entities/CachedRole.java
index 3fb7332..1bbaa5c 100755
--- a/model/invalidation-cache/model-adapters/src/main/java/org/keycloak/models/cache/entities/CachedRole.java
+++ b/model/invalidation-cache/model-adapters/src/main/java/org/keycloak/models/cache/entities/CachedRole.java
@@ -13,12 +13,11 @@ import java.util.Set;
  */
 public class CachedRole implements Serializable {
 
-    private static final long serialVersionUID = 1L;
-
     final protected String id;
     final protected String name;
     final protected String realm;
     final protected String description;
+    final protected Boolean scopeParamRequired;
     final protected boolean composite;
     final protected Set<String> composites = new HashSet<String>();
 
@@ -27,6 +26,7 @@ public class CachedRole implements Serializable {
         description = model.getDescription();
         id = model.getId();
         name = model.getName();
+        scopeParamRequired = model.isScopeParamRequired();
         this.realm = realm.getId();
         if (composite) {
             for (RoleModel child : model.getComposites()) {
@@ -52,6 +52,10 @@ public class CachedRole implements Serializable {
         return description;
     }
 
+    public Boolean isScopeParamRequired() {
+        return scopeParamRequired;
+    }
+
     public boolean isComposite() {
         return composite;
     }

diff --git a/model/invalidation-cache/model-adapters/src/main/java/org/keycloak/models/cache/entities/CachedUser.java b/model/invalidation-cache/model-adapters/src/main/java/org/keycloak/models/cache/entities/CachedUser.java
index 9757c63..d38b6f9 100755
--- a/model/invalidation-cache/model-adapters/src/main/java/org/keycloak/models/cache/entities/CachedUser.java
+++ b/model/invalidation-cache/model-adapters/src/main/java/org/keycloak/models/cache/entities/CachedUser.java
@@ -1,5 +1,7 @@
 package org.keycloak.models.cache.entities;
 
+import org.keycloak.models.OfflineClientSessionModel;
+import org.keycloak.models.OfflineUserSessionModel;
 import org.keycloak.models.RealmModel;
 import org.keycloak.models.RoleModel;
 import org.keycloak.models.UserCredentialValueModel;
@@ -7,9 +9,11 @@ import org.keycloak.models.UserModel;
 import org.keycloak.util.MultivaluedHashMap;
 
 import java.io.Serializable;
+import java.util.HashMap;
 import java.util.HashSet;
 import java.util.LinkedList;
 import java.util.List;
+import java.util.Map;
 import java.util.Set;
 
 /**
@@ -33,6 +37,8 @@ public class CachedUser implements Serializable {
     private MultivaluedHashMap<String, String> attributes = new MultivaluedHashMap<>();
     private Set<String> requiredActions = new HashSet<>();
     private Set<String> roleMappings = new HashSet<String>();
+    private Map<String, OfflineUserSessionModel> offlineUserSessions = new HashMap<>();
+    private Map<String, OfflineClientSessionModel> offlineClientSessions = new HashMap<>();
 
     public CachedUser(RealmModel realm, UserModel user) {
         this.id = user.getId();
@@ -53,6 +59,12 @@ public class CachedUser implements Serializable {
         for (RoleModel role : user.getRoleMappings()) {
             roleMappings.add(role.getId());
         }
+        for (OfflineUserSessionModel offlineSession : user.getOfflineUserSessions()) {
+            offlineUserSessions.put(offlineSession.getUserSessionId(), offlineSession);
+        }
+        for (OfflineClientSessionModel offlineSession : user.getOfflineClientSessions()) {
+            offlineClientSessions.put(offlineSession.getClientSessionId(), offlineSession);
+        }
     }
 
     public String getId() {
@@ -118,4 +130,12 @@ public class CachedUser implements Serializable {
     public String getServiceAccountClientLink() {
         return serviceAccountClientLink;
     }
+
+    public Map<String, OfflineUserSessionModel> getOfflineUserSessions() {
+        return offlineUserSessions;
+    }
+
+    public Map<String, OfflineClientSessionModel> getOfflineClientSessions() {
+        return offlineClientSessions;
+    }
 }

diff --git a/model/jpa/pom.xml b/model/jpa/pom.xml
index f4f9eec..4013fca 100755
--- a/model/jpa/pom.xml
+++ b/model/jpa/pom.xml
@@ -17,17 +17,14 @@
         <dependency>
             <groupId>org.bouncycastle</groupId>
             <artifactId>bcprov-jdk15on</artifactId>
-            <scope>provided</scope>
         </dependency>
         <dependency>
             <groupId>net.iharder</groupId>
             <artifactId>base64</artifactId>
-            <scope>provided</scope>
         </dependency>
         <dependency>
             <groupId>org.keycloak</groupId>
             <artifactId>keycloak-core</artifactId>
-            <scope>provided</scope>
         </dependency>
         <dependency>
             <groupId>org.keycloak</groupId>
@@ -44,18 +41,15 @@
         </dependency>
         <dependency>
             <groupId>org.hibernate.javax.persistence</groupId>
-            <artifactId>hibernate-jpa-2.1-api</artifactId>
-            <scope>provided</scope>
+            <artifactId>${hibernate.javax.persistence.artifactId}</artifactId>
         </dependency>
         <dependency>
             <groupId>org.hibernate</groupId>
             <artifactId>hibernate-entitymanager</artifactId>
-            <scope>provided</scope>
         </dependency>
         <dependency>
             <groupId>org.jboss.resteasy</groupId>
             <artifactId>resteasy-jaxrs</artifactId>
-            <scope>provided</scope>
             <exclusions>
                 <exclusion>
                     <groupId>log4j</groupId>

diff --git a/model/jpa/src/main/java/org/keycloak/models/jpa/entities/OfflineClientSessionEntity.java b/model/jpa/src/main/java/org/keycloak/models/jpa/entities/OfflineClientSessionEntity.java
new file mode 100644
index 0000000..23081c4
--- /dev/null
+++ b/model/jpa/src/main/java/org/keycloak/models/jpa/entities/OfflineClientSessionEntity.java
@@ -0,0 +1,81 @@
+package org.keycloak.models.jpa.entities;
+
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.FetchType;
+import javax.persistence.Id;
+import javax.persistence.JoinColumn;
+import javax.persistence.ManyToOne;
+import javax.persistence.NamedQueries;
+import javax.persistence.NamedQuery;
+import javax.persistence.Table;
+
+/**
+ * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
+ */
+@NamedQueries({
+        @NamedQuery(name="deleteOfflineClientSessionsByRealm", query="delete from OfflineClientSessionEntity sess where sess.user IN (select u from UserEntity u where u.realmId=:realmId)"),
+        @NamedQuery(name="deleteOfflineClientSessionsByRealmAndLink", query="delete from OfflineClientSessionEntity sess where sess.user IN (select u from UserEntity u where u.realmId=:realmId and u.federationLink=:link)"),
+        @NamedQuery(name="deleteOfflineClientSessionsByClient", query="delete from OfflineClientSessionEntity sess where sess.clientId=:clientId")
+})
+@Table(name="OFFLINE_CLIENT_SESSION")
+@Entity
+public class OfflineClientSessionEntity {
+
+    @Id
+    @Column(name="CLIENT_SESSION_ID", length = 36)
+    protected String clientSessionId;
+
+    @Column(name="USER_SESSION_ID", length = 36)
+    protected String userSessionId;
+
+    @Column(name="CLIENT_ID", length = 36)
+    protected String clientId;
+
+    @ManyToOne(fetch = FetchType.LAZY)
+    @JoinColumn(name="USER_ID")
+    protected UserEntity user;
+
+    @Column(name="DATA")
+    protected String data;
+
+    public String getClientSessionId() {
+        return clientSessionId;
+    }
+
+    public void setClientSessionId(String clientSessionId) {
+        this.clientSessionId = clientSessionId;
+    }
+
+    public String getUserSessionId() {
+        return userSessionId;
+    }
+
+    public void setUserSessionId(String userSessionId) {
+        this.userSessionId = userSessionId;
+    }
+
+    public String getClientId() {
+        return clientId;
+    }
+
+    public void setClientId(String clientId) {
+        this.clientId = clientId;
+    }
+
+    public UserEntity getUser() {
+        return user;
+    }
+
+    public void setUser(UserEntity user) {
+        this.user = user;
+    }
+
+    public String getData() {
+        return data;
+    }
+
+    public void setData(String data) {
+        this.data = data;
+    }
+}

diff --git a/model/jpa/src/main/java/org/keycloak/models/jpa/entities/OfflineUserSessionEntity.java b/model/jpa/src/main/java/org/keycloak/models/jpa/entities/OfflineUserSessionEntity.java
new file mode 100644
index 0000000..d2726fa
--- /dev/null
+++ b/model/jpa/src/main/java/org/keycloak/models/jpa/entities/OfflineUserSessionEntity.java
@@ -0,0 +1,59 @@
+package org.keycloak.models.jpa.entities;
+
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.FetchType;
+import javax.persistence.Id;
+import javax.persistence.JoinColumn;
+import javax.persistence.ManyToOne;
+import javax.persistence.NamedQueries;
+import javax.persistence.NamedQuery;
+import javax.persistence.Table;
+
+/**
+ * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
+ */
+@NamedQueries({
+        @NamedQuery(name="deleteOfflineUserSessionsByRealm", query="delete from OfflineUserSessionEntity sess where sess.user IN (select u from UserEntity u where u.realmId=:realmId)"),
+        @NamedQuery(name="deleteOfflineUserSessionsByRealmAndLink", query="delete from OfflineUserSessionEntity sess where sess.user IN (select u from UserEntity u where u.realmId=:realmId and u.federationLink=:link)"),
+        @NamedQuery(name="deleteDetachedOfflineUserSessions", query="delete from OfflineUserSessionEntity sess where sess.userSessionId NOT IN (select c.userSessionId from OfflineClientSessionEntity c)")
+})
+@Table(name="OFFLINE_USER_SESSION")
+@Entity
+public class OfflineUserSessionEntity {
+
+    @Id
+    @Column(name="USER_SESSION_ID", length = 36)
+    protected String userSessionId;
+
+    @ManyToOne(fetch = FetchType.LAZY)
+    @JoinColumn(name="USER_ID")
+    protected UserEntity user;
+
+    @Column(name="DATA")
+    protected String data;
+
+    public String getUserSessionId() {
+        return userSessionId;
+    }
+
+    public void setUserSessionId(String userSessionId) {
+        this.userSessionId = userSessionId;
+    }
+
+    public UserEntity getUser() {
+        return user;
+    }
+
+    public void setUser(UserEntity user) {
+        this.user = user;
+    }
+
+    public String getData() {
+        return data;
+    }
+
+    public void setData(String data) {
+        this.data = data;
+    }
+}

diff --git a/model/jpa/src/main/java/org/keycloak/models/jpa/entities/RoleEntity.java b/model/jpa/src/main/java/org/keycloak/models/jpa/entities/RoleEntity.java
index 4c9edb7..437867e 100755
--- a/model/jpa/src/main/java/org/keycloak/models/jpa/entities/RoleEntity.java
+++ b/model/jpa/src/main/java/org/keycloak/models/jpa/entities/RoleEntity.java
@@ -37,6 +37,8 @@ public class RoleEntity {
     private String name;
     @Column(name = "DESCRIPTION")
     private String description;
+    @Column(name = "SCOPE_PARAM_REQUIRED")
+    private boolean scopeParamRequired;
 
     // hax! couldn't get constraint to work properly
     @Column(name = "REALM_ID")
@@ -93,6 +95,14 @@ public class RoleEntity {
         this.description = description;
     }
 
+    public boolean isScopeParamRequired() {
+        return scopeParamRequired;
+    }
+
+    public void setScopeParamRequired(boolean scopeParamRequired) {
+        this.scopeParamRequired = scopeParamRequired;
+    }
+
     public Collection<RoleEntity> getCompositeRoles() {
         return compositeRoles;
     }

diff --git a/model/jpa/src/main/java/org/keycloak/models/jpa/entities/UserEntity.java b/model/jpa/src/main/java/org/keycloak/models/jpa/entities/UserEntity.java
index 2da1641..24d23db 100755
--- a/model/jpa/src/main/java/org/keycloak/models/jpa/entities/UserEntity.java
+++ b/model/jpa/src/main/java/org/keycloak/models/jpa/entities/UserEntity.java
@@ -3,9 +3,13 @@ package org.keycloak.models.jpa.entities;
 import org.keycloak.models.utils.KeycloakModelUtils;
 
 import javax.persistence.CascadeType;
+import javax.persistence.CollectionTable;
 import javax.persistence.Column;
+import javax.persistence.ElementCollection;
 import javax.persistence.Entity;
 import javax.persistence.Id;
+import javax.persistence.JoinColumn;
+import javax.persistence.MapKeyColumn;
 import javax.persistence.NamedQueries;
 import javax.persistence.NamedQuery;
 import javax.persistence.OneToMany;
@@ -14,6 +18,8 @@ import javax.persistence.UniqueConstraint;
 
 import java.util.ArrayList;
 import java.util.Collection;
+import java.util.HashMap;
+import java.util.Map;
 
 /**
  * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
@@ -83,6 +89,12 @@ public class UserEntity {
     @Column(name="SERVICE_ACCOUNT_CLIENT_LINK")
     protected String serviceAccountClientLink;
 
+    @OneToMany(cascade = CascadeType.REMOVE, orphanRemoval = true, mappedBy="user")
+    protected Collection<OfflineUserSessionEntity> offlineUserSessions = new ArrayList<>();
+
+    @OneToMany(cascade = CascadeType.REMOVE, orphanRemoval = true, mappedBy="user")
+    protected Collection<OfflineClientSessionEntity> offlineClientSessions = new ArrayList<>();
+
     public String getId() {
         return id;
     }
@@ -212,6 +224,22 @@ public class UserEntity {
         this.serviceAccountClientLink = serviceAccountClientLink;
     }
 
+    public Collection<OfflineUserSessionEntity> getOfflineUserSessions() {
+        return offlineUserSessions;
+    }
+
+    public void setOfflineUserSessions(Collection<OfflineUserSessionEntity> offlineUserSessions) {
+        this.offlineUserSessions = offlineUserSessions;
+    }
+
+    public Collection<OfflineClientSessionEntity> getOfflineClientSessions() {
+        return offlineClientSessions;
+    }
+
+    public void setOfflineClientSessions(Collection<OfflineClientSessionEntity> offlineClientSessions) {
+        this.offlineClientSessions = offlineClientSessions;
+    }
+
     @Override
     public boolean equals(Object o) {
         if (this == o) return true;

diff --git a/model/jpa/src/main/java/org/keycloak/models/jpa/JpaUserProvider.java b/model/jpa/src/main/java/org/keycloak/models/jpa/JpaUserProvider.java
index d92e93d..8cee4ea 100755
--- a/model/jpa/src/main/java/org/keycloak/models/jpa/JpaUserProvider.java
+++ b/model/jpa/src/main/java/org/keycloak/models/jpa/JpaUserProvider.java
@@ -169,6 +169,10 @@ public class JpaUserProvider implements UserProvider {
                 .setParameter("realmId", realm.getId()).executeUpdate();
         num = em.createNamedQuery("deleteUserAttributesByRealm")
                 .setParameter("realmId", realm.getId()).executeUpdate();
+        num = em.createNamedQuery("deleteOfflineClientSessionsByRealm")
+                .setParameter("realmId", realm.getId()).executeUpdate();
+        num = em.createNamedQuery("deleteOfflineUserSessionsByRealm")
+                .setParameter("realmId", realm.getId()).executeUpdate();
         num = em.createNamedQuery("deleteUsersByRealm")
                 .setParameter("realmId", realm.getId()).executeUpdate();
     }
@@ -195,6 +199,14 @@ public class JpaUserProvider implements UserProvider {
                 .setParameter("realmId", realm.getId())
                 .setParameter("link", link.getId())
                 .executeUpdate();
+        num = em.createNamedQuery("deleteOfflineClientSessionsByRealmAndLink")
+                .setParameter("realmId", realm.getId())
+                .setParameter("link", link.getId())
+                .executeUpdate();
+        num = em.createNamedQuery("deleteOfflineUserSessionsByRealmAndLink")
+                .setParameter("realmId", realm.getId())
+                .setParameter("link", link.getId())
+                .executeUpdate();
         num = em.createNamedQuery("deleteUsersByRealmAndLink")
                 .setParameter("realmId", realm.getId())
                 .setParameter("link", link.getId())
@@ -212,6 +224,8 @@ public class JpaUserProvider implements UserProvider {
         em.createNamedQuery("deleteUserConsentProtMappersByClient").setParameter("clientId", client.getId()).executeUpdate();
         em.createNamedQuery("deleteUserConsentRolesByClient").setParameter("clientId", client.getId()).executeUpdate();
         em.createNamedQuery("deleteUserConsentsByClient").setParameter("clientId", client.getId()).executeUpdate();
+        em.createNamedQuery("deleteOfflineClientSessionsByClient").setParameter("clientId", client.getId()).executeUpdate();
+        em.createNamedQuery("deleteDetachedOfflineUserSessions").executeUpdate();
     }
 
     @Override

diff --git a/model/jpa/src/main/java/org/keycloak/models/jpa/RoleAdapter.java b/model/jpa/src/main/java/org/keycloak/models/jpa/RoleAdapter.java
index 4ab8d33..0e49d59 100755
--- a/model/jpa/src/main/java/org/keycloak/models/jpa/RoleAdapter.java
+++ b/model/jpa/src/main/java/org/keycloak/models/jpa/RoleAdapter.java
@@ -50,6 +50,16 @@ public class RoleAdapter implements RoleModel {
     }
 
     @Override
+    public boolean isScopeParamRequired() {
+        return role.isScopeParamRequired();
+    }
+
+    @Override
+    public void setScopeParamRequired(boolean scopeParamRequired) {
+        role.setScopeParamRequired(scopeParamRequired);
+    }
+
+    @Override
     public String getId() {
         return role.getId();
     }

diff --git a/model/jpa/src/main/java/org/keycloak/models/jpa/UserAdapter.java b/model/jpa/src/main/java/org/keycloak/models/jpa/UserAdapter.java
index 67def6b..bdcf1f1 100755
--- a/model/jpa/src/main/java/org/keycloak/models/jpa/UserAdapter.java
+++ b/model/jpa/src/main/java/org/keycloak/models/jpa/UserAdapter.java
@@ -2,6 +2,8 @@ package org.keycloak.models.jpa;
 
 import org.keycloak.models.ClientModel;
 import org.keycloak.models.OTPPolicy;
+import org.keycloak.models.OfflineClientSessionModel;
+import org.keycloak.models.OfflineUserSessionModel;
 import org.keycloak.models.ProtocolMapperModel;
 import org.keycloak.models.UserConsentModel;
 import org.keycloak.models.ModelDuplicateException;
@@ -14,6 +16,8 @@ import org.keycloak.models.UserCredentialModel;
 import org.keycloak.models.UserCredentialValueModel;
 import org.keycloak.models.UserModel;
 import org.keycloak.models.jpa.entities.CredentialEntity;
+import org.keycloak.models.jpa.entities.OfflineClientSessionEntity;
+import org.keycloak.models.jpa.entities.OfflineUserSessionEntity;
 import org.keycloak.models.jpa.entities.UserConsentEntity;
 import org.keycloak.models.jpa.entities.UserConsentProtocolMapperEntity;
 import org.keycloak.models.jpa.entities.UserConsentRoleEntity;
@@ -37,6 +41,7 @@ import java.util.Collection;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Iterator;
+import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
@@ -751,6 +756,124 @@ public class UserAdapter implements UserModel {
     }
 
     @Override
+    public void addOfflineUserSession(OfflineUserSessionModel offlineSession) {
+        OfflineUserSessionEntity entity = new OfflineUserSessionEntity();
+        entity.setUser(user);
+        entity.setUserSessionId(offlineSession.getUserSessionId());
+        entity.setData(offlineSession.getData());
+        em.persist(entity);
+        user.getOfflineUserSessions().add(entity);
+        em.flush();
+    }
+
+    @Override
+    public OfflineUserSessionModel getOfflineUserSession(String userSessionId) {
+        for (OfflineUserSessionEntity entity : user.getOfflineUserSessions()) {
+            if (entity.getUserSessionId().equals(userSessionId)) {
+                return toModel(entity);
+            }
+        }
+        return null;
+    }
+
+    private OfflineUserSessionModel toModel(OfflineUserSessionEntity entity) {
+        OfflineUserSessionModel model = new OfflineUserSessionModel();
+        model.setUserSessionId(entity.getUserSessionId());
+        model.setData(entity.getData());
+        return model;
+    }
+
+    @Override
+    public Collection<OfflineUserSessionModel> getOfflineUserSessions() {
+        List<OfflineUserSessionModel> result = new LinkedList<>();
+        for (OfflineUserSessionEntity entity : user.getOfflineUserSessions()) {
+            result.add(toModel(entity));
+        }
+        return result;
+    }
+
+    @Override
+    public boolean removeOfflineUserSession(String userSessionId) {
+        OfflineUserSessionEntity found = null;
+        for (OfflineUserSessionEntity session : user.getOfflineUserSessions()) {
+            if (session.getUserSessionId().equals(userSessionId)) {
+                found = session;
+                break;
+            }
+        }
+
+        if (found == null) {
+            return false;
+        } else {
+            user.getOfflineUserSessions().remove(found);
+            em.remove(found);
+            em.flush();
+            return true;
+        }
+    }
+
+    @Override
+    public void addOfflineClientSession(OfflineClientSessionModel clientSession) {
+        OfflineClientSessionEntity entity = new OfflineClientSessionEntity();
+        entity.setUser(user);
+        entity.setClientSessionId(clientSession.getClientSessionId());
+        entity.setUserSessionId(clientSession.getUserSessionId());
+        entity.setClientId(clientSession.getClientId());
+        entity.setData(clientSession.getData());
+        em.persist(entity);
+        user.getOfflineClientSessions().add(entity);
+        em.flush();
+    }
+
+    @Override
+    public OfflineClientSessionModel getOfflineClientSession(String clientSessionId) {
+        for (OfflineClientSessionEntity entity : user.getOfflineClientSessions()) {
+            if (entity.getClientSessionId().equals(clientSessionId)) {
+                return toModel(entity);
+            }
+        }
+        return null;
+    }
+
+    private OfflineClientSessionModel toModel(OfflineClientSessionEntity entity) {
+        OfflineClientSessionModel model = new OfflineClientSessionModel();
+        model.setClientSessionId(entity.getClientSessionId());
+        model.setClientId(entity.getClientId());
+        model.setUserSessionId(entity.getUserSessionId());
+        model.setData(entity.getData());
+        return model;
+    }
+
+    @Override
+    public Collection<OfflineClientSessionModel> getOfflineClientSessions() {
+        List<OfflineClientSessionModel> result = new LinkedList<>();
+        for (OfflineClientSessionEntity entity : user.getOfflineClientSessions()) {
+            result.add(toModel(entity));
+        }
+        return result;
+    }
+
+    @Override
+    public boolean removeOfflineClientSession(String clientSessionId) {
+        OfflineClientSessionEntity found = null;
+        for (OfflineClientSessionEntity session : user.getOfflineClientSessions()) {
+            if (session.getClientSessionId().equals(clientSessionId)) {
+                found = session;
+                break;
+            }
+        }
+
+        if (found == null) {
+            return false;
+        } else {
+            user.getOfflineClientSessions().remove(found);
+            em.remove(found);
+            em.flush();
+            return true;
+        }
+    }
+
+    @Override
     public boolean equals(Object o) {
         if (this == o) return true;
         if (o == null || !(o instanceof UserModel)) return false;

diff --git a/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/MongoUserProvider.java b/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/MongoUserProvider.java
index 308d9fb..14081c1 100755
--- a/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/MongoUserProvider.java
+++ b/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/MongoUserProvider.java
@@ -19,6 +19,8 @@ import org.keycloak.models.UserFederationProviderModel;
 import org.keycloak.models.UserModel;
 import org.keycloak.models.UserProvider;
 import org.keycloak.models.entities.FederatedIdentityEntity;
+import org.keycloak.models.entities.OfflineClientSessionEntity;
+import org.keycloak.models.entities.OfflineUserSessionEntity;
 import org.keycloak.models.mongo.keycloak.entities.MongoUserConsentEntity;
 import org.keycloak.models.mongo.keycloak.entities.MongoUserEntity;
 import org.keycloak.models.utils.CredentialValidation;
@@ -399,6 +401,36 @@ public class MongoUserProvider implements UserProvider {
                 .and("clientId").is(client.getId())
                 .get();
         getMongoStore().removeEntities(MongoUserConsentEntity.class, query, false, invocationContext);
+
+        // Remove all offlineClientSessions
+        query = new QueryBuilder()
+                .and("offlineUserSessions.offlineClientSessions.clientId").is(client.getId())
+                .get();
+        List<MongoUserEntity> users = getMongoStore().loadEntities(MongoUserEntity.class, query, invocationContext);
+        for (MongoUserEntity user : users) {
+            boolean anyRemoved = false;
+            for (OfflineUserSessionEntity userSession : user.getOfflineUserSessions()) {
+                for (OfflineClientSessionEntity clientSession : userSession.getOfflineClientSessions()) {
+                    if (clientSession.getClientId().equals(client.getId())) {
+                        userSession.getOfflineClientSessions().remove(clientSession);
+                        anyRemoved = true;
+                        break;
+                    }
+                }
+
+                // Check if it was last clientSession. Then remove userSession too
+                if (userSession.getOfflineClientSessions().size() == 0) {
+                    user.getOfflineUserSessions().remove(userSession);
+                    anyRemoved = true;
+                    break;
+                }
+            }
+
+            if (anyRemoved) {
+                getMongoStore().updateEntity(user, invocationContext);
+            }
+
+        }
     }
 
     @Override

diff --git a/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/RoleAdapter.java b/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/RoleAdapter.java
index 91ef361..f3d918b 100755
--- a/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/RoleAdapter.java
+++ b/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/RoleAdapter.java
@@ -69,6 +69,17 @@ public class RoleAdapter extends AbstractMongoAdapter<MongoRoleEntity> implement
     }
 
     @Override
+    public boolean isScopeParamRequired() {
+        return role.isScopeParamRequired();
+    }
+
+    @Override
+    public void setScopeParamRequired(boolean scopeParamRequired) {
+        role.setScopeParamRequired(scopeParamRequired);
+        updateRole();
+    }
+
+    @Override
     public boolean isComposite() {
         return role.getCompositeRoleIds() != null && role.getCompositeRoleIds().size() > 0;
     }

diff --git a/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/UserAdapter.java b/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/UserAdapter.java
index 8130ff5..a475bb6 100755
--- a/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/UserAdapter.java
+++ b/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/UserAdapter.java
@@ -8,6 +8,8 @@ import com.mongodb.QueryBuilder;
 import org.keycloak.connections.mongo.api.context.MongoStoreInvocationContext;
 import org.keycloak.models.ClientModel;
 import org.keycloak.models.OTPPolicy;
+import org.keycloak.models.OfflineClientSessionModel;
+import org.keycloak.models.OfflineUserSessionModel;
 import org.keycloak.models.ProtocolMapperModel;
 import org.keycloak.models.UserConsentModel;
 import org.keycloak.models.KeycloakSession;
@@ -20,6 +22,8 @@ import org.keycloak.models.UserCredentialModel;
 import org.keycloak.models.UserCredentialValueModel;
 import org.keycloak.models.UserModel;
 import org.keycloak.models.entities.CredentialEntity;
+import org.keycloak.models.entities.OfflineClientSessionEntity;
+import org.keycloak.models.entities.OfflineUserSessionEntity;
 import org.keycloak.models.entities.UserConsentEntity;
 import org.keycloak.models.mongo.keycloak.entities.MongoUserConsentEntity;
 import org.keycloak.models.mongo.keycloak.entities.MongoUserEntity;
@@ -30,6 +34,7 @@ import org.keycloak.models.utils.Pbkdf2PasswordEncoder;
 import org.keycloak.util.Time;
 
 import java.util.ArrayList;
+import java.util.Collection;
 import java.util.Collections;
 import java.util.Comparator;
 import java.util.HashMap;
@@ -628,6 +633,145 @@ public class UserAdapter extends AbstractMongoAdapter<MongoUserEntity> implement
     }
 
     @Override
+    public void addOfflineUserSession(OfflineUserSessionModel userSession) {
+        if (user.getOfflineUserSessions() == null) {
+            user.setOfflineUserSessions(new ArrayList<OfflineUserSessionEntity>());
+        }
+
+        if (getUserSessionEntityById(userSession.getUserSessionId()) != null) {
+            throw new ModelDuplicateException("User session already exists with id " + userSession.getUserSessionId() + " for user " + getMongoEntity().getUsername());
+        }
+
+        OfflineUserSessionEntity entity = new OfflineUserSessionEntity();
+        entity.setUserSessionId(userSession.getUserSessionId());
+        entity.setData(userSession.getData());
+        entity.setOfflineClientSessions(new ArrayList<OfflineClientSessionEntity>());
+        user.getOfflineUserSessions().add(entity);
+        updateUser();
+    }
+
+    @Override
+    public OfflineUserSessionModel getOfflineUserSession(String userSessionId) {
+        OfflineUserSessionEntity entity = getUserSessionEntityById(userSessionId);
+        return entity==null ? null : toModel(entity);
+    }
+
+    @Override
+    public Collection<OfflineUserSessionModel> getOfflineUserSessions() {
+        if (user.getOfflineUserSessions()==null) {
+            return Collections.emptyList();
+        } else {
+            List<OfflineUserSessionModel> result = new ArrayList<>();
+            for (OfflineUserSessionEntity entity : user.getOfflineUserSessions()) {
+                result.add(toModel(entity));
+            }
+            return result;
+        }
+    }
+
+    private OfflineUserSessionModel toModel(OfflineUserSessionEntity entity) {
+        OfflineUserSessionModel model = new OfflineUserSessionModel();
+        model.setUserSessionId(entity.getUserSessionId());
+        model.setData(entity.getData());
+        return model;
+    }
+
+    @Override
+    public boolean removeOfflineUserSession(String userSessionId) {
+        OfflineUserSessionEntity entity = getUserSessionEntityById(userSessionId);
+        if (entity != null) {
+            user.getOfflineUserSessions().remove(entity);
+            updateUser();
+            return true;
+        } else {
+            return false;
+        }
+    }
+
+    private OfflineUserSessionEntity getUserSessionEntityById(String userSessionId) {
+        if (user.getOfflineUserSessions() != null) {
+            for (OfflineUserSessionEntity entity : user.getOfflineUserSessions()) {
+                if (entity.getUserSessionId().equals(userSessionId)) {
+                    return entity;
+                }
+            }
+        }
+        return null;
+    }
+
+    @Override
+    public void addOfflineClientSession(OfflineClientSessionModel clientSession) {
+        OfflineUserSessionEntity userSessionEntity = getUserSessionEntityById(clientSession.getUserSessionId());
+        if (userSessionEntity == null) {
+            throw new ModelException("OfflineUserSession with ID " + clientSession.getUserSessionId() + " doesn't exist for user " + getMongoEntity().getUsername());
+        }
+
+        OfflineClientSessionEntity clEntity = new OfflineClientSessionEntity();
+        clEntity.setClientSessionId(clientSession.getClientSessionId());
+        clEntity.setClientId(clientSession.getClientId());
+        clEntity.setData(clientSession.getData());
+
+        userSessionEntity.getOfflineClientSessions().add(clEntity);
+        updateUser();
+    }
+
+    @Override
+    public OfflineClientSessionModel getOfflineClientSession(String clientSessionId) {
+        if (user.getOfflineUserSessions() != null) {
+            for (OfflineUserSessionEntity userSession : user.getOfflineUserSessions()) {
+                for (OfflineClientSessionEntity clSession : userSession.getOfflineClientSessions()) {
+                    if (clSession.getClientSessionId().equals(clientSessionId)) {
+                        return toModel(clSession, userSession.getUserSessionId());
+                    }
+                }
+            }
+        }
+
+        return null;
+    }
+
+    private OfflineClientSessionModel toModel(OfflineClientSessionEntity cls, String userSessionId) {
+        OfflineClientSessionModel model = new OfflineClientSessionModel();
+        model.setClientSessionId(cls.getClientSessionId());
+        model.setClientId(cls.getClientId());
+        model.setData(cls.getData());
+        model.setUserSessionId(userSessionId);
+        return model;
+    }
+
+    @Override
+    public Collection<OfflineClientSessionModel> getOfflineClientSessions() {
+        List<OfflineClientSessionModel> result = new ArrayList<>();
+
+        if (user.getOfflineUserSessions() != null) {
+            for (OfflineUserSessionEntity userSession : user.getOfflineUserSessions()) {
+                for (OfflineClientSessionEntity clSession : userSession.getOfflineClientSessions()) {
+                    result.add(toModel(clSession, userSession.getUserSessionId()));
+                }
+            }
+        }
+
+        return result;
+    }
+
+    @Override
+    public boolean removeOfflineClientSession(String clientSessionId) {
+        if (user.getOfflineUserSessions() != null) {
+            for (OfflineUserSessionEntity userSession : user.getOfflineUserSessions()) {
+                for (OfflineClientSessionEntity clSession : userSession.getOfflineClientSessions()) {
+                    if (clSession.getClientSessionId().equals(clientSessionId)) {
+                        userSession.getOfflineClientSessions().remove(clSession);
+                        updateUser();
+                        return true;
+                    }
+                }
+            }
+        }
+
+        return false;
+    }
+
+    @Override
     public boolean equals(Object o) {
         if (this == o) return true;
         if (o == null || !(o instanceof UserModel)) return false;

diff --git a/model/sessions-infinispan/pom.xml b/model/sessions-infinispan/pom.xml
index 3d8c256..ee64a6b 100755
--- a/model/sessions-infinispan/pom.xml
+++ b/model/sessions-infinispan/pom.xml
@@ -17,22 +17,18 @@
         <dependency>
             <groupId>org.keycloak</groupId>
             <artifactId>keycloak-core</artifactId>
-            <scope>provided</scope>
         </dependency>
         <dependency>
             <groupId>org.keycloak</groupId>
             <artifactId>keycloak-model-api</artifactId>
-            <scope>provided</scope>
         </dependency>
         <dependency>
             <groupId>org.keycloak</groupId>
             <artifactId>keycloak-connections-infinispan</artifactId>
-            <scope>provided</scope>
         </dependency>
         <dependency>
             <groupId>org.infinispan</groupId>
             <artifactId>infinispan-core</artifactId>
-            <scope>provided</scope>
         </dependency>
     </dependencies>
 </project>

diff --git a/model/sessions-infinispan/src/main/java/org/keycloak/models/sessions/infinispan/compat/UserSessionAdapter.java b/model/sessions-infinispan/src/main/java/org/keycloak/models/sessions/infinispan/compat/UserSessionAdapter.java
index fbe8682..a9db618 100755
--- a/model/sessions-infinispan/src/main/java/org/keycloak/models/sessions/infinispan/compat/UserSessionAdapter.java
+++ b/model/sessions-infinispan/src/main/java/org/keycloak/models/sessions/infinispan/compat/UserSessionAdapter.java
@@ -10,6 +10,7 @@ import org.keycloak.models.sessions.infinispan.compat.entities.UserSessionEntity
 
 import java.util.LinkedList;
 import java.util.List;
+import java.util.Map;
 
 /**
  * @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
@@ -144,5 +145,8 @@ public class UserSessionAdapter implements UserSessionModel {
 
     }
 
-
+    @Override
+    public Map<String, String> getNotes() {
+        return entity.getNotes();
+    }
 }

diff --git a/model/sessions-infinispan/src/main/java/org/keycloak/models/sessions/infinispan/UserSessionAdapter.java b/model/sessions-infinispan/src/main/java/org/keycloak/models/sessions/infinispan/UserSessionAdapter.java
index 6cfc121..c7104fb 100755
--- a/model/sessions-infinispan/src/main/java/org/keycloak/models/sessions/infinispan/UserSessionAdapter.java
+++ b/model/sessions-infinispan/src/main/java/org/keycloak/models/sessions/infinispan/UserSessionAdapter.java
@@ -14,6 +14,7 @@ import java.util.Collections;
 import java.util.HashMap;
 import java.util.LinkedList;
 import java.util.List;
+import java.util.Map;
 
 /**
  * @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
@@ -110,6 +111,11 @@ public class UserSessionAdapter implements UserSessionModel {
     }
 
     @Override
+    public Map<String, String> getNotes() {
+        return entity.getNotes();
+    }
+
+    @Override
     public State getState() {
         return entity.getState();
     }

diff --git a/pom.xml b/pom.xml
index c0a1cc1..bfc0c06 100755
--- a/pom.xml
+++ b/pom.xml
@@ -39,6 +39,7 @@
         <io.netty.version>4.0.26.Final</io.netty.version> 
         <xnio.netty.netty-xnio-transport.version>0.1.1.Final</xnio.netty.netty-xnio-transport.version>
         <hibernate.javax.persistence.version>1.0.0.Final</hibernate.javax.persistence.version>
+        <hibernate.javax.persistence.artifactId>hibernate-jpa-2.1-api</hibernate.javax.persistence.artifactId>
         <hibernate.entitymanager.version>4.3.10.Final</hibernate.entitymanager.version>
         <h2.version>1.4.187</h2.version>
         <mysql.version>5.1.29</mysql.version>
@@ -322,7 +323,7 @@
             </dependency>
             <dependency>
                 <groupId>org.hibernate.javax.persistence</groupId>
-                <artifactId>hibernate-jpa-2.1-api</artifactId>
+                <artifactId>${hibernate.javax.persistence.artifactId}</artifactId>
                 <version>${hibernate.javax.persistence.version}</version>
             </dependency>
             <dependency>
@@ -1255,6 +1256,15 @@
             <plugins>
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
+                    <artifactId>maven-release-plugin</artifactId>
+                    <version>2.5.2</version>
+                    <configuration>
+                        <autoVersionSubmodules>true</autoVersionSubmodules>
+                        <tagNameFormat>@{project.version}</tagNameFormat>
+                    </configuration>
+                </plugin>
+                <plugin>
+                    <groupId>org.apache.maven.plugins</groupId>
                     <artifactId>maven-surefire-plugin</artifactId>
                     <configuration>
                         <forkMode>once</forkMode>
@@ -1349,6 +1359,48 @@
     </build>
 
     <profiles>
+        <profile>
+            <id>distribution</id>
+            <modules>
+                <module>distribution</module>
+            </modules>
+        </profile>
+
+        <profile>
+            <id>jboss-release</id>
+            <modules>
+                <module>docbook</module>
+                <module>distribution</module>
+            </modules>
+        </profile>
+
+        <profile>
+            <id>doclint-java8-disable</id>
+            <activation>
+                <jdk>[1.8,)</jdk>
+            </activation>
+
+            <build>
+                <plugins>
+                    <plugin>
+                        <groupId>org.apache.maven.plugins</groupId>
+                        <artifactId>maven-javadoc-plugin</artifactId>
+                        <configuration>
+                            <additionalparam>-Xdoclint:none</additionalparam>
+                        </configuration>
+                    </plugin>
+                </plugins>
+            </build>
+        </profile>
+
+        <profile>
+            <id>arquillian-integration-tests</id>
+            <modules>
+                <module>distribution</module>
+                <module>testsuite/integration-arquillian</module>
+            </modules>
+        </profile>
+
         <!-- Configure the JBoss Early Access Maven repository -->
         <profile>
             <id>jboss-earlyaccess-repository</id>
@@ -1382,63 +1434,5 @@
                 </pluginRepository>
             </pluginRepositories>
         </profile>
-        <profile>
-            <id>distribution</id>
-            <modules>
-                <module>distribution</module>
-                <module>testsuite/integration-arquillian</module>
-            </modules>
-        </profile>
-        <profile>
-            <id>jboss-release</id>
-            <modules>
-                <module>docbook</module>
-                <module>distribution</module>
-                <module>testsuite/integration-arquillian</module>
-            </modules>
-            <build>
-                <plugins>
-                    <plugin>
-                        <groupId>org.apache.maven.plugins</groupId>
-                        <artifactId>maven-javadoc-plugin</artifactId>
-                        <executions>
-                            <execution>
-                                <id>aggregate</id>
-                                <phase>package</phase>
-                                <goals>
-                                    <goal>aggregate</goal>
-                                </goals>
-                                <configuration>
-                                    <minmemory>128m</minmemory>
-                                    <maxmemory>1024m</maxmemory>
-                                    <aggregate>true</aggregate>
-                                    <excludePackageNames>
-                                        se.unlogic.*:com.restfully.*:org.jboss.resteasy.examples.*:org.jboss.resteasy.tests.*
-                                    </excludePackageNames>
-                                </configuration>
-                            </execution>
-                        </executions>
-                    </plugin>          
-                </plugins>
-            </build>
-        </profile>
-        <profile>
-            <id>doclint-java8-disable</id>
-            <activation>
-                <jdk>[1.8,)</jdk>
-            </activation>
-
-            <build>
-                <plugins>
-                    <plugin>
-                        <groupId>org.apache.maven.plugins</groupId>
-                        <artifactId>maven-javadoc-plugin</artifactId>
-                        <configuration>
-                            <additionalparam>-Xdoclint:none</additionalparam>
-                        </configuration>
-                    </plugin>
-                </plugins>
-            </build>
-        </profile>
     </profiles>
 </project>

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/common/CommonActionType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/common/CommonActionType.java
index 6936b57..81e0685 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/common/CommonActionType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/common/CommonActionType.java
@@ -27,8 +27,6 @@ import java.io.Serializable;
  */
 public class CommonActionType implements Serializable {
 
-    private static final long serialVersionUID = 1L;
-
     protected String namespace;
 
     protected String value;

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/common/CommonAdviceType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/common/CommonAdviceType.java
index b6d3a2b..b5beb37 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/common/CommonAdviceType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/common/CommonAdviceType.java
@@ -30,8 +30,6 @@ import java.util.List;
  */
 public class CommonAdviceType implements Serializable {
 
-    private static final long serialVersionUID = 1L;
-
     protected List<Object> advices = new ArrayList<Object>();
 
     /**

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/common/CommonAssertionType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/common/CommonAssertionType.java
index 0637d7f..7d5d518 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/common/CommonAssertionType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/common/CommonAssertionType.java
@@ -28,8 +28,6 @@ import java.io.Serializable;
  */
 public class CommonAssertionType implements Serializable {
 
-    private static final long serialVersionUID = 1L;
-
     protected XMLGregorianCalendar issueInstant;
 
     protected String ID;

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/common/CommonConditionsType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/common/CommonConditionsType.java
index 4ad88a5..d69a7b9 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/common/CommonConditionsType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/common/CommonConditionsType.java
@@ -26,8 +26,6 @@ import java.io.Serializable;
  */
 public class CommonConditionsType implements Serializable {
 
-    private static final long serialVersionUID = 1L;
-
     protected XMLGregorianCalendar notBefore;
 
     protected XMLGregorianCalendar notOnOrAfter;

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/common/CommonRequestAbstractType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/common/CommonRequestAbstractType.java
index 9ba0638..6dd2219 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/common/CommonRequestAbstractType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/common/CommonRequestAbstractType.java
@@ -30,8 +30,6 @@ import java.io.Serializable;
  */
 public abstract class CommonRequestAbstractType implements Serializable {
 
-    private static final long serialVersionUID = 1L;
-
     protected String id;
 
     protected XMLGregorianCalendar issueInstant;

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/common/CommonResponseType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/common/CommonResponseType.java
index fbb4f65..c04fa9e 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/common/CommonResponseType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/common/CommonResponseType.java
@@ -28,8 +28,6 @@ import java.io.Serializable;
  */
 public class CommonResponseType implements Serializable {
 
-    private static final long serialVersionUID = 1L;
-
     protected String id;
 
     protected XMLGregorianCalendar issueInstant;

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/common/CommonStatusDetailType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/common/CommonStatusDetailType.java
index cb427e3..6c9d6b9 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/common/CommonStatusDetailType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/common/CommonStatusDetailType.java
@@ -43,8 +43,6 @@ import java.util.List;
  */
 public class CommonStatusDetailType implements Serializable {
 
-    private static final long serialVersionUID = 1L;
-
     protected List<Object> any = new ArrayList<Object>();
 
     /**

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11ActionType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11ActionType.java
index 8e70a3b..6fda13a 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11ActionType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11ActionType.java
@@ -31,5 +31,4 @@ import org.keycloak.dom.saml.common.CommonActionType;
  */
 public class SAML11ActionType extends CommonActionType {
 
-    private static final long serialVersionUID = 1L;
 }
\ No newline at end of file

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11AdviceType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11AdviceType.java
index 0f0dcc6..29ebad5 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11AdviceType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11AdviceType.java
@@ -29,5 +29,4 @@ import org.keycloak.dom.saml.common.CommonAdviceType;
  */
 public class SAML11AdviceType extends CommonAdviceType {
 
-    private static final long serialVersionUID = 1L;
 }
\ No newline at end of file

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11AssertionType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11AssertionType.java
index 1a72241..edd3ee0 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11AssertionType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11AssertionType.java
@@ -46,8 +46,6 @@ import java.util.List;
  */
 public class SAML11AssertionType extends CommonAssertionType {
 
-    private static final long serialVersionUID = 1L;
-
     protected int majorVersion = 1;
 
     protected int minorVersion = 1;

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11AttributeStatementType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11AttributeStatementType.java
index f572210..1ef6b82 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11AttributeStatementType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11AttributeStatementType.java
@@ -33,8 +33,6 @@ import java.util.List;
  */
 public class SAML11AttributeStatementType extends SAML11SubjectStatementType {
 
-    private static final long serialVersionUID = 1L;
-
     protected List<SAML11AttributeType> attribute = new ArrayList<SAML11AttributeType>();
 
     public void add(SAML11AttributeType aAttribute) {

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11AudienceRestrictionCondition.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11AudienceRestrictionCondition.java
index f54ef37..33e2a94 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11AudienceRestrictionCondition.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11AudienceRestrictionCondition.java
@@ -33,8 +33,6 @@ import java.util.List;
  */
 public class SAML11AudienceRestrictionCondition extends SAML11ConditionAbstractType {
 
-    private static final long serialVersionUID = 1L;
-
     protected List<URI> audience = new ArrayList<URI>();
 
     public void add(URI advice) {

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11AuthenticationStatementType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11AuthenticationStatementType.java
index fd2fbe0..2ee15e8 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11AuthenticationStatementType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11AuthenticationStatementType.java
@@ -35,8 +35,6 @@ import java.util.List;
  */
 public class SAML11AuthenticationStatementType extends SAML11SubjectStatementType {
 
-    private static final long serialVersionUID = 1L;
-
     protected URI authenticationMethod;
 
     protected XMLGregorianCalendar authenticationInstant;

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11AuthorizationDecisionStatementType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11AuthorizationDecisionStatementType.java
index 970535b..c85701c 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11AuthorizationDecisionStatementType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11AuthorizationDecisionStatementType.java
@@ -36,8 +36,6 @@ import java.util.List;
  */
 public class SAML11AuthorizationDecisionStatementType extends SAML11SubjectStatementType {
 
-    private static final long serialVersionUID = 1L;
-
     protected List<SAML11ActionType> actions = new ArrayList<SAML11ActionType>();
 
     protected SAML11EvidenceType evidence;

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11ConditionAbstractType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11ConditionAbstractType.java
index 4208335..23f3231 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11ConditionAbstractType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11ConditionAbstractType.java
@@ -25,5 +25,4 @@ import java.io.Serializable;
  */
 public abstract class SAML11ConditionAbstractType implements Serializable {
 
-    private static final long serialVersionUID = 1L;
 }
\ No newline at end of file

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11ConditionsAbstractType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11ConditionsAbstractType.java
index 9106bf2..c56143f 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11ConditionsAbstractType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11ConditionsAbstractType.java
@@ -25,5 +25,4 @@ import java.io.Serializable;
  */
 public abstract class SAML11ConditionsAbstractType implements Serializable {
 
-    private static final long serialVersionUID = 1L;
 }

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11ConditionsType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11ConditionsType.java
index 4a4662c..8a7b33b 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11ConditionsType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11ConditionsType.java
@@ -36,8 +36,6 @@ import java.util.List;
  */
 public class SAML11ConditionsType extends CommonConditionsType {
 
-    private static final long serialVersionUID = 1L;
-
     public List<SAML11ConditionAbstractType> conditions = new ArrayList<SAML11ConditionAbstractType>();
 
     public void add(SAML11ConditionAbstractType condition) {

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11ConditionType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11ConditionType.java
index f06bf32..c6a0446 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11ConditionType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11ConditionType.java
@@ -23,5 +23,4 @@ package org.keycloak.dom.saml.v1.assertion;
  */
 public class SAML11ConditionType extends SAML11ConditionAbstractType {
 
-    private static final long serialVersionUID = 1L;
 }
\ No newline at end of file

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11DoNotCacheConditionType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11DoNotCacheConditionType.java
index dc0c791..3ba9b7d 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11DoNotCacheConditionType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11DoNotCacheConditionType.java
@@ -23,5 +23,4 @@ package org.keycloak.dom.saml.v1.assertion;
  */
 public class SAML11DoNotCacheConditionType extends SAML11ConditionAbstractType {
 
-    private static final long serialVersionUID = 1L;
 }
\ No newline at end of file

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11NameIdentifierType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11NameIdentifierType.java
index 0687f3c..78c3c94 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11NameIdentifierType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11NameIdentifierType.java
@@ -30,8 +30,6 @@ import java.net.URI;
  */
 public class SAML11NameIdentifierType implements Serializable {
 
-    private static final long serialVersionUID = 1L;
-
     protected String nameQualifier;
 
     protected URI format;

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11StatementAbstractType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11StatementAbstractType.java
index 96f1a24..f7a7ce5 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11StatementAbstractType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11StatementAbstractType.java
@@ -25,5 +25,4 @@ import java.io.Serializable;
  */
 public abstract class SAML11StatementAbstractType implements Serializable {
 
-    private static final long serialVersionUID = 1L;
 }
\ No newline at end of file

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11StatementType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11StatementType.java
index fa8a94d..8015555 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11StatementType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11StatementType.java
@@ -23,5 +23,4 @@ package org.keycloak.dom.saml.v1.assertion;
  */
 public class SAML11StatementType extends SAML11StatementAbstractType {
 
-    private static final long serialVersionUID = 1L;
 }
\ No newline at end of file

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11SubjectStatementType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11SubjectStatementType.java
index d6118ae..d1a64e5 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11SubjectStatementType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11SubjectStatementType.java
@@ -28,8 +28,6 @@ package org.keycloak.dom.saml.v1.assertion;
  */
 public class SAML11SubjectStatementType extends SAML11StatementAbstractType {
 
-    private static final long serialVersionUID = 1L;
-
     protected SAML11SubjectType subject;
 
     public SAML11SubjectStatementType() {

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11AttributeQueryType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11AttributeQueryType.java
index 9f13479..d79a6c3 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11AttributeQueryType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11AttributeQueryType.java
@@ -36,8 +36,6 @@ import java.util.List;
  */
 public class SAML11AttributeQueryType extends SAML11SubjectQueryAbstractType {
 
-    private static final long serialVersionUID = 1L;
-
     protected List<SAML11AttributeDesignatorType> attributeDesignator = new ArrayList<SAML11AttributeDesignatorType>();
 
     protected URI resource;

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11AuthenticationQueryType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11AuthenticationQueryType.java
index d2d7bc0..ac9ff4b 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11AuthenticationQueryType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11AuthenticationQueryType.java
@@ -31,8 +31,6 @@ import java.net.URI;
  */
 public class SAML11AuthenticationQueryType extends SAML11SubjectQueryAbstractType {
 
-    private static final long serialVersionUID = 1L;
-
     protected URI authenticationMethod;
 
     public URI getAuthenticationMethod() {

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11AuthorizationDecisionQueryType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11AuthorizationDecisionQueryType.java
index dc9d9b8..061b50a 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11AuthorizationDecisionQueryType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11AuthorizationDecisionQueryType.java
@@ -39,8 +39,6 @@ import java.util.List;
  */
 public class SAML11AuthorizationDecisionQueryType extends SAML11SubjectQueryAbstractType {
 
-    private static final long serialVersionUID = 1L;
-
     protected List<SAML11ActionType> action = new ArrayList<SAML11ActionType>();
 
     protected SAML11EvidenceType evidence;

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11QueryAbstractType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11QueryAbstractType.java
index 3b2c6df..88e52f4 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11QueryAbstractType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11QueryAbstractType.java
@@ -25,5 +25,4 @@ import java.io.Serializable;
  */
 public abstract class SAML11QueryAbstractType implements Serializable {
 
-    private static final long serialVersionUID = 1L;
 }
\ No newline at end of file

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11RequestAbstractType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11RequestAbstractType.java
index f0fa48b..c63c23f 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11RequestAbstractType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11RequestAbstractType.java
@@ -39,8 +39,6 @@ import java.util.List;
  */
 public abstract class SAML11RequestAbstractType extends CommonRequestAbstractType {
 
-    private static final long serialVersionUID = 1L;
-
     protected int majorVersion = 1;
 
     protected int minorVersion = 1;

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11RequestType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11RequestType.java
index f86ff31..a7d7307 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11RequestType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11RequestType.java
@@ -36,8 +36,6 @@ import java.util.List;
  */
 public class SAML11RequestType extends SAML11RequestAbstractType {
 
-    private static final long serialVersionUID = 1L;
-
     protected SAML11QueryAbstractType query;
 
     protected List<String> assertionIDRef = new ArrayList<String>();

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11ResponseAbstractType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11ResponseAbstractType.java
index 48b5938..1afd7b7 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11ResponseAbstractType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11ResponseAbstractType.java
@@ -37,8 +37,6 @@ import java.net.URI;
  */
 public abstract class SAML11ResponseAbstractType extends CommonResponseType {
 
-    private static final long serialVersionUID = 1L;
-
     protected int majorVersion = 1;
 
     protected int minorVersion = 1;

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11ResponseType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11ResponseType.java
index c07dae4..29936e5 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11ResponseType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11ResponseType.java
@@ -35,8 +35,6 @@ import java.util.List;
  */
 public class SAML11ResponseType extends SAML11ResponseAbstractType {
 
-    private static final long serialVersionUID = 1L;
-
     protected List<SAML11AssertionType> assertions = new ArrayList<SAML11AssertionType>();
 
     protected SAML11StatusType status;

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11StatusCodeType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11StatusCodeType.java
index 38c56bf..3591e62 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11StatusCodeType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11StatusCodeType.java
@@ -30,8 +30,6 @@ import java.io.Serializable;
  */
 public class SAML11StatusCodeType implements Serializable {
 
-    private static final long serialVersionUID = 1L;
-
     public static final SAML11StatusCodeType SUCCESS = new SAML11StatusCodeType(new QName("samlp:Success"));
 
     protected SAML11StatusCodeType statusCode;

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11StatusType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11StatusType.java
index 7f4b7a6..afea6a9 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11StatusType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11StatusType.java
@@ -32,8 +32,6 @@ import java.io.Serializable;
  */
 public class SAML11StatusType implements Serializable {
 
-    private static final long serialVersionUID = 1L;
-
     protected SAML11StatusCodeType statusCode;
 
     protected String statusMessage;

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11SubjectQueryAbstractType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11SubjectQueryAbstractType.java
index c9ef462..0328e16 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11SubjectQueryAbstractType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11SubjectQueryAbstractType.java
@@ -31,8 +31,6 @@ import org.keycloak.dom.saml.v1.assertion.SAML11SubjectType;
  */
 public class SAML11SubjectQueryAbstractType extends SAML11QueryAbstractType {
 
-    private static final long serialVersionUID = 1L;
-
     protected SAML11SubjectType subject;
 
     public SAML11SubjectType getSubject() {

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/ActionType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/ActionType.java
index c31bf4e..98b7510 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/ActionType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/ActionType.java
@@ -38,5 +38,4 @@ import org.keycloak.dom.saml.common.CommonActionType;
  */
 public class ActionType extends CommonActionType {
 
-    private static final long serialVersionUID = 1L;
 }
\ No newline at end of file

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AdviceType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AdviceType.java
index 8f9fc2d..31ca7d1 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AdviceType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AdviceType.java
@@ -45,5 +45,4 @@ import org.keycloak.dom.saml.common.CommonAdviceType;
  */
 public class AdviceType extends CommonAdviceType {
 
-    private static final long serialVersionUID = 1L;
 }
\ No newline at end of file

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AssertionType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AssertionType.java
index 7cbd35e..b401bcb 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AssertionType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AssertionType.java
@@ -43,8 +43,6 @@ import java.util.Set;
  */
 public class AssertionType extends CommonAssertionType {
 
-    private static final long serialVersionUID = 1L;
-
     private Element signature;
 
     private final String version = "2.0";

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AttributeStatementType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AttributeStatementType.java
index 9b65f38..0cb88c4 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AttributeStatementType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AttributeStatementType.java
@@ -45,7 +45,6 @@ import java.util.List;
  */
 public class AttributeStatementType extends StatementAbstractType {
 
-    private static final long serialVersionUID = 1L;
     protected List<ASTChoiceType> attributes = new ArrayList<ASTChoiceType>();
 
     /**
@@ -81,7 +80,6 @@ public class AttributeStatementType extends StatementAbstractType {
 
     public static class ASTChoiceType implements Serializable {
 
-        private static final long serialVersionUID = 1L;
         private AttributeType attribute;
         private EncryptedElementType encryptedAssertion;
 

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AttributeType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AttributeType.java
index c62111d..4393008 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AttributeType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AttributeType.java
@@ -50,8 +50,6 @@ import java.util.Map;
  */
 public class AttributeType implements Serializable {
 
-    private static final long serialVersionUID = 1L;
-
     protected List<Object> attributeValue = new ArrayList<Object>();
     protected String name;
     protected String nameFormat;

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AudienceRestrictionType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AudienceRestrictionType.java
index 38e1f9d..566dcbb 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AudienceRestrictionType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AudienceRestrictionType.java
@@ -44,8 +44,6 @@ import java.util.List;
  */
 public class AudienceRestrictionType extends ConditionAbstractType implements Serializable {
 
-    private static final long serialVersionUID = 1L;
-
     protected List<URI> audience = new ArrayList<URI>();
 
     /**

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AuthnContextClassRefType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AuthnContextClassRefType.java
index 00c7611..e06d5ed 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AuthnContextClassRefType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AuthnContextClassRefType.java
@@ -28,8 +28,6 @@ import java.net.URI;
  */
 public class AuthnContextClassRefType implements URIType, Serializable {
 
-    private static final long serialVersionUID = 1L;
-
     private final URI value;
 
     public AuthnContextClassRefType(URI value) {

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AuthnContextDeclRefType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AuthnContextDeclRefType.java
index e28ca5c..247aaeb 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AuthnContextDeclRefType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AuthnContextDeclRefType.java
@@ -28,7 +28,6 @@ import java.net.URI;
  */
 public class AuthnContextDeclRefType implements URIType, Serializable {
 
-    private static final long serialVersionUID = 1L;
     private URI value;
 
     public AuthnContextDeclRefType(URI value) {

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AuthnContextDeclType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AuthnContextDeclType.java
index 51749b9..bfde9d6 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AuthnContextDeclType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AuthnContextDeclType.java
@@ -27,8 +27,6 @@ import java.io.Serializable;
  */
 public class AuthnContextDeclType implements Serializable {
 
-    private static final long serialVersionUID = 1L;
-
     private Object value;
 
     public AuthnContextDeclType(Object value) {

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AuthnContextType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AuthnContextType.java
index 0f9e18c..38069ef 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AuthnContextType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AuthnContextType.java
@@ -60,8 +60,6 @@ import java.util.Set;
  */
 public class AuthnContextType implements Serializable {
 
-    private static final long serialVersionUID = 1L;
-
     private final Set<URI> authenticatingAuthority = new LinkedHashSet<URI>();
 
     private AuthnContextTypeSequence sequence;
@@ -165,8 +163,6 @@ public class AuthnContextType implements Serializable {
      */
     public class AuthnContextTypeSequence implements Serializable {
 
-        private static final long serialVersionUID = 1L;
-
         private AuthnContextClassRefType classRef;
 
         private AuthnContextDeclType authnContextDecl;

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AuthnStatementType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AuthnStatementType.java
index 33d8916..b68df7c 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AuthnStatementType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AuthnStatementType.java
@@ -44,8 +44,6 @@ import javax.xml.datatype.XMLGregorianCalendar;
  */
 public class AuthnStatementType extends StatementAbstractType {
 
-    private static final long serialVersionUID = 1L;
-
     protected SubjectLocalityType subjectLocality;
     protected AuthnContextType authnContext;
     protected XMLGregorianCalendar authnInstant;

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AuthzDecisionStatementType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AuthzDecisionStatementType.java
index fa8a861..fd9efb5 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AuthzDecisionStatementType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AuthzDecisionStatementType.java
@@ -45,7 +45,6 @@ import java.util.List;
  */
 public class AuthzDecisionStatementType extends StatementAbstractType {
 
-    private static final long serialVersionUID = 1L;
     protected List<ActionType> action = new ArrayList<ActionType>();
     protected EvidenceType evidence;
     protected String resource;

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/BaseIDAbstractType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/BaseIDAbstractType.java
index 0090d23..67056bf 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/BaseIDAbstractType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/BaseIDAbstractType.java
@@ -38,7 +38,6 @@ import java.io.Serializable;
  */
 public abstract class BaseIDAbstractType implements Serializable {
 
-    private static final long serialVersionUID = 1L;
     private String nameQualifier;
     private String sPNameQualifier;
 

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/ConditionAbstractType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/ConditionAbstractType.java
index 64fe2ab..c1fd41a 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/ConditionAbstractType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/ConditionAbstractType.java
@@ -37,5 +37,4 @@ import java.io.Serializable;
  */
 public abstract class ConditionAbstractType implements Serializable {
 
-    private static final long serialVersionUID = 1L;
 }
\ No newline at end of file

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/ConditionsType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/ConditionsType.java
index 0d77f40..65444cd 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/ConditionsType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/ConditionsType.java
@@ -50,8 +50,6 @@ import java.util.List;
  */
 public class ConditionsType extends CommonConditionsType implements Serializable {
 
-    private static final long serialVersionUID = 1L;
-
     protected List<ConditionAbstractType> conditions = new ArrayList<ConditionAbstractType>();
 
     /**

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/EncryptedAssertionType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/EncryptedAssertionType.java
index 31cc80d..88b863d 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/EncryptedAssertionType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/EncryptedAssertionType.java
@@ -27,8 +27,6 @@ import org.w3c.dom.Element;
  */
 public class EncryptedAssertionType extends EncryptedElementType {
 
-    private static final long serialVersionUID = 1L;
-
     public EncryptedAssertionType() {
         super();
     }

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/EncryptedElementType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/EncryptedElementType.java
index 19c13d6..073a8e1 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/EncryptedElementType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/EncryptedElementType.java
@@ -29,8 +29,6 @@ import java.io.Serializable;
  */
 public class EncryptedElementType implements Serializable {
 
-    private static final long serialVersionUID = 1L;
-
     /**
      * <complexType name="EncryptedElementType"> <sequence> <element ref="xenc:EncryptedData"/> <element
      * ref="xenc:EncryptedKey"

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/EvidenceType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/EvidenceType.java
index 47110fa..c93a168 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/EvidenceType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/EvidenceType.java
@@ -48,7 +48,6 @@ import java.util.List;
  */
 public class EvidenceType implements Serializable {
 
-    private static final long serialVersionUID = 1L;
     protected List<ChoiceType> evidences = new ArrayList<ChoiceType>();
 
     /**
@@ -80,7 +79,6 @@ public class EvidenceType implements Serializable {
 
     public static class ChoiceType implements Serializable {
 
-        private static final long serialVersionUID = 1L;
         private String AssertionIDRef;
         private URI AssertionURIRef;
         private AssertionType assertion;

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/KeyInfoConfirmationDataType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/KeyInfoConfirmationDataType.java
index e11dc49..bb3ed69 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/KeyInfoConfirmationDataType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/KeyInfoConfirmationDataType.java
@@ -40,8 +40,6 @@ import org.w3c.dom.Element;
  */
 public class KeyInfoConfirmationDataType extends SubjectConfirmationDataType {
 
-    private static final long serialVersionUID = 2510471236717847074L;
-
     protected Element keyInfo;
 
     public Element getKeyInfo() {

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/NameIDType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/NameIDType.java
index 3f7aec1..25a2b8a 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/NameIDType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/NameIDType.java
@@ -35,7 +35,6 @@ public class NameIDType extends BaseIDAbstractType {
      * name="SPNameQualifier" type="string" use="optional"/> </attributeGroup>
      */
 
-    private static final long serialVersionUID = 1L;
     private String value;
     private URI format;
     private String sPProvidedID;

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/OneTimeUseType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/OneTimeUseType.java
index 1898c7b..0b890a7 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/OneTimeUseType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/OneTimeUseType.java
@@ -35,5 +35,4 @@ package org.keycloak.dom.saml.v2.assertion;
  */
 public class OneTimeUseType extends ConditionAbstractType {
 
-    private static final long serialVersionUID = 1L;
 }
\ No newline at end of file

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/ProxyRestrictionType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/ProxyRestrictionType.java
index 5072181..2c032f4 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/ProxyRestrictionType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/ProxyRestrictionType.java
@@ -45,8 +45,6 @@ import java.util.List;
  */
 public class ProxyRestrictionType extends ConditionAbstractType {
 
-    private static final long serialVersionUID = 1L;
-
     protected List<URI> audience = new ArrayList<URI>();
 
     protected BigInteger count;

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/StatementAbstractType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/StatementAbstractType.java
index 0230b15..3f80635 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/StatementAbstractType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/StatementAbstractType.java
@@ -38,5 +38,4 @@ import java.io.Serializable;
  */
 public abstract class StatementAbstractType implements Serializable {
 
-    private static final long serialVersionUID = 1L;
 }
\ No newline at end of file

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/SubjectConfirmationDataType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/SubjectConfirmationDataType.java
index 274104f..579581a 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/SubjectConfirmationDataType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/SubjectConfirmationDataType.java
@@ -50,8 +50,6 @@ import java.util.Map;
  */
 public class SubjectConfirmationDataType implements Serializable {
 
-    private static final long serialVersionUID = 7695748370849965158L;
-
     protected XMLGregorianCalendar notBefore;
 
     protected XMLGregorianCalendar notOnOrAfter;

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/SubjectConfirmationType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/SubjectConfirmationType.java
index 6979022..dca866a 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/SubjectConfirmationType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/SubjectConfirmationType.java
@@ -47,7 +47,6 @@ import java.io.Serializable;
  */
 public class SubjectConfirmationType implements Serializable {
 
-    private static final long serialVersionUID = 1L;
     protected BaseIDAbstractType baseID;
     protected NameIDType nameID;
     protected EncryptedElementType encryptedID;

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/SubjectLocalityType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/SubjectLocalityType.java
index 4a8bb60..a89561d 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/SubjectLocalityType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/SubjectLocalityType.java
@@ -39,8 +39,6 @@ import java.io.Serializable;
  */
 public class SubjectLocalityType implements Serializable {
 
-    private static final long serialVersionUID = 1L;
-
     protected String address;
 
     protected String dnsName;

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/SubjectType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/SubjectType.java
index 61aeb08..c391bae 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/SubjectType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/SubjectType.java
@@ -52,8 +52,6 @@ import java.util.List;
  */
 public class SubjectType implements Serializable {
 
-    private static final long serialVersionUID = 1L;
-
     protected List<SubjectConfirmationType> subjectConfirmation = new ArrayList<SubjectConfirmationType>();
 
     protected STSubType subType;
@@ -114,8 +112,6 @@ public class SubjectType implements Serializable {
 
     public static class STSubType implements Serializable {
 
-        private static final long serialVersionUID = -4073731807610876524L;
-
         private BaseIDAbstractType baseID;
 
         private EncryptedElementType encryptedID;

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/RequestedAttributeType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/RequestedAttributeType.java
index 2d6bb85..428ba9f 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/RequestedAttributeType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/RequestedAttributeType.java
@@ -38,8 +38,6 @@ import org.keycloak.dom.saml.v2.assertion.AttributeType;
  */
 public class RequestedAttributeType extends AttributeType {
 
-    private static final long serialVersionUID = 1L;
-
     public RequestedAttributeType(String name) {
         super(name);
     }

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/ArtifactResolveType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/ArtifactResolveType.java
index 6d6f3ed..90b2641 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/ArtifactResolveType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/ArtifactResolveType.java
@@ -40,8 +40,6 @@ import javax.xml.datatype.XMLGregorianCalendar;
  */
 public class ArtifactResolveType extends RequestAbstractType {
 
-    private static final long serialVersionUID = 1L;
-
     protected String artifact;
 
     public ArtifactResolveType(String id, XMLGregorianCalendar instant) {

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/ArtifactResponseType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/ArtifactResponseType.java
index 8ec699c..9fc3bb0 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/ArtifactResponseType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/ArtifactResponseType.java
@@ -40,8 +40,6 @@ import javax.xml.datatype.XMLGregorianCalendar;
  */
 public class ArtifactResponseType extends StatusResponseType {
 
-    private static final long serialVersionUID = 1L;
-
     protected Object any;
 
     public ArtifactResponseType(String id, XMLGregorianCalendar issueInstant) {

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/AssertionIDRequestType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/AssertionIDRequestType.java
index 4f3e946..fed66ee 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/AssertionIDRequestType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/AssertionIDRequestType.java
@@ -43,8 +43,6 @@ import java.util.List;
  */
 public class AssertionIDRequestType extends RequestAbstractType {
 
-    private static final long serialVersionUID = 1L;
-
     protected List<String> assertionIDRef = new ArrayList<String>();
 
     public AssertionIDRequestType(String id, XMLGregorianCalendar instant) {

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/AttributeQueryType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/AttributeQueryType.java
index 9f706a5..fdf5484 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/AttributeQueryType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/AttributeQueryType.java
@@ -45,8 +45,6 @@ import java.util.List;
  */
 public class AttributeQueryType extends SubjectQueryAbstractType {
 
-    private static final long serialVersionUID = 1L;
-
     protected List<AttributeType> attribute = new ArrayList<AttributeType>();
 
     public AttributeQueryType(String id, XMLGregorianCalendar instant) {

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/AuthnQueryType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/AuthnQueryType.java
index d6951eb..9898068 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/AuthnQueryType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/AuthnQueryType.java
@@ -41,8 +41,6 @@ import javax.xml.datatype.XMLGregorianCalendar;
  */
 public class AuthnQueryType extends SubjectQueryAbstractType {
 
-    private static final long serialVersionUID = 1L;
-
     protected RequestedAuthnContextType requestedAuthnContext;
 
     protected String sessionIndex;

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/AuthnRequestType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/AuthnRequestType.java
index aa6c8d9..1491848 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/AuthnRequestType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/AuthnRequestType.java
@@ -56,8 +56,6 @@ import java.net.URI;
  */
 public class AuthnRequestType extends RequestAbstractType {
 
-    private static final long serialVersionUID = 1L;
-
     protected SubjectType subject;
 
     protected NameIDPolicyType nameIDPolicy;

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/AuthzDecisionQueryType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/AuthzDecisionQueryType.java
index 20ee1b9..2c52846 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/AuthzDecisionQueryType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/AuthzDecisionQueryType.java
@@ -49,8 +49,6 @@ import java.util.List;
  */
 public class AuthzDecisionQueryType extends SubjectQueryAbstractType {
 
-    private static final long serialVersionUID = 1L;
-
     protected List<ActionType> action = new ArrayList<ActionType>();
 
     protected EvidenceType evidence;

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/LogoutRequestType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/LogoutRequestType.java
index 7249481..6db55a1 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/LogoutRequestType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/LogoutRequestType.java
@@ -54,8 +54,6 @@ import java.util.List;
  */
 public class LogoutRequestType extends RequestAbstractType {
 
-    private static final long serialVersionUID = 1L;
-
     protected BaseIDAbstractType baseID;
 
     protected NameIDType nameID;

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/ManageNameIDRequestType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/ManageNameIDRequestType.java
index c798d12..89952bb 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/ManageNameIDRequestType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/ManageNameIDRequestType.java
@@ -51,8 +51,6 @@ import javax.xml.datatype.XMLGregorianCalendar;
  */
 public class ManageNameIDRequestType extends RequestAbstractType {
 
-    private static final long serialVersionUID = 1L;
-
     protected NameIDType nameID;
 
     protected EncryptedElementType encryptedID;

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/NameIDMappingRequestType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/NameIDMappingRequestType.java
index d2b77b5..bd5fe43 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/NameIDMappingRequestType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/NameIDMappingRequestType.java
@@ -49,8 +49,6 @@ import javax.xml.datatype.XMLGregorianCalendar;
  */
 public class NameIDMappingRequestType extends RequestAbstractType {
 
-    private static final long serialVersionUID = 1L;
-
     protected BaseIDAbstractType baseID;
 
     protected NameIDType nameID;

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/NameIDMappingResponseType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/NameIDMappingResponseType.java
index 30ce02c..dedc8ff 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/NameIDMappingResponseType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/NameIDMappingResponseType.java
@@ -44,8 +44,6 @@ import javax.xml.datatype.XMLGregorianCalendar;
  */
 public class NameIDMappingResponseType extends StatusResponseType {
 
-    private static final long serialVersionUID = 1L;
-
     protected NameIDType nameID;
 
     protected EncryptedElementType encryptedID;

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/RequestAbstractType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/RequestAbstractType.java
index 5fa57ab..c670169 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/RequestAbstractType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/RequestAbstractType.java
@@ -52,8 +52,6 @@ import java.net.URI;
  */
 public abstract class RequestAbstractType extends CommonRequestAbstractType implements SAML2Object {
 
-    private static final long serialVersionUID = 1L;
-
     protected NameIDType issuer;
 
     protected ExtensionsType extensions;

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/ResponseType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/ResponseType.java
index e4664b4..fec0f13 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/ResponseType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/ResponseType.java
@@ -47,8 +47,6 @@ import java.util.List;
  */
 public class ResponseType extends StatusResponseType {
 
-    private static final long serialVersionUID = 1L;
-
     protected List<RTChoiceType> assertions = new ArrayList<ResponseType.RTChoiceType>();
 
     public ResponseType(String id, XMLGregorianCalendar issueInstant) {

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/StatusDetailType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/StatusDetailType.java
index 22f2171..2166e3a 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/StatusDetailType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/StatusDetailType.java
@@ -40,5 +40,4 @@ import org.keycloak.dom.saml.common.CommonStatusDetailType;
  */
 public class StatusDetailType extends CommonStatusDetailType {
 
-    private static final long serialVersionUID = 1L;
 }
\ No newline at end of file

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/StatusResponseType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/StatusResponseType.java
index 5cbd1d1..12235b3 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/StatusResponseType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/StatusResponseType.java
@@ -53,8 +53,6 @@ import javax.xml.datatype.XMLGregorianCalendar;
  */
 public class StatusResponseType extends CommonResponseType implements SAML2Object {
 
-    private static final long serialVersionUID = 1L;
-
     protected NameIDType issuer;
 
     protected ExtensionsType extensions;

diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/SubjectQueryAbstractType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/SubjectQueryAbstractType.java
index 31b2958..857e3e7 100755
--- a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/SubjectQueryAbstractType.java
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/SubjectQueryAbstractType.java
@@ -42,8 +42,6 @@ import javax.xml.datatype.XMLGregorianCalendar;
  */
 public abstract class SubjectQueryAbstractType extends RequestAbstractType {
 
-    private static final long serialVersionUID = 1L;
-
     protected SubjectType subject;
 
     public SubjectQueryAbstractType(String id, XMLGregorianCalendar instant) {

diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/ConfigurationException.java b/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/ConfigurationException.java
index dd1b9dd..4a377b0 100755
--- a/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/ConfigurationException.java
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/ConfigurationException.java
@@ -26,8 +26,7 @@ import java.security.GeneralSecurityException;
  * @since May 22, 2009
  */
 public class ConfigurationException extends GeneralSecurityException {
-    private static final long serialVersionUID = 1L;
-
+    
     public ConfigurationException() {
         super();
     }

diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/fed/AssertionExpiredException.java b/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/fed/AssertionExpiredException.java
index 3877363..746c072 100755
--- a/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/fed/AssertionExpiredException.java
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/fed/AssertionExpiredException.java
@@ -26,7 +26,6 @@ import java.security.GeneralSecurityException;
  * @since Dec 12, 2008
  */
 public class AssertionExpiredException extends GeneralSecurityException {
-    private static final long serialVersionUID = 1L;
 
     protected String id;
 

diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/fed/IssueInstantMissingException.java b/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/fed/IssueInstantMissingException.java
index aae6dd5..e8cbd56 100755
--- a/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/fed/IssueInstantMissingException.java
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/fed/IssueInstantMissingException.java
@@ -26,7 +26,6 @@ import java.security.GeneralSecurityException;
  * @since Jun 3, 2009
  */
 public class IssueInstantMissingException extends GeneralSecurityException {
-    private static final long serialVersionUID = 1L;
 
     public IssueInstantMissingException() {
         super();

diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/fed/IssuerNotTrustedException.java b/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/fed/IssuerNotTrustedException.java
index a9cc524..02820ee 100755
--- a/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/fed/IssuerNotTrustedException.java
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/fed/IssuerNotTrustedException.java
@@ -26,7 +26,6 @@ import java.security.GeneralSecurityException;
  * @since Jan 26, 2009
  */
 public class IssuerNotTrustedException extends GeneralSecurityException {
-    private static final long serialVersionUID = 1L;
 
     public IssuerNotTrustedException() {
         super();

diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/fed/SignatureValidationException.java b/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/fed/SignatureValidationException.java
index 59f0b82..bfafecd 100755
--- a/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/fed/SignatureValidationException.java
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/fed/SignatureValidationException.java
@@ -26,7 +26,6 @@ import java.security.GeneralSecurityException;
  * @since Jul 28, 2011
  */
 public class SignatureValidationException extends GeneralSecurityException {
-    private static final long serialVersionUID = 1L;
 
     public SignatureValidationException() {
     }

diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/fed/WSTrustException.java b/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/fed/WSTrustException.java
index 75f56ff..937ebb6 100755
--- a/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/fed/WSTrustException.java
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/fed/WSTrustException.java
@@ -28,8 +28,6 @@ import java.security.GeneralSecurityException;
  */
 public class WSTrustException extends GeneralSecurityException {
 
-    private static final long serialVersionUID = -232066282004315310L;
-
     /**
      * <p>
      * Creates an instance of {@code WSTrustException} using the specified error message.

diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/ParsingException.java b/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/ParsingException.java
index fb02e6f..ea1fa2b 100755
--- a/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/ParsingException.java
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/ParsingException.java
@@ -28,7 +28,6 @@ import java.security.GeneralSecurityException;
  * @since May 22, 2009
  */
 public class ParsingException extends GeneralSecurityException {
-    private static final long serialVersionUID = 1L;
 
     private Location location;
 

diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/PicketLinkException.java b/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/PicketLinkException.java
index 0a6645d..799e377 100755
--- a/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/PicketLinkException.java
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/PicketLinkException.java
@@ -27,8 +27,6 @@ package org.keycloak.saml.common.exceptions;
  */
 public class PicketLinkException extends RuntimeException {
 
-    private static final long serialVersionUID = 789326682407249952L;
-
     public PicketLinkException() {
         super();
     }

diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/ProcessingException.java b/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/ProcessingException.java
index 313e9e1..2b88e2f 100755
--- a/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/ProcessingException.java
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/ProcessingException.java
@@ -26,7 +26,6 @@ import java.security.GeneralSecurityException;
  * @since May 22, 2009
  */
 public class ProcessingException extends GeneralSecurityException {
-    private static final long serialVersionUID = 1L;
 
     public ProcessingException() {
         super();

diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/TrustKeyConfigurationException.java b/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/TrustKeyConfigurationException.java
index f8fc736..7f88085 100755
--- a/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/TrustKeyConfigurationException.java
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/TrustKeyConfigurationException.java
@@ -24,7 +24,6 @@ package org.keycloak.saml.common.exceptions;
  * @since May 22, 2009
  */
 public class TrustKeyConfigurationException extends ConfigurationException {
-    private static final long serialVersionUID = 1L;
 
     public TrustKeyConfigurationException() {
         super();

diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/TrustKeyProcessingException.java b/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/TrustKeyProcessingException.java
index e08644a..b900f0e 100755
--- a/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/TrustKeyProcessingException.java
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/TrustKeyProcessingException.java
@@ -24,7 +24,6 @@ package org.keycloak.saml.common.exceptions;
  * @since May 22, 2009
  */
 public class TrustKeyProcessingException extends ProcessingException {
-    private static final long serialVersionUID = 1L;
 
     public TrustKeyProcessingException() {
         super();

diff --git a/services/pom.xml b/services/pom.xml
index 3f6bd51..1e2e84e 100755
--- a/services/pom.xml
+++ b/services/pom.xml
@@ -21,67 +21,54 @@
         <dependency>
             <groupId>org.bouncycastle</groupId>
             <artifactId>bcprov-jdk15on</artifactId>
-            <scope>provided</scope>
         </dependency>
         <dependency>
             <groupId>org.bouncycastle</groupId>
             <artifactId>bcpkix-jdk15on</artifactId>
-            <scope>provided</scope>
         </dependency>
         <dependency>
             <groupId>org.keycloak</groupId>
             <artifactId>keycloak-core</artifactId>
-            <scope>provided</scope>
         </dependency>
         <dependency>
             <groupId>org.keycloak</groupId>
             <artifactId>keycloak-core-jaxrs</artifactId>
-            <scope>provided</scope>
         </dependency>
         <dependency>
             <groupId>org.keycloak</groupId>
             <artifactId>keycloak-connections-http-client</artifactId>
-            <scope>provided</scope>
         </dependency>
         <dependency>
             <groupId>org.keycloak</groupId>
             <artifactId>keycloak-forms-common-freemarker</artifactId>
-            <scope>provided</scope>
         </dependency>
         <dependency>
             <groupId>org.keycloak</groupId>
             <artifactId>keycloak-events-api</artifactId>
-            <scope>provided</scope>
         </dependency>
         <dependency>
             <groupId>org.keycloak</groupId>
             <artifactId>keycloak-account-api</artifactId>
-            <scope>provided</scope>
         </dependency>
         <dependency>
             <groupId>org.keycloak</groupId>
             <artifactId>keycloak-email-api</artifactId>
-            <scope>provided</scope>
         </dependency>
         <dependency>
             <groupId>org.keycloak</groupId>
             <artifactId>keycloak-login-api</artifactId>
-            <scope>provided</scope>
         </dependency>
         <dependency>
             <groupId>org.keycloak</groupId>
             <artifactId>keycloak-model-api</artifactId>
-            <scope>provided</scope>
         </dependency>
         <dependency>
             <groupId>org.keycloak</groupId>
             <artifactId>keycloak-invalidation-cache-model</artifactId>
-            <scope>provided</scope>
         </dependency>
         <dependency>
             <groupId>org.keycloak</groupId>
             <artifactId>keycloak-social-core</artifactId>
-            <scope>provided</scope>
         </dependency>
         <dependency>
             <groupId>org.keycloak</groupId>
@@ -90,33 +77,27 @@
         <dependency>
             <groupId>org.keycloak</groupId>
             <artifactId>keycloak-timer-api</artifactId>
-            <scope>provided</scope>
         </dependency>
         <dependency>
             <groupId>org.keycloak</groupId>
             <artifactId>keycloak-timer-basic</artifactId>
-            <scope>provided</scope>
         </dependency>
         <dependency>
             <groupId>org.keycloak</groupId>
             <artifactId>keycloak-export-import-api</artifactId>
-            <scope>provided</scope>
         </dependency>
         <dependency>
             <groupId>org.jboss.spec.javax.servlet</groupId>
             <artifactId>jboss-servlet-api_3.0_spec</artifactId>
-            <scope>provided</scope>
         </dependency>
 
         <dependency>
             <groupId>org.jboss.logging</groupId>
             <artifactId>jboss-logging</artifactId>
-            <scope>provided</scope>
         </dependency>
         <dependency>
             <groupId>org.jboss.resteasy</groupId>
             <artifactId>resteasy-jaxrs</artifactId>
-            <scope>provided</scope>
             <exclusions>
                 <exclusion>
                     <groupId>log4j</groupId>
@@ -135,32 +116,26 @@
         <dependency>
             <groupId>org.jboss.resteasy</groupId>
             <artifactId>jaxrs-api</artifactId>
-            <scope>provided</scope>
         </dependency>
         <dependency>
             <groupId>org.jboss.resteasy</groupId>
             <artifactId>resteasy-multipart-provider</artifactId>
-            <scope>provided</scope>
         </dependency>
         <dependency>
             <groupId>org.codehaus.jackson</groupId>
             <artifactId>jackson-core-asl</artifactId>
-            <scope>provided</scope>
         </dependency>
         <dependency>
             <groupId>org.codehaus.jackson</groupId>
             <artifactId>jackson-mapper-asl</artifactId>
-            <scope>provided</scope>
         </dependency>
         <dependency>
             <groupId>org.codehaus.jackson</groupId>
             <artifactId>jackson-xc</artifactId>
-            <scope>provided</scope>
         </dependency>
         <dependency>
             <groupId>com.google.zxing</groupId>
             <artifactId>javase</artifactId>
-            <scope>provided</scope>
         </dependency>
         <dependency>
             <groupId>junit</groupId>

diff --git a/services/src/docs/asciidoc/index.adoc b/services/src/docs/asciidoc/index.adoc
index 226d206..17ffc52 100644
--- a/services/src/docs/asciidoc/index.adoc
+++ b/services/src/docs/asciidoc/index.adoc
@@ -1,3 +1,3 @@
-include::{generated}/overview.adoc[]
+include::overview.adoc[]
 include::{generated}/paths.adoc[]
 include::{generated}/definitions.adoc[]
\ No newline at end of file

diff --git a/services/src/docs/asciidoc/overview.adoc b/services/src/docs/asciidoc/overview.adoc
new file mode 100644
index 0000000..e2457ab
--- /dev/null
+++ b/services/src/docs/asciidoc/overview.adoc
@@ -0,0 +1,13 @@
+= Keycloak Admin REST API
+
+== Overview
+This is a REST API reference for the Keycloak Admin
+
+=== Version information
+Version: 1
+
+=== URI scheme
+Host: localhost:8080
+BasePath: /auth
+Schemes: HTTP
+

diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/client/JWTClientAuthenticator.java b/services/src/main/java/org/keycloak/authentication/authenticators/client/JWTClientAuthenticator.java
index 0c308ab..96f81cb 100644
--- a/services/src/main/java/org/keycloak/authentication/authenticators/client/JWTClientAuthenticator.java
+++ b/services/src/main/java/org/keycloak/authentication/authenticators/client/JWTClientAuthenticator.java
@@ -27,7 +27,7 @@ import org.keycloak.services.Urls;
 
 /**
  * Client authentication based on JWT signed by client private key .
- * See <a href="https://tools.ietf.org/html/draft-jones-oauth-jwt-bearer-03">specs</a> for more details.
+ * See <a href="https://tools.ietf.org/html/rfc7519">specs</a> for more details.
  *
  * This is server side, which verifies JWT from client_assertion parameter, where the assertion was created on adapter side by
  * org.keycloak.adapters.authentication.JWTClientCredentialsProvider

diff --git a/services/src/main/java/org/keycloak/authentication/requiredactions/UpdateProfile.java b/services/src/main/java/org/keycloak/authentication/requiredactions/UpdateProfile.java
index 42c2e02..9630f3b 100755
--- a/services/src/main/java/org/keycloak/authentication/requiredactions/UpdateProfile.java
+++ b/services/src/main/java/org/keycloak/authentication/requiredactions/UpdateProfile.java
@@ -52,7 +52,7 @@ public class UpdateProfile implements RequiredActionProvider, RequiredActionFact
         RealmModel realm = context.getRealm();
 
 
-        List<FormMessage> errors = Validation.validateUpdateProfileForm(formData);
+        List<FormMessage> errors = Validation.validateUpdateProfileForm(realm, formData);
         if (errors != null && !errors.isEmpty()) {
             Response challenge = context.form()
                     .setErrors(errors)
@@ -62,6 +62,28 @@ public class UpdateProfile implements RequiredActionProvider, RequiredActionFact
             return;
         }
 
+        if (realm.isEditUsernameAllowed()) {
+            String username = formData.getFirst("username");
+            String oldUsername = user.getUsername();
+
+            boolean usernameChanged = oldUsername != null ? !oldUsername.equals(username) : username != null;
+
+            if (usernameChanged) {
+
+                if (session.users().getUserByUsername(username, realm) != null) {
+                    Response challenge = context.form()
+                            .setError(Messages.USERNAME_EXISTS)
+                            .setFormData(formData)
+                            .createResponse(UserModel.RequiredAction.UPDATE_PROFILE);
+                    context.challenge(challenge);
+                    return;
+                }
+
+                user.setUsername(username);
+            }
+
+        }
+
         user.setFirstName(formData.getFirst("firstName"));
         user.setLastName(formData.getFirst("lastName"));
 

diff --git a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/TokenEndpoint.java b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/TokenEndpoint.java
index 15c1f46..00970e2 100755
--- a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/TokenEndpoint.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/TokenEndpoint.java
@@ -262,11 +262,14 @@ public class TokenEndpoint {
 
         AccessTokenResponse res;
         try {
-            res = tokenManager.refreshAccessToken(session, uriInfo, clientConnection, realm, client, refreshToken, event, headers);
+            TokenManager.RefreshResult result = tokenManager.refreshAccessToken(session, uriInfo, clientConnection, realm, client, refreshToken, event, headers);
+            res = result.getResponse();
 
-            UserSessionModel userSession = session.sessions().getUserSession(realm, res.getSessionState());
-            updateClientSessions(userSession.getClientSessions());
-            updateUserSessionFromClientAuth(userSession);
+            if (!result.isOfflineToken()) {
+                UserSessionModel userSession = session.sessions().getUserSession(realm, res.getSessionState());
+                updateClientSessions(userSession.getClientSessions());
+                updateUserSessionFromClientAuth(userSession);
+            }
 
         } catch (OAuthErrorException e) {
             event.error(Errors.INVALID_TOKEN);
@@ -337,6 +340,8 @@ public class TokenEndpoint {
         clientSession.setAuthMethod(OIDCLoginProtocol.LOGIN_PROTOCOL);
         clientSession.setAction(ClientSessionModel.Action.AUTHENTICATE.name());
         clientSession.setNote(OIDCLoginProtocol.ISSUER, Urls.realmIssuer(uriInfo.getBaseUri(), realm.getName()));
+        clientSession.setNote(OIDCLoginProtocol.SCOPE_PARAM, scope);
+
         AuthenticationFlowModel flow = realm.getDirectGrantFlow();
         String flowId = flow.getId();
         AuthenticationProcessor processor = new AuthenticationProcessor();
@@ -363,7 +368,7 @@ public class TokenEndpoint {
         updateUserSessionFromClientAuth(userSession);
 
         AccessTokenResponse res = tokenManager.responseBuilder(realm, client, event, session, userSession, clientSession)
-                .generateAccessToken(session, scope, client, user, userSession, clientSession)
+                .generateAccessToken()
                 .generateRefreshToken()
                 .generateIDToken()
                 .build();
@@ -415,6 +420,7 @@ public class TokenEndpoint {
         ClientSessionModel clientSession = sessions.createClientSession(realm, client);
         clientSession.setAuthMethod(OIDCLoginProtocol.LOGIN_PROTOCOL);
         clientSession.setNote(OIDCLoginProtocol.ISSUER, Urls.realmIssuer(uriInfo.getBaseUri(), realm.getName()));
+        clientSession.setNote(OIDCLoginProtocol.SCOPE_PARAM, scope);
 
         UserSessionModel userSession = sessions.createUserSession(realm, clientUser, clientUsername, clientConnection.getRemoteAddr(), ServiceAccountConstants.CLIENT_AUTH, false, null, null);
         event.session(userSession);
@@ -429,7 +435,7 @@ public class TokenEndpoint {
         updateUserSessionFromClientAuth(userSession);
 
         AccessTokenResponse res = tokenManager.responseBuilder(realm, client, event, session, userSession, clientSession)
-                .generateAccessToken(session, scope, client, clientUser, userSession, clientSession)
+                .generateAccessToken()
                 .generateRefreshToken()
                 .generateIDToken()
                 .build();

diff --git a/services/src/main/java/org/keycloak/protocol/oidc/OIDCWellKnownProvider.java b/services/src/main/java/org/keycloak/protocol/oidc/OIDCWellKnownProvider.java
index afd2a8a..714c0d1 100755
--- a/services/src/main/java/org/keycloak/protocol/oidc/OIDCWellKnownProvider.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/OIDCWellKnownProvider.java
@@ -20,7 +20,7 @@ public class OIDCWellKnownProvider implements WellKnownProvider {
 
     public static final List<String> DEFAULT_ID_TOKEN_SIGNING_ALG_VALUES_SUPPORTED = list("RS256");
 
-    public static final List<String> DEFAULT_GRANT_TYPES_SUPPORTED = list(OAuth2Constants.AUTHORIZATION_CODE, OAuth2Constants.REFRESH_TOKEN, OAuth2Constants.PASSWORD);
+    public static final List<String> DEFAULT_GRANT_TYPES_SUPPORTED = list(OAuth2Constants.AUTHORIZATION_CODE, OAuth2Constants.REFRESH_TOKEN, OAuth2Constants.PASSWORD, OAuth2Constants.CLIENT_CREDENTIALS);
 
     public static final List<String> DEFAULT_RESPONSE_TYPES_SUPPORTED = list(OAuth2Constants.CODE);
 

diff --git a/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java b/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java
index 5ee8191..c43140a 100755
--- a/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java
@@ -2,9 +2,10 @@ package org.keycloak.protocol.oidc;
 
 import org.jboss.logging.Logger;
 import org.keycloak.ClientConnection;
+import org.keycloak.OAuth2Constants;
 import org.keycloak.OAuthErrorException;
-import org.keycloak.authentication.AuthenticationProcessor;
 import org.keycloak.events.Details;
+import org.keycloak.events.Errors;
 import org.keycloak.events.EventBuilder;
 import org.keycloak.jose.jws.JWSBuilder;
 import org.keycloak.jose.jws.JWSInput;
@@ -27,13 +28,20 @@ import org.keycloak.representations.AccessToken;
 import org.keycloak.representations.AccessTokenResponse;
 import org.keycloak.representations.IDToken;
 import org.keycloak.representations.RefreshToken;
+import org.keycloak.services.ErrorResponseException;
 import org.keycloak.services.managers.AuthenticationManager;
 import org.keycloak.services.managers.ClientSessionCode;
+import org.keycloak.services.offline.OfflineTokenUtils;
+import org.keycloak.util.RefreshTokenUtil;
 import org.keycloak.util.Time;
 
 import javax.ws.rs.core.HttpHeaders;
+import javax.ws.rs.core.Response;
 import javax.ws.rs.core.UriInfo;
 import java.io.IOException;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Collections;
 import java.util.HashSet;
 import java.util.Map;
 import java.util.Set;
@@ -85,16 +93,27 @@ public class TokenManager {
             throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "User disabled", "User disabled");
         }
 
-        UserSessionModel userSession = session.sessions().getUserSession(realm, oldToken.getSessionState());
-        if (!AuthenticationManager.isSessionValid(realm, userSession)) {
-            AuthenticationManager.backchannelLogout(session, realm, userSession, uriInfo, connection, headers, true);
-            throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Session not active", "Session not active");
-        }
+        UserSessionModel userSession = null;
         ClientSessionModel clientSession = null;
-        for (ClientSessionModel clientSessionModel : userSession.getClientSessions()) {
-            if (clientSessionModel.getId().equals(oldToken.getClientSession())) {
-                clientSession = clientSessionModel;
-                break;
+        if (RefreshTokenUtil.TOKEN_TYPE_OFFLINE.equals(oldToken.getType())) {
+
+            clientSession = OfflineTokenUtils.findOfflineClientSession(realm, user, oldToken.getClientSession(), oldToken.getSessionState());
+            if (clientSession != null) {
+                userSession = clientSession.getUserSession();
+            }
+        } else {
+            // Find userSession regularly for online tokens
+            userSession = session.sessions().getUserSession(realm, oldToken.getSessionState());
+            if (!AuthenticationManager.isSessionValid(realm, userSession)) {
+                AuthenticationManager.backchannelLogout(session, realm, userSession, uriInfo, connection, headers, true);
+                throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Session not active", "Session not active");
+            }
+
+            for (ClientSessionModel clientSessionModel : userSession.getClientSessions()) {
+                if (clientSessionModel.getId().equals(oldToken.getClientSession())) {
+                    clientSession = clientSessionModel;
+                    break;
+                }
             }
         }
 
@@ -117,7 +136,8 @@ public class TokenManager {
 
 
         // recreate token.
-        Set<RoleModel> requestedRoles = TokenManager.getAccess(null, clientSession.getClient(), user);
+        String scopeParam = clientSession.getNote(OAuth2Constants.SCOPE);
+        Set<RoleModel> requestedRoles = TokenManager.getAccess(scopeParam, true, clientSession.getClient(), user);
         AccessToken newToken = createClientAccessToken(session, requestedRoles, realm, client, user, userSession, clientSession);
         verifyAccess(oldToken, newToken);
 
@@ -126,10 +146,12 @@ public class TokenManager {
 
     }
 
-    public AccessTokenResponse refreshAccessToken(KeycloakSession session, UriInfo uriInfo, ClientConnection connection, RealmModel realm, ClientModel authorizedClient, String encodedRefreshToken, EventBuilder event, HttpHeaders headers) throws OAuthErrorException {
+    public RefreshResult refreshAccessToken(KeycloakSession session, UriInfo uriInfo, ClientConnection connection, RealmModel realm, ClientModel authorizedClient, String encodedRefreshToken, EventBuilder event, HttpHeaders headers) throws OAuthErrorException {
         RefreshToken refreshToken = verifyRefreshToken(realm, encodedRefreshToken);
 
-        event.user(refreshToken.getSubject()).session(refreshToken.getSessionState()).detail(Details.REFRESH_TOKEN_ID, refreshToken.getId());
+        event.user(refreshToken.getSubject()).session(refreshToken.getSessionState())
+                .detail(Details.REFRESH_TOKEN_ID, refreshToken.getId())
+                .detail(Details.REFRESH_TOKEN_TYPE, refreshToken.getType());
 
         TokenValidation validation = validateToken(session, uriInfo, connection, realm, refreshToken, headers);
         // validate authorizedClient is same as validated client
@@ -140,11 +162,17 @@ public class TokenManager {
         int currentTime = Time.currentTime();
         validation.userSession.setLastSessionRefresh(currentTime);
 
-        AccessTokenResponse res = responseBuilder(realm, authorizedClient, event, session, validation.userSession, validation.clientSession)
+        AccessTokenResponseBuilder responseBuilder = responseBuilder(realm, authorizedClient, event, session, validation.userSession, validation.clientSession)
                 .accessToken(validation.newToken)
-                .generateIDToken()
-                .generateRefreshToken().build();
-        return res;
+                .generateIDToken();
+
+        // Don't generate refresh token again if refresh was triggered with offline token
+        if (!refreshToken.getType().equals(RefreshTokenUtil.TOKEN_TYPE_OFFLINE)) {
+            responseBuilder.generateRefreshToken();
+        }
+
+        AccessTokenResponse res = responseBuilder.build();
+        return new RefreshResult(res, RefreshTokenUtil.TOKEN_TYPE_OFFLINE.equals(refreshToken.getType()));
     }
 
     public RefreshToken verifyRefreshToken(RealmModel realm, String encodedRefreshToken) throws OAuthErrorException {
@@ -158,7 +186,7 @@ public class TokenManager {
         } catch (Exception e) {
             throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Invalid refresh token", e);
         }
-        if (refreshToken.isExpired()) {
+        if (refreshToken.getExpiration() != 0 && refreshToken.isExpired()) {
             throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Refresh token expired");
         }
 
@@ -172,18 +200,18 @@ public class TokenManager {
         IDToken idToken = null;
         try {
             if (!RSAProvider.verify(jws, realm.getPublicKey())) {
-                throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Invalid refresh token");
+                throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Invalid IDToken");
             }
             idToken = jws.readJsonContent(IDToken.class);
         } catch (IOException e) {
-            throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Invalid refresh token", e);
+            throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Invalid IDToken", e);
         }
         if (idToken.isExpired()) {
-            throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Refresh token expired");
+            throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "IDToken expired");
         }
 
         if (idToken.getIssuedAt() < realm.getNotBefore()) {
-            throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Stale refresh token");
+            throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Stale IDToken");
         }
         return idToken;
     }
@@ -206,7 +234,8 @@ public class TokenManager {
         clientSession.setUserSession(session);
         Set<String> requestedRoles = new HashSet<String>();
         // todo scope param protocol independent
-        for (RoleModel r : TokenManager.getAccess(null, clientSession.getClient(), user)) {
+        String scopeParam = clientSession.getNote(OAuth2Constants.SCOPE);
+        for (RoleModel r : TokenManager.getAccess(scopeParam, true, clientSession.getClient(), user)) {
             requestedRoles.add(r.getId());
         }
         clientSession.setRoles(requestedRoles);
@@ -242,28 +271,62 @@ public class TokenManager {
         }
     }
 
-    public static Set<RoleModel> getAccess(String scopeParam, ClientModel client, UserModel user) {
-        // todo scopeParam is ignored until we figure out a scheme that fits with openid connect
+    public static Set<RoleModel> getAccess(String scopeParam, boolean applyScopeParam, ClientModel client, UserModel user) {
         Set<RoleModel> requestedRoles = new HashSet<RoleModel>();
 
         Set<RoleModel> roleMappings = user.getRoleMappings();
-        if (client.isFullScopeAllowed()) return roleMappings;
 
-        Set<RoleModel> scopeMappings = client.getScopeMappings();
-        if (client instanceof ClientModel) {
-            scopeMappings.addAll(((ClientModel) client).getRoles());
+        if (client.isFullScopeAllowed()) {
+            requestedRoles = roleMappings;
+        } else {
+
+            Set<RoleModel> scopeMappings = client.getScopeMappings();
+            scopeMappings.addAll(client.getRoles());
+
+            for (RoleModel role : roleMappings) {
+                for (RoleModel desiredRole : scopeMappings) {
+                    Set<RoleModel> visited = new HashSet<RoleModel>();
+                    applyScope(role, desiredRole, visited, requestedRoles);
+                }
+            }
         }
 
-        for (RoleModel role : roleMappings) {
-            for (RoleModel desiredRole : scopeMappings) {
-                Set<RoleModel> visited = new HashSet<RoleModel>();
-                applyScope(role, desiredRole, visited, requestedRoles);
+        if (applyScopeParam) {
+            Collection<String> scopeParamRoles;
+            if (scopeParam != null) {
+                String[] scopes = scopeParam.split(" ");
+                scopeParamRoles = Arrays.asList(scopes);
+            } else {
+                scopeParamRoles = Collections.emptyList();
+            }
+
+            Set<RoleModel> roles = new HashSet<>();
+            for (RoleModel role : requestedRoles) {
+                String roleName = getRoleNameForScopeParam(role);
+                if (!role.isScopeParamRequired() || scopeParamRoles.contains(roleName)) {
+                    roles.add(role);
+                } else {
+                    if (logger.isTraceEnabled()) {
+                        logger.tracef("Role '%s' excluded by scope param. Client is '%s', User is '%s', Scope param is '%s' ", role.getName(), client.getClientId(), user.getUsername(), scopeParam);
+                    }
+                }
             }
+            requestedRoles = roles;
         }
 
         return requestedRoles;
     }
 
+    // For now, just use "roleName" for realm roles and "clientId/roleName" for client roles
+    private static String getRoleNameForScopeParam(RoleModel role) {
+        if (role.getContainer() instanceof RealmModel) {
+            return role.getName();
+        } else {
+            ClientModel client = (ClientModel) role.getContainer();
+            return client.getClientId() + "/" + role.getName();
+        }
+    }
+
     public void verifyAccess(AccessToken token, AccessToken newToken) throws OAuthErrorException {
         if (token.getRealmAccess() != null) {
             if (newToken.getRealmAccess() == null) throw new OAuthErrorException(OAuthErrorException.INVALID_SCOPE, "User no long has permission for realm roles");
@@ -409,8 +472,10 @@ public class TokenManager {
             return this;
         }
 
-        public AccessTokenResponseBuilder generateAccessToken(KeycloakSession session, String scopeParam, ClientModel client, UserModel user, UserSessionModel userSession, ClientSessionModel clientSession) {
-            Set<RoleModel> requestedRoles = getAccess(scopeParam, client, user);
+        public AccessTokenResponseBuilder generateAccessToken() {
+            UserModel user = userSession.getUser();
+            String scopeParam = clientSession.getNote(OIDCLoginProtocol.SCOPE_PARAM);
+            Set<RoleModel> requestedRoles = getAccess(scopeParam, true, client, user);
             accessToken = createClientAccessToken(session, requestedRoles, realm, client, user, userSession, clientSession);
             return this;
         }
@@ -419,10 +484,24 @@ public class TokenManager {
             if (accessToken == null) {
                 throw new IllegalStateException("accessToken not set");
             }
-            refreshToken = new RefreshToken(accessToken);
+
+            String scopeParam = clientSession.getNote(OIDCLoginProtocol.SCOPE_PARAM);
+            boolean offlineTokenRequested = RefreshTokenUtil.isOfflineTokenRequested(scopeParam);
+            if (offlineTokenRequested) {
+                if (!OfflineTokenUtils.isOfflineTokenAllowed(realm, clientSession)) {
+                    event.error(Errors.NOT_ALLOWED);
+                    throw new ErrorResponseException("not_allowed", "Offline tokens not allowed for the user or client", Response.Status.BAD_REQUEST);
+                }
+
+                refreshToken = new RefreshToken(accessToken);
+                refreshToken.type(RefreshTokenUtil.TOKEN_TYPE_OFFLINE);
+                OfflineTokenUtils.persistOfflineSession(clientSession, userSession);
+            } else {
+                refreshToken = new RefreshToken(accessToken);
+                refreshToken.expiration(Time.currentTime() + realm.getSsoSessionIdleTimeout());
+            }
             refreshToken.id(KeycloakModelUtils.generateId());
             refreshToken.issuedNow();
-            refreshToken.expiration(Time.currentTime() + realm.getSsoSessionIdleTimeout());
             return this;
         }
 
@@ -459,6 +538,7 @@ public class TokenManager {
                 } else {
                     event.detail(Details.REFRESH_TOKEN_ID, refreshToken.getId());
                 }
+                event.detail(Details.REFRESH_TOKEN_TYPE, refreshToken.getType());
             }
 
             AccessTokenResponse res = new AccessTokenResponse();
@@ -489,4 +569,23 @@ public class TokenManager {
         }
     }
 
+    public class RefreshResult {
+
+        private final AccessTokenResponse response;
+        private final boolean offlineToken;
+
+        private RefreshResult(AccessTokenResponse response, boolean offlineToken) {
+            this.response = response;
+            this.offlineToken = offlineToken;
+        }
+
+        public AccessTokenResponse getResponse() {
+            return response;
+        }
+
+        public boolean isOfflineToken() {
+            return offlineToken;
+        }
+    }
+
 }

diff --git a/services/src/main/java/org/keycloak/services/managers/RealmManager.java b/services/src/main/java/org/keycloak/services/managers/RealmManager.java
index fb0578e..958cd3e 100755
--- a/services/src/main/java/org/keycloak/services/managers/RealmManager.java
+++ b/services/src/main/java/org/keycloak/services/managers/RealmManager.java
@@ -27,6 +27,7 @@ import org.keycloak.representations.idm.ClientRepresentation;
 import org.keycloak.representations.idm.OAuthClientRepresentation;
 import org.keycloak.representations.idm.RealmEventsConfigRepresentation;
 import org.keycloak.representations.idm.RealmRepresentation;
+import org.keycloak.representations.idm.RoleRepresentation;
 import org.keycloak.timer.TimerProvider;
 
 import java.util.Collections;
@@ -95,6 +96,7 @@ public class RealmManager implements RealmImporter {
         setupImpersonationService(realm);
         setupAuthenticationFlows(realm);
         setupRequiredActions(realm);
+        setupOfflineTokens(realm);
 
         return realm;
     }
@@ -107,6 +109,10 @@ public class RealmManager implements RealmImporter {
         if (realm.getRequiredActionProviders().size() == 0) DefaultRequiredActions.addActions(realm);
     }
 
+    protected void setupOfflineTokens(RealmModel realm) {
+        KeycloakModelUtils.setupOfflineTokens(realm);
+    }
+
     protected void setupAdminConsole(RealmModel realm) {
         ClientModel adminConsole = realm.getClientByClientId(Constants.ADMIN_CONSOLE_CLIENT_ID);
         if (adminConsole == null) adminConsole = new ClientManager(this).createClient(realm, Constants.ADMIN_CONSOLE_CLIENT_ID);
@@ -216,12 +222,14 @@ public class RealmManager implements RealmImporter {
 
             RoleModel createRealmRole = realm.addRole(AdminRoles.CREATE_REALM);
             adminRole.addCompositeRole(createRealmRole);
-            createRealmRole.setDescription("${role_"+AdminRoles.CREATE_REALM+"}");
+            createRealmRole.setDescription("${role_" + AdminRoles.CREATE_REALM + "}");
+            createRealmRole.setScopeParamRequired(false);
         } else {
             adminRealm = model.getRealmByName(Config.getAdminRealm());
             adminRole = adminRealm.getRole(AdminRoles.ADMIN);
         }
         adminRole.setDescription("${role_"+AdminRoles.ADMIN+"}");
+        adminRole.setScopeParamRequired(false);
 
         ClientModel realmAdminApp = KeycloakModelUtils.createClient(adminRealm, KeycloakModelUtils.getMasterRealmAdminApplicationClientId(realm.getName()));
         // No localized name for now
@@ -232,6 +240,7 @@ public class RealmManager implements RealmImporter {
         for (String r : AdminRoles.ALL_REALM_ROLES) {
             RoleModel role = realmAdminApp.addRole(r);
             role.setDescription("${role_"+r+"}");
+            role.setScopeParamRequired(false);
             adminRole.addCompositeRole(role);
         }
     }
@@ -249,12 +258,14 @@ public class RealmManager implements RealmImporter {
         }
         RoleModel adminRole = realmAdminClient.addRole(AdminRoles.REALM_ADMIN);
         adminRole.setDescription("${role_" + AdminRoles.REALM_ADMIN + "}");
+        adminRole.setScopeParamRequired(false);
         realmAdminClient.setBearerOnly(true);
         realmAdminClient.setFullScopeAllowed(false);
 
         for (String r : AdminRoles.ALL_REALM_ROLES) {
             RoleModel role = realmAdminClient.addRole(r);
             role.setDescription("${role_"+r+"}");
+            role.setScopeParamRequired(false);
             adminRole.addCompositeRole(role);
         }
     }
@@ -274,7 +285,9 @@ public class RealmManager implements RealmImporter {
 
             for (String role : AccountRoles.ALL) {
                 client.addDefaultRole(role);
-                client.getRole(role).setDescription("${role_"+role+"}");
+                RoleModel roleModel = client.getRole(role);
+                roleModel.setDescription("${role_" + role + "}");
+                roleModel.setScopeParamRequired(false);
             }
         }
     }
@@ -292,7 +305,9 @@ public class RealmManager implements RealmImporter {
             client.setFullScopeAllowed(false);
 
             for (String role : Constants.BROKER_SERVICE_ROLES) {
-                client.addRole(role).setDescription("${role_"+ role.toLowerCase().replaceAll("_", "-") +"}");
+                RoleModel roleModel = client.addRole(role);
+                roleModel.setDescription("${role_"+ role.toLowerCase().replaceAll("_", "-") +"}");
+                roleModel.setScopeParamRequired(false);
             }
         }
     }
@@ -329,6 +344,7 @@ public class RealmManager implements RealmImporter {
 
         if (!hasBrokerClient(rep)) setupBrokerService(realm);
         if (!hasAdminConsoleClient(rep)) setupAdminConsole(realm);
+        if (!hasRealmRole(rep, Constants.OFFLINE_ACCESS_ROLE)) setupOfflineTokens(realm);
 
         RepresentationToModel.importRealm(session, rep, realm);
 
@@ -409,6 +425,20 @@ public class RealmManager implements RealmImporter {
         return false;
     }
 
+    private boolean hasRealmRole(RealmRepresentation rep, String roleName) {
+        if (rep.getRoles() == null || rep.getRoles().getRealm() == null) {
+            return false;
+        }
+
+        for (RoleRepresentation role : rep.getRoles().getRealm()) {
+            if (roleName.equals(role.getName())) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
     /**
      * Query users based on a search string:
      * <p/>

diff --git a/services/src/main/java/org/keycloak/services/offline/OfflineClientSessionAdapter.java b/services/src/main/java/org/keycloak/services/offline/OfflineClientSessionAdapter.java
new file mode 100644
index 0000000..50abfd4
--- /dev/null
+++ b/services/src/main/java/org/keycloak/services/offline/OfflineClientSessionAdapter.java
@@ -0,0 +1,289 @@
+package org.keycloak.services.offline;
+
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Set;
+
+import org.codehaus.jackson.annotate.JsonProperty;
+import org.keycloak.models.ClientModel;
+import org.keycloak.models.ClientSessionModel;
+import org.keycloak.models.ModelException;
+import org.keycloak.models.OfflineClientSessionModel;
+import org.keycloak.models.OfflineUserSessionModel;
+import org.keycloak.models.RealmModel;
+import org.keycloak.models.UserModel;
+import org.keycloak.models.UserSessionModel;
+import org.keycloak.util.JsonSerialization;
+
+/**
+ * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
+ */
+public class OfflineClientSessionAdapter implements ClientSessionModel {
+
+    private final OfflineClientSessionModel model;
+    private final RealmModel realm;
+    private final ClientModel client;
+    private final OfflineUserSessionAdapter userSession;
+
+    private OfflineClientSessionData data;
+
+    public OfflineClientSessionAdapter(OfflineClientSessionModel model, RealmModel realm, ClientModel client, OfflineUserSessionAdapter userSession) {
+        this.model = model;
+        this.realm = realm;
+        this.client = client;
+        this.userSession = userSession;
+    }
+
+    // lazily init representation
+    private OfflineClientSessionData getData() {
+        if (data == null) {
+            try {
+                data = JsonSerialization.readValue(model.getData(), OfflineClientSessionData.class);
+            } catch (IOException ioe) {
+                throw new ModelException(ioe);
+            }
+        }
+
+        return data;
+    }
+
+    @Override
+    public String getId() {
+        return model.getClientSessionId();
+    }
+
+    @Override
+    public RealmModel getRealm() {
+        return realm;
+    }
+
+    @Override
+    public ClientModel getClient() {
+        return client;
+    }
+
+    @Override
+    public UserSessionModel getUserSession() {
+        return userSession;
+    }
+
+    @Override
+    public void setUserSession(UserSessionModel userSession) {
+        throw new IllegalStateException("Not supported setUserSession");
+    }
+
+    @Override
+    public String getRedirectUri() {
+        return data.getRedirectUri();
+    }
+
+    @Override
+    public void setRedirectUri(String uri) {
+        throw new IllegalStateException("Not supported setRedirectUri");
+    }
+
+    @Override
+    public int getTimestamp() {
+        return 0;
+    }
+
+    @Override
+    public void setTimestamp(int timestamp) {
+        throw new IllegalStateException("Not supported setTimestamp");
+    }
+
+    @Override
+    public String getAction() {
+        return null;
+    }
+
+    @Override
+    public void setAction(String action) {
+        throw new IllegalStateException("Not supported setAction");
+    }
+
+    @Override
+    public Set<String> getRoles() {
+        return getData().getRoles();
+    }
+
+    @Override
+    public void setRoles(Set<String> roles) {
+        throw new IllegalStateException("Not supported setRoles");
+    }
+
+    @Override
+    public Set<String> getProtocolMappers() {
+        return getData().getProtocolMappers();
+    }
+
+    @Override
+    public void setProtocolMappers(Set<String> protocolMappers) {
+        throw new IllegalStateException("Not supported setProtocolMappers");
+    }
+
+    @Override
+    public Map<String, ExecutionStatus> getExecutionStatus() {
+        return getData().getAuthenticatorStatus();
+    }
+
+    @Override
+    public void setExecutionStatus(String authenticator, ExecutionStatus status) {
+        throw new IllegalStateException("Not supported setExecutionStatus");
+    }
+
+    @Override
+    public void clearExecutionStatus() {
+        throw new IllegalStateException("Not supported clearExecutionStatus");
+    }
+
+    @Override
+    public UserModel getAuthenticatedUser() {
+        return userSession.getUser();
+    }
+
+    @Override
+    public void setAuthenticatedUser(UserModel user) {
+        throw new IllegalStateException("Not supported setAuthenticatedUser");
+    }
+
+    @Override
+    public String getAuthMethod() {
+        return getData().getAuthMethod();
+    }
+
+    @Override
+    public void setAuthMethod(String method) {
+        throw new IllegalStateException("Not supported setAuthMethod");
+    }
+
+    @Override
+    public String getNote(String name) {
+        return getData().getNotes()==null ? null : getData().getNotes().get(name);
+    }
+
+    @Override
+    public void setNote(String name, String value) {
+        throw new IllegalStateException("Not supported setNote");
+    }
+
+    @Override
+    public void removeNote(String name) {
+        throw new IllegalStateException("Not supported removeNote");
+    }
+
+    @Override
+    public Map<String, String> getNotes() {
+        return getData().getNotes();
+    }
+
+    @Override
+    public Set<String> getRequiredActions() {
+        throw new IllegalStateException("Not supported getRequiredActions");
+    }
+
+    @Override
+    public void addRequiredAction(String action) {
+        throw new IllegalStateException("Not supported addRequiredAction");
+    }
+
+    @Override
+    public void removeRequiredAction(String action) {
+        throw new IllegalStateException("Not supported removeRequiredAction");
+    }
+
+    @Override
+    public void addRequiredAction(UserModel.RequiredAction action) {
+        throw new IllegalStateException("Not supported addRequiredAction");
+    }
+
+    @Override
+    public void removeRequiredAction(UserModel.RequiredAction action) {
+        throw new IllegalStateException("Not supported removeRequiredAction");
+    }
+
+    @Override
+    public void setUserSessionNote(String name, String value) {
+        throw new IllegalStateException("Not supported setUserSessionNote");
+    }
+
+    @Override
+    public Map<String, String> getUserSessionNotes() {
+        throw new IllegalStateException("Not supported getUserSessionNotes");
+    }
+
+    @Override
+    public void clearUserSessionNotes() {
+        throw new IllegalStateException("Not supported clearUserSessionNotes");
+    }
+
+    protected static class OfflineClientSessionData {
+
+        @JsonProperty("authMethod")
+        private String authMethod;
+
+        @JsonProperty("redirectUri")
+        private String redirectUri;
+
+        @JsonProperty("protocolMappers")
+        private Set<String> protocolMappers;
+
+        @JsonProperty("roles")
+        private Set<String> roles;
+
+        @JsonProperty("notes")
+        private Map<String, String> notes;
+
+        @JsonProperty("authenticatorStatus")
+        private Map<String, ClientSessionModel.ExecutionStatus> authenticatorStatus = new HashMap<>();
+
+        public String getAuthMethod() {
+            return authMethod;
+        }
+
+        public void setAuthMethod(String authMethod) {
+            this.authMethod = authMethod;
+        }
+
+        public String getRedirectUri() {
+            return redirectUri;
+        }
+
+        public void setRedirectUri(String redirectUri) {
+            this.redirectUri = redirectUri;
+        }
+
+        public Set<String> getProtocolMappers() {
+            return protocolMappers;
+        }
+
+        public void setProtocolMappers(Set<String> protocolMappers) {
+            this.protocolMappers = protocolMappers;
+        }
+
+        public Set<String> getRoles() {
+            return roles;
+        }
+
+        public void setRoles(Set<String> roles) {
+            this.roles = roles;
+        }
+
+        public Map<String, String> getNotes() {
+            return notes;
+        }
+
+        public void setNotes(Map<String, String> notes) {
+            this.notes = notes;
+        }
+
+        public Map<String, ClientSessionModel.ExecutionStatus> getAuthenticatorStatus() {
+            return authenticatorStatus;
+        }
+
+        public void setAuthenticatorStatus(Map<String, ClientSessionModel.ExecutionStatus> authenticatorStatus) {
+            this.authenticatorStatus = authenticatorStatus;
+        }
+    }
+}

diff --git a/services/src/main/java/org/keycloak/services/offline/OfflineTokenUtils.java b/services/src/main/java/org/keycloak/services/offline/OfflineTokenUtils.java
new file mode 100644
index 0000000..b4900c1
--- /dev/null
+++ b/services/src/main/java/org/keycloak/services/offline/OfflineTokenUtils.java
@@ -0,0 +1,191 @@
+package org.keycloak.services.offline;
+
+import java.io.IOException;
+import java.util.Collection;
+import java.util.HashSet;
+import java.util.Set;
+
+import org.jboss.logging.Logger;
+import org.keycloak.models.ClientModel;
+import org.keycloak.models.ClientSessionModel;
+import org.keycloak.models.Constants;
+import org.keycloak.models.ModelException;
+import org.keycloak.models.OfflineClientSessionModel;
+import org.keycloak.models.OfflineUserSessionModel;
+import org.keycloak.models.RealmModel;
+import org.keycloak.models.RoleModel;
+import org.keycloak.models.UserModel;
+import org.keycloak.models.UserSessionModel;
+import org.keycloak.util.JsonSerialization;
+
+/**
+ * TODO: Change to utils?
+ *
+ * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
+ */
+public class OfflineTokenUtils {
+
+    protected static Logger logger = Logger.getLogger(OfflineTokenUtils.class);
+
+    public static void persistOfflineSession(ClientSessionModel clientSession, UserSessionModel userSession) {
+        UserModel user = userSession.getUser();
+        ClientModel client = clientSession.getClient();
+
+        // First verify if we already have offlineToken for this user+client . If yes, then invalidate it (This is to avoid leaks)
+        Collection<OfflineClientSessionModel> clientSessions = user.getOfflineClientSessions();
+        for (OfflineClientSessionModel existing : clientSessions) {
+            if (existing.getClientId().equals(client.getId())) {
+                if (logger.isTraceEnabled()) {
+                    logger.tracef("Removing existing offline token for user '%s' and client '%s' . ClientSessionID was '%s' . Offline token will be replaced with new one",
+                            user.getUsername(), client.getClientId(), existing.getClientSessionId());
+                }
+
+                user.removeOfflineClientSession(existing.getClientSessionId());
+
+                // Check if userSession is ours. If not, then check if it has other clientSessions and remove it otherwise
+                if (!existing.getUserSessionId().equals(userSession.getId())) {
+                    checkUserSessionHasClientSessions(user, existing.getUserSessionId());
+                }
+            }
+        }
+
+        // Verify if we already have UserSession with this ID. If yes, don't create another one
+        OfflineUserSessionModel userSessionRep = user.getOfflineUserSession(userSession.getId());
+        if (userSessionRep == null) {
+            createOfflineUserSession(user, userSession);
+        }
+
+        // Create clientRep and save to DB.
+        createOfflineClientSession(user, clientSession, userSession);
+    }
+
+    // userSessionId is provided from offline token. It's used just to verify if it match the ID from clientSession representation
+    public static ClientSessionModel findOfflineClientSession(RealmModel realm, UserModel user, String clientSessionId, String userSessionId) {
+        OfflineClientSessionModel clientSession = user.getOfflineClientSession(clientSessionId);
+        if (clientSession == null) {
+            return null;
+        }
+
+        if (!userSessionId.equals(clientSession.getUserSessionId())) {
+            throw new ModelException("User session don't match. Offline client session " + clientSession.getClientSessionId() + ", It's user session " + clientSession.getUserSessionId() +
+                    "  Wanted user session: " + userSessionId);
+        }
+
+        OfflineUserSessionModel userSession = user.getOfflineUserSession(userSessionId);
+        if (userSession == null) {
+            throw new ModelException("Found clientSession " + clientSessionId + " but not userSession " + userSessionId);
+        }
+
+        OfflineUserSessionAdapter userSessionAdapter = new OfflineUserSessionAdapter(userSession, user);
+
+        ClientModel client = realm.getClientById(clientSession.getClientId());
+        OfflineClientSessionAdapter clientSessionAdapter = new OfflineClientSessionAdapter(clientSession, realm, client, userSessionAdapter);
+
+        return clientSessionAdapter;
+    }
+
+    public static Set<ClientModel> findClientsWithOfflineToken(RealmModel realm, UserModel user) {
+        Collection<OfflineClientSessionModel> clientSessions = user.getOfflineClientSessions();
+        Set<ClientModel> clients = new HashSet<>();
+        for (OfflineClientSessionModel clientSession : clientSessions) {
+            ClientModel client = realm.getClientById(clientSession.getClientId());
+            clients.add(client);
+        }
+        return clients;
+    }
+
+    public static boolean revokeOfflineToken(UserModel user, ClientModel client) {
+        Collection<OfflineClientSessionModel> clientSessions = user.getOfflineClientSessions();
+        boolean anyRemoved = false;
+        for (OfflineClientSessionModel clientSession : clientSessions) {
+            if (clientSession.getClientId().equals(client.getId())) {
+                if (logger.isTraceEnabled()) {
+                    logger.tracef("Removing existing offline token for user '%s' and client '%s' . ClientSessionID was '%s' .",
+                            user.getUsername(), client.getClientId(), clientSession.getClientSessionId());
+                }
+
+                user.removeOfflineClientSession(clientSession.getClientSessionId());
+                checkUserSessionHasClientSessions(user, clientSession.getUserSessionId());
+                anyRemoved = true;
+            }
+        }
+
+        return anyRemoved;
+    }
+
+    public static boolean isOfflineTokenAllowed(RealmModel realm, ClientSessionModel clientSession) {
+        RoleModel offlineAccessRole = realm.getRole(Constants.OFFLINE_ACCESS_ROLE);
+        if (offlineAccessRole == null) {
+            logger.warnf("Role '%s' not available in realm", Constants.OFFLINE_ACCESS_ROLE);
+            return false;
+        }
+
+        return clientSession.getRoles().contains(offlineAccessRole.getId());
+    }
+
+    private static void createOfflineUserSession(UserModel user, UserSessionModel userSession) {
+        if (logger.isTraceEnabled()) {
+            logger.tracef("Creating new offline user session. UserSessionID: '%s' , Username: '%s'", userSession.getId(), user.getUsername());
+        }
+        OfflineUserSessionAdapter.OfflineUserSessionData rep = new OfflineUserSessionAdapter.OfflineUserSessionData();
+        rep.setBrokerUserId(userSession.getBrokerUserId());
+        rep.setBrokerSessionId(userSession.getBrokerSessionId());
+        rep.setIpAddress(userSession.getIpAddress());
+        rep.setAuthMethod(userSession.getAuthMethod());
+        rep.setRememberMe(userSession.isRememberMe());
+        rep.setStarted(userSession.getStarted());
+        rep.setNotes(userSession.getNotes());
+
+        try {
+            String stringRep = JsonSerialization.writeValueAsString(rep);
+            OfflineUserSessionModel sessionModel = new OfflineUserSessionModel();
+            sessionModel.setUserSessionId(userSession.getId());
+            sessionModel.setData(stringRep);
+            user.addOfflineUserSession(sessionModel);
+        } catch (IOException ioe) {
+            throw new ModelException(ioe);
+        }
+    }
+
+    private static void createOfflineClientSession(UserModel user, ClientSessionModel clientSession, UserSessionModel userSession) {
+        if (logger.isTraceEnabled()) {
+            logger.tracef("Creating new offline token client session. ClientSessionId: '%s', UserSessionID: '%s' , Username: '%s', Client: '%s'" ,
+                    clientSession.getId(), userSession.getId(), user.getUsername(), clientSession.getClient().getClientId());
+        }
+        OfflineClientSessionAdapter.OfflineClientSessionData rep = new OfflineClientSessionAdapter.OfflineClientSessionData();
+        rep.setAuthMethod(clientSession.getAuthMethod());
+        rep.setRedirectUri(clientSession.getRedirectUri());
+        rep.setProtocolMappers(clientSession.getProtocolMappers());
+        rep.setRoles(clientSession.getRoles());
+        rep.setNotes(clientSession.getNotes());
+        rep.setAuthenticatorStatus(clientSession.getExecutionStatus());
+
+        try {
+            String stringRep = JsonSerialization.writeValueAsString(rep);
+            OfflineClientSessionModel clsModel = new OfflineClientSessionModel();
+            clsModel.setClientSessionId(clientSession.getId());
+            clsModel.setClientId(clientSession.getClient().getId());
+            clsModel.setUserSessionId(userSession.getId());
+            clsModel.setData(stringRep);
+            user.addOfflineClientSession(clsModel);
+        } catch (IOException ioe) {
+            throw new ModelException(ioe);
+        }
+    }
+
+    // Check if userSession has any offline clientSessions attached to it. Remove userSession if not
+    private static void checkUserSessionHasClientSessions(UserModel user, String userSessionId) {
+        Collection<OfflineClientSessionModel> clientSessions = user.getOfflineClientSessions();
+
+        for (OfflineClientSessionModel clientSession : clientSessions) {
+            if (clientSession.getUserSessionId().equals(userSessionId)) {
+                return;
+            }
+        }
+
+        if (logger.isTraceEnabled()) {
+            logger.tracef("Removing offline userSession for user %s as it doesn't have any client sessions attached. UserSessionID: %s", user.getUsername(), userSessionId);
+        }
+        user.removeOfflineUserSession(userSessionId);
+    }
+}

diff --git a/services/src/main/java/org/keycloak/services/offline/OfflineUserSessionAdapter.java b/services/src/main/java/org/keycloak/services/offline/OfflineUserSessionAdapter.java
new file mode 100644
index 0000000..bd01d38
--- /dev/null
+++ b/services/src/main/java/org/keycloak/services/offline/OfflineUserSessionAdapter.java
@@ -0,0 +1,215 @@
+package org.keycloak.services.offline;
+
+import java.io.IOException;
+import java.util.List;
+import java.util.Map;
+
+import org.codehaus.jackson.annotate.JsonProperty;
+import org.keycloak.models.ClientSessionModel;
+import org.keycloak.models.ModelException;
+import org.keycloak.models.OfflineUserSessionModel;
+import org.keycloak.models.UserModel;
+import org.keycloak.models.UserSessionModel;
+import org.keycloak.util.JsonSerialization;
+
+/**
+ * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
+ */
+public class OfflineUserSessionAdapter implements UserSessionModel {
+
+    private final OfflineUserSessionModel model;
+    private final UserModel user;
+
+    private OfflineUserSessionData data;
+
+    public OfflineUserSessionAdapter(OfflineUserSessionModel model, UserModel user) {
+        this.model = model;
+        this.user = user;
+    }
+
+    // lazily init representation
+    private OfflineUserSessionData getData() {
+        if (data == null) {
+            try {
+                data = JsonSerialization.readValue(model.getData(), OfflineUserSessionData.class);
+            } catch (IOException ioe) {
+                throw new ModelException(ioe);
+            }
+        }
+
+        return data;
+    }
+
+    @Override
+    public String getId() {
+        return model.getUserSessionId();
+    }
+
+    @Override
+    public String getBrokerSessionId() {
+        return getData().getBrokerSessionId();
+    }
+
+    @Override
+    public String getBrokerUserId() {
+        return getData().getBrokerUserId();
+    }
+
+    @Override
+    public UserModel getUser() {
+        return user;
+    }
+
+    @Override
+    public String getLoginUsername() {
+        return user.getUsername();
+    }
+
+    @Override
+    public String getIpAddress() {
+        return getData().getIpAddress();
+    }
+
+    @Override
+    public String getAuthMethod() {
+        return getData().getAuthMethod();
+    }
+
+    @Override
+    public boolean isRememberMe() {
+        return getData().isRememberMe();
+    }
+
+    @Override
+    public int getStarted() {
+        return getData().getStarted();
+    }
+
+    @Override
+    public int getLastSessionRefresh() {
+        return 0;
+    }
+
+    @Override
+    public void setLastSessionRefresh(int seconds) {
+        // Ignore
+    }
+
+    @Override
+    public List<ClientSessionModel> getClientSessions() {
+        throw new IllegalStateException("Not yet supported");
+    }
+
+    @Override
+    public String getNote(String name) {
+        return getData().getNotes()==null ? null : getData().getNotes().get(name);
+    }
+
+    @Override
+    public void setNote(String name, String value) {
+        throw new IllegalStateException("Illegal to set note offline session");
+
+    }
+
+    @Override
+    public void removeNote(String name) {
+        throw new IllegalStateException("Illegal to remove note from offline session");
+    }
+
+    @Override
+    public Map<String, String> getNotes() {
+        return getData().getNotes();
+    }
+
+    @Override
+    public State getState() {
+        return null;
+    }
+
+    @Override
+    public void setState(State state) {
+        throw new IllegalStateException("Illegal to set state on offline session");
+    }
+
+
+    protected static class OfflineUserSessionData {
+
+        @JsonProperty("brokerSessionId")
+        private String brokerSessionId;
+
+        @JsonProperty("brokerUserId")
+        private String brokerUserId;
+
+        @JsonProperty("ipAddress")
+        private String ipAddress;
+
+        @JsonProperty("authMethod")
+        private String authMethod;
+
+        @JsonProperty("rememberMe")
+        private boolean rememberMe;
+
+        @JsonProperty("started")
+        private int started;
+
+        @JsonProperty("notes")
+        private Map<String, String> notes;
+
+        public String getBrokerSessionId() {
+            return brokerSessionId;
+        }
+
+        public void setBrokerSessionId(String brokerSessionId) {
+            this.brokerSessionId = brokerSessionId;
+        }
+
+        public String getBrokerUserId() {
+            return brokerUserId;
+        }
+
+        public void setBrokerUserId(String brokerUserId) {
+            this.brokerUserId = brokerUserId;
+        }
+
+        public String getIpAddress() {
+            return ipAddress;
+        }
+
+        public void setIpAddress(String ipAddress) {
+            this.ipAddress = ipAddress;
+        }
+
+        public String getAuthMethod() {
+            return authMethod;
+        }
+
+        public void setAuthMethod(String authMethod) {
+            this.authMethod = authMethod;
+        }
+
+        public boolean isRememberMe() {
+            return rememberMe;
+        }
+
+        public void setRememberMe(boolean rememberMe) {
+            this.rememberMe = rememberMe;
+        }
+
+        public int getStarted() {
+            return started;
+        }
+
+        public void setStarted(int started) {
+            this.started = started;
+        }
+
+        public Map<String, String> getNotes() {
+            return notes;
+        }
+
+        public void setNotes(Map<String, String> notes) {
+            this.notes = notes;
+        }
+
+    }
+}

diff --git a/services/src/main/java/org/keycloak/services/resources/AccountService.java b/services/src/main/java/org/keycloak/services/resources/AccountService.java
index 1756f12..3b6edea 100755
--- a/services/src/main/java/org/keycloak/services/resources/AccountService.java
+++ b/services/src/main/java/org/keycloak/services/resources/AccountService.java
@@ -46,7 +46,6 @@ import org.keycloak.models.UserSessionModel;
 import org.keycloak.models.utils.CredentialValidation;
 import org.keycloak.models.utils.FormMessage;
 import org.keycloak.models.utils.ModelToRepresentation;
-import org.keycloak.models.utils.TimeBasedOTP;
 import org.keycloak.protocol.oidc.OIDCLoginProtocol;
 import org.keycloak.protocol.oidc.utils.RedirectUtils;
 import org.keycloak.representations.idm.CredentialRepresentation;
@@ -58,6 +57,7 @@ import org.keycloak.services.managers.Auth;
 import org.keycloak.services.managers.AuthenticationManager;
 import org.keycloak.services.managers.ClientSessionCode;
 import org.keycloak.services.messages.Messages;
+import org.keycloak.services.offline.OfflineTokenUtils;
 import org.keycloak.services.util.ResolveRelative;
 import org.keycloak.services.validation.Validation;
 import org.keycloak.util.UriUtils;
@@ -486,6 +486,7 @@ public class AccountService extends AbstractSecuredLocalService {
         // Revoke grant in UserModel
         UserModel user = auth.getUser();
         user.revokeConsentForClient(client.getId());
+        OfflineTokenUtils.revokeOfflineToken(user, client);
 
         // Logout clientSessions for this user and client
         AuthenticationManager.backchannelUserFromClient(session, realm, user, client, uriInfo, headers);

diff --git a/services/src/main/java/org/keycloak/services/resources/admin/RealmAdminResource.java b/services/src/main/java/org/keycloak/services/resources/admin/RealmAdminResource.java
index bab74d6..fda0ee3 100755
--- a/services/src/main/java/org/keycloak/services/resources/admin/RealmAdminResource.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/RealmAdminResource.java
@@ -111,7 +111,7 @@ public class RealmAdminResource {
      * @return
      */
     @Path("attack-detection")
-    public AttackDetectionResource getClientImporter() {
+    public AttackDetectionResource getAttackDetection() {
         AttackDetectionResource resource = new AttackDetectionResource(auth, realm, adminEvent);
         ResteasyProviderFactory.getInstance().injectProperties(resource);
         return resource;

diff --git a/services/src/main/java/org/keycloak/services/resources/admin/RealmsAdminResource.java b/services/src/main/java/org/keycloak/services/resources/admin/RealmsAdminResource.java
index d0fb521..18e6df5 100755
--- a/services/src/main/java/org/keycloak/services/resources/admin/RealmsAdminResource.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/RealmsAdminResource.java
@@ -144,51 +144,6 @@ public class RealmsAdminResource {
         }
     }
 
-    /**
-     * Import a realm from uploaded JSON file
-     *
-     * The posted represenation is expected to be a multipart/form-data encapsulation
-     * of a JSON file.  The same format a browser would use when uploading a file.
-     *
-     * @param uriInfo
-     * @param input multipart/form data
-     * @return
-     * @throws IOException
-     */
-    @POST
-    @Consumes(MediaType.MULTIPART_FORM_DATA)
-    public Response uploadRealm(@Context final UriInfo uriInfo, MultipartFormDataInput input) throws IOException {
-        RealmManager realmManager = new RealmManager(session);
-        realmManager.setContextPath(keycloak.getContextPath());
-        if (!auth.getRealm().equals(realmManager.getKeycloakAdminstrationRealm())) {
-            throw new ForbiddenException();
-        }
-        if (!auth.hasRealmRole(AdminRoles.CREATE_REALM)) {
-            throw new ForbiddenException();
-        }
-
-        Map<String, List<InputPart>> uploadForm = input.getFormDataMap();
-        List<InputPart> inputParts = uploadForm.get("file");
-        RealmRepresentation rep = null;
-        
-        for (InputPart inputPart : inputParts) {
-            // inputPart.getBody doesn't work as content-type is wrong, and inputPart.setMediaType is not supported on AS7 (RestEasy 2.3.2.Final)
-            rep = JsonSerialization.readValue(inputPart.getBodyAsString(), RealmRepresentation.class);
-
-            RealmModel realm = realmManager.importRealm(rep);
-
-            grantPermissionsToRealmCreator(realm);
-            
-            URI location = null;
-            if (inputParts.size() == 1) {
-                location = AdminRoot.realmsUrl(uriInfo).path(realm.getName()).build();
-                return Response.created(location).build();
-            }
-        }
-        
-        return Response.noContent().build();
-    }
-
     private void grantPermissionsToRealmCreator(RealmModel realm) {
         if (auth.hasRealmRole(AdminRoles.ADMIN)) {
             return;

diff --git a/services/src/main/java/org/keycloak/services/resources/admin/RoleContainerResource.java b/services/src/main/java/org/keycloak/services/resources/admin/RoleContainerResource.java
index 168ff47..879ff6f 100755
--- a/services/src/main/java/org/keycloak/services/resources/admin/RoleContainerResource.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/RoleContainerResource.java
@@ -82,6 +82,8 @@ public class RoleContainerResource extends RoleResource {
         try {
             RoleModel role = roleContainer.addRole(rep.getName());
             role.setDescription(rep.getDescription());
+            boolean scopeParamRequired = rep.isScopeParamRequired()==null ? false : rep.isScopeParamRequired();
+            role.setScopeParamRequired(scopeParamRequired);
 
             adminEvent.operation(OperationType.CREATE).resourcePath(uriInfo, role.getId()).representation(rep).success();
 

diff --git a/services/src/main/java/org/keycloak/services/resources/admin/RoleResource.java b/services/src/main/java/org/keycloak/services/resources/admin/RoleResource.java
index 827b817..3635da8 100755
--- a/services/src/main/java/org/keycloak/services/resources/admin/RoleResource.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/RoleResource.java
@@ -38,6 +38,7 @@ public abstract class RoleResource {
     protected void updateRole(RoleRepresentation rep, RoleModel role) {
         role.setName(rep.getName());
         role.setDescription(rep.getDescription());
+        if (rep.isScopeParamRequired() != null) role.setScopeParamRequired(rep.isScopeParamRequired());
     }
 
     protected void addComposites(AdminEventBuilder adminEvent, UriInfo uriInfo, List<RoleRepresentation> roles, RoleModel role) {

diff --git a/testsuite/integration/pom.xml b/testsuite/integration/pom.xml
index 166fa4b..599d0b2 100755
--- a/testsuite/integration/pom.xml
+++ b/testsuite/integration/pom.xml
@@ -151,7 +151,7 @@
         </dependency>
         <dependency>
             <groupId>org.hibernate.javax.persistence</groupId>
-            <artifactId>hibernate-jpa-2.1-api</artifactId>
+            <artifactId>${hibernate.javax.persistence.artifactId}</artifactId>
         </dependency>
         <dependency>
             <groupId>com.h2database</groupId>

diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/account/AccountTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/account/AccountTest.java
index 95d644e..9458998 100755
--- a/testsuite/integration/src/test/java/org/keycloak/testsuite/account/AccountTest.java
+++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/account/AccountTest.java
@@ -646,7 +646,7 @@ public class AccountTest {
         }
     }
 
-    // More tests (including revoke) are in OAuthGrantTest
+    // More tests (including revoke) are in OAuthGrantTest and OfflineTokenTest
     @Test
     public void applications() {
         applicationsPage.open();
@@ -668,7 +668,8 @@ public class AccountTest {
         Assert.assertTrue(accountEntry.getProtocolMappersGranted().contains("Full Access"));
 
         AccountApplicationsPage.AppEntry testAppEntry = apps.get("test-app");
-        Assert.assertEquals(4, testAppEntry.getRolesAvailable().size());
+        Assert.assertEquals(5, testAppEntry.getRolesAvailable().size());
+        Assert.assertTrue(testAppEntry.getRolesAvailable().contains("Offline access"));
         Assert.assertTrue(testAppEntry.getRolesGranted().contains("Full Access"));
         Assert.assertTrue(testAppEntry.getProtocolMappersGranted().contains("Full Access"));
 

diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/actions/RequiredActionMultipleActionsTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/actions/RequiredActionMultipleActionsTest.java
index 868a76c..47b4e1d 100755
--- a/testsuite/integration/src/test/java/org/keycloak/testsuite/actions/RequiredActionMultipleActionsTest.java
+++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/actions/RequiredActionMultipleActionsTest.java
@@ -33,11 +33,8 @@ import org.keycloak.models.UserModel.RequiredAction;
 import org.keycloak.services.managers.RealmManager;
 import org.keycloak.testsuite.AssertEvents;
 import org.keycloak.testsuite.OAuthClient;
-import org.keycloak.testsuite.pages.AppPage;
+import org.keycloak.testsuite.pages.*;
 import org.keycloak.testsuite.pages.AppPage.RequestType;
-import org.keycloak.testsuite.pages.LoginPage;
-import org.keycloak.testsuite.pages.LoginPasswordUpdatePage;
-import org.keycloak.testsuite.pages.LoginUpdateProfilePage;
 import org.keycloak.testsuite.rule.KeycloakRule;
 import org.keycloak.testsuite.rule.KeycloakRule.KeycloakSetup;
 import org.keycloak.testsuite.rule.WebResource;
@@ -83,7 +80,7 @@ public class RequiredActionMultipleActionsTest {
     protected LoginPasswordUpdatePage changePasswordPage;
 
     @WebResource
-    protected LoginUpdateProfilePage updateProfilePage;
+    protected LoginUpdateProfileEditUsernameAllowedPage updateProfilePage;
 
     @Test
     public void updateProfileAndPassword() throws Exception {
@@ -121,7 +118,7 @@ public class RequiredActionMultipleActionsTest {
     }
 
     public String updateProfile(String sessionId) {
-        updateProfilePage.update("New first", "New last", "new@email.com");
+        updateProfilePage.update("New first", "New last", "new@email.com", "test-user@localhost");
 
         AssertEvents.ExpectedEvent expectedEvent = events.expectRequiredAction(EventType.UPDATE_EMAIL).detail(Details.PREVIOUS_EMAIL, "test-user@localhost").detail(Details.UPDATED_EMAIL, "new@email.com");
         if (sessionId != null) {

diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/actions/RequiredActionUpdateProfileTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/actions/RequiredActionUpdateProfileTest.java
index e3d6ac9..492cd4b 100755
--- a/testsuite/integration/src/test/java/org/keycloak/testsuite/actions/RequiredActionUpdateProfileTest.java
+++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/actions/RequiredActionUpdateProfileTest.java
@@ -21,11 +21,7 @@
  */
 package org.keycloak.testsuite.actions;
 
-import org.junit.Assert;
-import org.junit.Before;
-import org.junit.ClassRule;
-import org.junit.Rule;
-import org.junit.Test;
+import org.junit.*;
 import org.keycloak.events.Details;
 import org.keycloak.events.EventType;
 import org.keycloak.models.RealmModel;
@@ -36,7 +32,7 @@ import org.keycloak.testsuite.AssertEvents;
 import org.keycloak.testsuite.pages.AppPage;
 import org.keycloak.testsuite.pages.AppPage.RequestType;
 import org.keycloak.testsuite.pages.LoginPage;
-import org.keycloak.testsuite.pages.LoginUpdateProfilePage;
+import org.keycloak.testsuite.pages.LoginUpdateProfileEditUsernameAllowedPage;
 import org.keycloak.testsuite.rule.KeycloakRule;
 import org.keycloak.testsuite.rule.WebResource;
 import org.keycloak.testsuite.rule.WebRule;
@@ -66,7 +62,7 @@ public class RequiredActionUpdateProfileTest {
     protected LoginPage loginPage;
 
     @WebResource
-    protected LoginUpdateProfilePage updateProfilePage;
+    protected LoginUpdateProfileEditUsernameAllowedPage updateProfilePage;
 
     @Before
     public void before() {
@@ -75,6 +71,8 @@ public class RequiredActionUpdateProfileTest {
             public void config(RealmManager manager, RealmModel defaultRealm, RealmModel appRealm) {
                 UserModel user = manager.getSession().users().getUserByUsername("test-user@localhost", appRealm);
                 user.addRequiredAction(UserModel.RequiredAction.UPDATE_PROFILE);
+                UserModel anotherUser = manager.getSession().users().getUserByEmail("john-doh@localhost", appRealm);
+                anotherUser.addRequiredAction(UserModel.RequiredAction.UPDATE_PROFILE);
             }
         });
     }
@@ -87,7 +85,7 @@ public class RequiredActionUpdateProfileTest {
 
         updateProfilePage.assertCurrent();
 
-        updateProfilePage.update("New first", "New last", "new@email.com");
+        updateProfilePage.update("New first", "New last", "new@email.com", "test-user@localhost");
 
         String sessionId = events.expectRequiredAction(EventType.UPDATE_EMAIL).detail(Details.PREVIOUS_EMAIL, "test-user@localhost").detail(Details.UPDATED_EMAIL, "new@email.com").assertEvent().getSessionId();
         events.expectRequiredAction(EventType.UPDATE_PROFILE).session(sessionId).assertEvent();
@@ -101,6 +99,41 @@ public class RequiredActionUpdateProfileTest {
         Assert.assertEquals("New first", user.getFirstName());
         Assert.assertEquals("New last", user.getLastName());
         Assert.assertEquals("new@email.com", user.getEmail());
+        Assert.assertEquals("test-user@localhost", user.getUsername());
+    }
+
+    @Test
+    public void updateUsername() {
+        loginPage.open();
+
+        loginPage.login("john-doh@localhost", "password");
+
+        String userId = keycloakRule.getUser("test", "john-doh@localhost").getId();
+
+        updateProfilePage.assertCurrent();
+
+        updateProfilePage.update("New first", "New last", "john-doh@localhost", "new");
+
+        String sessionId = events
+                .expectLogin()
+                .event(EventType.UPDATE_PROFILE)
+                .detail(Details.USERNAME, "john-doh@localhost")
+                .user(userId)
+                .session(AssertEvents.isUUID())
+                .removeDetail(Details.CONSENT)
+                .assertEvent()
+                .getSessionId();
+
+        Assert.assertEquals(RequestType.AUTH_RESPONSE, appPage.getRequestType());
+
+        events.expectLogin().detail(Details.USERNAME, "john-doh@localhost").user(userId).session(sessionId).assertEvent();
+
+        // assert user is really updated in persistent store
+        UserRepresentation user = keycloakRule.getUser("test", "new");
+        Assert.assertEquals("New first", user.getFirstName());
+        Assert.assertEquals("New last", user.getLastName());
+        Assert.assertEquals("john-doh@localhost", user.getEmail());
+        Assert.assertEquals("new", user.getUsername());
     }
 
     @Test
@@ -111,7 +144,7 @@ public class RequiredActionUpdateProfileTest {
 
         updateProfilePage.assertCurrent();
 
-        updateProfilePage.update("", "New last", "new@email.com");
+        updateProfilePage.update("", "New last", "new@email.com", "new");
 
         updateProfilePage.assertCurrent();
 
@@ -133,7 +166,7 @@ public class RequiredActionUpdateProfileTest {
 
         updateProfilePage.assertCurrent();
 
-        updateProfilePage.update("New first", "", "new@email.com");
+        updateProfilePage.update("New first", "", "new@email.com", "new");
 
         updateProfilePage.assertCurrent();
 
@@ -155,7 +188,7 @@ public class RequiredActionUpdateProfileTest {
 
         updateProfilePage.assertCurrent();
 
-        updateProfilePage.update("New first", "New last", "");
+        updateProfilePage.update("New first", "New last", "", "new");
 
         updateProfilePage.assertCurrent();
 
@@ -177,7 +210,7 @@ public class RequiredActionUpdateProfileTest {
 
         updateProfilePage.assertCurrent();
 
-        updateProfilePage.update("New first", "New last", "invalidemail");
+        updateProfilePage.update("New first", "New last", "invalidemail", "invalid");
 
         updateProfilePage.assertCurrent();
 
@@ -192,6 +225,52 @@ public class RequiredActionUpdateProfileTest {
     }
 
     @Test
+    public void updateProfileMissingUsername() {
+        loginPage.open();
+
+        loginPage.login("john-doh@localhost", "password");
+
+        updateProfilePage.assertCurrent();
+
+        updateProfilePage.update("New first", "New last", "new@email.com", "");
+
+        updateProfilePage.assertCurrent();
+
+        // assert that form holds submitted values during validation error
+        Assert.assertEquals("New first", updateProfilePage.getFirstName());
+        Assert.assertEquals("New last", updateProfilePage.getLastName());
+        Assert.assertEquals("new@email.com", updateProfilePage.getEmail());
+        Assert.assertEquals("", updateProfilePage.getUsername());
+
+        Assert.assertEquals("Please specify username.", updateProfilePage.getError());
+
+        events.assertEmpty();
+    }
+
+    @Test
+    public void updateProfileDuplicateUsername() {
+        loginPage.open();
+
+        loginPage.login("john-doh@localhost", "password");
+
+        updateProfilePage.assertCurrent();
+
+        updateProfilePage.update("New first", "New last", "new@email.com", "test-user@localhost");
+
+        updateProfilePage.assertCurrent();
+
+        // assert that form holds submitted values during validation error
+        Assert.assertEquals("New first", updateProfilePage.getFirstName());
+        Assert.assertEquals("New last", updateProfilePage.getLastName());
+        Assert.assertEquals("new@email.com", updateProfilePage.getEmail());
+        Assert.assertEquals("test-user@localhost", updateProfilePage.getUsername());
+
+        Assert.assertEquals("Username already exists.", updateProfilePage.getError());
+
+        events.assertEmpty();
+    }
+
+    @Test
     public void updateProfileDuplicatedEmail() {
         loginPage.open();
 
@@ -199,7 +278,7 @@ public class RequiredActionUpdateProfileTest {
 
         updateProfilePage.assertCurrent();
 
-        updateProfilePage.update("New first", "New last", "keycloak-user@localhost");
+        updateProfilePage.update("New first", "New last", "keycloak-user@localhost", "test-user@localhost");
 
         updateProfilePage.assertCurrent();
 

diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/admin/AdminAPITest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/admin/AdminAPITest.java
index bae16d5..aaed86e 100755
--- a/testsuite/integration/src/test/java/org/keycloak/testsuite/admin/AdminAPITest.java
+++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/admin/AdminAPITest.java
@@ -85,7 +85,7 @@ public class AdminAPITest {
             ClientSessionModel clientSession = session.sessions().createClientSession(adminRealm, adminConsole);
             clientSession.setNote(OIDCLoginProtocol.ISSUER, "http://localhost:8081/auth/realms/master");
             UserSessionModel userSession = session.sessions().createUserSession(adminRealm, admin, "admin", null, "form", false, null, null);
-            AccessToken token = tm.createClientAccessToken(session, tm.getAccess(null, adminConsole, admin), adminRealm, adminConsole, admin, userSession, clientSession);
+            AccessToken token = tm.createClientAccessToken(session, tm.getAccess(null, true, adminConsole, admin), adminRealm, adminConsole, admin, userSession, clientSession);
             return tm.encodeToken(adminRealm, token);
         } finally {
             keycloakRule.stopSession(session, true);

diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/admin/ClientTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/admin/ClientTest.java
index c30ee36..2097175 100755
--- a/testsuite/integration/src/test/java/org/keycloak/testsuite/admin/ClientTest.java
+++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/admin/ClientTest.java
@@ -108,7 +108,7 @@ public class ClientTest extends AbstractClientTest {
         response.close();
         String id = ApiUtil.getCreatedId(response);
 
-        RoleRepresentation role = new RoleRepresentation("test", "test");
+        RoleRepresentation role = new RoleRepresentation("test", "test", false);
         realm.clients().get(id).roles().create(role);
 
         rep = realm.clients().get(id).toRepresentation();

diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/admin/ImpersonationTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/admin/ImpersonationTest.java
index 0de7dd6..0f1510b 100755
--- a/testsuite/integration/src/test/java/org/keycloak/testsuite/admin/ImpersonationTest.java
+++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/admin/ImpersonationTest.java
@@ -123,7 +123,7 @@ public class ImpersonationTest {
             ClientSessionModel clientSession = session.sessions().createClientSession(adminRealm, adminConsole);
             clientSession.setNote(OIDCLoginProtocol.ISSUER, "http://localhost:8081/auth/realms/" + realm);
             UserSessionModel userSession = session.sessions().createUserSession(adminRealm, admin, "admin", null, "form", false, null, null);
-            AccessToken token = tm.createClientAccessToken(session, tm.getAccess(null, adminConsole, admin), adminRealm, adminConsole, admin, userSession, clientSession);
+            AccessToken token = tm.createClientAccessToken(session, tm.getAccess(null, true, adminConsole, admin), adminRealm, adminConsole, admin, userSession, clientSession);
             return tm.encodeToken(adminRealm, token);
         } finally {
             keycloakRule.stopSession(session, true);

diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/admin/RealmTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/admin/RealmTest.java
index 6cf6427..8208aa2 100644
--- a/testsuite/integration/src/test/java/org/keycloak/testsuite/admin/RealmTest.java
+++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/admin/RealmTest.java
@@ -112,7 +112,7 @@ public class RealmTest extends AbstractClientTest {
     @Test
     // KEYCLOAK-1110
     public void deleteDefaultRole() {
-        RoleRepresentation role = new RoleRepresentation("test", "test");
+        RoleRepresentation role = new RoleRepresentation("test", "test", false);
         realm.roles().create(role);
 
         assertNotNull(realm.roles().get("test").toRepresentation());

diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/AssertEvents.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/AssertEvents.java
index 88c1ccc..77b6d19 100755
--- a/testsuite/integration/src/test/java/org/keycloak/testsuite/AssertEvents.java
+++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/AssertEvents.java
@@ -30,6 +30,7 @@ import org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint;
 import org.keycloak.representations.idm.UserRepresentation;
 import org.keycloak.services.managers.RealmManager;
 import org.keycloak.testsuite.rule.KeycloakRule;
+import org.keycloak.util.RefreshTokenUtil;
 
 import java.util.HashMap;
 import java.util.HashSet;
@@ -156,6 +157,7 @@ public class AssertEvents implements TestRule, EventListenerProviderFactory {
                 .detail(Details.CODE_ID, codeId)
                 .detail(Details.TOKEN_ID, isUUID())
                 .detail(Details.REFRESH_TOKEN_ID, isUUID())
+                .detail(Details.REFRESH_TOKEN_TYPE, RefreshTokenUtil.TOKEN_TYPE_REFRESH)
                 .detail(Details.CLIENT_AUTH_METHOD, ClientIdAndSecretAuthenticator.PROVIDER_ID)
                 .session(sessionId);
     }
@@ -164,6 +166,7 @@ public class AssertEvents implements TestRule, EventListenerProviderFactory {
         return expect(EventType.REFRESH_TOKEN)
                 .detail(Details.TOKEN_ID, isUUID())
                 .detail(Details.REFRESH_TOKEN_ID, refreshTokenId)
+                .detail(Details.REFRESH_TOKEN_TYPE, RefreshTokenUtil.TOKEN_TYPE_REFRESH)
                 .detail(Details.UPDATED_REFRESH_TOKEN_ID, isUUID())
                 .detail(Details.CLIENT_AUTH_METHOD, ClientIdAndSecretAuthenticator.PROVIDER_ID)
                 .session(sessionId);

diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/AbstractIdentityProviderTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/AbstractIdentityProviderTest.java
index fb2b5df..d7084c1 100755
--- a/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/AbstractIdentityProviderTest.java
+++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/AbstractIdentityProviderTest.java
@@ -17,7 +17,6 @@
  */
 package org.keycloak.testsuite.broker;
 
-import org.codehaus.jackson.map.ObjectMapper;
 import org.junit.After;
 import org.junit.Assert;
 import org.junit.Before;

diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/federation/LDAPTestConfiguration.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/federation/LDAPTestConfiguration.java
index 31b8d2b..6e433f2 100644
--- a/testsuite/integration/src/test/java/org/keycloak/testsuite/federation/LDAPTestConfiguration.java
+++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/federation/LDAPTestConfiguration.java
@@ -20,6 +20,7 @@ public class LDAPTestConfiguration {
     private static final Logger log = Logger.getLogger(LDAPTestConfiguration.class);
 
     private String connectionPropertiesLocation;
+    private int sleepTime;
     private boolean startEmbeddedLdapLerver = true;
     private Map<String, String> config;
 
@@ -109,6 +110,7 @@ public class LDAPTestConfiguration {
         }
 
         startEmbeddedLdapLerver = Boolean.parseBoolean(p.getProperty("idm.test.ldap.start.embedded.ldap.server", "true"));
+        sleepTime = Integer.parseInt(p.getProperty("idm.test.ldap.sleepTime", "1000"));
         log.info("Start embedded server: " + startEmbeddedLdapLerver);
         log.info("Read config: " + config);
     }
@@ -125,4 +127,8 @@ public class LDAPTestConfiguration {
         return startEmbeddedLdapLerver;
     }
 
+    public int getSleepTime() {
+        return sleepTime;
+    }
+
 }

diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/federation/SyncProvidersTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/federation/SyncProvidersTest.java
index f946825..819ee41 100755
--- a/testsuite/integration/src/test/java/org/keycloak/testsuite/federation/SyncProvidersTest.java
+++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/federation/SyncProvidersTest.java
@@ -56,7 +56,6 @@ public class SyncProvidersTest {
             Map<String,String> ldapConfig = ldapRule.getConfig();
             ldapConfig.put(LDAPConstants.SYNC_REGISTRATIONS, "false");
             ldapConfig.put(LDAPConstants.EDIT_MODE, UserFederationProvider.EditMode.WRITABLE.toString());
-
             ldapModel = appRealm.addUserFederationProvider(LDAPFederationProviderFactory.PROVIDER_NAME, ldapConfig, 0, "test-ldap",
                     -1, -1, 0);
 
@@ -91,7 +90,7 @@ public class SyncProvidersTest {
         UsersSyncManager usersSyncManager = new UsersSyncManager();
 
         // wait a bit
-        sleep(1000);
+        sleep(ldapRule.getSleepTime());
 
         KeycloakSession session = keycloakRule.startSession();
         try {
@@ -125,7 +124,7 @@ public class SyncProvidersTest {
             }
 
             // wait a bit
-            sleep(1000);
+            sleep(ldapRule.getSleepTime());
 
             // Add user to LDAP and update 'user5' in LDAP
             LDAPFederationProvider ldapFedProvider = FederationTestUtils.getLdapProvider(session, ldapModel);
@@ -391,9 +390,9 @@ public class SyncProvidersTest {
     }
 
     private void assertSyncEquals(UserFederationSyncResult syncResult, int expectedAdded, int expectedUpdated, int expectedRemoved, int expectedFailed) {
-        Assert.assertEquals(syncResult.getAdded(), expectedAdded);
-        Assert.assertEquals(syncResult.getUpdated(), expectedUpdated);
-        Assert.assertEquals(syncResult.getRemoved(), expectedRemoved);
-        Assert.assertEquals(syncResult.getFailed(), expectedFailed);
+        Assert.assertEquals(expectedAdded, syncResult.getAdded());
+        Assert.assertEquals(expectedUpdated, syncResult.getUpdated());
+        Assert.assertEquals(expectedRemoved, syncResult.getRemoved());
+        Assert.assertEquals(expectedFailed, syncResult.getFailed());
     }
 }

diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/model/AbstractModelTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/model/AbstractModelTest.java
index a3e0976..d6d8724 100755
--- a/testsuite/integration/src/test/java/org/keycloak/testsuite/model/AbstractModelTest.java
+++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/model/AbstractModelTest.java
@@ -117,6 +117,7 @@ public class AbstractModelTest {
         Assert.assertEquals(expected.getId(), actual.getId());
         Assert.assertEquals(expected.getName(), actual.getName());
         Assert.assertEquals(expected.getDescription(), actual.getDescription());
+        Assert.assertEquals(expected.isScopeParamRequired(), actual.isScopeParamRequired());
         Assert.assertEquals(expected.getContainer(), actual.getContainer());
         Assert.assertEquals(expected.getComposites().size(), actual.getComposites().size());
     }

diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/model/AdapterTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/model/AdapterTest.java
index 48ed318..4e771df 100755
--- a/testsuite/integration/src/test/java/org/keycloak/testsuite/model/AdapterTest.java
+++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/model/AdapterTest.java
@@ -68,8 +68,8 @@ public class AdapterTest extends AbstractModelTest {
         Assert.assertEquals(realmModel.getName(), "JUGGLER");
         Assert.assertArrayEquals(realmModel.getPrivateKey().getEncoded(), keyPair.getPrivate().getEncoded());
         Assert.assertArrayEquals(realmModel.getPublicKey().getEncoded(), keyPair.getPublic().getEncoded());
-        Assert.assertEquals(1, realmModel.getDefaultRoles().size());
-        Assert.assertEquals("foo", realmModel.getDefaultRoles().get(0));
+        Assert.assertEquals(2, realmModel.getDefaultRoles().size());
+        Assert.assertTrue(realmModel.getDefaultRoles().contains("foo"));
     }
 
     @Test
@@ -94,8 +94,8 @@ public class AdapterTest extends AbstractModelTest {
         Assert.assertEquals(realmModel.getName(), "JUGGLER");
         Assert.assertArrayEquals(realmModel.getPrivateKey().getEncoded(), keyPair.getPrivate().getEncoded());
         Assert.assertArrayEquals(realmModel.getPublicKey().getEncoded(), keyPair.getPublic().getEncoded());
-        Assert.assertEquals(1, realmModel.getDefaultRoles().size());
-        Assert.assertEquals("foo", realmModel.getDefaultRoles().get(0));
+        Assert.assertEquals(2, realmModel.getDefaultRoles().size());
+        Assert.assertTrue(realmModel.getDefaultRoles().contains("foo"));
 
         realmModel.getId();
 
@@ -444,7 +444,7 @@ public class AdapterTest extends AbstractModelTest {
         realmModel.addRole("admin");
         realmModel.addRole("user");
         Set<RoleModel> roles = realmModel.getRoles();
-        Assert.assertEquals(3, roles.size());
+        Assert.assertEquals(4, roles.size());
         UserModel user = realmManager.getSession().users().addUser(realmModel, "bburke");
         RoleModel realmUserRole = realmModel.getRole("user");
         user.grantRole(realmUserRole);
@@ -470,7 +470,7 @@ public class AdapterTest extends AbstractModelTest {
         user.grantRole(application.getRole("user"));
 
         roles = user.getRealmRoleMappings();
-        Assert.assertEquals(roles.size(), 2);
+        Assert.assertEquals(roles.size(), 3);
         assertRolesContains(realmUserRole, roles);
         Assert.assertTrue(user.hasRole(realmUserRole));
         // Role "foo" is default realm role
@@ -485,13 +485,13 @@ public class AdapterTest extends AbstractModelTest {
         // Test that application role 'user' don't clash with realm role 'user'
         Assert.assertNotEquals(realmModel.getRole("user").getId(), application.getRole("user").getId());
 
-        Assert.assertEquals(6, user.getRoleMappings().size());
+        Assert.assertEquals(7, user.getRoleMappings().size());
 
         // Revoke some roles
         user.deleteRoleMapping(realmModel.getRole("foo"));
         user.deleteRoleMapping(appBarRole);
         roles = user.getRoleMappings();
-        Assert.assertEquals(4, roles.size());
+        Assert.assertEquals(5, roles.size());
         assertRolesContains(realmUserRole, roles);
         assertRolesContains(application.getRole("user"), roles);
         Assert.assertFalse(user.hasRole(appBarRole));

diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/model/CacheTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/model/CacheTest.java
index 5bc3556..597e7dd 100755
--- a/testsuite/integration/src/test/java/org/keycloak/testsuite/model/CacheTest.java
+++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/model/CacheTest.java
@@ -1,6 +1,7 @@
 package org.keycloak.testsuite.model;
 
 import java.util.List;
+import java.util.Set;
 
 import org.junit.Assert;
 import org.junit.ClassRule;
@@ -89,4 +90,51 @@ public class CacheTest {
         }
     }
 
+    // KEYCLOAK-1842
+    @Test
+    public void testRoleMappingsInvalidatedWhenClientRemoved() {
+        KeycloakSession session = kc.startSession();
+        try {
+            RealmModel realm = session.realms().getRealmByName("test");
+            UserModel user = session.users().addUser(realm, "joel");
+            ClientModel client = realm.addClient("foo");
+            RoleModel fooRole = client.addRole("foo-role");
+            user.grantRole(fooRole);
+        } finally {
+            session.getTransaction().commit();
+            session.close();
+        }
+
+        // Remove client
+        session = kc.startSession();
+        int grantedRolesCount;
+        try {
+            RealmModel realm = session.realms().getRealmByName("test");
+            UserModel user = session.users().getUserByUsername("joel", realm);
+            grantedRolesCount = user.getRoleMappings().size();
+
+            ClientModel client = realm.getClientByClientId("foo");
+            realm.removeClient(client.getId());
+        } finally {
+            session.getTransaction().commit();
+            session.close();
+        }
+
+        // Assert role mappings was removed from user as well
+        session = kc.startSession();
+        try {
+            RealmModel realm = session.realms().getRealmByName("test");
+            UserModel user = session.users().getUserByUsername("joel", realm);
+            Set<RoleModel> roles = user.getRoleMappings();
+            for (RoleModel role : roles) {
+                Assert.assertNotNull(role.getContainer());
+            }
+
+            Assert.assertEquals(roles.size(), grantedRolesCount - 1);
+        } finally {
+            session.getTransaction().commit();
+            session.close();
+        }
+    }
+
 }

diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/model/ImportTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/model/ImportTest.java
index 2f33e43..6f42fd5 100755
--- a/testsuite/integration/src/test/java/org/keycloak/testsuite/model/ImportTest.java
+++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/model/ImportTest.java
@@ -79,7 +79,7 @@ public class ImportTest extends AbstractModelTest {
         Assert.assertEquals(1, creds.size());
         RequiredCredentialModel cred = creds.get(0);
         Assert.assertEquals("password", cred.getFormLabel());
-        Assert.assertEquals(2, realm.getDefaultRoles().size());
+        Assert.assertEquals(3, realm.getDefaultRoles().size());
 
         Assert.assertNotNull(realm.getRole("foo"));
         Assert.assertNotNull(realm.getRole("bar"));
@@ -132,6 +132,10 @@ public class ImportTest extends AbstractModelTest {
         Assert.assertTrue(allRoles.contains(application.getRole("app-admin")));
         Assert.assertTrue(allRoles.contains(otherApp.getRole("otherapp-admin")));
 
+        Assert.assertTrue(application.getRole("app-admin").isScopeParamRequired());
+        Assert.assertFalse(otherApp.getRole("otherapp-admin").isScopeParamRequired());
+        Assert.assertFalse(otherApp.getRole("otherapp-user").isScopeParamRequired());
+
         UserModel wburke =  session.users().getUserByUsername("wburke", realm);
         // user with creation timestamp in import
         Assert.assertEquals(new Long(123654), wburke.getCreatedTimestamp());

diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/model/UserModelTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/model/UserModelTest.java
index 258dd3c..f0118c2 100755
--- a/testsuite/integration/src/test/java/org/keycloak/testsuite/model/UserModelTest.java
+++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/model/UserModelTest.java
@@ -4,6 +4,8 @@ import org.junit.Assert;
 import org.junit.Test;
 import org.keycloak.models.ClientModel;
 import org.keycloak.models.KeycloakSession;
+import org.keycloak.models.OfflineClientSessionModel;
+import org.keycloak.models.OfflineUserSessionModel;
 import org.keycloak.models.RealmModel;
 import org.keycloak.models.UserModel;
 import org.keycloak.models.UserModel.RequiredAction;
@@ -283,6 +285,59 @@ public class UserModelTest extends AbstractModelTest {
         Assert.assertNull(session.users().getUserByUsername("user1", realm));
     }
 
+    @Test
+    public void testOfflineSessionsRemoved() {
+        RealmModel realm = realmManager.createRealm("original");
+        ClientModel fooClient = realm.addClient("foo");
+        ClientModel barClient = realm.addClient("bar");
+
+        UserModel user1 = session.users().addUser(realm, "user1");
+        addOfflineUserSession(user1, "123", "something1");
+        addOfflineClientSession(user1, "456", "123", fooClient.getId(), "something2");
+        addOfflineClientSession(user1, "789", "123", barClient.getId(), "something3");
+
+        commit();
+
+        realm = realmManager.getRealmByName("original");
+        realm.removeClient(barClient.getId());
+
+        commit();
+
+        realm = realmManager.getRealmByName("original");
+        user1 = session.users().getUserByUsername("user1", realm);
+        Assert.assertEquals("something1", user1.getOfflineUserSession("123").getData());
+        Assert.assertEquals("something2", user1.getOfflineClientSession("456").getData());
+        Assert.assertNull(user1.getOfflineClientSession("789"));
+
+        realm.removeClient(fooClient.getId());
+
+        commit();
+
+        realm = realmManager.getRealmByName("original");
+        user1 = session.users().getUserByUsername("user1", realm);
+        Assert.assertNull(user1.getOfflineClientSession("456"));
+        Assert.assertNull(user1.getOfflineClientSession("789"));
+        Assert.assertNull(user1.getOfflineUserSession("123"));
+        Assert.assertEquals(0, user1.getOfflineUserSessions().size());
+        Assert.assertEquals(0, user1.getOfflineClientSessions().size());
+    }
+
+    private void addOfflineUserSession(UserModel user, String userSessionId, String data) {
+        OfflineUserSessionModel model = new OfflineUserSessionModel();
+        model.setUserSessionId(userSessionId);
+        model.setData(data);
+        user.addOfflineUserSession(model);
+    }
+
+    private void addOfflineClientSession(UserModel user, String clientSessionId, String userSessionId, String clientId, String data) {
+        OfflineClientSessionModel model = new OfflineClientSessionModel();
+        model.setClientSessionId(clientSessionId);
+        model.setUserSessionId(userSessionId);
+        model.setClientId(clientId);
+        model.setData(data);
+        user.addOfflineClientSession(model);
+    }
+
     public static void assertEquals(UserModel expected, UserModel actual) {
         Assert.assertEquals(expected.getUsername(), actual.getUsername());
         Assert.assertEquals(expected.getCreatedTimestamp(), actual.getCreatedTimestamp());

diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/oauth/AccessTokenTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/oauth/AccessTokenTest.java
index cbfc76f..24f4911 100755
--- a/testsuite/integration/src/test/java/org/keycloak/testsuite/oauth/AccessTokenTest.java
+++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/oauth/AccessTokenTest.java
@@ -180,7 +180,11 @@ public class AccessTokenTest {
         Assert.assertEquals("invalid_grant", response.getError());
         Assert.assertEquals("Incorrect redirect_uri", response.getErrorDescription());
 
-        events.expectCodeToToken(codeId, loginEvent.getSessionId()).error("invalid_code").removeDetail(Details.TOKEN_ID).removeDetail(Details.REFRESH_TOKEN_ID).assertEvent();
+        events.expectCodeToToken(codeId, loginEvent.getSessionId()).error("invalid_code")
+                .removeDetail(Details.TOKEN_ID)
+                .removeDetail(Details.REFRESH_TOKEN_ID)
+                .removeDetail(Details.REFRESH_TOKEN_TYPE)
+                .assertEvent();
     }
 
     @Test
@@ -201,7 +205,13 @@ public class AccessTokenTest {
         assertNull(tokenResponse.getAccessToken());
         assertNull(tokenResponse.getRefreshToken());
 
-        events.expectCodeToToken(codeId, sessionId).removeDetail(Details.TOKEN_ID).user((String) null).session((String) null).removeDetail(Details.REFRESH_TOKEN_ID).error(Errors.INVALID_CODE).assertEvent();
+        events.expectCodeToToken(codeId, sessionId)
+                .removeDetail(Details.TOKEN_ID)
+                .user((String) null)
+                .session((String) null)
+                .removeDetail(Details.REFRESH_TOKEN_ID)
+                .removeDetail(Details.REFRESH_TOKEN_TYPE)
+                .error(Errors.INVALID_CODE).assertEvent();
 
         events.clear();
     }
@@ -230,7 +240,11 @@ public class AccessTokenTest {
         Assert.assertEquals(400, response.getStatusCode());
 
         AssertEvents.ExpectedEvent expectedEvent = events.expectCodeToToken(codeId, null);
-        expectedEvent.error("invalid_code").removeDetail(Details.TOKEN_ID).removeDetail(Details.REFRESH_TOKEN_ID).user((String) null);
+        expectedEvent.error("invalid_code")
+                .removeDetail(Details.TOKEN_ID)
+                .removeDetail(Details.REFRESH_TOKEN_ID)
+                .removeDetail(Details.REFRESH_TOKEN_TYPE)
+                .user((String) null);
         expectedEvent.assertEvent();
 
         events.clear();
@@ -264,7 +278,11 @@ public class AccessTokenTest {
         Assert.assertEquals(400, response.getStatusCode());
 
         AssertEvents.ExpectedEvent expectedEvent = events.expectCodeToToken(codeId, null);
-        expectedEvent.error("invalid_code").removeDetail(Details.TOKEN_ID).removeDetail(Details.REFRESH_TOKEN_ID).user((String) null);
+        expectedEvent.error("invalid_code")
+                .removeDetail(Details.TOKEN_ID)
+                .removeDetail(Details.REFRESH_TOKEN_ID)
+                .removeDetail(Details.REFRESH_TOKEN_TYPE)
+                .user((String) null);
         expectedEvent.assertEvent();
 
         events.clear();

diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/oauth/OAuthGrantTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/oauth/OAuthGrantTest.java
index 2363305..059cdd7 100755
--- a/testsuite/integration/src/test/java/org/keycloak/testsuite/oauth/OAuthGrantTest.java
+++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/oauth/OAuthGrantTest.java
@@ -34,6 +34,7 @@ import org.keycloak.models.ClientModel;
 import org.keycloak.models.ProtocolMapperModel;
 import org.keycloak.models.RealmModel;
 import org.keycloak.models.RoleModel;
+import org.keycloak.models.UserConsentModel;
 import org.keycloak.models.UserModel;
 import org.keycloak.protocol.oidc.OIDCLoginProtocol;
 import org.keycloak.protocol.oidc.OIDCLoginProtocolFactory;
@@ -290,4 +291,71 @@ public class OAuthGrantTest {
         });
     }
 
+    @Test
+    public void oauthGrantScopeParamRequired() throws Exception {
+        keycloakRule.update(new KeycloakRule.KeycloakSetup() {
+
+            @Override
+            public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) {
+                ClientModel thirdParty = appRealm.getClientByClientId("third-party");
+                RoleModel barAppRole = thirdParty.addRole("bar-role");
+                barAppRole.setScopeParamRequired(true);
+
+                RoleModel fooRole = appRealm.addRole("foo-role");
+                fooRole.setScopeParamRequired(true);
+                thirdParty.addScopeMapping(fooRole);
+
+                UserModel testUser = manager.getSession().users().getUserByUsername("test-user@localhost", appRealm);
+                testUser.grantRole(fooRole);
+                testUser.grantRole(barAppRole);
+            }
+
+        });
+
+        // Assert roles not on grant screen when not requested
+        oauth.clientId("third-party");
+        oauth.doLoginGrant("test-user@localhost", "password");
+        grantPage.assertCurrent();
+        Assert.assertFalse(driver.getPageSource().contains("foo-role"));
+        Assert.assertFalse(driver.getPageSource().contains("bar-role"));
+        grantPage.cancel();
+
+        events.expectLogin()
+                .client("third-party")
+                .error("rejected_by_user")
+                .removeDetail(Details.CONSENT)
+                .assertEvent();
+
+        oauth.scope("foo-role third-party/bar-role");
+        oauth.doLoginGrant("test-user@localhost", "password");
+        grantPage.assertCurrent();
+        Assert.assertTrue(driver.getPageSource().contains("foo-role"));
+        Assert.assertTrue(driver.getPageSource().contains("bar-role"));
+        grantPage.accept();
+
+        events.expectLogin()
+                .client("third-party")
+                .detail(Details.CONSENT, Details.CONSENT_VALUE_CONSENT_GRANTED)
+                .assertEvent();
+
+        // Revoke
+        accountAppsPage.open();
+        accountAppsPage.revokeGrant("third-party");
+        events.expect(EventType.REVOKE_GRANT)
+                .client("account").detail(Details.REVOKED_CLIENT, "third-party").assertEvent();
+
+        // cleanup
+        keycloakRule.update(new KeycloakRule.KeycloakSetup() {
+
+            @Override
+            public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) {
+                appRealm.removeRole(appRealm.getRole("foo-role"));
+                ClientModel thirdparty = appRealm.getClientByClientId("third-party");
+                thirdparty.removeRole(thirdparty.getRole("bar-role"));
+            }
+
+        });
+
+    }
+
 }

diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/oauth/OfflineTokenTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/oauth/OfflineTokenTest.java
new file mode 100644
index 0000000..8eab300
--- /dev/null
+++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/oauth/OfflineTokenTest.java
@@ -0,0 +1,552 @@
+package org.keycloak.testsuite.oauth;
+
+import java.io.IOException;
+import java.net.URL;
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.List;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.ws.rs.core.UriBuilder;
+
+import org.junit.Assert;
+import org.junit.ClassRule;
+import org.junit.Rule;
+import org.junit.Test;
+import org.keycloak.KeycloakSecurityContext;
+import org.keycloak.OAuth2Constants;
+import org.keycloak.adapters.RefreshableKeycloakSecurityContext;
+import org.keycloak.constants.ServiceAccountConstants;
+import org.keycloak.events.Details;
+import org.keycloak.events.Errors;
+import org.keycloak.events.Event;
+import org.keycloak.events.EventType;
+import org.keycloak.jose.jws.JWSInput;
+import org.keycloak.models.ClientModel;
+import org.keycloak.models.Constants;
+import org.keycloak.models.RealmModel;
+import org.keycloak.models.RoleModel;
+import org.keycloak.models.UserModel;
+import org.keycloak.representations.AccessToken;
+import org.keycloak.representations.RefreshToken;
+import org.keycloak.services.managers.ClientManager;
+import org.keycloak.services.managers.RealmManager;
+import org.keycloak.testsuite.AssertEvents;
+import org.keycloak.testsuite.OAuthClient;
+import org.keycloak.testsuite.pages.AccountApplicationsPage;
+import org.keycloak.testsuite.pages.LoginPage;
+import org.keycloak.testsuite.pages.OAuthGrantPage;
+import org.keycloak.testsuite.rule.KeycloakRule;
+import org.keycloak.testsuite.rule.WebResource;
+import org.keycloak.testsuite.rule.WebRule;
+import org.keycloak.util.JsonSerialization;
+import org.keycloak.util.RefreshTokenUtil;
+import org.keycloak.util.Time;
+import org.keycloak.util.UriUtils;
+import org.openqa.selenium.WebDriver;
+
+import static org.junit.Assert.assertEquals;
+
+/**
+ * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
+ */
+public class OfflineTokenTest {
+
+    @ClassRule
+    public static KeycloakRule keycloakRule = new KeycloakRule(new KeycloakRule.KeycloakSetup() {
+
+        @Override
+        public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) {
+            // For testing
+            appRealm.setAccessTokenLifespan(10);
+            appRealm.setSsoSessionIdleTimeout(30);
+
+            ClientModel app = new ClientManager(manager).createClient(appRealm, "offline-client");
+            app.setSecret("secret1");
+            String testAppRedirectUri = appRealm.getClientByClientId("test-app").getRedirectUris().iterator().next();
+            offlineClientAppUri = UriUtils.getOrigin(testAppRedirectUri) + "/offline-client";
+            app.setRedirectUris(new HashSet<>(Arrays.asList(offlineClientAppUri)));
+            app.setManagementUrl(offlineClientAppUri);
+
+            new ClientManager(manager).enableServiceAccount(app);
+            UserModel serviceAccountUser = manager.getSession().users().getUserByUsername(ServiceAccountConstants.SERVICE_ACCOUNT_USER_PREFIX + "offline-client", appRealm);
+            RoleModel customerUserRole = appRealm.getClientByClientId("test-app").getRole("customer-user");
+            serviceAccountUser.grantRole(customerUserRole);
+
+            userId = manager.getSession().users().getUserByUsername("test-user@localhost", appRealm).getId();
+
+            URL url = getClass().getResource("/oidc/offline-client-keycloak.json");
+            keycloakRule.createApplicationDeployment()
+                    .name("offline-client").contextPath("/offline-client")
+                    .servletClass(OfflineTokenServlet.class).adapterConfigPath(url.getPath())
+                    .role("user").deployApplication();
+        }
+
+    });
+
+    private static String userId;
+    private static String offlineClientAppUri;
+
+    @Rule
+    public WebRule webRule = new WebRule(this);
+
+    @WebResource
+    protected WebDriver driver;
+
+    @WebResource
+    protected OAuthClient oauth;
+
+    @WebResource
+    protected LoginPage loginPage;
+
+    @WebResource
+    protected OAuthGrantPage oauthGrantPage;
+
+    @WebResource
+    protected AccountApplicationsPage accountAppPage;
+
+    @Rule
+    public AssertEvents events = new AssertEvents(keycloakRule);
+
+
+//    @Test
+//    public void testSleep() throws Exception {
+//        Thread.sleep(9999000);
+//    }
+
+    @Test
+    public void offlineTokenDisabledForClient() throws Exception {
+        keycloakRule.update(new KeycloakRule.KeycloakSetup() {
+
+            @Override
+            public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) {
+                appRealm.getClientByClientId("offline-client").setFullScopeAllowed(false);
+            }
+
+        });
+
+        oauth.scope(OAuth2Constants.OFFLINE_ACCESS);
+        oauth.clientId("offline-client");
+        oauth.redirectUri(offlineClientAppUri);
+        oauth.doLogin("test-user@localhost", "password");
+
+        Event loginEvent = events.expectLogin()
+                .client("offline-client")
+                .detail(Details.REDIRECT_URI, offlineClientAppUri)
+                .assertEvent();
+
+        String sessionId = loginEvent.getSessionId();
+        String codeId = loginEvent.getDetails().get(Details.CODE_ID);
+
+        String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
+
+        OAuthClient.AccessTokenResponse tokenResponse = oauth.doAccessTokenRequest(code, "secret1");
+
+        assertEquals(400, tokenResponse.getStatusCode());
+        assertEquals("not_allowed", tokenResponse.getError());
+
+        events.expectCodeToToken(codeId, sessionId)
+                .client("offline-client")
+                .error("not_allowed")
+                .clearDetails()
+                .assertEvent();
+
+        keycloakRule.update(new KeycloakRule.KeycloakSetup() {
+
+            @Override
+            public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) {
+                appRealm.getClientByClientId("offline-client").setFullScopeAllowed(true);
+            }
+
+        });
+    }
+
+    @Test
+    public void offlineTokenUserNotAllowed() throws Exception {
+        String userId = keycloakRule.getUser("test", "keycloak-user@localhost").getId();
+
+        oauth.scope(OAuth2Constants.OFFLINE_ACCESS);
+        oauth.clientId("offline-client");
+        oauth.redirectUri(offlineClientAppUri);
+        oauth.doLogin("keycloak-user@localhost", "password");
+
+        Event loginEvent = events.expectLogin()
+                .client("offline-client")
+                .user(userId)
+                .detail(Details.REDIRECT_URI, offlineClientAppUri)
+                .assertEvent();
+
+        String sessionId = loginEvent.getSessionId();
+        String codeId = loginEvent.getDetails().get(Details.CODE_ID);
+
+        String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
+
+        OAuthClient.AccessTokenResponse tokenResponse = oauth.doAccessTokenRequest(code, "secret1");
+
+        assertEquals(400, tokenResponse.getStatusCode());
+        assertEquals("not_allowed", tokenResponse.getError());
+
+        events.expectCodeToToken(codeId, sessionId)
+                .client("offline-client")
+                .user(userId)
+                .error("not_allowed")
+                .clearDetails()
+                .assertEvent();
+    }
+
+    @Test
+    public void offlineTokenBrowserFlow() throws Exception {
+        oauth.scope(OAuth2Constants.OFFLINE_ACCESS);
+        oauth.clientId("offline-client");
+        oauth.redirectUri(offlineClientAppUri);
+        oauth.doLogin("test-user@localhost", "password");
+
+        Event loginEvent = events.expectLogin()
+                .client("offline-client")
+                .detail(Details.REDIRECT_URI, offlineClientAppUri)
+                .assertEvent();
+
+        final String sessionId = loginEvent.getSessionId();
+        String codeId = loginEvent.getDetails().get(Details.CODE_ID);
+
+        String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
+
+        OAuthClient.AccessTokenResponse tokenResponse = oauth.doAccessTokenRequest(code, "secret1");
+        AccessToken token = oauth.verifyToken(tokenResponse.getAccessToken());
+        String offlineTokenString = tokenResponse.getRefreshToken();
+        RefreshToken offlineToken = oauth.verifyRefreshToken(offlineTokenString);
+
+        events.expectCodeToToken(codeId, sessionId)
+                .client("offline-client")
+                .detail(Details.REFRESH_TOKEN_TYPE, RefreshTokenUtil.TOKEN_TYPE_OFFLINE)
+                .assertEvent();
+
+        Assert.assertEquals(RefreshTokenUtil.TOKEN_TYPE_OFFLINE, offlineToken.getType());
+        Assert.assertEquals(0, offlineToken.getExpiration());
+
+        testRefreshWithOfflineToken(token, offlineToken, offlineTokenString, sessionId, userId);
+    }
+
+    private void testRefreshWithOfflineToken(AccessToken oldToken, RefreshToken offlineToken, String offlineTokenString,
+                                             final String sessionId, String userId) {
+        // Change offset to big value to ensure userSession expired
+        Time.setOffset(99999);
+        Assert.assertFalse(oldToken.isActive());
+        Assert.assertTrue(offlineToken.isActive());
+
+        // Assert userSession expired
+        keycloakRule.update(new KeycloakRule.KeycloakSetup() {
+
+            @Override
+            public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) {
+                manager.getSession().sessions().removeExpiredUserSessions(appRealm);
+            }
+
+        });
+        keycloakRule.update(new KeycloakRule.KeycloakSetup() {
+
+            @Override
+            public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) {
+                Assert.assertNull(manager.getSession().sessions().getUserSession(appRealm, sessionId));
+            }
+
+        });
+
+
+        OAuthClient.AccessTokenResponse response = oauth.doRefreshTokenRequest(offlineTokenString, "secret1");
+        AccessToken refreshedToken = oauth.verifyToken(response.getAccessToken());
+        Assert.assertEquals(200, response.getStatusCode());
+        Assert.assertEquals(sessionId, refreshedToken.getSessionState());
+
+        // Assert no refreshToken in the response
+        Assert.assertNull(response.getRefreshToken());
+        Assert.assertNotEquals(oldToken.getId(), refreshedToken.getId());
+
+        Assert.assertEquals(userId, refreshedToken.getSubject());
+
+        Assert.assertEquals(2, refreshedToken.getRealmAccess().getRoles().size());
+        Assert.assertTrue(refreshedToken.getRealmAccess().isUserInRole("user"));
+        Assert.assertTrue(refreshedToken.getRealmAccess().isUserInRole(Constants.OFFLINE_ACCESS_ROLE));
+
+        Assert.assertEquals(1, refreshedToken.getResourceAccess("test-app").getRoles().size());
+        Assert.assertTrue(refreshedToken.getResourceAccess("test-app").isUserInRole("customer-user"));
+
+        Event refreshEvent = events.expectRefresh(offlineToken.getId(), sessionId)
+                .client("offline-client")
+                .user(userId)
+                .removeDetail(Details.UPDATED_REFRESH_TOKEN_ID)
+                .detail(Details.REFRESH_TOKEN_TYPE, RefreshTokenUtil.TOKEN_TYPE_OFFLINE)
+                .assertEvent();
+        Assert.assertNotEquals(oldToken.getId(), refreshEvent.getDetails().get(Details.TOKEN_ID));
+
+        Time.setOffset(0);
+    }
+
+    @Test
+    public void offlineTokenDirectGrantFlow() throws Exception {
+        oauth.scope(OAuth2Constants.OFFLINE_ACCESS);
+        oauth.clientId("offline-client");
+        OAuthClient.AccessTokenResponse tokenResponse = oauth.doGrantAccessTokenRequest("secret1", "test-user@localhost", "password");
+
+        AccessToken token = oauth.verifyToken(tokenResponse.getAccessToken());
+        String offlineTokenString = tokenResponse.getRefreshToken();
+        RefreshToken offlineToken = oauth.verifyRefreshToken(offlineTokenString);
+
+        events.expectLogin()
+                .client("offline-client")
+                .user(userId)
+                .session(token.getSessionState())
+                .detail(Details.RESPONSE_TYPE, "token")
+                .detail(Details.TOKEN_ID, token.getId())
+                .detail(Details.REFRESH_TOKEN_ID, offlineToken.getId())
+                .detail(Details.REFRESH_TOKEN_TYPE, RefreshTokenUtil.TOKEN_TYPE_OFFLINE)
+                .detail(Details.USERNAME, "test-user@localhost")
+                .removeDetail(Details.CODE_ID)
+                .removeDetail(Details.REDIRECT_URI)
+                .removeDetail(Details.CONSENT)
+                .assertEvent();
+
+        Assert.assertEquals(RefreshTokenUtil.TOKEN_TYPE_OFFLINE, offlineToken.getType());
+        Assert.assertEquals(0, offlineToken.getExpiration());
+
+        testRefreshWithOfflineToken(token, offlineToken, offlineTokenString, token.getSessionState(), userId);
+    }
+
+    @Test
+    public void offlineTokenServiceAccountFlow() throws Exception {
+        oauth.scope(OAuth2Constants.OFFLINE_ACCESS);
+        oauth.clientId("offline-client");
+        OAuthClient.AccessTokenResponse tokenResponse = oauth.doClientCredentialsGrantAccessTokenRequest("secret1");
+
+        AccessToken token = oauth.verifyToken(tokenResponse.getAccessToken());
+        String offlineTokenString = tokenResponse.getRefreshToken();
+        RefreshToken offlineToken = oauth.verifyRefreshToken(offlineTokenString);
+
+        String serviceAccountUserId = keycloakRule.getUser("test",  ServiceAccountConstants.SERVICE_ACCOUNT_USER_PREFIX + "offline-client").getId();
+
+        events.expectClientLogin()
+                .client("offline-client")
+                .user(serviceAccountUserId)
+                .session(token.getSessionState())
+                .detail(Details.TOKEN_ID, token.getId())
+                .detail(Details.REFRESH_TOKEN_ID, offlineToken.getId())
+                .detail(Details.REFRESH_TOKEN_TYPE, RefreshTokenUtil.TOKEN_TYPE_OFFLINE)
+                .detail(Details.USERNAME, ServiceAccountConstants.SERVICE_ACCOUNT_USER_PREFIX + "offline-client")
+                .assertEvent();
+
+        Assert.assertEquals(RefreshTokenUtil.TOKEN_TYPE_OFFLINE, offlineToken.getType());
+        Assert.assertEquals(0, offlineToken.getExpiration());
+
+        testRefreshWithOfflineToken(token, offlineToken, offlineTokenString, token.getSessionState(), serviceAccountUserId);
+
+
+        // Now retrieve another offline token and verify that previous offline token is not valid anymore
+        tokenResponse = oauth.doClientCredentialsGrantAccessTokenRequest("secret1");
+
+        AccessToken token2 = oauth.verifyToken(tokenResponse.getAccessToken());
+        String offlineTokenString2 = tokenResponse.getRefreshToken();
+        RefreshToken offlineToken2 = oauth.verifyRefreshToken(offlineTokenString2);
+
+        events.expectClientLogin()
+                .client("offline-client")
+                .user(serviceAccountUserId)
+                .session(token2.getSessionState())
+                .detail(Details.TOKEN_ID, token2.getId())
+                .detail(Details.REFRESH_TOKEN_ID, offlineToken2.getId())
+                .detail(Details.REFRESH_TOKEN_TYPE, RefreshTokenUtil.TOKEN_TYPE_OFFLINE)
+                .detail(Details.USERNAME, ServiceAccountConstants.SERVICE_ACCOUNT_USER_PREFIX + "offline-client")
+                .assertEvent();
+
+        // Refresh with old offline token should fail
+        OAuthClient.AccessTokenResponse response = oauth.doRefreshTokenRequest(offlineTokenString, "secret1");
+        Assert.assertEquals(400, response.getStatusCode());
+        Assert.assertEquals("invalid_grant", response.getError());
+
+        events.expectRefresh(offlineToken.getId(), offlineToken.getSessionState())
+                .error(Errors.INVALID_TOKEN)
+                .client("offline-client")
+                .user(serviceAccountUserId)
+                .removeDetail(Details.UPDATED_REFRESH_TOKEN_ID)
+                .removeDetail(Details.TOKEN_ID)
+                .detail(Details.REFRESH_TOKEN_TYPE, RefreshTokenUtil.TOKEN_TYPE_OFFLINE)
+                .assertEvent();
+
+        // Refresh with new offline token is ok
+        testRefreshWithOfflineToken(token2, offlineToken2, offlineTokenString2, token2.getSessionState(), serviceAccountUserId);
+    }
+
+    @Test
+    public void testServlet() {
+        OfflineTokenServlet.tokenInfo = null;
+
+        String servletUri = UriBuilder.fromUri(offlineClientAppUri)
+                .queryParam(OAuth2Constants.SCOPE, OAuth2Constants.OFFLINE_ACCESS)
+                .build().toString();
+        driver.navigate().to(servletUri);
+        loginPage.login("test-user@localhost", "password");
+        Assert.assertTrue(driver.getCurrentUrl().startsWith(offlineClientAppUri));
+
+        Assert.assertEquals(OfflineTokenServlet.tokenInfo.refreshToken.getType(), RefreshTokenUtil.TOKEN_TYPE_OFFLINE);
+        Assert.assertEquals(OfflineTokenServlet.tokenInfo.refreshToken.getExpiration(), 0);
+
+        String accessTokenId = OfflineTokenServlet.tokenInfo.accessToken.getId();
+        String refreshTokenId = OfflineTokenServlet.tokenInfo.refreshToken.getId();
+
+        // Assert access token will be refreshed, but offline token will be still the same
+        Time.setOffset(9999);
+        driver.navigate().to(offlineClientAppUri);
+        Assert.assertTrue(driver.getCurrentUrl().startsWith(offlineClientAppUri));
+        Assert.assertEquals(OfflineTokenServlet.tokenInfo.refreshToken.getId(), refreshTokenId);
+        Assert.assertNotEquals(OfflineTokenServlet.tokenInfo.accessToken.getId(), accessTokenId);
+
+        // Ensure that logout works for webapp (even if offline token will be still valid in Keycloak DB)
+        driver.navigate().to(offlineClientAppUri + "/logout");
+        loginPage.assertCurrent();
+        driver.navigate().to(offlineClientAppUri);
+        loginPage.assertCurrent();
+
+        Time.setOffset(0);
+        events.clear();
+    }
+
+    @Test
+    public void testServletWithRevoke() {
+        // Login to servlet first with offline token
+        String servletUri = UriBuilder.fromUri(offlineClientAppUri)
+                .queryParam(OAuth2Constants.SCOPE, OAuth2Constants.OFFLINE_ACCESS)
+                .build().toString();
+        driver.navigate().to(servletUri);
+        loginPage.login("test-user@localhost", "password");
+        Assert.assertTrue(driver.getCurrentUrl().startsWith(offlineClientAppUri));
+
+        Assert.assertEquals(OfflineTokenServlet.tokenInfo.refreshToken.getType(), RefreshTokenUtil.TOKEN_TYPE_OFFLINE);
+
+        // Assert refresh works with increased time
+        Time.setOffset(9999);
+        driver.navigate().to(offlineClientAppUri);
+        Assert.assertTrue(driver.getCurrentUrl().startsWith(offlineClientAppUri));
+        Time.setOffset(0);
+
+        events.clear();
+
+        // Go to account service and revoke grant
+        accountAppPage.open();
+        List<String> additionalGrants = accountAppPage.getApplications().get("offline-client").getAdditionalGrants();
+        Assert.assertEquals(additionalGrants.size(), 1);
+        Assert.assertEquals(additionalGrants.get(0), "Offline Token");
+        accountAppPage.revokeGrant("offline-client");
+        Assert.assertEquals(accountAppPage.getApplications().get("offline-client").getAdditionalGrants().size(), 0);
+
+        events.expect(EventType.REVOKE_GRANT)
+                .client("account").detail(Details.REVOKED_CLIENT, "offline-client").assertEvent();
+
+        // Assert refresh doesn't work now (increase time one more time)
+        Time.setOffset(9999);
+        driver.navigate().to(offlineClientAppUri);
+        Assert.assertFalse(driver.getCurrentUrl().startsWith(offlineClientAppUri));
+        loginPage.assertCurrent();
+        Time.setOffset(0);
+    }
+
+    @Test
+    public void testServletWithConsent() {
+        keycloakRule.update(new KeycloakRule.KeycloakSetup() {
+
+            @Override
+            public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) {
+                appRealm.getClientByClientId("offline-client").setConsentRequired(true);
+            }
+
+        });
+
+        // Assert grant page doesn't have 'Offline Access' role when offline token is not requested
+        driver.navigate().to(offlineClientAppUri);
+        loginPage.login("test-user@localhost", "password");
+        oauthGrantPage.assertCurrent();
+        Assert.assertFalse(driver.getPageSource().contains("Offline access"));
+        oauthGrantPage.cancel();
+
+        // Assert grant page has 'Offline Access' role now
+        String servletUri = UriBuilder.fromUri(offlineClientAppUri)
+                .queryParam(OAuth2Constants.SCOPE, OAuth2Constants.OFFLINE_ACCESS)
+                .build().toString();
+        driver.navigate().to(servletUri);
+        loginPage.login("test-user@localhost", "password");
+        oauthGrantPage.assertCurrent();
+        Assert.assertTrue(driver.getPageSource().contains("Offline access"));
+        oauthGrantPage.accept();
+
+        Assert.assertTrue(driver.getCurrentUrl().startsWith(offlineClientAppUri));
+        Assert.assertEquals(OfflineTokenServlet.tokenInfo.refreshToken.getType(), RefreshTokenUtil.TOKEN_TYPE_OFFLINE);
+
+        accountAppPage.open();
+        AccountApplicationsPage.AppEntry offlineClient = accountAppPage.getApplications().get("offline-client");
+        Assert.assertTrue(offlineClient.getRolesGranted().contains("Offline access"));
+        Assert.assertTrue(offlineClient.getAdditionalGrants().contains("Offline Token"));
+
+        events.clear();
+
+        // Revert change
+        keycloakRule.update(new KeycloakRule.KeycloakSetup() {
+
+            @Override
+            public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) {
+                appRealm.getClientByClientId("offline-client").setConsentRequired(false);
+            }
+
+        });
+    }
+
+    public static class OfflineTokenServlet extends HttpServlet {
+
+        private static TokenInfo tokenInfo;
+
+        @Override
+        protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
+            if (req.getRequestURI().endsWith("logout")) {
+
+                UriBuilder redirectUriBuilder = UriBuilder.fromUri(offlineClientAppUri);
+                if (req.getParameter(OAuth2Constants.SCOPE) != null) {
+                    redirectUriBuilder.queryParam(OAuth2Constants.SCOPE, req.getParameter(OAuth2Constants.SCOPE));
+                }
+                String redirectUri = redirectUriBuilder.build().toString();
+
+                String origin = UriUtils.getOrigin(req.getRequestURL().toString());
+                String serverLogoutRedirect = UriBuilder.fromUri(origin + "/auth/realms/test/protocol/openid-connect/logout")
+                        .queryParam("redirect_uri", redirectUri)
+                        .build().toString();
+
+                resp.sendRedirect(serverLogoutRedirect);
+                return;
+            }
+
+            StringBuilder response = new StringBuilder("<html><head><title>Offline token servlet</title></head><body><pre>");
+            RefreshableKeycloakSecurityContext ctx = (RefreshableKeycloakSecurityContext) req.getAttribute(KeycloakSecurityContext.class.getName());
+            String accessTokenPretty = JsonSerialization.writeValueAsPrettyString(ctx.getToken());
+            RefreshToken refreshToken = new JWSInput(ctx.getRefreshToken()).readJsonContent(RefreshToken.class);
+            String refreshTokenPretty = JsonSerialization.writeValueAsPrettyString(refreshToken);
+
+            response = response.append(accessTokenPretty)
+                    .append(refreshTokenPretty)
+                    .append("</pre></body></html>");
+            resp.getWriter().println(response.toString());
+
+            tokenInfo = new TokenInfo(ctx.getToken(), refreshToken);
+        }
+
+    }
+
+    private static class TokenInfo {
+
+        private final AccessToken accessToken;
+        private final RefreshToken refreshToken;
+
+        public TokenInfo(AccessToken accessToken, RefreshToken refreshToken) {
+            this.accessToken = accessToken;
+            this.refreshToken = refreshToken;
+        }
+    }
+}

diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/OAuthClient.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/OAuthClient.java
index b06e433..087f82f 100755
--- a/testsuite/integration/src/test/java/org/keycloak/testsuite/OAuthClient.java
+++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/OAuthClient.java
@@ -76,6 +76,8 @@ public class OAuthClient {
 
     private String state = "mystate";
 
+    private String scope;
+
     private String uiLocales = null;
 
     private PublicKey realmPublicKey;
@@ -192,6 +194,9 @@ public class OAuthClient {
             if (clientSessionHost != null) {
                 parameters.add(new BasicNameValuePair(AdapterConstants.CLIENT_SESSION_HOST, clientSessionHost));
             }
+            if (scope != null) {
+                parameters.add(new BasicNameValuePair(OAuth2Constants.SCOPE, scope));
+            }
 
             UrlEncodedFormEntity formEntity;
             try {
@@ -218,6 +223,10 @@ public class OAuthClient {
             List<NameValuePair> parameters = new LinkedList<NameValuePair>();
             parameters.add(new BasicNameValuePair(OAuth2Constants.GRANT_TYPE, OAuth2Constants.CLIENT_CREDENTIALS));
 
+            if (scope != null) {
+                parameters.add(new BasicNameValuePair(OAuth2Constants.SCOPE, scope));
+            }
+
             UrlEncodedFormEntity formEntity;
             try {
                 formEntity = new UrlEncodedFormEntity(parameters, "UTF-8");
@@ -390,6 +399,9 @@ public class OAuthClient {
         if(uiLocales != null){
             b.queryParam(LocaleHelper.UI_LOCALES_PARAM, uiLocales);
         }
+        if (scope != null) {
+            b.queryParam(OAuth2Constants.SCOPE, scope);
+        }
         return b.build(realm).toString();
     }
 
@@ -452,6 +464,11 @@ public class OAuthClient {
         return this;
     }
 
+    public OAuthClient scope(String scope) {
+        this.scope = scope;
+        return this;
+    }
+
     public OAuthClient uiLocales(String uiLocales){
         this.uiLocales = uiLocales;
         return this;

diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/pages/AccountApplicationsPage.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/pages/AccountApplicationsPage.java
index f88db27..b48559c 100644
--- a/testsuite/integration/src/test/java/org/keycloak/testsuite/pages/AccountApplicationsPage.java
+++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/pages/AccountApplicationsPage.java
@@ -77,6 +77,15 @@ public class AccountApplicationsPage extends AbstractAccountPage {
                             currentEntry.addMapper(protMapper);
                         }
                         break;
+                    case 5:
+                        String additionalGrant = col.getText();
+                        if (additionalGrant.isEmpty()) break;
+                        String[] grants = additionalGrant.split(",");
+                        for (String grant : grants) {
+                            grant = grant.trim();
+                            currentEntry.addAdditionalGrant(grant);
+                        }
+                        break;
                 }
             }
         }
@@ -89,6 +98,7 @@ public class AccountApplicationsPage extends AbstractAccountPage {
         private final List<String> rolesAvailable = new ArrayList<String>();
         private final List<String> rolesGranted = new ArrayList<String>();
         private final List<String> protocolMappersGranted = new ArrayList<String>();
+        private final List<String> additionalGrants = new ArrayList<>();
 
         private void addAvailableRole(String role) {
             rolesAvailable.add(role);
@@ -102,6 +112,10 @@ public class AccountApplicationsPage extends AbstractAccountPage {
             protocolMappersGranted.add(protocolMapper);
         }
 
+        private void addAdditionalGrant(String grant) {
+            additionalGrants.add(grant);
+        }
+
         public List<String> getRolesGranted() {
             return rolesGranted;
         }
@@ -113,5 +127,9 @@ public class AccountApplicationsPage extends AbstractAccountPage {
         public List<String> getProtocolMappersGranted() {
             return protocolMappersGranted;
         }
+
+        public List<String> getAdditionalGrants() {
+            return additionalGrants;
+        }
     }
 }

diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/pages/LoginUpdateProfileEditUsernameAllowedPage.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/pages/LoginUpdateProfileEditUsernameAllowedPage.java
new file mode 100644
index 0000000..bba3f93
--- /dev/null
+++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/pages/LoginUpdateProfileEditUsernameAllowedPage.java
@@ -0,0 +1,51 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2012, Red Hat, Inc., and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.keycloak.testsuite.pages;
+
+import org.openqa.selenium.WebElement;
+import org.openqa.selenium.support.FindBy;
+
+public class LoginUpdateProfileEditUsernameAllowedPage extends LoginUpdateProfilePage {
+
+    @FindBy(id = "username")
+    private WebElement usernameInput;
+
+    public void update(String firstName, String lastName, String email, String username) {
+        usernameInput.clear();
+        usernameInput.sendKeys(username);
+        update(firstName, lastName, email);
+    }
+
+    public String getUsername() {
+        return usernameInput.getAttribute("value");
+    }
+
+    public boolean isCurrent() {
+        return driver.getTitle().equals("Update Account Information");
+    }
+
+    @Override
+    public void open() {
+        throw new UnsupportedOperationException();
+    }
+
+}

diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/rule/LDAPRule.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/rule/LDAPRule.java
index add9708..438938f 100755
--- a/testsuite/integration/src/test/java/org/keycloak/testsuite/rule/LDAPRule.java
+++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/rule/LDAPRule.java
@@ -57,4 +57,8 @@ public class LDAPRule extends ExternalResource {
     public Map<String, String> getConfig() {
         return ldapTestConfiguration.getLDAPConfig();
     }
+
+    public int getSleepTime() {
+        return ldapTestConfiguration.getSleepTime();
+    }
 }

diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/saml/SamlBindingTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/saml/SamlBindingTest.java
index d556a83..2d2ab44 100755
--- a/testsuite/integration/src/test/java/org/keycloak/testsuite/saml/SamlBindingTest.java
+++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/saml/SamlBindingTest.java
@@ -457,7 +457,7 @@ public class SamlBindingTest {
             ClientSessionModel clientSession = session.sessions().createClientSession(adminRealm, adminConsole);
             clientSession.setNote(OIDCLoginProtocol.ISSUER, "http://localhost:8081/auth/realms/master");
             UserSessionModel userSession = session.sessions().createUserSession(adminRealm, admin, "admin", null, "form", false, null, null);
-            AccessToken token = tm.createClientAccessToken(session, tm.getAccess(null, adminConsole, admin), adminRealm, adminConsole, admin, userSession, clientSession);
+            AccessToken token = tm.createClientAccessToken(session, tm.getAccess(null, true, adminConsole, admin), adminRealm, adminConsole, admin, userSession, clientSession);
             return tm.encodeToken(adminRealm, token);
         } finally {
             keycloakRule.stopSession(session, true);

diff --git a/testsuite/integration/src/test/resources/model/testrealm.json b/testsuite/integration/src/test/resources/model/testrealm.json
index acbbdf5..f7c8cdd 100755
--- a/testsuite/integration/src/test/resources/model/testrealm.json
+++ b/testsuite/integration/src/test/resources/model/testrealm.json
@@ -198,7 +198,8 @@
         "application" : {
             "Application" : [
                 {
-                    "name": "app-admin"
+                    "name": "app-admin",
+                    "scopeParamRequired": true
                 },
                 {
                     "name": "app-user"
@@ -206,7 +207,8 @@
             ],
             "OtherApp" : [
                 {
-                    "name": "otherapp-admin"
+                    "name": "otherapp-admin",
+                    "scopeParamRequired": false
                 },
                 {
                     "name": "otherapp-user"

diff --git a/testsuite/integration/src/test/resources/oidc/offline-client-keycloak.json b/testsuite/integration/src/test/resources/oidc/offline-client-keycloak.json
new file mode 100644
index 0000000..bc7be17
--- /dev/null
+++ b/testsuite/integration/src/test/resources/oidc/offline-client-keycloak.json
@@ -0,0 +1,10 @@
+{
+  "realm": "test",
+  "resource": "offline-client",
+  "realm-public-key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB",
+  "auth-server-url": "http://localhost:8081/auth",
+  "ssl-required" : "external",
+  "credentials": {
+    "secret": "secret1"
+  }
+}
\ No newline at end of file

diff --git a/testsuite/integration/src/test/resources/testrealm.json b/testsuite/integration/src/test/resources/testrealm.json
index 8ad29cc..e16e3e2 100755
--- a/testsuite/integration/src/test/resources/testrealm.json
+++ b/testsuite/integration/src/test/resources/testrealm.json
@@ -5,6 +5,7 @@
     "sslRequired": "external",
     "registrationAllowed": true,
     "resetPasswordAllowed": true,
+    "editUsernameAllowed" : true,
     "privateKey": "MIICXAIBAAKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQABAoGAfmO8gVhyBxdqlxmIuglbz8bcjQbhXJLR2EoS8ngTXmN1bo2L90M0mUKSdc7qF10LgETBzqL8jYlQIbt+e6TH8fcEpKCjUlyq0Mf/vVbfZSNaVycY13nTzo27iPyWQHK5NLuJzn1xvxxrUeXI6A2WFpGEBLbHjwpx5WQG9A+2scECQQDvdn9NE75HPTVPxBqsEd2z10TKkl9CZxu10Qby3iQQmWLEJ9LNmy3acvKrE3gMiYNWb6xHPKiIqOR1as7L24aTAkEAtyvQOlCvr5kAjVqrEKXalj0Tzewjweuxc0pskvArTI2Oo070h65GpoIKLc9jf+UA69cRtquwP93aZKtW06U8dQJAF2Y44ks/mK5+eyDqik3koCI08qaC8HYq2wVl7G2QkJ6sbAaILtcvD92ToOvyGyeE0flvmDZxMYlvaZnaQ0lcSQJBAKZU6umJi3/xeEbkJqMfeLclD27XGEFoPeNrmdx0q10Azp4NfJAY+Z8KRyQCR2BEG+oNitBOZ+YXF9KCpH3cdmECQHEigJhYg+ykOvr1aiZUMFT72HU0jnmQe2FVekuG+LJUt2Tm7GtMjTFoGpf0JwrVuZN39fOYAlo+nTixgeW7X8Y=",
     "publicKey": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB",
     "requiredCredentials": [ "password" ],
@@ -25,6 +26,22 @@
                 { "type" : "password",
                   "value" : "password" }
             ],
+            "realmRoles": ["user", "offline_access"],
+            "clientRoles": {
+                "test-app": [ "customer-user" ],
+                "account": [ "view-profile", "manage-account" ]
+            }
+        },
+        {
+            "username" : "john-doh@localhost",
+            "enabled": true,
+            "email" : "john-doh@localhost",
+            "firstName": "John",
+            "lastName": "Doh",
+            "credentials" : [
+                { "type" : "password",
+                    "value" : "password" }
+            ],
             "realmRoles": ["user"],
             "clientRoles": {
                 "test-app": [ "customer-user" ],
@@ -32,7 +49,7 @@
             }
         },
         {
-            "username" : "keycloak-user@localhost",
+                "username" : "keycloak-user@localhost",
             "enabled": true,
             "email" : "keycloak-user@localhost",
             "credentials" : [

diff --git a/testsuite/integration-arquillian/pom.xml b/testsuite/integration-arquillian/pom.xml
index 2ef2ac3..064e065 100644
--- a/testsuite/integration-arquillian/pom.xml
+++ b/testsuite/integration-arquillian/pom.xml
@@ -2,190 +2,44 @@
 <project xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd" xmlns="http://maven.apache.org/POM/4.0.0"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
     <parent>
-        <artifactId>keycloak-testsuite-pom</artifactId>
         <groupId>org.keycloak</groupId>
+        <artifactId>keycloak-testsuite-pom</artifactId>
         <version>1.6.0.Final-SNAPSHOT</version>
         <relativePath>../pom.xml</relativePath>
     </parent>
     <modelVersion>4.0.0</modelVersion>
-
-    <artifactId>keycloak-testsuite-integration-arquillian</artifactId>
-    <name>KeyCloak Arquillian TestSuite</name>
-
-    <properties>
-        <browser>phantomjs</browser>
-		
-        <arquillian-core.version>1.1.5.Final</arquillian-core.version>
-        <selenium.version>2.45.0</selenium.version>
-        <arquillian-drone.version>1.3.1.Final</arquillian-drone.version>
-        <arquillian-phantomjs.version>1.1.4.Final</arquillian-phantomjs.version>
-        <arquillian-graphene.version>2.0.3.Final</arquillian-graphene.version>
-        <arquillian-wildfly-container.version>8.1.0.Final</arquillian-wildfly-container.version>
-        
-        <!-- Used in profile "wildfly-8-remote".
-        Set to "false" if admin password has already been updated after first login. -->
-        <firstAdminLogin>true</firstAdminLogin>
-    </properties>
-
-    <dependencyManagement>
-        <dependencies>
-            <dependency>
-                <groupId>org.jboss.arquillian.selenium</groupId>
-                <artifactId>selenium-bom</artifactId>
-                <version>${selenium.version}</version>
-                <type>pom</type>
-                <scope>import</scope>
-            </dependency>
-            <dependency>
-                <groupId>org.jboss.arquillian</groupId>
-                <artifactId>arquillian-bom</artifactId>
-                <version>${arquillian-core.version}</version>
-                <type>pom</type>
-                <scope>import</scope>
-            </dependency>
-            <dependency>
-                <groupId>org.jboss.arquillian.extension</groupId>
-                <artifactId>arquillian-drone-bom</artifactId>
-                <version>${arquillian-drone.version}</version>
-                <type>pom</type>
-                <scope>import</scope>
-            </dependency>
-            <dependency>
-                <groupId>org.wildfly</groupId>
-                <artifactId>wildfly-arquillian-container-remote</artifactId>
-                <version>${arquillian-wildfly-container.version}</version>
-            </dependency>
-            <dependency>
-                <groupId>org.wildfly</groupId>
-                <artifactId>wildfly-arquillian-container-managed</artifactId>
-                <version>${arquillian-wildfly-container.version}</version>
-            </dependency>
-        </dependencies>
-    </dependencyManagement>
-
-    <dependencies>
-        <dependency>
-            <groupId>junit</groupId>
-            <artifactId>junit</artifactId>
-            <scope>test</scope>
-        </dependency>
-        <dependency>
-            <groupId>org.jboss.arquillian.junit</groupId>
-            <artifactId>arquillian-junit-container</artifactId>
-            <scope>test</scope>
-        </dependency>
-        <dependency>
-            <groupId>org.jboss.arquillian.graphene</groupId>
-            <artifactId>graphene-webdriver</artifactId>
-            <version>${arquillian-graphene.version}</version>
-            <type>pom</type>
-            <scope>test</scope>
-        </dependency>
-        <dependency>
-            <groupId>org.jboss.arquillian.extension</groupId>
-            <artifactId>arquillian-phantom-driver</artifactId>
-            <version>${arquillian-phantomjs.version}</version>
-            <scope>test</scope>
-        </dependency>
-        <dependency>
-            <groupId>org.keycloak</groupId>
-            <artifactId>keycloak-server-dist</artifactId>
-            <scope>test</scope>
-            <type>zip</type>
-        </dependency>
-        <dependency>
-            <groupId>org.slf4j</groupId>
-            <artifactId>slf4j-log4j12</artifactId>
-        </dependency>
-    </dependencies>
-
-    <profiles>
-        <profile>
-            <id>wildfly-8-remote</id>
-            <dependencies>
-                <dependency>
-                    <groupId>org.wildfly</groupId>
-                    <artifactId>wildfly-arquillian-container-remote</artifactId>
-                    <scope>test</scope>
-                </dependency>
-            </dependencies>
-            <build>
-                <plugins>
-                    <plugin>
-                        <groupId>org.apache.maven.plugins</groupId>
-                        <artifactId>maven-surefire-plugin</artifactId>
-                        <configuration>
-                            <systemPropertyVariables>
-                                <shouldDeploy>false</shouldDeploy>
-                                <arquillian.launch>wildfly-8-remote</arquillian.launch>
-                                <browser>${browser}</browser>
-                                <firstAdminLogin>${first.login}</firstAdminLogin>
-                            </systemPropertyVariables>
-                        </configuration>
-                    </plugin>
-                </plugins>
-            </build>
-        </profile>
-		
-        <profile>
-            <id>wildfly-8-managed</id>
-            <activation>
-                <activeByDefault>true</activeByDefault>
-            </activation>
-            <dependencies>
-                <dependency>
-                    <groupId>org.wildfly</groupId>
-                    <artifactId>wildfly-arquillian-container-managed</artifactId>
-                    <scope>test</scope>
-                </dependency>
-            </dependencies>
-            <properties>
-                <install.directory>${project.build.directory}/install</install.directory>
-                <jbossHome>${install.directory}/keycloak-${project.version}</jbossHome>
-            </properties>
-            <build>
-                <plugins>
-                    <plugin>
-                        <groupId>org.apache.maven.plugins</groupId>
-                        <artifactId>maven-dependency-plugin</artifactId>
-                        <version>2.10</version>
-                        <executions>
-                            <execution>
-                                <id>unpack</id>
-                                <phase>process-test-resources</phase>
-                                <goals>
-                                    <goal>unpack</goal>
-                                </goals>
-                                <configuration>
-                                    <artifactItems>
-                                        <artifactItem>
-                                            <groupId>org.keycloak</groupId>
-                                            <artifactId>keycloak-server-dist</artifactId>
-                                            <type>zip</type>
-                                            <overWrite>false</overWrite>
-                                        </artifactItem>
-                                    </artifactItems>
-                                    <outputDirectory>${install.directory}</outputDirectory>
-                                    <overWriteReleases>false</overWriteReleases>
-                                    <overWriteSnapshots>true</overWriteSnapshots>
-                                </configuration>
-                            </execution>
-                        </executions>
-                    </plugin>
-                    <plugin>
-                        <groupId>org.apache.maven.plugins</groupId>
-                        <artifactId>maven-surefire-plugin</artifactId>
-                        <configuration>
-                            <systemPropertyVariables>
-                                <shouldDeploy>false</shouldDeploy>
-                                <arquillian.launch>wildfly-8-managed</arquillian.launch>
-                                <browser>${browser}</browser>
-                                <jbossHome>${jbossHome}</jbossHome>
-                            </systemPropertyVariables>
-                        </configuration>
-                    </plugin>
-                </plugins>
-            </build>
-        </profile>
-    </profiles>
+    
+    <groupId>org.keycloak.testsuite</groupId>
+    <artifactId>integration-arquillian</artifactId>
+    <packaging>pom</packaging>
+    <name>Keycloak Integration TestSuite with Arquillian</name>
+    
+    <modules>
+        <module>servers</module>
+        <module>tests</module>
+    </modules>
+    
+    <build>
+        <pluginManagement>
+            <plugins>
+                <plugin>
+                    <groupId>org.apache.maven.plugins</groupId>
+                    <artifactId>maven-surefire-plugin</artifactId>
+                    <version>2.18.1</version>
+                </plugin>
+                <plugin>
+                    <groupId>org.codehaus.mojo</groupId>
+                    <artifactId>xml-maven-plugin</artifactId>
+                    <version>1.0</version>
+                </plugin>
+                <plugin>
+                    <groupId>org.apache.maven.plugins</groupId>
+                    <artifactId>maven-dependency-plugin</artifactId>
+                    <version>2.10</version>
+                </plugin>
+            </plugins>
+        </pluginManagement>
+    </build>
+    
+    
 </project>

diff --git a/testsuite/integration-arquillian/README.md b/testsuite/integration-arquillian/README.md
index a81701d..7620d98 100644
--- a/testsuite/integration-arquillian/README.md
+++ b/testsuite/integration-arquillian/README.md
@@ -1,21 +1,61 @@
-Testing admin console with Arquillian
-=====================================
+# Keycloak Integration Testsuite with Arquillian
 
-There are currently two ways of running the tests with help of Arquillian.
+## Structure
 
-Remote mode
-----------
+```
+integration-arquillian
+│
+├──servers  (submodules enabled via profiles)
+│  ├──wildfly
+│  └──eap6
+│
+└──tests
+   ├──base
+   └──adapters  (submodules enabled via profiles, all depend on base)
+      ├──wildfly
+      ├──wildfly-relative  (needs servers/wildfly)
+      ├──wildfly8
+      ├──as7
+      ├──tomcat
+      └──karaf
 
-Just simply typle `mvn verify` and you are all set. This requires the instance of Wildfly with embedded Keycloak to be already running.
+```
 
-Managed mode
-------------
+## General Concepts
 
-You need to pass two arguments to Maven, first is location of your Wildfly server with embedded Keycloak and the other is name of the profile.
+The testsuite supports **multiple server runtimes** for the Keycloak server.
+The **default is Undertow** which is the fastest and easiest option, and runs in the same JVM as the tests.
 
-    mvn verify -Pwildfly-8-managed -DjbossHome=/your/server/location
+Other options are **Wildfly 9** and **EAP 6**. These have some additional requirements and limitations:
+1. The selected server module must be built before any tests can be run. 
+All server-side configuration is done during this build (e.g. datasource configuration).
+Once server artifact is built the tests modules can unpack it via `maven-dependency-plugin` into their working directory before running.
+2. Before the selected server module can be built the `keycloak/distribution` module also needs to be built.
 
-Browser
--------
+### Server Runtimes
 
-There are currently two supported browsers - PhantomJS and Firefox. PhantomJS is the default one, in order to use Firefox just specify `-Dbrowser=firefox` parameter in the Maven command. 
+TODO: explain why separate module, list config options, note on migration modules
+
+### Base Testsuite
+
+login flows + account management
+
+admin ui
+
+abstract adapter tests
+
+### Adapter Tests
+
+test servlets: demo, session
+
+examples
+
+## Running the Tests
+
+### Undertow
+
+### Wildfly or EAP 6
+
+### Adapters
+
+### Supported Browsers
\ No newline at end of file

diff --git a/testsuite/integration-arquillian/README_old.md b/testsuite/integration-arquillian/README_old.md
new file mode 100644
index 0000000..76357ce
--- /dev/null
+++ b/testsuite/integration-arquillian/README_old.md
@@ -0,0 +1,189 @@
+# Keycloak Integration Testsuite with Arquillian
+
+*OUT OF DATE - NEEDS REWRITE*
+
+## Usage
+
+Running the tests: `mvn test` or `mvn clean test`
+
+## Test suite
+
+### Selecting container for Keycloak Server
+
+The testsuite requires a container for Keycloak Server to be selected.
+This container is used by all tests in the suite during a single test execution.
+
+*By default* the tests run with server on embedded *Undertow*.
+A different container can be selected with profile, e.g. `-Pauth-server-wildfly`.
+
+### Containers Supported for Keycloak Server
+
+| Container | Arquillian Qualifier | Maven | Dependencies |
+| --- | --- | --- | --- |
+| **Undertow** | `auth-server-undertow` | **default** | `undertow-core`, `resteasy-undertow` |
+| **Wildfly 9** | `auth-server-wildfly` | `-Pauth-server-wildfly` | `keycloak-server-dist` or `wildfly-dist`+`keycloak-server-overlay` |
+| **EAP 6.4** | `auth-server-eap6` | `-Pauth-server-eap6` | `keycloak-server-dist` or `eap6-dist`+`keycloak-server-overlay` |
+
+See the relevant container definitions in `arquillian.xml` located in the **test resources** folder.
+
+### Test Class Hierarchy
+```
+AbstractKeycloakTest
+├── AbstractAdminConsoleTest
+└── AbstractAdapterTest
+```
+
+### AbstractKeycloakTest
+
+Handles test realms. Provides Admin Client for REST operations.
+
+* **@BeforeClass**
+ 1. Updates the admin password to enable the admin user.
+* **@Before**
+ 1. Initiates admin client
+ 2. Imports test realms. (Loading test realms is overriden in subclasses.)
+* **@After**
+ 1. Removes test realms.
+ 2. Closes admin client.
+
+### ContainersTestEnricher
+
+Manages *container lifecycles*.
+
+`ContainersTestEnricher` is a custom Arquillian observer that handles lifecycles of auth server and app server containers for each test class.
+Containers are started during `@BeforeClass` and shut down during `@AfterClass` event.
+
+*Optionally* each test class can be annotated with `@AuthServerContainer("qualifier")` and `@AppServerConatiner("qualifier")` annotations 
+to indicate containers required for the test.
+
+* In case `@AuthServerContainer` is not present the *auth server qualifier* is loaded from `auth.server.container` property.
+* In case `@AppServerContainer` is not present or it's value is the same as *auth server qualifier*, the app server isn't started for the test class.
+
+## Admin Console Tests
+
+Tests for admin console are located in `org/keycloak/testsuite/console`.
+Related non-test classes are located on the same path in the **main sources**.
+
+Admin console tests are **ENABLED by default**. They can be disabled by `-P no-console`.
+
+
+## Adapter Tests
+
+Adapter tests are located in `org/keycloak/testsuite/adapter`.
+Related non-test classes can be found on the same path in the **main sources**.
+
+Adapter tests are **DISABLED by default**. They can be enabled by profiles.
+Multiple profiles can be enabled for a single test execution.
+
+*Note:* When testing adapter with multiple containers in a single run it is better 
+to use the `--fail-at-end` (`-fae`) strategy instead of the default `--fail-fast` one.
+This will allow Maven to continue building other modules even if some of them have test failures.
+
+### Containers Supported for Adapter Tests
+
+| Container | Arquillian Qualifier | Maven | Dependencies |
+| --- | --- | --- | --- |
+| **Wildfly 9** Relative | `auth-server-wildfly` | `-Pauth-server-wildfly` | `keycloak-server-dist` or `wildfly-dist`+`keycloak-server-overlay`, `keycloak-adapter-dist-wf9` |
+| **Wildfly 9** | `app-server-wildfly` | `-Papp-server-wildfly` | `wildfly-dist`, `keycloak-adapter-dist-wf9` |
+| **Wildfly 8** | `app-server-wildfly` | `-Papp-server-wildfly8` | `wildfly-dist:8.2.1.Final`, `keycloak-adapter-dist-wf8` |
+| **JBoss AS 7** | `app-server-as7` | `-Papp-server-as7` | `jboss-as-dist`, `keycloak-adapter-dist-as7` |
+| **Tomcat 8** | `app-server-tomcat` | `-Papp-server-tomcat` | `tomcat`, `keycloak-tomcat8-adapter-dist` |
+| **Karaf 3** | `app-server-karaf` | `-Papp-server-karaf` | `apache-camel`, `apache-cxf`, `keycloak-osgi-features`, `keycloak-fuse-example-features` |
+
+See the relevant container definitions in `tests/adapter/<container>/src/main/xslt/arquillian.xsl`.
+
+***Important:*** Arquillian cannot load multiple controllers for JBossAS/Wildfly containers in a single run (because same class name)
+but a different controller is required for JBossAS7/EAP6 than for WF8/9. Because of this:
+
+ - Adapter tests for *Wildfly 8/9* cannot be run against server on *EAP 6*. `-Papp-server-wildfly*` ⇒ `!auth-server-eap6`
+ - Adapter tests for *JBossAS 7* can only be run against server on *EAP 6*. `-Papp-server-as7,auth-server-eap6`
+
+### Adapter Test Types
+
+1. Using **test servlets**.
+2. Using **example/demo wars**.
+
+```
+AbstractKeycloakTest
+└── AbstractAdapterTest
+    ├── AbstractServletsAdapterTest
+    |   ├── Relative…
+    |   ├── Wildfly…
+    |   ├── Tomcat…
+    |   …
+    └── AbstractExampleAdapterTest
+        ├── AbstractDemoExampleAdapterTest
+        |   ├── Relative…
+        |   ├── Wildfly…
+        |   ├── Tomcat…
+        |   …
+        ├── AbstractBasicAuthExampleAdapterTest
+        |   ├── Relative…
+        |   ├── Wildfly…
+        |   ├── Tomcat…
+        |   …
+        …
+```
+
+### Relative vs Non-relative scenario
+
+The test suite can handle both types.
+It automatically modifies imported test realms and deployments' adapter configs based on scenario type.
+
+| Scenario | Description | Realm config (server side) | Adapter config (client side) |
+| --- | --- | --- | --- |
+| **Relative** | Both Keycloak Server and test apps running in the same container. | client `baseUrl`, `adminUrl` and `redirect-uris` can be relative | `auth-server-url` can be relative |
+| **Non-relative** | Test apps run in a different container than Keycloak Server. | client `baseUrl`, `adminUrl` and `redirect-uris` need to include FQDN of the app server | `auth-server-url` needs to include FQDN of the auth server|
+
+### Adapter Libraries Mode
+
+1. **Provided.** By container, e.g. as a subsystem. *Default.*
+2. **Bundled.** In the deployed war in `/WEB-INF/libs`. Enable with `-Dadapter.libs.bundled`. *Wildfly only*.
+
+### Adapter Config Mode
+
+1. ~~**Provided.** In `standalone.xml` using `secure-deployment`. *Wildfly only.*~~ WIP
+2. **Bundled.** In the deployed war in `/WEB-INF/keycloak.json`. *Default.*
+
+### Adapters Test Coverage
+
+| Module | Coverage | Supported Containers |
+| --- | --- | --- |
+| ***Test Servlets*** | Good | All |
+| **Demo** | Minimal, WIP | `auth-server-wildfly` (relative) |
+| **Admin Client** |  |
+| **Cordova** |  |
+| **CORS** |  |
+| **JS Console** | Good | `auth-server-wildfly` (relative) |
+| **Providers** |  |
+| Themes |  |
+| Multitenancy | WIP |  |
+| **Basic Auth** | Good | All |
+| **Fuse** | Good | `app-server-karaf` |
+| SAML |  |
+| LDAP |  |
+| Kerberos |  |
+
+## Supported Browsers
+
+| Browser | Maven |
+| --- | --- | 
+| **PhantomJS** | `-Dbrowser=phantomjs` **default** |
+| **Firefox** | `-Dbrowser=firefox` |
+
+
+## Custom Arquillian Extensions
+
+Custom extensions are registered in `META-INF/services/org.jboss.arquillian.core.spi.LoadableExtension`.
+
+* Multiple containers extension
+ * Replaces Arquillian's default container handling.
+ * Allows to manage multiple container instances of different types within a single test run.
+ * Allows to skip loading disabled containers based on `enabled` config property in `arquillian.xml`.
+* Custom extension
+ * `ContainersTestEnricher` - Handles lifecycles of auth-server and app-server.
+ * `CustomUndertowContainer` - A custom container controller for JAX-RS-enabled Undertow with Keycloak Server.
+ * `DeploymentArchiveProcessor` - Modifies adapter config before deployment on app server based on relative/non-relative scenario.
+ * `URLProvider` - Fixes URLs injected by Arquillian which contain 127.0.0.1 instead of localhost.
+ * `JiraTestExecutionDecider` - Skipping tests for unresolved JIRAs.
+

diff --git a/testsuite/integration-arquillian/servers/eap6/assembly.xml b/testsuite/integration-arquillian/servers/eap6/assembly.xml
new file mode 100644
index 0000000..537dd4e
--- /dev/null
+++ b/testsuite/integration-arquillian/servers/eap6/assembly.xml
@@ -0,0 +1,29 @@
+<assembly>
+    
+    <id>auth-server-eap6</id>
+
+    <formats>
+        <format>zip</format>
+    </formats>
+
+    <includeBaseDirectory>false</includeBaseDirectory>
+
+    <fileSets>
+        <fileSet>
+            <directory>${keycloak.server.home}</directory>
+            <outputDirectory>keycloak-${project.version}</outputDirectory>
+            <excludes>
+                <exclude>**/*.sh</exclude>
+            </excludes>
+        </fileSet>
+        <fileSet>
+            <directory>${keycloak.server.home}</directory>
+            <outputDirectory>keycloak-${project.version}</outputDirectory>
+            <includes>
+                <include>**/*.sh</include>
+            </includes>
+            <fileMode>0755</fileMode>
+        </fileSet>
+    </fileSets>
+
+</assembly>

diff --git a/testsuite/integration-arquillian/servers/eap6/pom.xml b/testsuite/integration-arquillian/servers/eap6/pom.xml
new file mode 100644
index 0000000..4bab815
--- /dev/null
+++ b/testsuite/integration-arquillian/servers/eap6/pom.xml
@@ -0,0 +1,184 @@
+<?xml version="1.0"?>
+<project xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd" xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+    <parent>
+        <groupId>org.keycloak.testsuite</groupId>
+        <artifactId>integration-arquillian-servers</artifactId>
+        <version>1.6.0.Final-SNAPSHOT</version>
+    </parent>
+    <modelVersion>4.0.0</modelVersion>
+
+    <artifactId>integration-arquillian-server-eap6</artifactId>
+    <packaging>pom</packaging>
+    <name>Server on EAP 6</name>
+    
+    <properties>
+        <keycloak.server.home>${project.build.directory}/unpacked/jboss-eap-6.4</keycloak.server.home>
+    </properties>
+            
+    <dependencies>
+        <dependency>
+            <groupId>org.jboss.as</groupId>
+            <artifactId>jboss-as-dist</artifactId>
+            <version>${jboss.version}</version>
+            <type>zip</type>
+        </dependency>
+        <dependency>
+            <groupId>org.keycloak</groupId>
+            <artifactId>keycloak-server-overlay-eap6</artifactId>
+            <version>${project.version}</version>
+            <type>zip</type>
+        </dependency>
+        <dependency>
+            <groupId>org.keycloak</groupId>
+            <artifactId>keycloak-eap6-adapter-dist</artifactId>
+            <type>zip</type>
+        </dependency>
+    </dependencies>
+            
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-deploy-plugin</artifactId>
+                <configuration>
+                    <skip>true</skip>
+                </configuration>
+            </plugin>            
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-dependency-plugin</artifactId>
+                <executions>
+                    <execution>
+                        <id>unpack-eap6-and-server-overlay</id>
+                        <phase>generate-resources</phase>
+                        <goals>
+                            <goal>unpack</goal>
+                        </goals>
+                        <configuration>
+                            <artifactItems>
+                                <artifactItem>
+                                    <groupId>org.jboss.as</groupId>
+                                    <artifactId>jboss-as-dist</artifactId>
+                                    <version>${jboss.version}</version>
+                                    <type>zip</type>
+                                    <outputDirectory>${project.build.directory}/unpacked</outputDirectory>
+                                </artifactItem>
+                                <artifactItem>
+                                    <groupId>org.keycloak</groupId>
+                                    <artifactId>keycloak-server-overlay-eap6</artifactId>
+                                    <version>${project.version}</version>
+                                    <type>zip</type>
+                                    <outputDirectory>${keycloak.server.home}</outputDirectory>
+                                </artifactItem>
+                            </artifactItems>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-antrun-plugin</artifactId>
+                <version>1.8</version>
+                <executions>
+                    <execution>
+                        <id>move-standalone-keycloak-xml</id>
+                        <phase>process-resources</phase>
+                        <goals>
+                            <goal>run</goal>
+                        </goals>
+                        <configuration>
+                            <tasks>
+                                <move file="${keycloak.server.home}/standalone/configuration/standalone-keycloak.xml" 
+                                      tofile="${keycloak.server.home}/standalone/configuration/standalone.xml"/>
+                            </tasks>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
+            <plugin>
+                <artifactId>maven-assembly-plugin</artifactId>
+                <executions>
+                    <execution>
+                        <id>create-zip</id>
+                        <phase>package</phase>
+                        <goals>
+                            <goal>single</goal>
+                        </goals>
+                        <configuration>
+                            <descriptors>
+                                <descriptor>assembly.xml</descriptor>
+                            </descriptors>
+                            <appendAssemblyId>false</appendAssemblyId>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
+        </plugins>
+    </build>
+    
+    <profiles>
+        <profile>
+            <id>adapter-libs-provided</id>
+            <activation>    
+                <property>
+                    <name>!adapter.libs.bundled</name>
+                </property>
+            </activation>
+            <build>
+                <plugins>
+                    <plugin>
+                        <groupId>org.apache.maven.plugins</groupId>
+                        <artifactId>maven-dependency-plugin</artifactId>
+                        <executions>
+                            <execution>
+                                <id>unpack-adapter</id>
+                                <phase>generate-resources</phase>
+                                <goals>
+                                    <goal>unpack</goal>
+                                </goals>
+                                <configuration>
+                                    <artifactItems>
+                                        <artifactItem>
+                                            <groupId>org.keycloak</groupId>
+                                            <artifactId>keycloak-eap6-adapter-dist</artifactId>
+                                            <version>${project.version}</version>
+                                            <type>zip</type>
+                                            <outputDirectory>${keycloak.server.home}</outputDirectory>
+                                        </artifactItem>
+                                    </artifactItems>
+                                </configuration>
+                            </execution>
+                        </executions>
+                    </plugin>
+                    <plugin>
+                        <groupId>org.codehaus.mojo</groupId>
+                        <artifactId>xml-maven-plugin</artifactId>
+                        <executions>
+                            <execution>
+                                <id>configure-adapter-subsystem</id>
+                                <phase>process-resources</phase>
+                                <goals>
+                                    <goal>transform</goal>
+                                </goals>
+                                <configuration>
+                                    <transformationSets>
+                                        <transformationSet>
+                                            <dir>${keycloak.server.home}/standalone/configuration</dir>
+                                            <includes>
+                                                <include>standalone.xml</include>
+                                            </includes>
+                                            <stylesheet>src/main/xslt/standalone.xsl</stylesheet>
+                                            <outputDir>${keycloak.server.home}/standalone/configuration</outputDir>
+                                        </transformationSet>
+                                    </transformationSets>
+                                </configuration>
+                            </execution>
+                        </executions>
+                    </plugin>
+                </plugins>
+            </build>
+        </profile>
+    </profiles>
+            
+</project>

diff --git a/testsuite/integration-arquillian/servers/eap6/src/main/xslt/datasource.xsl b/testsuite/integration-arquillian/servers/eap6/src/main/xslt/datasource.xsl
new file mode 100644
index 0000000..c06899f
--- /dev/null
+++ b/testsuite/integration-arquillian/servers/eap6/src/main/xslt/datasource.xsl
@@ -0,0 +1,94 @@
+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+                xmlns:xalan="http://xml.apache.org/xalan"
+                xmlns:j="urn:jboss:domain:3.0"
+                xmlns:ds="urn:jboss:domain:datasources:3.0"
+                xmlns:k="urn:jboss:domain:keycloak:1.1"
+                xmlns:sec="urn:jboss:domain:security:1.2"
+                version="2.0"
+                exclude-result-prefixes="xalan j ds k sec">
+
+    <xsl:output method="xml" version="1.0" encoding="UTF-8" indent="yes" xalan:indent-amount="4" standalone="no"/>
+    <xsl:strip-space elements="*"/>
+
+
+    <xsl:variable name="nsDS" select="'urn:jboss:domain:datasources:'"/>
+    
+    <!-- Remove keycloak datasource definition. -->
+    <xsl:template match="//*[local-name()='subsystem' and starts-with(namespace-uri(), $nsDS)]
+		         /*[local-name()='datasources' and starts-with(namespace-uri(), $nsDS)]
+                         /*[local-name()='datasource' and starts-with(namespace-uri(), $nsDS) and @pool-name='KeycloakDS']">
+    </xsl:template>
+    
+    <xsl:param name="jdbc.url" select="'jdbc:h2:${jboss.server.data.dir}/keycloak;AUTO_SERVER=TRUE'"/>
+    <xsl:param name="driver" select="'h2'"/>
+    
+    <xsl:param name="username" select="'sa'"/>
+    <xsl:param name="password" select="'sa'"/>
+    
+    <xsl:param name="min.poolsize" select="'10'"/>
+    <xsl:param name="max.poolsize" select="'50'"/>
+    <xsl:param name="pool.prefill" select="'true'"/>
+    
+    <xsl:variable name="newDatasourceDefinition">
+        <datasource jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS" enabled="true" use-java-context="true">
+            <connection-url>
+                <xsl:value-of select="$jdbc.url"/>
+            </connection-url>
+            <driver>
+                <xsl:value-of select="$driver"/>
+            </driver>
+            <security>
+                <user-name>
+                    <xsl:value-of select="$username"/>
+                </user-name>
+                <password>
+                    <xsl:value-of select="$password"/>
+                </password>
+            </security>
+            <pool>
+                <min-pool-size>
+                    <xsl:value-of select="$min.poolsize"/>
+                </min-pool-size>
+                <max-pool-size>
+                    <xsl:value-of select="$max.poolsize"/>
+                </max-pool-size>
+                <prefill>
+                    <xsl:value-of select="$pool.prefill"/>
+                </prefill>
+            </pool>
+        </datasource>
+    </xsl:variable>
+    
+    <xsl:variable name="newDriverDefinition">
+        <xsl:if test="$driver != 'h2'">
+            <driver name="{$driver}" module="com.{$driver}" />
+        </xsl:if>
+    </xsl:variable>
+    
+    <!-- Add new datasource definition. -->
+    <xsl:template match="//*[local-name()='subsystem' and starts-with(namespace-uri(), $nsDS)]
+		         /*[local-name()='datasources' and starts-with(namespace-uri(), $nsDS)]">
+        <xsl:copy>
+            <xsl:copy-of select="$newDatasourceDefinition"/>
+            <xsl:apply-templates select="@* | node()" />
+        </xsl:copy>
+    </xsl:template>
+    
+    <!-- Add new driver definition. -->
+    <xsl:template match="//*[local-name()='subsystem' and starts-with(namespace-uri(), $nsDS)]
+		         /*[local-name()='datasources' and starts-with(namespace-uri(), $nsDS)]
+		         /*[local-name()='drivers' and starts-with(namespace-uri(), $nsDS)]">
+        <xsl:copy>
+            <xsl:copy-of select="$newDriverDefinition"/>
+            <xsl:apply-templates select="@* | node()" />
+        </xsl:copy>
+    </xsl:template>
+    
+    <!-- Copy everything else. -->
+    <xsl:template match="@*|node()">
+        <xsl:copy>
+            <xsl:apply-templates select="@*|node()" />
+        </xsl:copy>
+    </xsl:template>
+
+</xsl:stylesheet>
\ No newline at end of file

diff --git a/testsuite/integration-arquillian/servers/eap6/src/main/xslt/module.xsl b/testsuite/integration-arquillian/servers/eap6/src/main/xslt/module.xsl
new file mode 100644
index 0000000..88ac56b
--- /dev/null
+++ b/testsuite/integration-arquillian/servers/eap6/src/main/xslt/module.xsl
@@ -0,0 +1,33 @@
+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+                xmlns:xalan="http://xml.apache.org/xalan"
+                xmlns:m="urn:jboss:module:1.3"
+                version="2.0"
+                exclude-result-prefixes="xalan m">
+
+    <xsl:output method="xml" version="1.0" encoding="UTF-8" indent="yes" xalan:indent-amount="4" />
+    
+       
+    <xsl:param name="database" select="''"/>
+    <xsl:param name="version" select="''"/>
+    
+    <xsl:variable name="newModuleDefinition">
+        <module xmlns="urn:jboss:module:1.3" name="com.{$database}">
+            <resources>
+                <resource-root path="{$database}-{$version}.jar"/>
+            </resources>
+            <dependencies>
+                <module name="javax.api"/>
+                <module name="javax.transaction.api"/>
+            </dependencies>
+        </module>
+    </xsl:variable>
+    
+    <!-- clear whole document -->
+    <xsl:template match="/*" />
+    
+    <!-- Copy new module definition. -->
+    <xsl:template match="/*">
+        <xsl:copy-of select="$newModuleDefinition"/>
+    </xsl:template>
+
+</xsl:stylesheet>
\ No newline at end of file

diff --git a/testsuite/integration-arquillian/servers/eap6/src/main/xslt/standalone.xsl b/testsuite/integration-arquillian/servers/eap6/src/main/xslt/standalone.xsl
new file mode 100644
index 0000000..4ffc2c6
--- /dev/null
+++ b/testsuite/integration-arquillian/servers/eap6/src/main/xslt/standalone.xsl
@@ -0,0 +1,51 @@
+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+                xmlns:xalan="http://xml.apache.org/xalan"
+                xmlns:j="urn:jboss:domain:1.7"
+                xmlns:ds="urn:jboss:domain:datasources:1.2"
+                xmlns:k="urn:jboss:domain:keycloak:1.1"
+                xmlns:sec="urn:jboss:domain:security:1.1"
+                version="2.0"
+                exclude-result-prefixes="xalan j ds k sec">
+
+    <xsl:param name="config"/>
+
+    <xsl:output method="xml" version="1.0" encoding="UTF-8" indent="yes" xalan:indent-amount="4" standalone="no"/>
+    <xsl:strip-space elements="*"/>
+
+    <xsl:template match="//j:extensions">
+        <xsl:copy>
+            <xsl:apply-templates select="node()|@*"/>
+            <extension module="org.keycloak.keycloak-adapter-subsystem"/>
+        </xsl:copy>
+    </xsl:template>
+
+    <xsl:template match="//j:profile">
+        <xsl:copy>
+            <xsl:apply-templates select="node()|@*"/>
+            <subsystem xmlns="urn:jboss:domain:keycloak:1.1"/>
+        </xsl:copy>
+    </xsl:template>
+
+    <xsl:template match="//sec:security-domains">
+        <xsl:copy>
+            <xsl:apply-templates select="node()[name(.)='security-domain']"/>
+            <security-domain name="keycloak">
+                <authentication>
+                    <login-module code="org.keycloak.adapters.jboss.KeycloakLoginModule" flag="required"/>
+                </authentication>
+            </security-domain>
+            <security-domain name="sp" cache-type="default">
+                <authentication>
+                    <login-module code="org.picketlink.identity.federation.bindings.wildfly.SAML2LoginModule" flag="required"/>
+                </authentication>
+            </security-domain>
+        </xsl:copy>
+    </xsl:template>
+
+    <xsl:template match="@*|node()">
+        <xsl:copy>
+            <xsl:apply-templates select="@*|node()" />
+        </xsl:copy>
+    </xsl:template>
+
+</xsl:stylesheet>
\ No newline at end of file

diff --git a/testsuite/integration-arquillian/servers/pom.xml b/testsuite/integration-arquillian/servers/pom.xml
new file mode 100644
index 0000000..254e40e
--- /dev/null
+++ b/testsuite/integration-arquillian/servers/pom.xml
@@ -0,0 +1,49 @@
+<?xml version="1.0"?>
+<project xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd" xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+    <parent>
+        <groupId>org.keycloak.testsuite</groupId>
+        <artifactId>integration-arquillian</artifactId>
+        <version>1.6.0.Final-SNAPSHOT</version>
+    </parent>
+    <modelVersion>4.0.0</modelVersion>
+
+    <artifactId>integration-arquillian-servers</artifactId>
+    <packaging>pom</packaging>
+    <name>Servers</name>
+
+    <profiles>
+        <profile>
+            <id>auth-server-wildfly</id>
+            <modules>
+                <module>wildfly</module>
+            </modules>
+        </profile>
+        <profile>
+            <id>auth-server-eap6</id>
+            <modules>
+                <!--doesn't work yet, WIP-->
+                <module>eap6</module>
+            </modules>
+        </profile>
+        <profile>
+            <id>migration-kc14</id>
+            <modules>
+                <module>wildfly_kc14</module>
+            </modules>
+        </profile>
+        <profile>
+            <id>migration-kc13</id>
+            <modules>
+                <module>wildfly_kc13</module>
+            </modules>
+        </profile>
+        <profile>
+            <id>migration-kc12</id>
+            <modules>
+                <module>wildfly_kc12</module>
+            </modules>
+        </profile>
+    </profiles>    
+
+</project>

diff --git a/testsuite/integration-arquillian/servers/wildfly/assembly.xml b/testsuite/integration-arquillian/servers/wildfly/assembly.xml
new file mode 100644
index 0000000..bfcad35
--- /dev/null
+++ b/testsuite/integration-arquillian/servers/wildfly/assembly.xml
@@ -0,0 +1,29 @@
+<assembly>
+    
+    <id>auth-server-wildfly</id>
+
+    <formats>
+        <format>zip</format>
+    </formats>
+
+    <includeBaseDirectory>false</includeBaseDirectory>
+
+    <fileSets>
+        <fileSet>
+            <directory>${keycloak.server.home}</directory>
+            <outputDirectory>keycloak-${project.version}</outputDirectory>
+            <excludes>
+                <exclude>**/*.sh</exclude>
+            </excludes>
+        </fileSet>
+        <fileSet>
+            <directory>${keycloak.server.home}</directory>
+            <outputDirectory>keycloak-${project.version}</outputDirectory>
+            <includes>
+                <include>**/*.sh</include>
+            </includes>
+            <fileMode>0755</fileMode>
+        </fileSet>
+    </fileSets>
+
+</assembly>

diff --git a/testsuite/integration-arquillian/servers/wildfly/pom.xml b/testsuite/integration-arquillian/servers/wildfly/pom.xml
new file mode 100644
index 0000000..e2b91e7
--- /dev/null
+++ b/testsuite/integration-arquillian/servers/wildfly/pom.xml
@@ -0,0 +1,372 @@
+<?xml version="1.0"?>
+<project xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd" xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+    <parent>
+        <groupId>org.keycloak.testsuite</groupId>
+        <artifactId>integration-arquillian-servers</artifactId>
+        <version>1.6.0.Final-SNAPSHOT</version>
+    </parent>
+    <modelVersion>4.0.0</modelVersion>
+
+    <artifactId>integration-arquillian-server-wildfly</artifactId>
+    <packaging>pom</packaging>
+    <name>Server on Wildfly</name>
+    
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-deploy-plugin</artifactId>
+                <configuration>
+                    <skip>true</skip>
+                </configuration>
+            </plugin>            
+            <plugin>
+                <artifactId>maven-assembly-plugin</artifactId>
+                <executions>
+                    <execution>
+                        <id>create-zip</id>
+                        <phase>package</phase>
+                        <goals>
+                            <goal>single</goal>
+                        </goals>
+                        <configuration>
+                            <descriptors>
+                                <descriptor>assembly.xml</descriptor>
+                            </descriptors>
+                            <appendAssemblyId>false</appendAssemblyId>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
+        </plugins>
+    </build>
+    
+    <profiles>
+        <profile>
+            <id>server-overlay</id>
+            <activation>
+                <property>
+                    <name>server-overlay</name>
+                </property>
+            </activation>
+            <properties>
+                <keycloak.server.home>${project.build.directory}/unpacked/wildfly-${wildfly.version}</keycloak.server.home>
+            </properties>
+            <build>
+                <plugins>
+                    <plugin>
+                        <groupId>org.apache.maven.plugins</groupId>
+                        <artifactId>maven-dependency-plugin</artifactId>
+                        <executions>
+                            <execution>
+                                <id>unpack-wildfly-and-server-overlay</id>
+                                <phase>generate-resources</phase>
+                                <goals>
+                                    <goal>unpack</goal>
+                                </goals>
+                                <configuration>
+                                    <artifactItems>
+                                        <artifactItem>
+                                            <groupId>org.wildfly</groupId>
+                                            <artifactId>wildfly-dist</artifactId>
+                                            <version>${wildfly.version}</version>
+                                            <type>zip</type>
+                                            <outputDirectory>${project.build.directory}/unpacked</outputDirectory>
+                                        </artifactItem>
+                                        <artifactItem>
+                                            <groupId>org.keycloak</groupId>
+                                            <artifactId>keycloak-server-overlay</artifactId>
+                                            <version>${project.version}</version>
+                                            <type>zip</type>
+                                            <outputDirectory>${keycloak.server.home}</outputDirectory>
+                                        </artifactItem>
+                                    </artifactItems>
+                                </configuration>
+                            </execution>
+                        </executions>
+                    </plugin>
+                    <plugin>
+                        <groupId>org.apache.maven.plugins</groupId>
+                        <artifactId>maven-antrun-plugin</artifactId>
+                        <version>1.8</version>
+                        <executions>
+                            <execution>
+                                <id>move-standalone-keycloak-xml</id>
+                                <phase>process-resources</phase>
+                                <goals>
+                                    <goal>run</goal>
+                                </goals>
+                                <configuration>
+                                    <tasks>
+                                        <move file="${keycloak.server.home}/standalone/configuration/standalone-keycloak.xml" 
+                                              tofile="${keycloak.server.home}/standalone/configuration/standalone.xml"/>
+                                    </tasks>
+                                </configuration>
+                            </execution>
+                        </executions>
+                    </plugin>
+                </plugins>
+            </build>
+        </profile>
+        
+        <profile>
+            <id>server-dist</id>
+            <activation>
+                <property>
+                    <name>!server-overlay</name>
+                </property>
+            </activation>
+            <properties>
+                <keycloak.server.home>${project.build.directory}/unpacked/keycloak-${project.version}</keycloak.server.home>
+            </properties>
+            <dependencies>
+                <dependency>
+                    <groupId>org.keycloak</groupId>
+                    <artifactId>keycloak-server-dist</artifactId>
+                    <type>zip</type>
+                </dependency>
+            </dependencies>
+            <build>
+                <plugins>
+                    <plugin>
+                        <groupId>org.apache.maven.plugins</groupId>
+                        <artifactId>maven-dependency-plugin</artifactId>
+                        <executions>
+                            <execution>
+                                <id>unpack-server</id>
+                                <phase>generate-resources</phase>
+                                <goals>
+                                    <goal>unpack</goal>
+                                </goals>
+                                <configuration>
+                                    <artifactItems>
+                                        <artifactItem>
+                                            <groupId>org.keycloak</groupId>
+                                            <artifactId>keycloak-server-dist</artifactId>
+                                            <version>${project.version}</version>
+                                            <type>zip</type>
+                                            <outputDirectory>${project.build.directory}/unpacked</outputDirectory>
+                                        </artifactItem>
+                                    </artifactItems>
+                                </configuration>
+                            </execution>
+                        </executions>
+                    </plugin>
+                </plugins>
+            </build>
+        </profile>
+        
+        <profile>
+            <id>adapter-libs-provided</id>
+            <activation>    
+                <property>
+                    <name>!adapter.libs.bundled</name>
+                </property>
+            </activation>
+            <dependencies>
+                <dependency>
+                    <groupId>org.keycloak</groupId>
+                    <artifactId>keycloak-wf9-adapter-dist</artifactId>
+                    <type>zip</type>
+                </dependency>
+            </dependencies>
+            <build>
+                <plugins>
+                    <plugin>
+                        <groupId>org.apache.maven.plugins</groupId>
+                        <artifactId>maven-dependency-plugin</artifactId>
+                        <executions>
+                            <execution>
+                                <id>unpack-adapter</id>
+                                <phase>generate-resources</phase>
+                                <goals>
+                                    <goal>unpack</goal>
+                                </goals>
+                                <configuration>
+                                    <artifactItems>
+                                        <artifactItem>
+                                            <groupId>org.keycloak</groupId>
+                                            <artifactId>keycloak-wf9-adapter-dist</artifactId>
+                                            <version>${project.version}</version>
+                                            <type>zip</type>
+                                            <outputDirectory>${keycloak.server.home}</outputDirectory>
+                                        </artifactItem>
+                                    </artifactItems>
+                                </configuration>
+                            </execution>
+                        </executions>
+                    </plugin>
+                    <plugin>
+                        <groupId>org.codehaus.mojo</groupId>
+                        <artifactId>xml-maven-plugin</artifactId>
+                        <executions>
+                            <execution>
+                                <id>configure-adapter-subsystem</id>
+                                <phase>process-resources</phase>
+                                <goals>
+                                    <goal>transform</goal>
+                                </goals>
+                                <configuration>
+                                    <transformationSets>
+                                        <transformationSet>
+                                            <dir>${keycloak.server.home}/standalone/configuration</dir>
+                                            <includes>
+                                                <include>standalone.xml</include>
+                                            </includes>
+                                            <stylesheet>src/main/xslt/standalone.xsl</stylesheet>
+                                            <outputDir>${keycloak.server.home}/standalone/configuration</outputDir>
+                                        </transformationSet>
+                                    </transformationSets>
+                                </configuration>
+                            </execution>
+                        </executions>
+                    </plugin>
+                </plugins>
+            </build>
+        </profile>
+        <profile>
+            <id>jpa</id>
+            <properties>
+                <jdbc.mvn.driver.deployment.dir>${keycloak.server.home}/modules/system/layers/base/com/${jdbc.mvn.artifactId}/main</jdbc.mvn.driver.deployment.dir>
+            </properties>
+            <build>
+                <plugins>
+                    <plugin>
+                        <groupId>org.apache.maven.plugins</groupId>
+                        <artifactId>maven-enforcer-plugin</artifactId>
+                        <version>1.4</version>
+                        <executions>
+                            <execution>
+                                <id>enforce-properties</id>
+                                <goals>
+                                    <goal>enforce</goal>
+                                </goals>
+                                <configuration>
+                                    <rules>
+                                        <requireProperty>
+                                            <property>jdbc.mvn.groupId</property>
+                                        </requireProperty>
+                                        <requireProperty>
+                                            <property>jdbc.mvn.artifactId</property>
+                                        </requireProperty>
+                                        <requireProperty>
+                                            <property>jdbc.mvn.version</property>
+                                        </requireProperty>
+                                        <requireProperty>
+                                            <property>keycloak.connectionsJpa.url</property>
+                                        </requireProperty>
+                                        <requireProperty>
+                                            <property>keycloak.connectionsJpa.user</property>
+                                        </requireProperty>
+                                        <requireProperty>
+                                            <property>keycloak.connectionsJpa.password</property>
+                                        </requireProperty>
+                                    </rules>
+                                </configuration>
+                            </execution>
+                        </executions>
+                    </plugin>
+                    <plugin>
+                        <groupId>org.apache.maven.plugins</groupId>
+                        <artifactId>maven-dependency-plugin</artifactId>
+                        <executions>
+                            <execution>
+                                <id>jdbc-driver</id>
+                                <phase>process-resources</phase>
+                                <goals>
+                                    <goal>copy</goal>
+                                </goals>
+                                <configuration>
+                                    <artifactItems>
+                                        <artifactItem>
+                                            <groupId>${jdbc.mvn.groupId}</groupId>
+                                            <artifactId>${jdbc.mvn.artifactId}</artifactId>        
+                                            <version>${jdbc.mvn.version}</version>
+                                            <type>jar</type>
+                                        </artifactItem>
+                                    </artifactItems>
+                                    <outputDirectory>${jdbc.mvn.driver.deployment.dir}</outputDirectory>
+                                    <overWriteIfNewer>true</overWriteIfNewer>
+                                </configuration>
+                            </execution>
+                        </executions>
+                    </plugin>
+                    <plugin>
+                        <groupId>org.codehaus.mojo</groupId>
+                        <artifactId>xml-maven-plugin</artifactId>
+                        <executions>
+                            <execution>
+                                <id>configure-wildfly-datasource</id>
+                                <phase>process-resources</phase>
+                                <goals>
+                                    <goal>transform</goal>
+                                </goals>
+                                <configuration>
+                                    <transformationSets>
+                                        <!-- create module.xml in modules -->
+                                        <transformationSet>
+                                            <dir>${keycloak.server.home}/modules/system/layers/base/com/h2database/h2/main</dir>
+                                            <stylesheet>src/main/xslt/module.xsl</stylesheet>
+                                            <includes>
+                                                <include>module.xml</include>
+                                            </includes>
+                                            <outputDir>${jdbc.mvn.driver.deployment.dir}</outputDir>
+                                            <parameters>
+                                                <parameter>
+                                                    <name>database</name>
+                                                    <value>${jdbc.mvn.artifactId}</value>
+                                                </parameter>
+                                                <parameter>
+                                                    <name>version</name>
+                                                    <value>${jdbc.mvn.version}</value>
+                                                </parameter>
+                                            </parameters>
+                                        </transformationSet>
+                                        <!-- add datasource to standalone.xml -->
+                                        <transformationSet>
+                                            <dir>${keycloak.server.home}/standalone/configuration</dir>
+                                            <stylesheet>src/main/xslt/datasource.xsl</stylesheet>
+                                            <includes>
+                                                <include>standalone.xml</include>
+                                            </includes>
+                                            <outputDir>${keycloak.server.home}/standalone/configuration</outputDir>
+                                            <parameters>
+                                                <parameter>
+                                                    <name>jdbc.url</name>
+                                                    <value>${keycloak.connectionsJpa.url}</value>
+                                                </parameter>
+                                                <parameter>
+                                                    <name>driver</name>
+                                                    <value>${jdbc.mvn.artifactId}</value>
+                                                </parameter>
+                                                <parameter>
+                                                    <name>username</name>
+                                                    <value>${keycloak.connectionsJpa.user}</value>
+                                                </parameter>
+                                                <parameter>
+                                                    <name>password</name>
+                                                    <value>${keycloak.connectionsJpa.password}</value>
+                                                </parameter>
+                                            </parameters>
+                                        </transformationSet>
+                                        <!-- add logger for org.hibernate.dialect.Dialect -->
+                                        <transformationSet>
+                                            <dir>${keycloak.server.home}/standalone/configuration</dir>
+                                            <stylesheet>src/main/xslt/add-dialect-logger.xsl</stylesheet>
+                                            <includes>
+                                                <include>standalone.xml</include>
+                                            </includes>
+                                            <outputDir>${keycloak.server.home}/standalone/configuration</outputDir>
+                                        </transformationSet>
+                                    </transformationSets>
+                                </configuration>
+                            </execution>
+                        </executions>
+                    </plugin>
+                </plugins>
+            </build>
+        </profile>        
+    </profiles>
+    
+</project>

diff --git a/testsuite/integration-arquillian/servers/wildfly/src/main/xslt/add-dialect-logger.xsl b/testsuite/integration-arquillian/servers/wildfly/src/main/xslt/add-dialect-logger.xsl
new file mode 100644
index 0000000..b5dc8c4
--- /dev/null
+++ b/testsuite/integration-arquillian/servers/wildfly/src/main/xslt/add-dialect-logger.xsl
@@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" 
+                xmlns:xalan="http://xml.apache.org/xalan" 
+                version="2.0"
+                exclude-result-prefixes="xalan">
+    
+    <xsl:output method="xml" version="1.0" encoding="UTF-8" indent="yes" xalan:indent-amount="4" standalone="no"/>
+
+    <xsl:variable name="nsDS" select="'urn:jboss:domain:logging:'"/>
+
+    <xsl:template match="//*[local-name()='subsystem' and starts-with(namespace-uri(), $nsDS)]
+                        /*[local-name()='root-logger' and starts-with(namespace-uri(), $nsDS)]">
+        <logger category="org.hibernate.dialect.Dialect">
+            <level name="ALL"/>
+        </logger>
+        <xsl:copy>
+            <xsl:apply-templates select="@* | node()" />
+        </xsl:copy>
+    </xsl:template>
+
+    <!-- Copy everything else. -->
+    <xsl:template match="@* | node()">
+        <xsl:copy>
+            <xsl:apply-templates select="@* | node()"/>
+        </xsl:copy>
+    </xsl:template>
+
+</xsl:stylesheet>
\ No newline at end of file

diff --git a/testsuite/integration-arquillian/servers/wildfly/src/main/xslt/datasource.xsl b/testsuite/integration-arquillian/servers/wildfly/src/main/xslt/datasource.xsl
new file mode 100644
index 0000000..c06899f
--- /dev/null
+++ b/testsuite/integration-arquillian/servers/wildfly/src/main/xslt/datasource.xsl
@@ -0,0 +1,94 @@
+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+                xmlns:xalan="http://xml.apache.org/xalan"
+                xmlns:j="urn:jboss:domain:3.0"
+                xmlns:ds="urn:jboss:domain:datasources:3.0"
+                xmlns:k="urn:jboss:domain:keycloak:1.1"
+                xmlns:sec="urn:jboss:domain:security:1.2"
+                version="2.0"
+                exclude-result-prefixes="xalan j ds k sec">
+
+    <xsl:output method="xml" version="1.0" encoding="UTF-8" indent="yes" xalan:indent-amount="4" standalone="no"/>
+    <xsl:strip-space elements="*"/>
+
+
+    <xsl:variable name="nsDS" select="'urn:jboss:domain:datasources:'"/>
+    
+    <!-- Remove keycloak datasource definition. -->
+    <xsl:template match="//*[local-name()='subsystem' and starts-with(namespace-uri(), $nsDS)]
+		         /*[local-name()='datasources' and starts-with(namespace-uri(), $nsDS)]
+                         /*[local-name()='datasource' and starts-with(namespace-uri(), $nsDS) and @pool-name='KeycloakDS']">
+    </xsl:template>
+    
+    <xsl:param name="jdbc.url" select="'jdbc:h2:${jboss.server.data.dir}/keycloak;AUTO_SERVER=TRUE'"/>
+    <xsl:param name="driver" select="'h2'"/>
+    
+    <xsl:param name="username" select="'sa'"/>
+    <xsl:param name="password" select="'sa'"/>
+    
+    <xsl:param name="min.poolsize" select="'10'"/>
+    <xsl:param name="max.poolsize" select="'50'"/>
+    <xsl:param name="pool.prefill" select="'true'"/>
+    
+    <xsl:variable name="newDatasourceDefinition">
+        <datasource jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS" enabled="true" use-java-context="true">
+            <connection-url>
+                <xsl:value-of select="$jdbc.url"/>
+            </connection-url>
+            <driver>
+                <xsl:value-of select="$driver"/>
+            </driver>
+            <security>
+                <user-name>
+                    <xsl:value-of select="$username"/>
+                </user-name>
+                <password>
+                    <xsl:value-of select="$password"/>
+                </password>
+            </security>
+            <pool>
+                <min-pool-size>
+                    <xsl:value-of select="$min.poolsize"/>
+                </min-pool-size>
+                <max-pool-size>
+                    <xsl:value-of select="$max.poolsize"/>
+                </max-pool-size>
+                <prefill>
+                    <xsl:value-of select="$pool.prefill"/>
+                </prefill>
+            </pool>
+        </datasource>
+    </xsl:variable>
+    
+    <xsl:variable name="newDriverDefinition">
+        <xsl:if test="$driver != 'h2'">
+            <driver name="{$driver}" module="com.{$driver}" />
+        </xsl:if>
+    </xsl:variable>
+    
+    <!-- Add new datasource definition. -->
+    <xsl:template match="//*[local-name()='subsystem' and starts-with(namespace-uri(), $nsDS)]
+		         /*[local-name()='datasources' and starts-with(namespace-uri(), $nsDS)]">
+        <xsl:copy>
+            <xsl:copy-of select="$newDatasourceDefinition"/>
+            <xsl:apply-templates select="@* | node()" />
+        </xsl:copy>
+    </xsl:template>
+    
+    <!-- Add new driver definition. -->
+    <xsl:template match="//*[local-name()='subsystem' and starts-with(namespace-uri(), $nsDS)]
+		         /*[local-name()='datasources' and starts-with(namespace-uri(), $nsDS)]
+		         /*[local-name()='drivers' and starts-with(namespace-uri(), $nsDS)]">
+        <xsl:copy>
+            <xsl:copy-of select="$newDriverDefinition"/>
+            <xsl:apply-templates select="@* | node()" />
+        </xsl:copy>
+    </xsl:template>
+    
+    <!-- Copy everything else. -->
+    <xsl:template match="@*|node()">
+        <xsl:copy>
+            <xsl:apply-templates select="@*|node()" />
+        </xsl:copy>
+    </xsl:template>
+
+</xsl:stylesheet>
\ No newline at end of file

diff --git a/testsuite/integration-arquillian/servers/wildfly/src/main/xslt/module.xsl b/testsuite/integration-arquillian/servers/wildfly/src/main/xslt/module.xsl
new file mode 100644
index 0000000..88ac56b
--- /dev/null
+++ b/testsuite/integration-arquillian/servers/wildfly/src/main/xslt/module.xsl
@@ -0,0 +1,33 @@
+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+                xmlns:xalan="http://xml.apache.org/xalan"
+                xmlns:m="urn:jboss:module:1.3"
+                version="2.0"
+                exclude-result-prefixes="xalan m">
+
+    <xsl:output method="xml" version="1.0" encoding="UTF-8" indent="yes" xalan:indent-amount="4" />
+    
+       
+    <xsl:param name="database" select="''"/>
+    <xsl:param name="version" select="''"/>
+    
+    <xsl:variable name="newModuleDefinition">
+        <module xmlns="urn:jboss:module:1.3" name="com.{$database}">
+            <resources>
+                <resource-root path="{$database}-{$version}.jar"/>
+            </resources>
+            <dependencies>
+                <module name="javax.api"/>
+                <module name="javax.transaction.api"/>
+            </dependencies>
+        </module>
+    </xsl:variable>
+    
+    <!-- clear whole document -->
+    <xsl:template match="/*" />
+    
+    <!-- Copy new module definition. -->
+    <xsl:template match="/*">
+        <xsl:copy-of select="$newModuleDefinition"/>
+    </xsl:template>
+
+</xsl:stylesheet>
\ No newline at end of file

diff --git a/testsuite/integration-arquillian/servers/wildfly/src/main/xslt/standalone.xsl b/testsuite/integration-arquillian/servers/wildfly/src/main/xslt/standalone.xsl
new file mode 100644
index 0000000..a483717
--- /dev/null
+++ b/testsuite/integration-arquillian/servers/wildfly/src/main/xslt/standalone.xsl
@@ -0,0 +1,51 @@
+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+                xmlns:xalan="http://xml.apache.org/xalan"
+                xmlns:j="urn:jboss:domain:3.0"
+                xmlns:ds="urn:jboss:domain:datasources:3.0"
+                xmlns:k="urn:jboss:domain:keycloak:1.1"
+                xmlns:sec="urn:jboss:domain:security:1.2"
+                version="2.0"
+                exclude-result-prefixes="xalan j ds k sec">
+
+    <xsl:param name="config"/>
+
+    <xsl:output method="xml" version="1.0" encoding="UTF-8" indent="yes" xalan:indent-amount="4" standalone="no"/>
+    <xsl:strip-space elements="*"/>
+
+    <xsl:template match="//j:extensions">
+        <xsl:copy>
+            <xsl:apply-templates select="node()|@*"/>
+            <extension module="org.keycloak.keycloak-adapter-subsystem"/>
+        </xsl:copy>
+    </xsl:template>
+
+    <xsl:template match="//j:profile">
+        <xsl:copy>
+            <xsl:apply-templates select="node()|@*"/>
+            <subsystem xmlns="urn:jboss:domain:keycloak:1.1"/>
+        </xsl:copy>
+    </xsl:template>
+
+    <xsl:template match="//sec:security-domains">
+        <xsl:copy>
+            <xsl:apply-templates select="node()[name(.)='security-domain']"/>
+            <security-domain name="keycloak">
+                <authentication>
+                    <login-module code="org.keycloak.adapters.jboss.KeycloakLoginModule" flag="required"/>
+                </authentication>
+            </security-domain>
+            <security-domain name="sp" cache-type="default">
+                <authentication>
+                    <login-module code="org.picketlink.identity.federation.bindings.wildfly.SAML2LoginModule" flag="required"/>
+                </authentication>
+            </security-domain>
+        </xsl:copy>
+    </xsl:template>
+
+    <xsl:template match="@*|node()">
+        <xsl:copy>
+            <xsl:apply-templates select="@*|node()" />
+        </xsl:copy>
+    </xsl:template>
+
+</xsl:stylesheet>
\ No newline at end of file

diff --git a/testsuite/integration-arquillian/servers/wildfly_kc12/assembly.xml b/testsuite/integration-arquillian/servers/wildfly_kc12/assembly.xml
new file mode 100644
index 0000000..b3e9e20
--- /dev/null
+++ b/testsuite/integration-arquillian/servers/wildfly_kc12/assembly.xml
@@ -0,0 +1,29 @@
+<assembly>
+    
+    <id>auth-server-wildfly-kc14</id>
+
+    <formats>
+        <format>zip</format>
+    </formats>
+
+    <includeBaseDirectory>false</includeBaseDirectory>
+
+    <fileSets>
+        <fileSet>
+            <directory>${keycloak.server.home}</directory>
+            <outputDirectory>keycloak-1.2.0.Final</outputDirectory>
+            <excludes>
+                <exclude>**/*.sh</exclude>
+            </excludes>
+        </fileSet>
+        <fileSet>
+            <directory>${keycloak.server.home}</directory>
+            <outputDirectory>keycloak-1.2.0.Final</outputDirectory>
+            <includes>
+                <include>**/*.sh</include>
+            </includes>
+            <fileMode>0755</fileMode>
+        </fileSet>
+    </fileSets>
+
+</assembly>

diff --git a/testsuite/integration-arquillian/servers/wildfly_kc12/pom.xml b/testsuite/integration-arquillian/servers/wildfly_kc12/pom.xml
new file mode 100644
index 0000000..2d98af1
--- /dev/null
+++ b/testsuite/integration-arquillian/servers/wildfly_kc12/pom.xml
@@ -0,0 +1,199 @@
+<?xml version="1.0"?>
+<project xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd" xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+    <parent>
+        <groupId>org.keycloak.testsuite</groupId>
+        <artifactId>integration-arquillian-servers</artifactId>
+        <version>1.6.0.Final-SNAPSHOT</version>
+    </parent>
+    <modelVersion>4.0.0</modelVersion>
+
+    <artifactId>integration-arquillian-server-wildfly-kc12 </artifactId>
+    <packaging>pom</packaging>
+    <name>Keycloak 1.2.0.Final on Wildfly</name>
+    
+    <properties>
+        <keycloak.server.home>${project.build.directory}/unpacked/keycloak-1.2.0.Final</keycloak.server.home>
+        <jdbc.mvn.driver.deployment.dir>${keycloak.server.home}/modules/system/layers/base/com/${jdbc.mvn.artifactId}/main</jdbc.mvn.driver.deployment.dir>
+    </properties>
+    
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-deploy-plugin</artifactId>
+                <configuration>
+                    <skip>true</skip>
+                </configuration>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-enforcer-plugin</artifactId>
+                <version>1.4</version>
+                <executions>
+                    <execution>
+                        <id>enforce-properties</id>
+                        <goals>
+                            <goal>enforce</goal>
+                        </goals>
+                        <configuration>
+                            <rules>
+                                <requireProperty>
+                                    <property>jdbc.mvn.groupId</property>
+                                </requireProperty>
+                                <requireProperty>
+                                    <property>jdbc.mvn.artifactId</property>
+                                </requireProperty>
+                                <requireProperty>
+                                    <property>jdbc.mvn.version</property>
+                                </requireProperty>
+                                <requireProperty>
+                                    <property>keycloak.connectionsJpa.url</property>
+                                </requireProperty>
+                                <requireProperty>
+                                    <property>keycloak.connectionsJpa.user</property>
+                                </requireProperty>
+                                <requireProperty>
+                                    <property>keycloak.connectionsJpa.password</property>
+                                </requireProperty>
+                            </rules>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-dependency-plugin</artifactId>
+                <executions>
+                    <execution>
+                        <id>unpack-server</id>
+                        <phase>generate-resources</phase>
+                        <goals>
+                            <goal>unpack</goal>
+                        </goals>
+                        <configuration>
+                            <artifactItems>
+                                <artifactItem>
+                                    <groupId>org.keycloak</groupId>
+                                    <artifactId>keycloak-server-dist</artifactId>
+                                    <version>1.2.0.Final</version>
+                                    <type>zip</type>
+                                    <outputDirectory>${project.build.directory}/unpacked</outputDirectory>
+                                </artifactItem>
+                            </artifactItems>
+                        </configuration>
+                    </execution>
+                    <execution>
+                        <id>jdbc-driver</id>
+                        <phase>process-resources</phase>
+                        <goals>
+                            <goal>copy</goal>
+                        </goals>
+                        <configuration>
+                            <artifactItems>
+                                <artifactItem>
+                                    <groupId>${jdbc.mvn.groupId}</groupId>
+                                    <artifactId>${jdbc.mvn.artifactId}</artifactId>
+                                    <version>${jdbc.mvn.version}</version>
+                                    <type>jar</type>
+                                </artifactItem>
+                            </artifactItems>
+                            <outputDirectory>${jdbc.mvn.driver.deployment.dir}</outputDirectory>
+                            <overWriteIfNewer>true</overWriteIfNewer>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
+            <plugin>
+                <groupId>org.codehaus.mojo</groupId>
+                <artifactId>xml-maven-plugin</artifactId>
+                <executions>
+                    <execution>
+                        <id>configure-wildfly-datasource</id>
+                        <phase>process-resources</phase>
+                        <goals>
+                            <goal>transform</goal>
+                        </goals>
+                        <configuration>
+                            <transformationSets>
+                                <!-- create module.xml in modules -->
+                                <transformationSet>
+                                    <dir>${keycloak.server.home}/modules/system/layers/base/com/h2database/h2/main</dir>
+                                    <stylesheet>src/main/xslt/module.xsl</stylesheet>
+                                    <includes>
+                                        <include>module.xml</include>
+                                    </includes>
+                                    <outputDir>${jdbc.mvn.driver.deployment.dir}</outputDir>
+                                    <parameters>
+                                        <parameter>
+                                            <name>database</name>
+                                            <value>${jdbc.mvn.artifactId}</value>
+                                        </parameter>
+                                        <parameter>
+                                            <name>version</name>
+                                            <value>${jdbc.mvn.version}</value>
+                                        </parameter>
+                                    </parameters>
+                                </transformationSet>
+                                <!-- add datasource to standalone.xml -->
+                                <transformationSet>
+                                    <dir>${keycloak.server.home}/standalone/configuration</dir>
+                                    <stylesheet>src/main/xslt/datasource.xsl</stylesheet>
+                                    <includes>
+                                        <include>standalone.xml</include>
+                                    </includes>
+                                    <outputDir>${keycloak.server.home}/standalone/configuration</outputDir>
+                                    <parameters>
+                                        <parameter>
+                                            <name>jdbc.url</name>
+                                            <value>${keycloak.connectionsJpa.url}</value>
+                                        </parameter>
+                                        <parameter>
+                                            <name>driver</name>
+                                            <value>${jdbc.mvn.artifactId}</value>
+                                        </parameter>
+                                        <parameter>
+                                            <name>username</name>
+                                            <value>${keycloak.connectionsJpa.user}</value>
+                                        </parameter>
+                                        <parameter>
+                                            <name>password</name>
+                                            <value>${keycloak.connectionsJpa.password}</value>
+                                        </parameter>
+                                    </parameters>
+                                </transformationSet>
+                                <!-- add logger for org.hibernate.dialect.Dialect to standalone.xml-->
+                                <transformationSet>
+                                    <dir>${keycloak.server.home}/standalone/configuration</dir>
+                                    <stylesheet>src/main/xslt/add-dialect-logger.xsl</stylesheet>
+                                    <includes>
+                                        <include>standalone.xml</include>
+                                    </includes>
+                                    <outputDir>${keycloak.server.home}/standalone/configuration</outputDir>
+                                </transformationSet>
+                            </transformationSets>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
+            <plugin>
+                <artifactId>maven-assembly-plugin</artifactId>
+                <executions>
+                    <execution>
+                        <id>create-zip</id>
+                        <phase>package</phase>
+                        <goals>
+                            <goal>single</goal>
+                        </goals>
+                        <configuration>
+                            <descriptors>
+                                <descriptor>assembly.xml</descriptor>
+                            </descriptors>
+                            <appendAssemblyId>false</appendAssemblyId>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
+        </plugins>
+    </build>
+</project>

diff --git a/testsuite/integration-arquillian/servers/wildfly_kc12/src/main/xslt/add-dialect-logger.xsl b/testsuite/integration-arquillian/servers/wildfly_kc12/src/main/xslt/add-dialect-logger.xsl
new file mode 100644
index 0000000..b5dc8c4
--- /dev/null
+++ b/testsuite/integration-arquillian/servers/wildfly_kc12/src/main/xslt/add-dialect-logger.xsl
@@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" 
+                xmlns:xalan="http://xml.apache.org/xalan" 
+                version="2.0"
+                exclude-result-prefixes="xalan">
+    
+    <xsl:output method="xml" version="1.0" encoding="UTF-8" indent="yes" xalan:indent-amount="4" standalone="no"/>
+
+    <xsl:variable name="nsDS" select="'urn:jboss:domain:logging:'"/>
+
+    <xsl:template match="//*[local-name()='subsystem' and starts-with(namespace-uri(), $nsDS)]
+                        /*[local-name()='root-logger' and starts-with(namespace-uri(), $nsDS)]">
+        <logger category="org.hibernate.dialect.Dialect">
+            <level name="ALL"/>
+        </logger>
+        <xsl:copy>
+            <xsl:apply-templates select="@* | node()" />
+        </xsl:copy>
+    </xsl:template>
+
+    <!-- Copy everything else. -->
+    <xsl:template match="@* | node()">
+        <xsl:copy>
+            <xsl:apply-templates select="@* | node()"/>
+        </xsl:copy>
+    </xsl:template>
+
+</xsl:stylesheet>
\ No newline at end of file

diff --git a/testsuite/integration-arquillian/servers/wildfly_kc12/src/main/xslt/datasource.xsl b/testsuite/integration-arquillian/servers/wildfly_kc12/src/main/xslt/datasource.xsl
new file mode 100644
index 0000000..c06899f
--- /dev/null
+++ b/testsuite/integration-arquillian/servers/wildfly_kc12/src/main/xslt/datasource.xsl
@@ -0,0 +1,94 @@
+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+                xmlns:xalan="http://xml.apache.org/xalan"
+                xmlns:j="urn:jboss:domain:3.0"
+                xmlns:ds="urn:jboss:domain:datasources:3.0"
+                xmlns:k="urn:jboss:domain:keycloak:1.1"
+                xmlns:sec="urn:jboss:domain:security:1.2"
+                version="2.0"
+                exclude-result-prefixes="xalan j ds k sec">
+
+    <xsl:output method="xml" version="1.0" encoding="UTF-8" indent="yes" xalan:indent-amount="4" standalone="no"/>
+    <xsl:strip-space elements="*"/>
+
+
+    <xsl:variable name="nsDS" select="'urn:jboss:domain:datasources:'"/>
+    
+    <!-- Remove keycloak datasource definition. -->
+    <xsl:template match="//*[local-name()='subsystem' and starts-with(namespace-uri(), $nsDS)]
+		         /*[local-name()='datasources' and starts-with(namespace-uri(), $nsDS)]
+                         /*[local-name()='datasource' and starts-with(namespace-uri(), $nsDS) and @pool-name='KeycloakDS']">
+    </xsl:template>
+    
+    <xsl:param name="jdbc.url" select="'jdbc:h2:${jboss.server.data.dir}/keycloak;AUTO_SERVER=TRUE'"/>
+    <xsl:param name="driver" select="'h2'"/>
+    
+    <xsl:param name="username" select="'sa'"/>
+    <xsl:param name="password" select="'sa'"/>
+    
+    <xsl:param name="min.poolsize" select="'10'"/>
+    <xsl:param name="max.poolsize" select="'50'"/>
+    <xsl:param name="pool.prefill" select="'true'"/>
+    
+    <xsl:variable name="newDatasourceDefinition">
+        <datasource jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS" enabled="true" use-java-context="true">
+            <connection-url>
+                <xsl:value-of select="$jdbc.url"/>
+            </connection-url>
+            <driver>
+                <xsl:value-of select="$driver"/>
+            </driver>
+            <security>
+                <user-name>
+                    <xsl:value-of select="$username"/>
+                </user-name>
+                <password>
+                    <xsl:value-of select="$password"/>
+                </password>
+            </security>
+            <pool>
+                <min-pool-size>
+                    <xsl:value-of select="$min.poolsize"/>
+                </min-pool-size>
+                <max-pool-size>
+                    <xsl:value-of select="$max.poolsize"/>
+                </max-pool-size>
+                <prefill>
+                    <xsl:value-of select="$pool.prefill"/>
+                </prefill>
+            </pool>
+        </datasource>
+    </xsl:variable>
+    
+    <xsl:variable name="newDriverDefinition">
+        <xsl:if test="$driver != 'h2'">
+            <driver name="{$driver}" module="com.{$driver}" />
+        </xsl:if>
+    </xsl:variable>
+    
+    <!-- Add new datasource definition. -->
+    <xsl:template match="//*[local-name()='subsystem' and starts-with(namespace-uri(), $nsDS)]
+		         /*[local-name()='datasources' and starts-with(namespace-uri(), $nsDS)]">
+        <xsl:copy>
+            <xsl:copy-of select="$newDatasourceDefinition"/>
+            <xsl:apply-templates select="@* | node()" />
+        </xsl:copy>
+    </xsl:template>
+    
+    <!-- Add new driver definition. -->
+    <xsl:template match="//*[local-name()='subsystem' and starts-with(namespace-uri(), $nsDS)]
+		         /*[local-name()='datasources' and starts-with(namespace-uri(), $nsDS)]
+		         /*[local-name()='drivers' and starts-with(namespace-uri(), $nsDS)]">
+        <xsl:copy>
+            <xsl:copy-of select="$newDriverDefinition"/>
+            <xsl:apply-templates select="@* | node()" />
+        </xsl:copy>
+    </xsl:template>
+    
+    <!-- Copy everything else. -->
+    <xsl:template match="@*|node()">
+        <xsl:copy>
+            <xsl:apply-templates select="@*|node()" />
+        </xsl:copy>
+    </xsl:template>
+
+</xsl:stylesheet>
\ No newline at end of file

diff --git a/testsuite/integration-arquillian/servers/wildfly_kc12/src/main/xslt/module.xsl b/testsuite/integration-arquillian/servers/wildfly_kc12/src/main/xslt/module.xsl
new file mode 100644
index 0000000..88ac56b
--- /dev/null
+++ b/testsuite/integration-arquillian/servers/wildfly_kc12/src/main/xslt/module.xsl
@@ -0,0 +1,33 @@
+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+                xmlns:xalan="http://xml.apache.org/xalan"
+                xmlns:m="urn:jboss:module:1.3"
+                version="2.0"
+                exclude-result-prefixes="xalan m">
+
+    <xsl:output method="xml" version="1.0" encoding="UTF-8" indent="yes" xalan:indent-amount="4" />
+    
+       
+    <xsl:param name="database" select="''"/>
+    <xsl:param name="version" select="''"/>
+    
+    <xsl:variable name="newModuleDefinition">
+        <module xmlns="urn:jboss:module:1.3" name="com.{$database}">
+            <resources>
+                <resource-root path="{$database}-{$version}.jar"/>
+            </resources>
+            <dependencies>
+                <module name="javax.api"/>
+                <module name="javax.transaction.api"/>
+            </dependencies>
+        </module>
+    </xsl:variable>
+    
+    <!-- clear whole document -->
+    <xsl:template match="/*" />
+    
+    <!-- Copy new module definition. -->
+    <xsl:template match="/*">
+        <xsl:copy-of select="$newModuleDefinition"/>
+    </xsl:template>
+
+</xsl:stylesheet>
\ No newline at end of file

diff --git a/testsuite/integration-arquillian/servers/wildfly_kc13/assembly.xml b/testsuite/integration-arquillian/servers/wildfly_kc13/assembly.xml
new file mode 100644
index 0000000..08e3ebf
--- /dev/null
+++ b/testsuite/integration-arquillian/servers/wildfly_kc13/assembly.xml
@@ -0,0 +1,29 @@
+<assembly>
+    
+    <id>auth-server-wildfly-kc14</id>
+
+    <formats>
+        <format>zip</format>
+    </formats>
+
+    <includeBaseDirectory>false</includeBaseDirectory>
+
+    <fileSets>
+        <fileSet>
+            <directory>${keycloak.server.home}</directory>
+            <outputDirectory>keycloak-1.3.1.Final</outputDirectory>
+            <excludes>
+                <exclude>**/*.sh</exclude>
+            </excludes>
+        </fileSet>
+        <fileSet>
+            <directory>${keycloak.server.home}</directory>
+            <outputDirectory>keycloak-1.3.1.Final</outputDirectory>
+            <includes>
+                <include>**/*.sh</include>
+            </includes>
+            <fileMode>0755</fileMode>
+        </fileSet>
+    </fileSets>
+
+</assembly>

diff --git a/testsuite/integration-arquillian/servers/wildfly_kc13/pom.xml b/testsuite/integration-arquillian/servers/wildfly_kc13/pom.xml
new file mode 100644
index 0000000..58be6cc
--- /dev/null
+++ b/testsuite/integration-arquillian/servers/wildfly_kc13/pom.xml
@@ -0,0 +1,199 @@
+<?xml version="1.0"?>
+<project xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd" xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+    <parent>
+        <groupId>org.keycloak.testsuite</groupId>
+        <artifactId>integration-arquillian-servers</artifactId>
+        <version>1.6.0.Final-SNAPSHOT</version>
+    </parent>
+    <modelVersion>4.0.0</modelVersion>
+
+    <artifactId>integration-arquillian-server-wildfly-kc13</artifactId>
+    <packaging>pom</packaging>
+    <name>Keycloak 1.3.1.Final on Wildfly</name>
+    
+    <properties>
+        <keycloak.server.home>${project.build.directory}/unpacked/keycloak-1.3.1.Final</keycloak.server.home>
+        <jdbc.mvn.driver.deployment.dir>${keycloak.server.home}/modules/system/layers/base/com/${jdbc.mvn.artifactId}/main</jdbc.mvn.driver.deployment.dir>
+    </properties>
+    
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-deploy-plugin</artifactId>
+                <configuration>
+                    <skip>true</skip>
+                </configuration>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-enforcer-plugin</artifactId>
+                <version>1.4</version>
+                <executions>
+                    <execution>
+                        <id>enforce-properties</id>
+                        <goals>
+                            <goal>enforce</goal>
+                        </goals>
+                        <configuration>
+                            <rules>
+                                <requireProperty>
+                                    <property>jdbc.mvn.groupId</property>
+                                </requireProperty>
+                                <requireProperty>
+                                    <property>jdbc.mvn.artifactId</property>
+                                </requireProperty>
+                                <requireProperty>
+                                    <property>jdbc.mvn.version</property>
+                                </requireProperty>
+                                <requireProperty>
+                                    <property>keycloak.connectionsJpa.url</property>
+                                </requireProperty>
+                                <requireProperty>
+                                    <property>keycloak.connectionsJpa.user</property>
+                                </requireProperty>
+                                <requireProperty>
+                                    <property>keycloak.connectionsJpa.password</property>
+                                </requireProperty>
+                            </rules>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-dependency-plugin</artifactId>
+                <executions>
+                    <execution>
+                        <id>unpack-server</id>
+                        <phase>generate-resources</phase>
+                        <goals>
+                            <goal>unpack</goal>
+                        </goals>
+                        <configuration>
+                            <artifactItems>
+                                <artifactItem>
+                                    <groupId>org.keycloak</groupId>
+                                    <artifactId>keycloak-server-dist</artifactId>
+                                    <version>1.3.1.Final</version>
+                                    <type>zip</type>
+                                    <outputDirectory>${project.build.directory}/unpacked</outputDirectory>
+                                </artifactItem>
+                            </artifactItems>
+                        </configuration>
+                    </execution>
+                    <execution>
+                        <id>jdbc-driver</id>
+                        <phase>process-resources</phase>
+                        <goals>
+                            <goal>copy</goal>
+                        </goals>
+                        <configuration>
+                            <artifactItems>
+                                <artifactItem>
+                                    <groupId>${jdbc.mvn.groupId}</groupId>
+                                    <artifactId>${jdbc.mvn.artifactId}</artifactId>
+                                    <version>${jdbc.mvn.version}</version>
+                                    <type>jar</type>
+                                </artifactItem>
+                            </artifactItems>
+                            <outputDirectory>${jdbc.mvn.driver.deployment.dir}</outputDirectory>
+                            <overWriteIfNewer>true</overWriteIfNewer>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
+            <plugin>
+                <groupId>org.codehaus.mojo</groupId>
+                <artifactId>xml-maven-plugin</artifactId>
+                <executions>
+                    <execution>
+                        <id>configure-wildfly-datasource</id>
+                        <phase>process-resources</phase>
+                        <goals>
+                            <goal>transform</goal>
+                        </goals>
+                        <configuration>
+                            <transformationSets>
+                                <!-- create module.xml in modules -->
+                                <transformationSet>
+                                    <dir>${keycloak.server.home}/modules/system/layers/base/com/h2database/h2/main</dir>
+                                    <stylesheet>src/main/xslt/module.xsl</stylesheet>
+                                    <includes>
+                                        <include>module.xml</include>
+                                    </includes>
+                                    <outputDir>${jdbc.mvn.driver.deployment.dir}</outputDir>
+                                    <parameters>
+                                        <parameter>
+                                            <name>database</name>
+                                            <value>${jdbc.mvn.artifactId}</value>
+                                        </parameter>
+                                        <parameter>
+                                            <name>version</name>
+                                            <value>${jdbc.mvn.version}</value>
+                                        </parameter>
+                                    </parameters>
+                                </transformationSet>
+                                <!-- add datasource to standalone.xml -->
+                                <transformationSet>
+                                    <dir>${keycloak.server.home}/standalone/configuration</dir>
+                                    <stylesheet>src/main/xslt/datasource.xsl</stylesheet>
+                                    <includes>
+                                        <include>standalone.xml</include>
+                                    </includes>
+                                    <outputDir>${keycloak.server.home}/standalone/configuration</outputDir>
+                                    <parameters>
+                                        <parameter>
+                                            <name>jdbc.url</name>
+                                            <value>${keycloak.connectionsJpa.url}</value>
+                                        </parameter>
+                                        <parameter>
+                                            <name>driver</name>
+                                            <value>${jdbc.mvn.artifactId}</value>
+                                        </parameter>
+                                        <parameter>
+                                            <name>username</name>
+                                            <value>${keycloak.connectionsJpa.user}</value>
+                                        </parameter>
+                                        <parameter>
+                                            <name>password</name>
+                                            <value>${keycloak.connectionsJpa.password}</value>
+                                        </parameter>
+                                    </parameters>
+                                </transformationSet>
+                                <!-- add logger for org.hibernate.dialect.Dialect to standalone.xml-->
+                                <transformationSet>
+                                    <dir>${keycloak.server.home}/standalone/configuration</dir>
+                                    <stylesheet>src/main/xslt/add-dialect-logger.xsl</stylesheet>
+                                    <includes>
+                                        <include>standalone.xml</include>
+                                    </includes>
+                                    <outputDir>${keycloak.server.home}/standalone/configuration</outputDir>
+                                </transformationSet>
+                            </transformationSets>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
+            <plugin>
+                <artifactId>maven-assembly-plugin</artifactId>
+                <executions>
+                    <execution>
+                        <id>create-zip</id>
+                        <phase>package</phase>
+                        <goals>
+                            <goal>single</goal>
+                        </goals>
+                        <configuration>
+                            <descriptors>
+                                <descriptor>assembly.xml</descriptor>
+                            </descriptors>
+                            <appendAssemblyId>false</appendAssemblyId>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
+        </plugins>
+    </build>
+</project>

diff --git a/testsuite/integration-arquillian/servers/wildfly_kc13/src/main/xslt/add-dialect-logger.xsl b/testsuite/integration-arquillian/servers/wildfly_kc13/src/main/xslt/add-dialect-logger.xsl
new file mode 100644
index 0000000..b5dc8c4
--- /dev/null
+++ b/testsuite/integration-arquillian/servers/wildfly_kc13/src/main/xslt/add-dialect-logger.xsl
@@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" 
+                xmlns:xalan="http://xml.apache.org/xalan" 
+                version="2.0"
+                exclude-result-prefixes="xalan">
+    
+    <xsl:output method="xml" version="1.0" encoding="UTF-8" indent="yes" xalan:indent-amount="4" standalone="no"/>
+
+    <xsl:variable name="nsDS" select="'urn:jboss:domain:logging:'"/>
+
+    <xsl:template match="//*[local-name()='subsystem' and starts-with(namespace-uri(), $nsDS)]
+                        /*[local-name()='root-logger' and starts-with(namespace-uri(), $nsDS)]">
+        <logger category="org.hibernate.dialect.Dialect">
+            <level name="ALL"/>
+        </logger>
+        <xsl:copy>
+            <xsl:apply-templates select="@* | node()" />
+        </xsl:copy>
+    </xsl:template>
+
+    <!-- Copy everything else. -->
+    <xsl:template match="@* | node()">
+        <xsl:copy>
+            <xsl:apply-templates select="@* | node()"/>
+        </xsl:copy>
+    </xsl:template>
+
+</xsl:stylesheet>
\ No newline at end of file

diff --git a/testsuite/integration-arquillian/servers/wildfly_kc13/src/main/xslt/datasource.xsl b/testsuite/integration-arquillian/servers/wildfly_kc13/src/main/xslt/datasource.xsl
new file mode 100644
index 0000000..c06899f
--- /dev/null
+++ b/testsuite/integration-arquillian/servers/wildfly_kc13/src/main/xslt/datasource.xsl
@@ -0,0 +1,94 @@
+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+                xmlns:xalan="http://xml.apache.org/xalan"
+                xmlns:j="urn:jboss:domain:3.0"
+                xmlns:ds="urn:jboss:domain:datasources:3.0"
+                xmlns:k="urn:jboss:domain:keycloak:1.1"
+                xmlns:sec="urn:jboss:domain:security:1.2"
+                version="2.0"
+                exclude-result-prefixes="xalan j ds k sec">
+
+    <xsl:output method="xml" version="1.0" encoding="UTF-8" indent="yes" xalan:indent-amount="4" standalone="no"/>
+    <xsl:strip-space elements="*"/>
+
+
+    <xsl:variable name="nsDS" select="'urn:jboss:domain:datasources:'"/>
+    
+    <!-- Remove keycloak datasource definition. -->
+    <xsl:template match="//*[local-name()='subsystem' and starts-with(namespace-uri(), $nsDS)]
+		         /*[local-name()='datasources' and starts-with(namespace-uri(), $nsDS)]
+                         /*[local-name()='datasource' and starts-with(namespace-uri(), $nsDS) and @pool-name='KeycloakDS']">
+    </xsl:template>
+    
+    <xsl:param name="jdbc.url" select="'jdbc:h2:${jboss.server.data.dir}/keycloak;AUTO_SERVER=TRUE'"/>
+    <xsl:param name="driver" select="'h2'"/>
+    
+    <xsl:param name="username" select="'sa'"/>
+    <xsl:param name="password" select="'sa'"/>
+    
+    <xsl:param name="min.poolsize" select="'10'"/>
+    <xsl:param name="max.poolsize" select="'50'"/>
+    <xsl:param name="pool.prefill" select="'true'"/>
+    
+    <xsl:variable name="newDatasourceDefinition">
+        <datasource jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS" enabled="true" use-java-context="true">
+            <connection-url>
+                <xsl:value-of select="$jdbc.url"/>
+            </connection-url>
+            <driver>
+                <xsl:value-of select="$driver"/>
+            </driver>
+            <security>
+                <user-name>
+                    <xsl:value-of select="$username"/>
+                </user-name>
+                <password>
+                    <xsl:value-of select="$password"/>
+                </password>
+            </security>
+            <pool>
+                <min-pool-size>
+                    <xsl:value-of select="$min.poolsize"/>
+                </min-pool-size>
+                <max-pool-size>
+                    <xsl:value-of select="$max.poolsize"/>
+                </max-pool-size>
+                <prefill>
+                    <xsl:value-of select="$pool.prefill"/>
+                </prefill>
+            </pool>
+        </datasource>
+    </xsl:variable>
+    
+    <xsl:variable name="newDriverDefinition">
+        <xsl:if test="$driver != 'h2'">
+            <driver name="{$driver}" module="com.{$driver}" />
+        </xsl:if>
+    </xsl:variable>
+    
+    <!-- Add new datasource definition. -->
+    <xsl:template match="//*[local-name()='subsystem' and starts-with(namespace-uri(), $nsDS)]
+		         /*[local-name()='datasources' and starts-with(namespace-uri(), $nsDS)]">
+        <xsl:copy>
+            <xsl:copy-of select="$newDatasourceDefinition"/>
+            <xsl:apply-templates select="@* | node()" />
+        </xsl:copy>
+    </xsl:template>
+    
+    <!-- Add new driver definition. -->
+    <xsl:template match="//*[local-name()='subsystem' and starts-with(namespace-uri(), $nsDS)]
+		         /*[local-name()='datasources' and starts-with(namespace-uri(), $nsDS)]
+		         /*[local-name()='drivers' and starts-with(namespace-uri(), $nsDS)]">
+        <xsl:copy>
+            <xsl:copy-of select="$newDriverDefinition"/>
+            <xsl:apply-templates select="@* | node()" />
+        </xsl:copy>
+    </xsl:template>
+    
+    <!-- Copy everything else. -->
+    <xsl:template match="@*|node()">
+        <xsl:copy>
+            <xsl:apply-templates select="@*|node()" />
+        </xsl:copy>
+    </xsl:template>
+
+</xsl:stylesheet>
\ No newline at end of file

diff --git a/testsuite/integration-arquillian/servers/wildfly_kc13/src/main/xslt/module.xsl b/testsuite/integration-arquillian/servers/wildfly_kc13/src/main/xslt/module.xsl
new file mode 100644
index 0000000..88ac56b
--- /dev/null
+++ b/testsuite/integration-arquillian/servers/wildfly_kc13/src/main/xslt/module.xsl
@@ -0,0 +1,33 @@
+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+                xmlns:xalan="http://xml.apache.org/xalan"
+                xmlns:m="urn:jboss:module:1.3"
+                version="2.0"
+                exclude-result-prefixes="xalan m">
+
+    <xsl:output method="xml" version="1.0" encoding="UTF-8" indent="yes" xalan:indent-amount="4" />
+    
+       
+    <xsl:param name="database" select="''"/>
+    <xsl:param name="version" select="''"/>
+    
+    <xsl:variable name="newModuleDefinition">
+        <module xmlns="urn:jboss:module:1.3" name="com.{$database}">
+            <resources>
+                <resource-root path="{$database}-{$version}.jar"/>
+            </resources>
+            <dependencies>
+                <module name="javax.api"/>
+                <module name="javax.transaction.api"/>
+            </dependencies>
+        </module>
+    </xsl:variable>
+    
+    <!-- clear whole document -->
+    <xsl:template match="/*" />
+    
+    <!-- Copy new module definition. -->
+    <xsl:template match="/*">
+        <xsl:copy-of select="$newModuleDefinition"/>
+    </xsl:template>
+
+</xsl:stylesheet>
\ No newline at end of file

diff --git a/testsuite/integration-arquillian/servers/wildfly_kc14/assembly.xml b/testsuite/integration-arquillian/servers/wildfly_kc14/assembly.xml
new file mode 100644
index 0000000..da4b459
--- /dev/null
+++ b/testsuite/integration-arquillian/servers/wildfly_kc14/assembly.xml
@@ -0,0 +1,29 @@
+<assembly>
+    
+    <id>auth-server-wildfly-kc14</id>
+
+    <formats>
+        <format>zip</format>
+    </formats>
+
+    <includeBaseDirectory>false</includeBaseDirectory>
+
+    <fileSets>
+        <fileSet>
+            <directory>${keycloak.server.home}</directory>
+            <outputDirectory>keycloak-1.4.0.Final</outputDirectory>
+            <excludes>
+                <exclude>**/*.sh</exclude>
+            </excludes>
+        </fileSet>
+        <fileSet>
+            <directory>${keycloak.server.home}</directory>
+            <outputDirectory>keycloak-1.4.0.Final</outputDirectory>
+            <includes>
+                <include>**/*.sh</include>
+            </includes>
+            <fileMode>0755</fileMode>
+        </fileSet>
+    </fileSets>
+
+</assembly>

diff --git a/testsuite/integration-arquillian/servers/wildfly_kc14/pom.xml b/testsuite/integration-arquillian/servers/wildfly_kc14/pom.xml
new file mode 100644
index 0000000..ba4ff50
--- /dev/null
+++ b/testsuite/integration-arquillian/servers/wildfly_kc14/pom.xml
@@ -0,0 +1,199 @@
+<?xml version="1.0"?>
+<project xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd" xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+    <parent>
+        <groupId>org.keycloak.testsuite</groupId>
+        <artifactId>integration-arquillian-servers</artifactId>
+        <version>1.6.0.Final-SNAPSHOT</version>
+    </parent>
+    <modelVersion>4.0.0</modelVersion>
+
+    <artifactId>integration-arquillian-server-wildfly-kc14</artifactId>
+    <packaging>pom</packaging>
+    <name>Keycloak 1.4.0.Final on Wildfly</name>
+    
+    <properties>
+        <keycloak.server.home>${project.build.directory}/unpacked/keycloak-1.4.0.Final</keycloak.server.home>
+        <jdbc.mvn.driver.deployment.dir>${keycloak.server.home}/modules/system/layers/base/com/${jdbc.mvn.artifactId}/main</jdbc.mvn.driver.deployment.dir>
+    </properties>
+    
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-deploy-plugin</artifactId>
+                <configuration>
+                    <skip>true</skip>
+                </configuration>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-enforcer-plugin</artifactId>
+                <version>1.4</version>
+                <executions>
+                    <execution>
+                        <id>enforce-properties</id>
+                        <goals>
+                            <goal>enforce</goal>
+                        </goals>
+                        <configuration>
+                            <rules>
+                                <requireProperty>
+                                    <property>jdbc.mvn.groupId</property>
+                                </requireProperty>
+                                <requireProperty>
+                                    <property>jdbc.mvn.artifactId</property>
+                                </requireProperty>
+                                <requireProperty>
+                                    <property>jdbc.mvn.version</property>
+                                </requireProperty>
+                                <requireProperty>
+                                    <property>keycloak.connectionsJpa.url</property>
+                                </requireProperty>
+                                <requireProperty>
+                                    <property>keycloak.connectionsJpa.user</property>
+                                </requireProperty>
+                                <requireProperty>
+                                    <property>keycloak.connectionsJpa.password</property>
+                                </requireProperty>
+                            </rules>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-dependency-plugin</artifactId>
+                <executions>
+                    <execution>
+                        <id>unpack-server</id>
+                        <phase>generate-resources</phase>
+                        <goals>
+                            <goal>unpack</goal>
+                        </goals>
+                        <configuration>
+                            <artifactItems>
+                                <artifactItem>
+                                    <groupId>org.keycloak</groupId>
+                                    <artifactId>keycloak-server-dist</artifactId>
+                                    <version>1.4.0.Final</version>
+                                    <type>zip</type>
+                                    <outputDirectory>${project.build.directory}/unpacked</outputDirectory>
+                                </artifactItem>
+                            </artifactItems>
+                        </configuration>
+                    </execution>
+                    <execution>
+                        <id>jdbc-driver</id>
+                        <phase>process-resources</phase>
+                        <goals>
+                            <goal>copy</goal>
+                        </goals>
+                        <configuration>
+                            <artifactItems>
+                                <artifactItem>
+                                    <groupId>${jdbc.mvn.groupId}</groupId>
+                                    <artifactId>${jdbc.mvn.artifactId}</artifactId>
+                                    <version>${jdbc.mvn.version}</version>
+                                    <type>jar</type>
+                                </artifactItem>
+                            </artifactItems>
+                            <outputDirectory>${jdbc.mvn.driver.deployment.dir}</outputDirectory>
+                            <overWriteIfNewer>true</overWriteIfNewer>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
+            <plugin>
+                <groupId>org.codehaus.mojo</groupId>
+                <artifactId>xml-maven-plugin</artifactId>
+                <executions>
+                    <execution>
+                        <id>configure-wildfly-datasource</id>
+                        <phase>process-resources</phase>
+                        <goals>
+                            <goal>transform</goal>
+                        </goals>
+                        <configuration>
+                            <transformationSets>
+                                <!-- create module.xml in modules -->
+                                <transformationSet>
+                                    <dir>${keycloak.server.home}/modules/system/layers/base/com/h2database/h2/main</dir>
+                                    <stylesheet>src/main/xslt/module.xsl</stylesheet>
+                                    <includes>
+                                        <include>module.xml</include>
+                                    </includes>
+                                    <outputDir>${jdbc.mvn.driver.deployment.dir}</outputDir>
+                                    <parameters>
+                                        <parameter>
+                                            <name>database</name>
+                                            <value>${jdbc.mvn.artifactId}</value>
+                                        </parameter>
+                                        <parameter>
+                                            <name>version</name>
+                                            <value>${jdbc.mvn.version}</value>
+                                        </parameter>
+                                    </parameters>
+                                </transformationSet>
+                                <!-- add datasource to standalone.xml -->
+                                <transformationSet>
+                                    <dir>${keycloak.server.home}/standalone/configuration</dir>
+                                    <stylesheet>src/main/xslt/datasource.xsl</stylesheet>
+                                    <includes>
+                                        <include>standalone.xml</include>
+                                    </includes>
+                                    <outputDir>${keycloak.server.home}/standalone/configuration</outputDir>
+                                    <parameters>
+                                        <parameter>
+                                            <name>jdbc.url</name>
+                                            <value>${keycloak.connectionsJpa.url}</value>
+                                        </parameter>
+                                        <parameter>
+                                            <name>driver</name>
+                                            <value>${jdbc.mvn.artifactId}</value>
+                                        </parameter>
+                                        <parameter>
+                                            <name>username</name>
+                                            <value>${keycloak.connectionsJpa.user}</value>
+                                        </parameter>
+                                        <parameter>
+                                            <name>password</name>
+                                            <value>${keycloak.connectionsJpa.password}</value>
+                                        </parameter>
+                                    </parameters>
+                                </transformationSet>
+                                <!-- add logger for org.hibernate.dialect.Dialect to standalone.xml-->
+                                <transformationSet>
+                                    <dir>${keycloak.server.home}/standalone/configuration</dir>
+                                    <stylesheet>src/main/xslt/add-dialect-logger.xsl</stylesheet>
+                                    <includes>
+                                        <include>standalone.xml</include>
+                                    </includes>
+                                    <outputDir>${keycloak.server.home}/standalone/configuration</outputDir>
+                                </transformationSet>
+                            </transformationSets>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
+            <plugin>
+                <artifactId>maven-assembly-plugin</artifactId>
+                <executions>
+                    <execution>
+                        <id>create-zip</id>
+                        <phase>package</phase>
+                        <goals>
+                            <goal>single</goal>
+                        </goals>
+                        <configuration>
+                            <descriptors>
+                                <descriptor>assembly.xml</descriptor>
+                            </descriptors>
+                            <appendAssemblyId>false</appendAssemblyId>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
+        </plugins>
+    </build>
+</project>

diff --git a/testsuite/integration-arquillian/servers/wildfly_kc14/src/main/xslt/add-dialect-logger.xsl b/testsuite/integration-arquillian/servers/wildfly_kc14/src/main/xslt/add-dialect-logger.xsl
new file mode 100644
index 0000000..b5dc8c4
--- /dev/null
+++ b/testsuite/integration-arquillian/servers/wildfly_kc14/src/main/xslt/add-dialect-logger.xsl
@@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" 
+                xmlns:xalan="http://xml.apache.org/xalan" 
+                version="2.0"
+                exclude-result-prefixes="xalan">
+    
+    <xsl:output method="xml" version="1.0" encoding="UTF-8" indent="yes" xalan:indent-amount="4" standalone="no"/>
+
+    <xsl:variable name="nsDS" select="'urn:jboss:domain:logging:'"/>
+
+    <xsl:template match="//*[local-name()='subsystem' and starts-with(namespace-uri(), $nsDS)]
+                        /*[local-name()='root-logger' and starts-with(namespace-uri(), $nsDS)]">
+        <logger category="org.hibernate.dialect.Dialect">
+            <level name="ALL"/>
+        </logger>
+        <xsl:copy>
+            <xsl:apply-templates select="@* | node()" />
+        </xsl:copy>
+    </xsl:template>
+
+    <!-- Copy everything else. -->
+    <xsl:template match="@* | node()">
+        <xsl:copy>
+            <xsl:apply-templates select="@* | node()"/>
+        </xsl:copy>
+    </xsl:template>
+
+</xsl:stylesheet>
\ No newline at end of file

diff --git a/testsuite/integration-arquillian/servers/wildfly_kc14/src/main/xslt/datasource.xsl b/testsuite/integration-arquillian/servers/wildfly_kc14/src/main/xslt/datasource.xsl
new file mode 100644
index 0000000..c06899f
--- /dev/null
+++ b/testsuite/integration-arquillian/servers/wildfly_kc14/src/main/xslt/datasource.xsl
@@ -0,0 +1,94 @@
+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+                xmlns:xalan="http://xml.apache.org/xalan"
+                xmlns:j="urn:jboss:domain:3.0"
+                xmlns:ds="urn:jboss:domain:datasources:3.0"
+                xmlns:k="urn:jboss:domain:keycloak:1.1"
+                xmlns:sec="urn:jboss:domain:security:1.2"
+                version="2.0"
+                exclude-result-prefixes="xalan j ds k sec">
+
+    <xsl:output method="xml" version="1.0" encoding="UTF-8" indent="yes" xalan:indent-amount="4" standalone="no"/>
+    <xsl:strip-space elements="*"/>
+
+
+    <xsl:variable name="nsDS" select="'urn:jboss:domain:datasources:'"/>
+    
+    <!-- Remove keycloak datasource definition. -->
+    <xsl:template match="//*[local-name()='subsystem' and starts-with(namespace-uri(), $nsDS)]
+		         /*[local-name()='datasources' and starts-with(namespace-uri(), $nsDS)]
+                         /*[local-name()='datasource' and starts-with(namespace-uri(), $nsDS) and @pool-name='KeycloakDS']">
+    </xsl:template>
+    
+    <xsl:param name="jdbc.url" select="'jdbc:h2:${jboss.server.data.dir}/keycloak;AUTO_SERVER=TRUE'"/>
+    <xsl:param name="driver" select="'h2'"/>
+    
+    <xsl:param name="username" select="'sa'"/>
+    <xsl:param name="password" select="'sa'"/>
+    
+    <xsl:param name="min.poolsize" select="'10'"/>
+    <xsl:param name="max.poolsize" select="'50'"/>
+    <xsl:param name="pool.prefill" select="'true'"/>
+    
+    <xsl:variable name="newDatasourceDefinition">
+        <datasource jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS" enabled="true" use-java-context="true">
+            <connection-url>
+                <xsl:value-of select="$jdbc.url"/>
+            </connection-url>
+            <driver>
+                <xsl:value-of select="$driver"/>
+            </driver>
+            <security>
+                <user-name>
+                    <xsl:value-of select="$username"/>
+                </user-name>
+                <password>
+                    <xsl:value-of select="$password"/>
+                </password>
+            </security>
+            <pool>
+                <min-pool-size>
+                    <xsl:value-of select="$min.poolsize"/>
+                </min-pool-size>
+                <max-pool-size>
+                    <xsl:value-of select="$max.poolsize"/>
+                </max-pool-size>
+                <prefill>
+                    <xsl:value-of select="$pool.prefill"/>
+                </prefill>
+            </pool>
+        </datasource>
+    </xsl:variable>
+    
+    <xsl:variable name="newDriverDefinition">
+        <xsl:if test="$driver != 'h2'">
+            <driver name="{$driver}" module="com.{$driver}" />
+        </xsl:if>
+    </xsl:variable>
+    
+    <!-- Add new datasource definition. -->
+    <xsl:template match="//*[local-name()='subsystem' and starts-with(namespace-uri(), $nsDS)]
+		         /*[local-name()='datasources' and starts-with(namespace-uri(), $nsDS)]">
+        <xsl:copy>
+            <xsl:copy-of select="$newDatasourceDefinition"/>
+            <xsl:apply-templates select="@* | node()" />
+        </xsl:copy>
+    </xsl:template>
+    
+    <!-- Add new driver definition. -->
+    <xsl:template match="//*[local-name()='subsystem' and starts-with(namespace-uri(), $nsDS)]
+		         /*[local-name()='datasources' and starts-with(namespace-uri(), $nsDS)]
+		         /*[local-name()='drivers' and starts-with(namespace-uri(), $nsDS)]">
+        <xsl:copy>
+            <xsl:copy-of select="$newDriverDefinition"/>
+            <xsl:apply-templates select="@* | node()" />
+        </xsl:copy>
+    </xsl:template>
+    
+    <!-- Copy everything else. -->
+    <xsl:template match="@*|node()">
+        <xsl:copy>
+            <xsl:apply-templates select="@*|node()" />
+        </xsl:copy>
+    </xsl:template>
+
+</xsl:stylesheet>
\ No newline at end of file

diff --git a/testsuite/integration-arquillian/servers/wildfly_kc14/src/main/xslt/module.xsl b/testsuite/integration-arquillian/servers/wildfly_kc14/src/main/xslt/module.xsl
new file mode 100644
index 0000000..88ac56b
--- /dev/null
+++ b/testsuite/integration-arquillian/servers/wildfly_kc14/src/main/xslt/module.xsl
@@ -0,0 +1,33 @@
+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+                xmlns:xalan="http://xml.apache.org/xalan"
+                xmlns:m="urn:jboss:module:1.3"
+                version="2.0"
+                exclude-result-prefixes="xalan m">
+
+    <xsl:output method="xml" version="1.0" encoding="UTF-8" indent="yes" xalan:indent-amount="4" />
+    
+       
+    <xsl:param name="database" select="''"/>
+    <xsl:param name="version" select="''"/>
+    
+    <xsl:variable name="newModuleDefinition">
+        <module xmlns="urn:jboss:module:1.3" name="com.{$database}">
+            <resources>
+                <resource-root path="{$database}-{$version}.jar"/>
+            </resources>
+            <dependencies>
+                <module name="javax.api"/>
+                <module name="javax.transaction.api"/>
+            </dependencies>
+        </module>
+    </xsl:variable>
+    
+    <!-- clear whole document -->
+    <xsl:template match="/*" />
+    
+    <!-- Copy new module definition. -->
+    <xsl:template match="/*">
+        <xsl:copy-of select="$newModuleDefinition"/>
+    </xsl:template>
+
+</xsl:stylesheet>
\ No newline at end of file

diff --git a/testsuite/integration-arquillian/tests/adapters/as7/pom.xml b/testsuite/integration-arquillian/tests/adapters/as7/pom.xml
new file mode 100644
index 0000000..701a6ef
--- /dev/null
+++ b/testsuite/integration-arquillian/tests/adapters/as7/pom.xml
@@ -0,0 +1,137 @@
+<?xml version="1.0"?>
+<project xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd" xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+    <parent>
+        <groupId>org.keycloak.testsuite</groupId>
+        <artifactId>integration-arquillian-tests-adapters</artifactId>
+        <version>1.6.0.Final-SNAPSHOT</version>
+    </parent>
+    <modelVersion>4.0.0</modelVersion>
+
+    <artifactId>integration-arquillian-adapters-as7</artifactId>
+    <name>Adapter Tests on JBossAS 7</name>
+    
+    <properties>
+        <as7.version>7.1.1.Final</as7.version>
+        <app.server.as7.home>${containers.home}/jboss-as-${as7.version}</app.server.as7.home>
+        <adapter.libs.as7>${containers.home}/keycloak-as7-adapter-dist</adapter.libs.as7>
+    </properties>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.jboss.as</groupId>
+            <artifactId>jboss-as-dist</artifactId>
+            <version>${as7.version}</version>
+            <type>zip</type>
+        </dependency>
+        <dependency>
+            <groupId>org.keycloak</groupId>
+            <artifactId>keycloak-as7-adapter-dist</artifactId>
+            <type>zip</type>
+        </dependency>
+        <dependency>
+            <groupId>org.jboss.as</groupId>
+            <artifactId>jboss-as-arquillian-container-managed</artifactId>
+            <version>7.2.0.Final</version>
+        </dependency>
+    </dependencies>
+
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-deploy-plugin</artifactId>
+                <configuration>
+                    <skip>true</skip>
+                </configuration>
+            </plugin>  
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-dependency-plugin</artifactId>
+                <executions>
+                    <execution>
+                        <id>unpack-as7-and-adapter</id>
+                        <phase>generate-resources</phase>
+                        <goals>
+                            <goal>unpack</goal>
+                        </goals>
+                        <configuration>
+                            <artifactItems>
+                                <artifactItem>
+                                    <groupId>org.jboss.as</groupId>
+                                    <artifactId>jboss-as-dist</artifactId>
+                                    <version>${as7.version}</version>
+                                    <type>zip</type>
+                                    <outputDirectory>${containers.home}</outputDirectory>
+                                </artifactItem>
+                                <artifactItem>
+                                    <groupId>org.keycloak</groupId>
+                                    <artifactId>keycloak-as7-adapter-dist</artifactId>
+                                    <type>zip</type>
+                                    <outputDirectory>${adapter.libs.as7}</outputDirectory>
+                                </artifactItem>
+                            </artifactItems>
+                            <overWriteIfNewer>true</overWriteIfNewer>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-surefire-plugin</artifactId>
+                <configuration>
+                    <systemPropertyVariables>
+                        <app.server.as7>true</app.server.as7>
+                        <app.server.as7.home>${app.server.as7.home}</app.server.as7.home>
+                        <adapter.libs.as7>${adapter.libs.as7}</adapter.libs.as7>
+                    </systemPropertyVariables>
+                </configuration>
+            </plugin>
+        </plugins>
+    </build>
+    
+    
+    <profiles>
+        <profile>
+            <id>adapter-libs-provided</id>
+            <activation>    
+                <property>
+                    <name>!adapter.libs.bundled</name>
+                </property>
+            </activation>
+            <properties>
+                <adapter.libs.as7>${app.server.as7.home}</adapter.libs.as7>
+            </properties>
+            <build>
+                <plugins>
+                    <plugin>
+                        <groupId>org.codehaus.mojo</groupId>
+                        <artifactId>xml-maven-plugin</artifactId>
+                        <executions>
+                            <execution>
+                                <id>configure-adapter-subsystem</id>
+                                <phase>process-resources</phase>
+                                <goals>
+                                    <goal>transform</goal>
+                                </goals>
+                                <configuration>
+                                    <transformationSets>
+                                        <transformationSet>
+                                            <dir>${app.server.as7.home}/standalone/configuration</dir>
+                                            <includes>
+                                                <include>standalone.xml</include>
+                                            </includes>
+                                            <stylesheet>src/main/xslt/standalone.xsl</stylesheet>
+                                            <outputDir>${app.server.as7.home}/standalone/configuration</outputDir>
+                                        </transformationSet>
+                                    </transformationSets>
+                                </configuration>
+                            </execution>
+                        </executions>
+                    </plugin>
+                </plugins>
+            </build>
+        </profile>
+    </profiles>        
+    
+</project>

diff --git a/testsuite/integration-arquillian/tests/adapters/as7/src/main/xslt/arquillian.xsl b/testsuite/integration-arquillian/tests/adapters/as7/src/main/xslt/arquillian.xsl
new file mode 100644
index 0000000..8970850
--- /dev/null
+++ b/testsuite/integration-arquillian/tests/adapters/as7/src/main/xslt/arquillian.xsl
@@ -0,0 +1,36 @@
+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+                xmlns:xalan="http://xml.apache.org/xalan"
+                xmlns:a="http://jboss.org/schema/arquillian"
+                version="2.0"
+                exclude-result-prefixes="xalan a">
+
+    <xsl:output method="xml" version="1.0" encoding="UTF-8" indent="yes" xalan:indent-amount="4" standalone="no"/>
+    <xsl:strip-space elements="*"/>
+
+    <xsl:template match="/a:arquillian">
+        <xsl:copy>
+            <xsl:apply-templates select="node()|@*"/>
+            
+            <container qualifier="app-server-as7" mode="manual" >
+                <configuration>
+                    <property name="enabled">${app.server.as7}</property>
+                    <property name="adapterImplClass">org.jboss.as.arquillian.container.managed.ManagedDeployableContainer</property>
+                    <property name="jbossHome">${app.server.as7.home}</property>
+                    <property name="javaVmArguments">-Djboss.socket.binding.port-offset=${app.server.port.offset} -Xms64m -Xmx512m -XX:MaxPermSize=256m ${adapter.test.props}</property>
+                    <property name="managementAddress">localhost</property>
+                    <property name="managementPort">${app.server.management.port.jmx}</property>
+                </configuration>
+            </container>
+
+        </xsl:copy>
+    </xsl:template>
+    
+
+    <xsl:template match="@*|node()">
+        <xsl:copy>
+            <xsl:apply-templates select="@*|node()" />
+        </xsl:copy>
+    </xsl:template>
+    
+
+</xsl:stylesheet>
\ No newline at end of file

diff --git a/testsuite/integration-arquillian/tests/adapters/as7/src/main/xslt/standalone.xsl b/testsuite/integration-arquillian/tests/adapters/as7/src/main/xslt/standalone.xsl
new file mode 100644
index 0000000..5aac0f0
--- /dev/null
+++ b/testsuite/integration-arquillian/tests/adapters/as7/src/main/xslt/standalone.xsl
@@ -0,0 +1,51 @@
+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+                xmlns:xalan="http://xml.apache.org/xalan"
+                xmlns:j="urn:jboss:domain:1.2"
+                xmlns:ds="urn:jboss:domain:datasources:1.0"
+                xmlns:k="urn:jboss:domain:keycloak:1.1"
+                xmlns:sec="urn:jboss:domain:security:1.1"
+                version="2.0"
+                exclude-result-prefixes="xalan j ds k sec">
+
+    <xsl:param name="config"/>
+
+    <xsl:output method="xml" version="1.0" encoding="UTF-8" indent="yes" xalan:indent-amount="4" standalone="no"/>
+    <xsl:strip-space elements="*"/>
+
+    <xsl:template match="//j:extensions">
+        <xsl:copy>
+            <xsl:apply-templates select="node()|@*"/>
+            <extension module="org.keycloak.keycloak-adapter-subsystem"/>
+        </xsl:copy>
+    </xsl:template>
+
+    <xsl:template match="//j:profile">
+        <xsl:copy>
+            <xsl:apply-templates select="node()|@*"/>
+            <subsystem xmlns="urn:jboss:domain:keycloak:1.1"/>
+        </xsl:copy>
+    </xsl:template>
+
+    <xsl:template match="//sec:security-domains">
+        <xsl:copy>
+            <xsl:apply-templates select="node()[name(.)='security-domain']"/>
+            <security-domain name="keycloak">
+                <authentication>
+                    <login-module code="org.keycloak.adapters.jboss.KeycloakLoginModule" flag="required"/>
+                </authentication>
+            </security-domain>
+            <security-domain name="sp" cache-type="default">
+                <authentication>
+                    <login-module code="org.picketlink.identity.federation.bindings.wildfly.SAML2LoginModule" flag="required"/>
+                </authentication>
+            </security-domain>
+        </xsl:copy>
+    </xsl:template>
+
+    <xsl:template match="@*|node()">
+        <xsl:copy>
+            <xsl:apply-templates select="@*|node()" />
+        </xsl:copy>
+    </xsl:template>
+
+</xsl:stylesheet>
\ No newline at end of file