keycloak-aplcache

diff --git a/.gitignore b/.gitignore
index 32e898b..bf5d094 100644
--- a/.gitignore
+++ b/.gitignore
@@ -49,3 +49,7 @@ target
 # Maven shade
 #############
 *dependency-reduced-pom.xml
+
+# nodejs #
+##########
+node_modules
\ No newline at end of file

diff --git a/.travis.yml b/.travis.yml
index ec6ed80..d3ea4f1 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,33 +1,27 @@
 language: java
+dist: precise
 
 cache:
-  directories:
-    - $HOME/.m2
-
-before_cache:
-  - rm -rf $HOME/.m2/repository/org/keycloak
+  cache: false
 
 env:
   global:
     - MAVEN_SKIP_RC=true
-    - MAVEN_OPTS="-Xms512m -Xmx2048m"
+    - MAVEN_OPTS="-Xms512m -Xmx1536m"
   matrix:
-    - TESTS=group1
-    - TESTS=group2
-    - TESTS=group3
-    - TESTS=group4
+    - TESTS=unit
+    - TESTS=server-group1
+    - TESTS=server-group2
+    - TESTS=server-group3
+    - TESTS=server-group4
     - TESTS=old
 
 jdk:
   - oraclejdk8
 
-before_script:
-  - export MAVEN_SKIP_RC=true
-
-install: 
-  - travis_wait 60 mvn install --no-snapshot-updates -Pdistribution -DskipTestsuite -B -V -q
+install: true
 
-script:
+script: 
   - ./travis-run-tests.sh $TESTS
 
 sudo: false

diff --git a/adapters/oidc/adapter-core/pom.xml b/adapters/oidc/adapter-core/pom.xml
index c2afe45..a2f5b5b 100755
--- a/adapters/oidc/adapter-core/pom.xml
+++ b/adapters/oidc/adapter-core/pom.xml
@@ -21,7 +21,7 @@
     <parent>
         <artifactId>keycloak-parent</artifactId>
         <groupId>org.keycloak</groupId>
-        <version>3.2.0.CR1-SNAPSHOT</version>
+        <version>3.3.0.CR1-SNAPSHOT</version>
         <relativePath>../../../pom.xml</relativePath>
     </parent>
     <modelVersion>4.0.0</modelVersion>

diff --git a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/KeycloakDeployment.java b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/KeycloakDeployment.java
index 45c4557..d5761bc 100755
--- a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/KeycloakDeployment.java
+++ b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/KeycloakDeployment.java
@@ -91,6 +91,8 @@ public class KeycloakDeployment {
     // https://tools.ietf.org/html/rfc7636
     protected boolean pkce = false;
     protected boolean ignoreOAuthQueryParameter;
+    
+    protected Map<String, String> redirectRewriteRules;
 
     public KeycloakDeployment() {
     }
@@ -446,4 +448,14 @@ public class KeycloakDeployment {
     public boolean isOAuthQueryParameterEnabled() {
         return !this.ignoreOAuthQueryParameter;
     }
+
+    public Map<String, String> getRedirectRewriteRules() {
+        return redirectRewriteRules;
+    }
+
+    public void setRewriteRedirectRules(Map<String, String> redirectRewriteRules) {
+        this.redirectRewriteRules = redirectRewriteRules;
+    }
+    
+    
 }

diff --git a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/KeycloakDeploymentBuilder.java b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/KeycloakDeploymentBuilder.java
index eca6849..7fca1f1 100755
--- a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/KeycloakDeploymentBuilder.java
+++ b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/KeycloakDeploymentBuilder.java
@@ -116,6 +116,7 @@ public class KeycloakDeploymentBuilder {
         deployment.setMinTimeBetweenJwksRequests(adapterConfig.getMinTimeBetweenJwksRequests());
         deployment.setPublicKeyCacheTtl(adapterConfig.getPublicKeyCacheTtl());
         deployment.setIgnoreOAuthQueryParameter(adapterConfig.isIgnoreOAuthQueryParameter());
+        deployment.setRewriteRedirectRules(adapterConfig.getRedirectRewriteRules());
 
         if (realmKeyPem == null && adapterConfig.isBearerOnly() && adapterConfig.getAuthServerUrl() == null) {
             throw new IllegalArgumentException("For bearer auth, you must set the realm-public-key or auth-server-url");

diff --git a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/OAuthRequestAuthenticator.java b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/OAuthRequestAuthenticator.java
index fe8dfdc..ee3f214 100755
--- a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/OAuthRequestAuthenticator.java
+++ b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/OAuthRequestAuthenticator.java
@@ -25,7 +25,6 @@ import org.keycloak.adapters.spi.AuthChallenge;
 import org.keycloak.adapters.spi.AuthOutcome;
 import org.keycloak.adapters.spi.HttpFacade;
 import org.keycloak.common.VerificationException;
-import org.keycloak.common.util.Encode;
 import org.keycloak.common.util.KeycloakUriBuilder;
 import org.keycloak.common.util.UriUtils;
 import org.keycloak.constants.AdapterConstants;
@@ -38,7 +37,10 @@ import org.keycloak.representations.IDToken;
 import org.keycloak.util.TokenUtil;
 
 import java.io.IOException;
-import java.util.concurrent.atomic.AtomicLong;
+import java.net.MalformedURLException;
+import java.net.URL;
+import java.util.Map;
+import java.util.logging.Level;
 
 
 /**
@@ -141,6 +143,7 @@ public class OAuthRequestAuthenticator {
     protected String getRedirectUri(String state) {
         String url = getRequestUrl();
         log.debugf("callback uri: %s", url);
+      
         if (!facade.getRequest().isSecure() && deployment.getSslRequired().isRequired(facade.getRequest().getRemoteAddr())) {
             int port = sslRedirectPort();
             if (port < 0) {
@@ -170,7 +173,7 @@ public class OAuthRequestAuthenticator {
         KeycloakUriBuilder redirectUriBuilder = deployment.getAuthUrl().clone()
                 .queryParam(OAuth2Constants.RESPONSE_TYPE, OAuth2Constants.CODE)
                 .queryParam(OAuth2Constants.CLIENT_ID, deployment.getResourceName())
-                .queryParam(OAuth2Constants.REDIRECT_URI, Encode.encodeQueryParamAsIs(url)) // Need to encode uri ourselves as queryParam() will not encode % characters.
+                .queryParam(OAuth2Constants.REDIRECT_URI, rewrittenRedirectUri(url))
                 .queryParam(OAuth2Constants.STATE, state)
                 .queryParam("login", "true");
         if(loginHint != null && loginHint.length() > 0){
@@ -320,10 +323,11 @@ public class OAuthRequestAuthenticator {
 
         AccessTokenResponse tokenResponse = null;
         strippedOauthParametersRequestUri = stripOauthParametersFromRedirect();
+    
         try {
             // For COOKIE store we don't have httpSessionId and single sign-out won't be available
             String httpSessionId = deployment.getTokenStore() == TokenStore.SESSION ? reqAuthenticator.changeHttpSessionId(true) : null;
-            tokenResponse = ServerRequest.invokeAccessCodeToToken(deployment, code, strippedOauthParametersRequestUri, httpSessionId);
+            tokenResponse = ServerRequest.invokeAccessCodeToToken(deployment, code, rewrittenRedirectUri(strippedOauthParametersRequestUri), httpSessionId);
         } catch (ServerRequest.HttpFailure failure) {
             log.error("failed to turn code into token");
             log.error("status from server: " + failure.getStatus());
@@ -375,6 +379,23 @@ public class OAuthRequestAuthenticator {
                 .replaceQueryParam(OAuth2Constants.STATE, null);
         return builder.build().toString();
     }
-
+    
+    private String rewrittenRedirectUri(String originalUri) {
+        Map<String, String> rewriteRules = deployment.getRedirectRewriteRules();
+            if(rewriteRules != null && !rewriteRules.isEmpty()) {
+            try {
+                URL url = new URL(originalUri);
+                Map.Entry<String, String> rule =  rewriteRules.entrySet().iterator().next();
+                StringBuilder redirectUriBuilder = new StringBuilder(url.getProtocol());
+                redirectUriBuilder.append("://"+ url.getAuthority());
+                redirectUriBuilder.append(url.getPath().replaceFirst(rule.getKey(), rule.getValue()));
+                return redirectUriBuilder.toString();
+            } catch (MalformedURLException ex) {
+                log.error("Not a valid request url");
+                throw new RuntimeException(ex);
+            }
+            }
+        return originalUri;
+    }
 
 }

diff --git a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/RefreshableKeycloakSecurityContext.java b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/RefreshableKeycloakSecurityContext.java
index c70bce1..fa1cefd 100755
--- a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/RefreshableKeycloakSecurityContext.java
+++ b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/RefreshableKeycloakSecurityContext.java
@@ -155,7 +155,9 @@ public class RefreshableKeycloakSecurityContext extends KeycloakSecurityContext 
             this.refreshToken = response.getRefreshToken();
         }
         this.tokenString = tokenString;
-        tokenStore.refreshCallback(this);
+        if (tokenStore != null) {
+            tokenStore.refreshCallback(this);
+        }
         return true;
     }
 

diff --git a/adapters/oidc/adapter-core/src/test/java/org/keycloak/adapters/KeycloakDeploymentBuilderTest.java b/adapters/oidc/adapter-core/src/test/java/org/keycloak/adapters/KeycloakDeploymentBuilderTest.java
index cd191e2..af58b33 100644
--- a/adapters/oidc/adapter-core/src/test/java/org/keycloak/adapters/KeycloakDeploymentBuilderTest.java
+++ b/adapters/oidc/adapter-core/src/test/java/org/keycloak/adapters/KeycloakDeploymentBuilderTest.java
@@ -75,6 +75,7 @@ public class KeycloakDeploymentBuilderTest {
         assertEquals(10, deployment.getTokenMinimumTimeToLive());
         assertEquals(20, deployment.getMinTimeBetweenJwksRequests());
         assertEquals(120, deployment.getPublicKeyCacheTtl());
+        assertEquals("/api/$1", deployment.getRedirectRewriteRules().get("^/wsmaster/api/(.*)$"));
     }
 
     @Test

diff --git a/adapters/oidc/adapter-core/src/test/resources/keycloak.json b/adapters/oidc/adapter-core/src/test/resources/keycloak.json
index 521b8a9..e1b8881 100644
--- a/adapters/oidc/adapter-core/src/test/resources/keycloak.json
+++ b/adapters/oidc/adapter-core/src/test/resources/keycloak.json
@@ -33,5 +33,8 @@
     "token-minimum-time-to-live": 10,
     "min-time-between-jwks-requests": 20,
     "public-key-cache-ttl": 120,
-    "ignore-oauth-query-parameter": true
+    "ignore-oauth-query-parameter": true,
+    "redirect-rewrite-rules" : {
+  	"^/wsmaster/api/(.*)$" : "/api/$1"
+     }
 }
\ No newline at end of file

diff --git a/adapters/oidc/as7-eap6/as7-adapter/pom.xml b/adapters/oidc/as7-eap6/as7-adapter/pom.xml
index ed8c3c2..47e344f 100755
--- a/adapters/oidc/as7-eap6/as7-adapter/pom.xml
+++ b/adapters/oidc/as7-eap6/as7-adapter/pom.xml
@@ -21,7 +21,7 @@
     <parent>
         <artifactId>keycloak-as7-integration-pom</artifactId>
         <groupId>org.keycloak</groupId>
-        <version>3.2.0.CR1-SNAPSHOT</version>
+        <version>3.3.0.CR1-SNAPSHOT</version>
         <relativePath>../pom.xml</relativePath>
     </parent>
     <modelVersion>4.0.0</modelVersion>

diff --git a/adapters/oidc/as7-eap6/as7-adapter-spi/pom.xml b/adapters/oidc/as7-eap6/as7-adapter-spi/pom.xml
index 0ed189d..89faf8b 100755
--- a/adapters/oidc/as7-eap6/as7-adapter-spi/pom.xml
+++ b/adapters/oidc/as7-eap6/as7-adapter-spi/pom.xml
@@ -21,7 +21,7 @@
     <parent>
         <artifactId>keycloak-as7-integration-pom</artifactId>
         <groupId>org.keycloak</groupId>
-        <version>3.2.0.CR1-SNAPSHOT</version>
+        <version>3.3.0.CR1-SNAPSHOT</version>
         <relativePath>../pom.xml</relativePath>
     </parent>
     <modelVersion>4.0.0</modelVersion>

diff --git a/adapters/oidc/as7-eap6/as7-subsystem/pom.xml b/adapters/oidc/as7-eap6/as7-subsystem/pom.xml
index de9b424..5a2d24e 100755
--- a/adapters/oidc/as7-eap6/as7-subsystem/pom.xml
+++ b/adapters/oidc/as7-eap6/as7-subsystem/pom.xml
@@ -21,7 +21,7 @@
     <parent>
         <groupId>org.keycloak</groupId>
         <artifactId>keycloak-as7-integration-pom</artifactId>
-        <version>3.2.0.CR1-SNAPSHOT</version>
+        <version>3.3.0.CR1-SNAPSHOT</version>
         <relativePath>../pom.xml</relativePath>
     </parent>
 

diff --git a/adapters/oidc/as7-eap6/pom.xml b/adapters/oidc/as7-eap6/pom.xml
index 3d3a174..4b5a427 100755
--- a/adapters/oidc/as7-eap6/pom.xml
+++ b/adapters/oidc/as7-eap6/pom.xml
@@ -20,7 +20,7 @@
     <parent>
         <artifactId>keycloak-parent</artifactId>
         <groupId>org.keycloak</groupId>
-        <version>3.2.0.CR1-SNAPSHOT</version>
+        <version>3.3.0.CR1-SNAPSHOT</version>
         <relativePath>../../../pom.xml</relativePath>
     </parent>
     <name>Keycloak AS7 / JBoss EAP 6 Integration</name>

diff --git a/adapters/oidc/cli-sso/login.sh b/adapters/oidc/cli-sso/login.sh
new file mode 100755
index 0000000..ff33a01
--- /dev/null
+++ b/adapters/oidc/cli-sso/login.sh
@@ -0,0 +1,10 @@
+#!/bin/sh
+export KC_AUTH_SERVER=http://localhost:8080/auth
+export KC_REALM=master
+export KC_CLIENT=cli
+
+export KC_ACCESS_TOKEN=`java -DKEYCLOAK_AUTH_SERVER=$KC_AUTH_SERVER -DKEYCLOAK_REALM=$KC_REALM -DKEYCLOAK_CLIENT=$KC_CLIENT -jar target/keycloak-cli-sso-3.3.0.CR1-SNAPSHOT.jar login`
+
+
+
+

diff --git a/adapters/oidc/cli-sso/logout.sh b/adapters/oidc/cli-sso/logout.sh
new file mode 100644
index 0000000..ca99f88
--- /dev/null
+++ b/adapters/oidc/cli-sso/logout.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+java -DKEYCLOAK_AUTH_SERVER=$KC_AUTH_SERVER -DKEYCLOAK_REALM=$KC_REALM -DKEYCLOAK_CLIENT=$KC_CLIENT -jar target/keycloak-cli-sso-3.3.0.CR1-SNAPSHOT.jar logout
+
+unset KC_ACCESS_TOKEN
+
+
+
+

diff --git a/adapters/oidc/cli-sso/pom.xml b/adapters/oidc/cli-sso/pom.xml
new file mode 100755
index 0000000..216c3b7
--- /dev/null
+++ b/adapters/oidc/cli-sso/pom.xml
@@ -0,0 +1,84 @@
+<?xml version="1.0"?>
+<!--
+  ~ Copyright 2016 Red Hat, Inc. and/or its affiliates
+  ~ and other contributors as indicated by the @author tags.
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~ http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+    <parent>
+        <artifactId>keycloak-parent</artifactId>
+        <groupId>org.keycloak</groupId>
+        <version>3.3.0.CR1-SNAPSHOT</version>
+        <relativePath>../../../pom.xml</relativePath>
+    </parent>
+    <modelVersion>4.0.0</modelVersion>
+
+    <artifactId>keycloak-cli-sso</artifactId>
+    <name>Keycloak CLI SSO Framework</name>
+    <description/>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.keycloak</groupId>
+            <artifactId>keycloak-installed-adapter</artifactId>
+        </dependency>
+     </dependencies>
+
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-compiler-plugin</artifactId>
+                <configuration>
+                    <source>${maven.compiler.source}</source>
+                    <target>${maven.compiler.target}</target>
+                </configuration>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-shade-plugin</artifactId>
+                <version>3.0.0</version>
+                <configuration>
+                    <transformers>
+                        <transformer implementation="org.apache.maven.plugins.shade.resource.ManifestResourceTransformer">
+                            <mainClass>org.keycloak.adapters.KeycloakCliSsoMain</mainClass>
+                        </transformer>
+                    </transformers>
+
+                    <filters>
+                        <filter>
+                            <artifact>*:*</artifact>
+                            <excludes>
+                                <exclude>META-INF/*.SF</exclude>
+                                <exclude>META-INF/*.DSA</exclude>
+                                <exclude>META-INF/*.RSA</exclude>
+                            </excludes>
+                        </filter>
+                    </filters>
+                </configuration>
+                <executions>
+                    <execution>
+                        <phase>package</phase>
+                        <goals>
+                            <goal>shade</goal>
+                        </goals>
+                    </execution>
+                </executions>
+            </plugin>
+        </plugins>
+    </build>
+
+</project>

diff --git a/adapters/oidc/cli-sso/README.md b/adapters/oidc/cli-sso/README.md
new file mode 100755
index 0000000..fb0fdbe
--- /dev/null
+++ b/adapters/oidc/cli-sso/README.md
@@ -0,0 +1,9 @@
+CLI Single Sign On
+===================================
+
+This java-based utility is meant for providing Keycloak integration to 
+command line applications that are either written in Java or another language.  The
+idea is that the Java app provided by this utility performs a login for a specific
+client, parses responses, and exports an access token as an environment variable
+that can be used by the command line utility you are accessing.
+

diff --git a/adapters/oidc/cli-sso/src/main/java/org/keycloak/adapters/KeycloakCliSsoMain.java b/adapters/oidc/cli-sso/src/main/java/org/keycloak/adapters/KeycloakCliSsoMain.java
new file mode 100644
index 0000000..3aaeb9b
--- /dev/null
+++ b/adapters/oidc/cli-sso/src/main/java/org/keycloak/adapters/KeycloakCliSsoMain.java
@@ -0,0 +1,45 @@
+/*
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.adapters;
+
+import org.keycloak.adapters.installed.KeycloakCliSso;
+import org.keycloak.adapters.installed.KeycloakInstalled;
+import org.keycloak.common.util.Time;
+import org.keycloak.representations.AccessTokenResponse;
+import org.keycloak.representations.adapters.config.AdapterConfig;
+import org.keycloak.util.JsonSerialization;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.nio.file.Paths;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+/**
+ * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
+ * @version $Revision: 1 $
+ */
+public class KeycloakCliSsoMain extends KeycloakCliSso {
+
+    public static void main(String[] args) throws Exception {
+        new KeycloakCliSsoMain().mainCmd(args);
+    }
+}

diff --git a/adapters/oidc/installed/pom.xml b/adapters/oidc/installed/pom.xml
index b509be4..3c14afa 100755
--- a/adapters/oidc/installed/pom.xml
+++ b/adapters/oidc/installed/pom.xml
@@ -21,7 +21,7 @@
     <parent>
         <artifactId>keycloak-parent</artifactId>
         <groupId>org.keycloak</groupId>
-        <version>3.2.0.CR1-SNAPSHOT</version>
+        <version>3.3.0.CR1-SNAPSHOT</version>
         <relativePath>../../../pom.xml</relativePath>
     </parent>
     <modelVersion>4.0.0</modelVersion>

diff --git a/adapters/oidc/installed/src/main/java/org/keycloak/adapters/installed/KeycloakCliSso.java b/adapters/oidc/installed/src/main/java/org/keycloak/adapters/installed/KeycloakCliSso.java
new file mode 100644
index 0000000..3c1d365
--- /dev/null
+++ b/adapters/oidc/installed/src/main/java/org/keycloak/adapters/installed/KeycloakCliSso.java
@@ -0,0 +1,266 @@
+/*
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.adapters.installed;
+
+import org.keycloak.adapters.KeycloakDeployment;
+import org.keycloak.adapters.KeycloakDeploymentBuilder;
+import org.keycloak.adapters.ServerRequest;
+import org.keycloak.common.util.Time;
+import org.keycloak.representations.AccessTokenResponse;
+import org.keycloak.representations.adapters.config.AdapterConfig;
+import org.keycloak.util.JsonSerialization;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.nio.file.Paths;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+/**
+ *
+ *
+ *
+ * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
+ * @version $Revision: 1 $
+ */
+public class KeycloakCliSso {
+
+    public void mainCmd(String[] args) throws Exception {
+        if (args.length != 1) {
+            printHelp();
+            return;
+        }
+
+        if (args[0].equalsIgnoreCase("login")) {
+            login();
+        } else if (args[0].equalsIgnoreCase("login-manual")) {
+            loginManual();
+        } else if (args[0].equalsIgnoreCase("token")) {
+            token();
+        } else if (args[0].equalsIgnoreCase("logout")) {
+            logout();
+        } else if (args[0].equalsIgnoreCase("env")) {
+            System.out.println(System.getenv().toString());
+        } else {
+            printHelp();
+        }
+    }
+
+
+    public void printHelp() {
+        System.err.println("Commands:");
+        System.err.println("  login - login with desktop browser if available, otherwise do manual login.  Output is access token.");
+        System.err.println("  login-manual - manual login");
+        System.err.println("  token - print access token if logged in");
+        System.err.println("  logout - logout.");
+        System.exit(1);
+    }
+
+    public AdapterConfig getConfig() {
+        String url = System.getProperty("KEYCLOAK_AUTH_SERVER");
+        if (url == null) {
+            System.err.println("KEYCLOAK_AUTH_SERVER property not set");
+            System.exit(1);
+        }
+        String realm = System.getProperty("KEYCLOAK_REALM");
+        if (realm == null) {
+            System.err.println("KEYCLOAK_REALM property not set");
+            System.exit(1);
+
+        }
+        String client = System.getProperty("KEYCLOAK_CLIENT");
+        if (client == null) {
+            System.err.println("KEYCLOAK_CLIENT property not set");
+            System.exit(1);
+        }
+        String secret = System.getProperty("KEYCLOAK_CLIENT_SECRET");
+
+
+
+        AdapterConfig config = new AdapterConfig();
+        config.setAuthServerUrl(url);
+        config.setRealm(realm);
+        config.setResource(client);
+        config.setSslRequired("external");
+        if (secret != null) {
+            Map<String, Object> creds = new HashMap<>();
+            creds.put("secret", secret);
+            config.setCredentials(creds);
+        } else {
+            config.setPublicClient(true);
+        }
+        return config;
+    }
+
+    public boolean checkToken() throws Exception {
+        String token = getTokenResponse();
+        if (token == null) return false;
+
+
+        if (token != null) {
+            Matcher m = Pattern.compile("\\{.*\\}\\z").matcher(token);
+            if (m.find()) {
+                String json = m.group(0);
+                try {
+                    AccessTokenResponse tokenResponse = JsonSerialization.readValue(json, AccessTokenResponse.class);
+                    if (Time.currentTime() < tokenResponse.getExpiresIn()) {
+                        return true;
+                    }
+                    AdapterConfig config = getConfig();
+                    KeycloakInstalled installed = new KeycloakInstalled(KeycloakDeploymentBuilder.build(config));
+                    installed.refreshToken(tokenResponse.getRefreshToken());
+                    processResponse(installed);
+                    return true;
+                } catch (Exception e) {
+                    System.err.println("Error processing existing token");
+                    e.printStackTrace();
+                }
+
+            }
+        }
+        return false;
+
+    }
+
+    private String getTokenResponse() throws IOException {
+        String token = null;
+        File tokenFile = getTokenFilePath();
+        if (tokenFile.exists()) {
+            FileInputStream fis = new FileInputStream(tokenFile);
+            byte[] data = new byte[(int) tokenFile.length()];
+            fis.read(data);
+            fis.close();
+            token = new String(data, "UTF-8");
+        }
+        return token;
+    }
+
+    public void token() throws Exception {
+        String token = getTokenResponse();
+        if (token == null) {
+            System.err.println("There is no token for client");
+            System.exit(1);
+        } else {
+            Matcher m = Pattern.compile("\\{.*\\}\\z").matcher(token);
+            if (m.find()) {
+                String json = m.group(0);
+                try {
+                    AccessTokenResponse tokenResponse = JsonSerialization.readValue(json, AccessTokenResponse.class);
+                    if (Time.currentTime() < tokenResponse.getExpiresIn()) {
+                        System.out.println(tokenResponse.getToken());
+                        return;
+                    } else {
+                        System.err.println("token in response file is expired");
+                        System.exit(1);
+                    }
+                } catch (Exception e) {
+                    System.err.println("Failure processing token response file");
+                    e.printStackTrace();
+                    System.exit(1);
+                }
+            } else {
+                System.err.println("Could not find json within token response file");
+                System.exit(1);
+            }
+        }
+    }
+
+    public void login() throws Exception {
+        if (checkToken()) return;
+        AdapterConfig config = getConfig();
+        KeycloakInstalled installed = new KeycloakInstalled(KeycloakDeploymentBuilder.build(config));
+        installed.login();
+        processResponse(installed);
+    }
+
+    public String getHome() {
+        String home = System.getenv("HOME");
+        if (home == null) {
+            home = System.getProperty("HOME");
+            if (home == null) {
+                home = Paths.get("").toAbsolutePath().normalize().toString();
+            }
+        }
+        return home;
+    }
+
+    public File getTokenDirectory() {
+        return Paths.get(getHome(), System.getProperty("basepath", ".keycloak-sso"), System.getProperty("KEYCLOAK_REALM")).toFile();
+    }
+
+    public File getTokenFilePath() {
+        return Paths.get(getHome(), System.getProperty("basepath", ".keycloak-sso"), System.getProperty("KEYCLOAK_REALM"), System.getProperty("KEYCLOAK_CLIENT") + ".json").toFile();
+    }
+
+    private void processResponse(KeycloakInstalled installed) throws IOException {
+        AccessTokenResponse tokenResponse = installed.getTokenResponse();
+        tokenResponse.setExpiresIn(Time.currentTime() + tokenResponse.getExpiresIn());
+        tokenResponse.setIdToken(null);
+        String output = JsonSerialization.writeValueAsString(tokenResponse);
+        getTokenDirectory().mkdirs();
+        FileOutputStream fos = new FileOutputStream(getTokenFilePath());
+        fos.write(output.getBytes("UTF-8"));
+        fos.flush();
+        fos.close();
+        System.out.println(tokenResponse.getToken());
+    }
+
+    public void loginManual() throws Exception {
+        if (checkToken()) return;
+        AdapterConfig config = getConfig();
+        KeycloakDeployment deployment = KeycloakDeploymentBuilder.build(config);
+        KeycloakInstalled installed = new KeycloakInstalled(deployment);
+        installed.loginManual();
+        processResponse(installed);
+    }
+
+    public void logout() throws Exception {
+        String token = getTokenResponse();
+        if (token != null) {
+            Matcher m = Pattern.compile("\\{.*\\}\\z").matcher(token);
+            if (m.find()) {
+                String json = m.group(0);
+                try {
+                    AccessTokenResponse tokenResponse = JsonSerialization.readValue(json, AccessTokenResponse.class);
+                    if (Time.currentTime() > tokenResponse.getExpiresIn()) {
+                        System.err.println("Login is expired");
+                        System.exit(1);
+                    }
+                    AdapterConfig config = getConfig();
+                    KeycloakDeployment deployment = KeycloakDeploymentBuilder.build(config);
+                    ServerRequest.invokeLogout(deployment, tokenResponse.getRefreshToken());
+                    for (File fp : getTokenDirectory().listFiles()) fp.delete();
+                    System.out.println("logout complete");
+                } catch (Exception e) {
+                    System.err.println("Failure processing token response file");
+                    e.printStackTrace();
+                    System.exit(1);
+                }
+            } else {
+                System.err.println("Could not find json within token response file");
+                System.exit(1);
+            }
+        } else {
+            System.err.println("Not logged in");
+            System.exit(1);
+        }
+    }
+}

diff --git a/adapters/oidc/installed/src/main/java/org/keycloak/adapters/installed/KeycloakInstalled.java b/adapters/oidc/installed/src/main/java/org/keycloak/adapters/installed/KeycloakInstalled.java
index 9834fe2..61ca06e 100644
--- a/adapters/oidc/installed/src/main/java/org/keycloak/adapters/installed/KeycloakInstalled.java
+++ b/adapters/oidc/installed/src/main/java/org/keycloak/adapters/installed/KeycloakInstalled.java
@@ -17,6 +17,7 @@
 
 package org.keycloak.adapters.installed;
 
+import org.apache.commons.codec.Charsets;
 import org.keycloak.OAuth2Constants;
 import org.keycloak.OAuthErrorException;
 import org.keycloak.adapters.KeycloakDeployment;
@@ -24,6 +25,7 @@ import org.keycloak.adapters.KeycloakDeploymentBuilder;
 import org.keycloak.adapters.ServerRequest;
 import org.keycloak.adapters.rotation.AdapterRSATokenVerifier;
 import org.keycloak.common.VerificationException;
+import org.keycloak.common.util.KeycloakUriBuilder;
 import org.keycloak.jose.jws.JWSInput;
 import org.keycloak.jose.jws.JWSInputException;
 import org.keycloak.representations.AccessToken;
@@ -43,6 +45,7 @@ import java.net.ServerSocket;
 import java.net.Socket;
 import java.net.URI;
 import java.net.URISyntaxException;
+import java.util.Locale;
 import java.util.UUID;
 import java.util.concurrent.TimeUnit;
 
@@ -51,6 +54,11 @@ import java.util.concurrent.TimeUnit;
  */
 public class KeycloakInstalled {
 
+    public interface HttpResponseWriter {
+        void success(PrintWriter pw, KeycloakInstalled ki);
+        void failure(PrintWriter pw, KeycloakInstalled ki);
+    }
+
     private static final String KEYCLOAK_JSON = "META-INF/keycloak.json";
 
     private KeycloakDeployment deployment;
@@ -59,12 +67,18 @@ public class KeycloakInstalled {
         LOGGED_MANUAL, LOGGED_DESKTOP
     }
 
+    private AccessTokenResponse tokenResponse;
     private String tokenString;
     private String idTokenString;
     private IDToken idToken;
     private AccessToken token;
     private String refreshToken;
     private Status status;
+    private Locale locale;
+    private HttpResponseWriter loginResponseWriter;
+    private HttpResponseWriter logoutResponseWriter;
+
+
 
     public KeycloakInstalled() {
         InputStream config = Thread.currentThread().getContextClassLoader().getResourceAsStream(KEYCLOAK_JSON);
@@ -75,6 +89,92 @@ public class KeycloakInstalled {
         deployment = KeycloakDeploymentBuilder.build(config);
     }
 
+    public KeycloakInstalled(KeycloakDeployment deployment) {
+        this.deployment = deployment;
+    }
+
+    private static HttpResponseWriter defaultLoginWriter = new HttpResponseWriter() {
+        @Override
+        public void success(PrintWriter pw, KeycloakInstalled ki) {
+            pw.println("HTTP/1.1 200 OK");
+            pw.println("Content-Type: text/html");
+            pw.println();
+            pw.println("<html><h1>Login completed.</h1><div>");
+            pw.println("This browser will remain logged in until you close it, logout, or the session expires.");
+            pw.println("</div></html>");
+            pw.flush();
+
+        }
+
+        @Override
+        public void failure(PrintWriter pw, KeycloakInstalled ki) {
+            pw.println("HTTP/1.1 200 OK");
+            pw.println("Content-Type: text/html");
+            pw.println();
+            pw.println("<html><h1>Login attempt failed.</h1><div>");
+            pw.println("</div></html>");
+            pw.flush();
+
+        }
+    };
+    private static HttpResponseWriter defaultLogoutWriter = new HttpResponseWriter() {
+        @Override
+        public void success(PrintWriter pw, KeycloakInstalled ki) {
+            pw.println("HTTP/1.1 200 OK");
+            pw.println("Content-Type: text/html");
+            pw.println();
+            pw.println("<html><h1>Logout completed.</h1><div>");
+            pw.println("You may close this browser tab.");
+            pw.println("</div></html>");
+            pw.flush();
+
+        }
+
+        @Override
+        public void failure(PrintWriter pw, KeycloakInstalled ki) {
+            pw.println("HTTP/1.1 200 OK");
+            pw.println("Content-Type: text/html");
+            pw.println();
+            pw.println("<html><h1>Logout failed.</h1><div>");
+            pw.println("You may close this browser tab.");
+            pw.println("</div></html>");
+            pw.flush();
+
+        }
+    };
+
+    public HttpResponseWriter getLoginResponseWriter() {
+        if (loginResponseWriter == null) {
+            return defaultLoginWriter;
+        } else {
+            return loginResponseWriter;
+        }
+    }
+
+    public HttpResponseWriter getLogoutResponseWriter() {
+        if (logoutResponseWriter == null) {
+            return defaultLogoutWriter;
+        } else {
+            return logoutResponseWriter;
+        }
+    }
+
+    public void setLoginResponseWriter(HttpResponseWriter loginResponseWriter) {
+        this.loginResponseWriter = loginResponseWriter;
+    }
+
+    public void setLogoutResponseWriter(HttpResponseWriter logoutResponseWriter) {
+        this.logoutResponseWriter = logoutResponseWriter;
+    }
+
+    public Locale getLocale() {
+        return locale;
+    }
+
+    public void setLocale(Locale locale) {
+        this.locale = locale;
+    }
+
     public void login() throws IOException, ServerRequest.HttpFailure, VerificationException, InterruptedException, OAuthErrorException, URISyntaxException {
         if (isDesktopSupported()) {
             loginDesktop();
@@ -108,19 +208,22 @@ public class KeycloakInstalled {
     }
 
     public void loginDesktop() throws IOException, VerificationException, OAuthErrorException, URISyntaxException, ServerRequest.HttpFailure, InterruptedException {
-        CallbackListener callback = new CallbackListener();
+        CallbackListener callback = new CallbackListener(getLoginResponseWriter());
         callback.start();
 
         String redirectUri = "http://localhost:" + callback.server.getLocalPort();
         String state = UUID.randomUUID().toString();
 
-        String authUrl = deployment.getAuthUrl().clone()
+        KeycloakUriBuilder builder = deployment.getAuthUrl().clone()
                 .queryParam(OAuth2Constants.RESPONSE_TYPE, OAuth2Constants.CODE)
                 .queryParam(OAuth2Constants.CLIENT_ID, deployment.getResourceName())
                 .queryParam(OAuth2Constants.REDIRECT_URI, redirectUri)
                 .queryParam(OAuth2Constants.STATE, state)
-                .queryParam(OAuth2Constants.SCOPE, OAuth2Constants.SCOPE_OPENID)
-                .build().toString();
+                .queryParam(OAuth2Constants.SCOPE, OAuth2Constants.SCOPE_OPENID);
+        if (locale != null) {
+            builder.queryParam(OAuth2Constants.UI_LOCALES_PARAM, locale.getLanguage());
+        }
+        String authUrl = builder.build().toString();
 
         Desktop.getDesktop().browse(new URI(authUrl));
 
@@ -144,7 +247,7 @@ public class KeycloakInstalled {
     }
 
     private void logoutDesktop() throws IOException, URISyntaxException, InterruptedException {
-        CallbackListener callback = new CallbackListener();
+        CallbackListener callback = new CallbackListener(getLogoutResponseWriter());
         callback.start();
 
         String redirectUri = "http://localhost:" + callback.server.getLocalPort();
@@ -167,9 +270,6 @@ public class KeycloakInstalled {
     }
 
     public void loginManual(PrintStream printer, Reader reader) throws IOException, ServerRequest.HttpFailure, VerificationException {
-        CallbackListener callback = new CallbackListener();
-        callback.start();
-
         String redirectUri = "urn:ietf:wg:oauth:2.0:oob";
 
         String authUrl = deployment.getAuthUrl().clone()
@@ -208,7 +308,14 @@ public class KeycloakInstalled {
         parseAccessToken(tokenResponse);
     }
 
+    public void refreshToken(String refreshToken)  throws IOException, ServerRequest.HttpFailure, VerificationException {
+        AccessTokenResponse tokenResponse = ServerRequest.invokeRefresh(deployment, refreshToken);
+        parseAccessToken(tokenResponse);
+
+    }
+
     private void parseAccessToken(AccessTokenResponse tokenResponse) throws VerificationException {
+        this.tokenResponse = tokenResponse;
         tokenString = tokenResponse.getToken();
         refreshToken = tokenResponse.getRefreshToken();
         idTokenString = tokenResponse.getIdToken();
@@ -240,6 +347,10 @@ public class KeycloakInstalled {
         return refreshToken;
     }
 
+    public AccessTokenResponse getTokenResponse() {
+        return tokenResponse;
+    }
+
     public boolean isDesktopSupported() {
         return Desktop.isDesktopSupported();
     }
@@ -248,6 +359,8 @@ public class KeycloakInstalled {
         return deployment;
     }
 
+
+
     private void processCode(String code, String redirectUri) throws IOException, ServerRequest.HttpFailure, VerificationException {
         AccessTokenResponse tokenResponse = ServerRequest.invokeAccessCodeToToken(deployment, code, redirectUri, null);
         parseAccessToken(tokenResponse);
@@ -269,6 +382,7 @@ public class KeycloakInstalled {
         return sb.toString();
     }
 
+
     public class CallbackListener extends Thread {
 
         private ServerSocket server;
@@ -283,14 +397,19 @@ public class KeycloakInstalled {
 
         private String state;
 
-        public CallbackListener() throws IOException {
+        private Socket socket;
+
+        private HttpResponseWriter writer;
+
+        public CallbackListener(HttpResponseWriter writer) throws IOException {
+            this.writer = writer;
             server = new ServerSocket(0);
         }
 
         @Override
         public void run() {
             try {
-                Socket socket = server.accept();
+                socket = server.accept();
 
                 BufferedReader br = new BufferedReader(new InputStreamReader(socket.getInputStream()));
                 String request = br.readLine();
@@ -314,10 +433,15 @@ public class KeycloakInstalled {
                     }
                 }
 
-                PrintWriter pw = new PrintWriter(new OutputStreamWriter(socket.getOutputStream()));
-                pw.println("Please close window and return to application");
-                pw.flush();
+                OutputStreamWriter out = new OutputStreamWriter(socket.getOutputStream());
+                PrintWriter pw = new PrintWriter(out);
 
+                if (error == null) {
+                    writer.success(pw, KeycloakInstalled.this);
+                } else {
+                    writer.failure(pw, KeycloakInstalled.this);
+                }
+                pw.flush();
                 socket.close();
             } catch (IOException e) {
                 errorException = e;
@@ -328,6 +452,8 @@ public class KeycloakInstalled {
             } catch (IOException e) {
             }
         }
+
     }
 
+
 }

diff --git a/adapters/oidc/jaxrs-oauth-client/pom.xml b/adapters/oidc/jaxrs-oauth-client/pom.xml
index bcd585f..6f46e7c 100755
--- a/adapters/oidc/jaxrs-oauth-client/pom.xml
+++ b/adapters/oidc/jaxrs-oauth-client/pom.xml
@@ -21,7 +21,7 @@
     <parent>
         <artifactId>keycloak-parent</artifactId>
         <groupId>org.keycloak</groupId>
-        <version>3.2.0.CR1-SNAPSHOT</version>
+        <version>3.3.0.CR1-SNAPSHOT</version>
         <relativePath>../../../pom.xml</relativePath>
     </parent>
     <modelVersion>4.0.0</modelVersion>

diff --git a/adapters/oidc/jetty/jetty8.1/pom.xml b/adapters/oidc/jetty/jetty8.1/pom.xml
index 7a3fa0c..3124755 100755
--- a/adapters/oidc/jetty/jetty8.1/pom.xml
+++ b/adapters/oidc/jetty/jetty8.1/pom.xml
@@ -21,7 +21,7 @@
     <parent>
 		<artifactId>keycloak-parent</artifactId>
 		<groupId>org.keycloak</groupId>
-        <version>3.2.0.CR1-SNAPSHOT</version>
+        <version>3.3.0.CR1-SNAPSHOT</version>
 		<relativePath>../../../../pom.xml</relativePath>
 	</parent>
 	<modelVersion>4.0.0</modelVersion>

diff --git a/adapters/oidc/jetty/jetty9.1/pom.xml b/adapters/oidc/jetty/jetty9.1/pom.xml
index 1c3edd0..c5a4784 100755
--- a/adapters/oidc/jetty/jetty9.1/pom.xml
+++ b/adapters/oidc/jetty/jetty9.1/pom.xml
@@ -21,7 +21,7 @@
     <parent>
 		<artifactId>keycloak-parent</artifactId>
 		<groupId>org.keycloak</groupId>
-        <version>3.2.0.CR1-SNAPSHOT</version>
+        <version>3.3.0.CR1-SNAPSHOT</version>
 		<relativePath>../../../../pom.xml</relativePath>
 	</parent>
 	<modelVersion>4.0.0</modelVersion>

diff --git a/adapters/oidc/jetty/jetty9.2/pom.xml b/adapters/oidc/jetty/jetty9.2/pom.xml
index 6d34e8b..f8b6335 100755
--- a/adapters/oidc/jetty/jetty9.2/pom.xml
+++ b/adapters/oidc/jetty/jetty9.2/pom.xml
@@ -21,7 +21,7 @@
     <parent>
 		<artifactId>keycloak-parent</artifactId>
 		<groupId>org.keycloak</groupId>
-        <version>3.2.0.CR1-SNAPSHOT</version>
+        <version>3.3.0.CR1-SNAPSHOT</version>
 		<relativePath>../../../../pom.xml</relativePath>
 	</parent>
 	<modelVersion>4.0.0</modelVersion>

diff --git a/adapters/oidc/jetty/jetty9.3/pom.xml b/adapters/oidc/jetty/jetty9.3/pom.xml
index 0077b8d..c4cb374 100644
--- a/adapters/oidc/jetty/jetty9.3/pom.xml
+++ b/adapters/oidc/jetty/jetty9.3/pom.xml
@@ -21,7 +21,7 @@
     <parent>
 		<artifactId>keycloak-parent</artifactId>
 		<groupId>org.keycloak</groupId>
-        <version>3.2.0.CR1-SNAPSHOT</version>
+        <version>3.3.0.CR1-SNAPSHOT</version>
 		<relativePath>../../../../pom.xml</relativePath>
 	</parent>
 	<modelVersion>4.0.0</modelVersion>

diff --git a/adapters/oidc/jetty/jetty9.4/pom.xml b/adapters/oidc/jetty/jetty9.4/pom.xml
index 377ddc0..acb36c6 100644
--- a/adapters/oidc/jetty/jetty9.4/pom.xml
+++ b/adapters/oidc/jetty/jetty9.4/pom.xml
@@ -21,7 +21,7 @@
     <parent>
 		<artifactId>keycloak-parent</artifactId>
 		<groupId>org.keycloak</groupId>
-        <version>3.2.0.CR1-SNAPSHOT</version>
+        <version>3.3.0.CR1-SNAPSHOT</version>
 		<relativePath>../../../../pom.xml</relativePath>
 	</parent>
 	<modelVersion>4.0.0</modelVersion>

diff --git a/adapters/oidc/jetty/jetty-core/pom.xml b/adapters/oidc/jetty/jetty-core/pom.xml
index 2f0ad16..3ee1c5e 100755
--- a/adapters/oidc/jetty/jetty-core/pom.xml
+++ b/adapters/oidc/jetty/jetty-core/pom.xml
@@ -21,7 +21,7 @@
     <parent>
 		<artifactId>keycloak-parent</artifactId>
 		<groupId>org.keycloak</groupId>
-        <version>3.2.0.CR1-SNAPSHOT</version>
+        <version>3.3.0.CR1-SNAPSHOT</version>
 		<relativePath>../../../../pom.xml</relativePath>
 	</parent>
 	<modelVersion>4.0.0</modelVersion>

diff --git a/adapters/oidc/jetty/pom.xml b/adapters/oidc/jetty/pom.xml
index ede26fc..5ec0c16 100755
--- a/adapters/oidc/jetty/pom.xml
+++ b/adapters/oidc/jetty/pom.xml
@@ -20,7 +20,7 @@
     <parent>
         <artifactId>keycloak-parent</artifactId>
         <groupId>org.keycloak</groupId>
-        <version>3.2.0.CR1-SNAPSHOT</version>
+        <version>3.3.0.CR1-SNAPSHOT</version>
         <relativePath>../../../pom.xml</relativePath>
     </parent>
     <name>Keycloak Jetty Integration</name>

diff --git a/adapters/oidc/js/pom.xml b/adapters/oidc/js/pom.xml
index 7d939c7..8b4cc67 100755
--- a/adapters/oidc/js/pom.xml
+++ b/adapters/oidc/js/pom.xml
@@ -21,7 +21,7 @@
 	<parent>
 		<artifactId>keycloak-parent</artifactId>
 		<groupId>org.keycloak</groupId>
-		<version>3.2.0.CR1-SNAPSHOT</version>
+		<version>3.3.0.CR1-SNAPSHOT</version>
         <relativePath>../../../pom.xml</relativePath>
 	</parent>
 	<modelVersion>4.0.0</modelVersion>

diff --git a/adapters/oidc/js/src/main/resources/keycloak.js b/adapters/oidc/js/src/main/resources/keycloak.js
index 89b15b8..a784936 100755
--- a/adapters/oidc/js/src/main/resources/keycloak.js
+++ b/adapters/oidc/js/src/main/resources/keycloak.js
@@ -33,6 +33,13 @@
             interval: 5
         };
 
+        var scripts = document.getElementsByTagName('script');
+        for (var i = 0; i < scripts.length; i++) {
+            if ((scripts[i].src.indexOf('keycloak.js') !== -1 || scripts[i].src.indexOf('keycloak.min.js') !== -1) && scripts[i].src.indexOf('version=') !== -1) {
+                kc.iframeVersion = scripts[i].src.substring(scripts[i].src.indexOf('version=') + 8).split('&')[0];
+            }
+        }
+
         kc.init = function (initOptions) {
             kc.authenticated = false;
 
@@ -831,6 +838,10 @@
             }
 
             var src = getRealmUrl() + '/protocol/openid-connect/login-status-iframe.html';
+            if (kc.iframeVersion) {
+                src = src + '?version=' + kc.iframeVersion;
+            }
+
             iframe.setAttribute('src', src );
             iframe.style.display = 'none';
             document.body.appendChild(iframe);

diff --git a/adapters/oidc/js/src/main/resources/login-status-iframe.html b/adapters/oidc/js/src/main/resources/login-status-iframe.html
index b1012f7..f58f76a 100755
--- a/adapters/oidc/js/src/main/resources/login-status-iframe.html
+++ b/adapters/oidc/js/src/main/resources/login-status-iframe.html
@@ -28,7 +28,7 @@
         } else  if (!init) {
             var req = new XMLHttpRequest();
 
-            var url = location.href + "/init";
+            var url = location.href.split("?")[0] + "/init";
             url += "?client_id=" + encodeURIComponent(clientId);
             url += "&origin=" + encodeURIComponent(origin);
 

diff --git a/adapters/oidc/osgi-adapter/pom.xml b/adapters/oidc/osgi-adapter/pom.xml
index 7bb5004..26a90ec 100755
--- a/adapters/oidc/osgi-adapter/pom.xml
+++ b/adapters/oidc/osgi-adapter/pom.xml
@@ -21,7 +21,7 @@
     <parent>
         <artifactId>keycloak-parent</artifactId>
         <groupId>org.keycloak</groupId>
-        <version>3.2.0.CR1-SNAPSHOT</version>
+        <version>3.3.0.CR1-SNAPSHOT</version>
         <relativePath>../../../pom.xml</relativePath>
     </parent>
     <modelVersion>4.0.0</modelVersion>

diff --git a/adapters/oidc/pom.xml b/adapters/oidc/pom.xml
index d68f359..9207401 100755
--- a/adapters/oidc/pom.xml
+++ b/adapters/oidc/pom.xml
@@ -20,7 +20,7 @@
     <parent>
         <artifactId>keycloak-parent</artifactId>
         <groupId>org.keycloak</groupId>
-        <version>3.2.0.CR1-SNAPSHOT</version>
+        <version>3.3.0.CR1-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
     <name>Keycloak OIDC Client Adapter Modules</name>
@@ -34,6 +34,7 @@
         <module>adapter-core</module>
         <module>as7-eap6</module>
         <module>installed</module>
+        <module>cli-sso</module>
         <module>jaxrs-oauth-client</module>
         <module>jetty</module>
         <module>js</module>

diff --git a/adapters/oidc/servlet-filter/pom.xml b/adapters/oidc/servlet-filter/pom.xml
index 053710b..3d81dc7 100755
--- a/adapters/oidc/servlet-filter/pom.xml
+++ b/adapters/oidc/servlet-filter/pom.xml
@@ -21,7 +21,7 @@
     <parent>
         <artifactId>keycloak-parent</artifactId>
         <groupId>org.keycloak</groupId>
-        <version>3.2.0.CR1-SNAPSHOT</version>
+        <version>3.3.0.CR1-SNAPSHOT</version>
         <relativePath>../../../pom.xml</relativePath>
     </parent>
     <modelVersion>4.0.0</modelVersion>

diff --git a/adapters/oidc/servlet-filter/src/main/java/org/keycloak/adapters/servlet/KeycloakOIDCFilter.java b/adapters/oidc/servlet-filter/src/main/java/org/keycloak/adapters/servlet/KeycloakOIDCFilter.java
index 2763ff1..c51b9db 100755
--- a/adapters/oidc/servlet-filter/src/main/java/org/keycloak/adapters/servlet/KeycloakOIDCFilter.java
+++ b/adapters/oidc/servlet-filter/src/main/java/org/keycloak/adapters/servlet/KeycloakOIDCFilter.java
@@ -54,72 +54,96 @@ import java.util.regex.Pattern;
  */
 public class KeycloakOIDCFilter implements Filter {
 
+    private final static Logger log = Logger.getLogger("" + KeycloakOIDCFilter.class);
+
     public static final String SKIP_PATTERN_PARAM = "keycloak.config.skipPattern";
 
+    public static final String CONFIG_RESOLVER_PARAM = "keycloak.config.resolver";
+
+    public static final String CONFIG_FILE_PARAM = "keycloak.config.file";
+
+    public static final String CONFIG_PATH_PARAM = "keycloak.config.path";
+
     protected AdapterDeploymentContext deploymentContext;
+
     protected SessionIdMapper idMapper = new InMemorySessionIdMapper();
+
     protected NodesRegistrationManagement nodesRegistrationManagement;
+
     protected Pattern skipPattern;
 
-    private final static Logger log = Logger.getLogger(""+KeycloakOIDCFilter.class);
+    private final KeycloakConfigResolver definedconfigResolver;
+
+    /**
+     * Constructor that can be used to define a {@code KeycloakConfigResolver} that will be used at initialization to
+     * provide the {@code KeycloakDeployment}.
+     * @param definedconfigResolver the resolver
+     */
+    public KeycloakOIDCFilter(KeycloakConfigResolver definedconfigResolver) {
+        this.definedconfigResolver = definedconfigResolver;
+    }
+
+    public KeycloakOIDCFilter() {
+        this(null);
+    }
 
     @Override
     public void init(final FilterConfig filterConfig) throws ServletException {
-
         String skipPatternDefinition = filterConfig.getInitParameter(SKIP_PATTERN_PARAM);
         if (skipPatternDefinition != null) {
             skipPattern = Pattern.compile(skipPatternDefinition, Pattern.DOTALL);
         }
 
-        String configResolverClass = filterConfig.getInitParameter("keycloak.config.resolver");
-        if (configResolverClass != null) {
-            try {
-                KeycloakConfigResolver configResolver = (KeycloakConfigResolver) getClass().getClassLoader().loadClass(configResolverClass).newInstance();
-                deploymentContext = new AdapterDeploymentContext(configResolver);
-                log.log(Level.INFO, "Using {0} to resolve Keycloak configuration on a per-request basis.", configResolverClass);
-            } catch (Exception ex) {
-                log.log(Level.FINE, "The specified resolver {0} could NOT be loaded. Keycloak is unconfigured and will deny all requests. Reason: {1}", new Object[]{configResolverClass, ex.getMessage()});
-                deploymentContext = new AdapterDeploymentContext(new KeycloakDeployment());
-            }
+        if (definedconfigResolver != null) {
+            deploymentContext = new AdapterDeploymentContext(definedconfigResolver);
+            log.log(Level.INFO, "Using {0} to resolve Keycloak configuration on a per-request basis.", definedconfigResolver.getClass());
         } else {
-            String fp = filterConfig.getInitParameter("keycloak.config.file");
-            InputStream is = null;
-            if (fp != null) {
+            String configResolverClass = filterConfig.getInitParameter(CONFIG_RESOLVER_PARAM);
+            if (configResolverClass != null) {
                 try {
-                    is = new FileInputStream(fp);
-                } catch (FileNotFoundException e) {
-                    throw new RuntimeException(e);
+                    KeycloakConfigResolver configResolver = (KeycloakConfigResolver) getClass().getClassLoader().loadClass(configResolverClass).newInstance();
+                    deploymentContext = new AdapterDeploymentContext(configResolver);
+                    log.log(Level.INFO, "Using {0} to resolve Keycloak configuration on a per-request basis.", configResolverClass);
+                } catch (Exception ex) {
+                    log.log(Level.FINE, "The specified resolver {0} could NOT be loaded. Keycloak is unconfigured and will deny all requests. Reason: {1}", new Object[]{configResolverClass, ex.getMessage()});
+                    deploymentContext = new AdapterDeploymentContext(new KeycloakDeployment());
                 }
             } else {
-                String path = "/WEB-INF/keycloak.json";
-                String pathParam = filterConfig.getInitParameter("keycloak.config.path");
-                if (pathParam != null) path = pathParam;
-                is = filterConfig.getServletContext().getResourceAsStream(path);
+                String fp = filterConfig.getInitParameter(CONFIG_FILE_PARAM);
+                InputStream is = null;
+                if (fp != null) {
+                    try {
+                        is = new FileInputStream(fp);
+                    } catch (FileNotFoundException e) {
+                        throw new RuntimeException(e);
+                    }
+                } else {
+                    String path = "/WEB-INF/keycloak.json";
+                    String pathParam = filterConfig.getInitParameter(CONFIG_PATH_PARAM);
+                    if (pathParam != null) path = pathParam;
+                    is = filterConfig.getServletContext().getResourceAsStream(path);
+                }
+                KeycloakDeployment kd = createKeycloakDeploymentFrom(is);
+                deploymentContext = new AdapterDeploymentContext(kd);
+                log.fine("Keycloak is using a per-deployment configuration.");
             }
-            KeycloakDeployment kd = createKeycloakDeploymentFrom(is);
-            deploymentContext = new AdapterDeploymentContext(kd);
-            log.fine("Keycloak is using a per-deployment configuration.");
         }
         filterConfig.getServletContext().setAttribute(AdapterDeploymentContext.class.getName(), deploymentContext);
         nodesRegistrationManagement = new NodesRegistrationManagement();
     }
 
     private KeycloakDeployment createKeycloakDeploymentFrom(InputStream is) {
-
         if (is == null) {
             log.fine("No adapter configuration. Keycloak is unconfigured and will deny all requests.");
             return new KeycloakDeployment();
         }
-
         return KeycloakDeploymentBuilder.build(is);
     }
 
 
     @Override
     public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
-
         log.fine("Keycloak OIDC Filter");
-        //System.err.println("Keycloak OIDC Filter: " + ((HttpServletRequest)req).getRequestURL().toString());
         HttpServletRequest request = (HttpServletRequest) req;
         HttpServletResponse response = (HttpServletResponse) res;
 
@@ -201,7 +225,7 @@ public class KeycloakOIDCFilter implements Filter {
      *
      * @param request the request to check
      * @return {@code true} if the request should not be handled,
-     *         {@code false} otherwise.
+     * {@code false} otherwise.
      */
     private boolean shouldSkip(HttpServletRequest request) {
 

diff --git a/adapters/oidc/servlet-oauth-client/pom.xml b/adapters/oidc/servlet-oauth-client/pom.xml
index 836186f..bb709f1 100755
--- a/adapters/oidc/servlet-oauth-client/pom.xml
+++ b/adapters/oidc/servlet-oauth-client/pom.xml
@@ -21,7 +21,7 @@
     <parent>
         <artifactId>keycloak-parent</artifactId>
         <groupId>org.keycloak</groupId>
-        <version>3.2.0.CR1-SNAPSHOT</version>
+        <version>3.3.0.CR1-SNAPSHOT</version>
         <relativePath>../../../pom.xml</relativePath>
     </parent>
     <modelVersion>4.0.0</modelVersion>

diff --git a/adapters/oidc/spring-boot/pom.xml b/adapters/oidc/spring-boot/pom.xml
index abd1512..6a720f6 100755
--- a/adapters/oidc/spring-boot/pom.xml
+++ b/adapters/oidc/spring-boot/pom.xml
@@ -21,7 +21,7 @@
   <parent>
     <artifactId>keycloak-parent</artifactId>
     <groupId>org.keycloak</groupId>
-    <version>3.2.0.CR1-SNAPSHOT</version>
+    <version>3.3.0.CR1-SNAPSHOT</version>
     <relativePath>../../../pom.xml</relativePath>
   </parent>
   <modelVersion>4.0.0</modelVersion>

diff --git a/adapters/oidc/spring-boot-container-bundle/pom.xml b/adapters/oidc/spring-boot-container-bundle/pom.xml
index 4f68494..49cab4e 100644
--- a/adapters/oidc/spring-boot-container-bundle/pom.xml
+++ b/adapters/oidc/spring-boot-container-bundle/pom.xml
@@ -4,7 +4,7 @@
     <parent>
       <artifactId>keycloak-parent</artifactId>
       <groupId>org.keycloak</groupId>
-      <version>3.2.0.CR1-SNAPSHOT</version>
+      <version>3.3.0.CR1-SNAPSHOT</version>
       <relativePath>../../../pom.xml</relativePath>
     </parent>
     <artifactId>spring-boot-container-bundle</artifactId>

diff --git a/adapters/oidc/spring-security/pom.xml b/adapters/oidc/spring-security/pom.xml
index d1a975a..b304cd5 100755
--- a/adapters/oidc/spring-security/pom.xml
+++ b/adapters/oidc/spring-security/pom.xml
@@ -21,7 +21,7 @@
     <parent>
         <artifactId>keycloak-parent</artifactId>
         <groupId>org.keycloak</groupId>
-        <version>3.2.0.CR1-SNAPSHOT</version>
+        <version>3.3.0.CR1-SNAPSHOT</version>
         <relativePath>../../../pom.xml</relativePath>
     </parent>
     <modelVersion>4.0.0</modelVersion>

diff --git a/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/facade/SimpleHttpFacade.java b/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/facade/SimpleHttpFacade.java
index cb9ddcd..2c9876e 100755
--- a/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/facade/SimpleHttpFacade.java
+++ b/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/facade/SimpleHttpFacade.java
@@ -19,6 +19,9 @@ package org.keycloak.adapters.springsecurity.facade;
 
 import org.keycloak.KeycloakSecurityContext;
 import org.keycloak.adapters.OIDCHttpFacade;
+import org.keycloak.adapters.spi.KeycloakAccount;
+import org.keycloak.adapters.springsecurity.account.SimpleKeycloakAccount;
+import org.keycloak.adapters.springsecurity.token.KeycloakAuthenticationToken;
 import org.springframework.security.core.context.SecurityContext;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.util.Assert;
@@ -57,7 +60,8 @@ public class SimpleHttpFacade implements OIDCHttpFacade {
         SecurityContext context = SecurityContextHolder.getContext();
 
         if (context != null && context.getAuthentication() != null) {
-            return (KeycloakSecurityContext) context.getAuthentication().getDetails();
+            KeycloakAuthenticationToken authentication = (KeycloakAuthenticationToken) context.getAuthentication();
+            return authentication.getAccount().getKeycloakSecurityContext();
         }
 
         return null;

diff --git a/adapters/oidc/spring-security/src/test/java/org/keycloak/adapters/springsecurity/facade/SimpleHttpFacadeTest.java b/adapters/oidc/spring-security/src/test/java/org/keycloak/adapters/springsecurity/facade/SimpleHttpFacadeTest.java
new file mode 100644
index 0000000..28c6ce8
--- /dev/null
+++ b/adapters/oidc/spring-security/src/test/java/org/keycloak/adapters/springsecurity/facade/SimpleHttpFacadeTest.java
@@ -0,0 +1,41 @@
+package org.keycloak.adapters.springsecurity.facade;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.keycloak.adapters.RefreshableKeycloakSecurityContext;
+import org.keycloak.adapters.spi.KeycloakAccount;
+import org.keycloak.adapters.springsecurity.account.SimpleKeycloakAccount;
+import org.keycloak.adapters.springsecurity.token.KeycloakAuthenticationToken;
+import org.mockito.internal.util.collections.Sets;
+import org.springframework.mock.web.MockHttpServletRequest;
+import org.springframework.mock.web.MockHttpServletResponse;
+import org.springframework.security.core.context.SecurityContext;
+import org.springframework.security.core.context.SecurityContextHolder;
+
+import java.security.Principal;
+import java.util.Set;
+
+import static org.junit.Assert.assertNotNull;
+import static org.mockito.Mockito.mock;
+
+public class SimpleHttpFacadeTest {
+
+    @Before
+    public void setup() {
+        SecurityContext springSecurityContext = SecurityContextHolder.createEmptyContext();
+        SecurityContextHolder.setContext(springSecurityContext);
+        Set<String> roles = Sets.newSet("user");
+        Principal principal = mock(Principal.class);
+        RefreshableKeycloakSecurityContext keycloakSecurityContext = mock(RefreshableKeycloakSecurityContext.class);
+        KeycloakAccount account = new SimpleKeycloakAccount(principal, roles, keycloakSecurityContext);
+        KeycloakAuthenticationToken token = new KeycloakAuthenticationToken(account);
+        springSecurityContext.setAuthentication(token);
+    }
+
+    @Test
+    public void shouldRetrieveKeycloakSecurityContext() {
+        SimpleHttpFacade facade = new SimpleHttpFacade(new MockHttpServletRequest(), new MockHttpServletResponse());
+
+        assertNotNull(facade.getSecurityContext());
+    }
+}

diff --git a/adapters/oidc/tomcat/pom.xml b/adapters/oidc/tomcat/pom.xml
index d691c1d..d733dbd 100755
--- a/adapters/oidc/tomcat/pom.xml
+++ b/adapters/oidc/tomcat/pom.xml
@@ -20,7 +20,7 @@
     <parent>
         <artifactId>keycloak-parent</artifactId>
         <groupId>org.keycloak</groupId>
-        <version>3.2.0.CR1-SNAPSHOT</version>
+        <version>3.3.0.CR1-SNAPSHOT</version>
         <relativePath>../../../pom.xml</relativePath>
     </parent>
     <name>Keycloak Tomcat Integration</name>

diff --git a/adapters/oidc/tomcat/tomcat6/pom.xml b/adapters/oidc/tomcat/tomcat6/pom.xml
index 47972ac..d0b7059 100755
--- a/adapters/oidc/tomcat/tomcat6/pom.xml
+++ b/adapters/oidc/tomcat/tomcat6/pom.xml
@@ -21,7 +21,7 @@
     <parent>
 		<artifactId>keycloak-tomcat-integration-pom</artifactId>
 		<groupId>org.keycloak</groupId>
-		<version>3.2.0.CR1-SNAPSHOT</version>
+		<version>3.3.0.CR1-SNAPSHOT</version>
 		<relativePath>../pom.xml</relativePath>
 	</parent>
 	<modelVersion>4.0.0</modelVersion>

diff --git a/adapters/oidc/tomcat/tomcat7/pom.xml b/adapters/oidc/tomcat/tomcat7/pom.xml
index 01f12ef..d425305 100755
--- a/adapters/oidc/tomcat/tomcat7/pom.xml
+++ b/adapters/oidc/tomcat/tomcat7/pom.xml
@@ -21,7 +21,7 @@
     <parent>
 		<artifactId>keycloak-tomcat-integration-pom</artifactId>
 		<groupId>org.keycloak</groupId>
-		<version>3.2.0.CR1-SNAPSHOT</version>
+		<version>3.3.0.CR1-SNAPSHOT</version>
 		<relativePath>../pom.xml</relativePath>
 	</parent>
 	<modelVersion>4.0.0</modelVersion>

diff --git a/adapters/oidc/tomcat/tomcat8/pom.xml b/adapters/oidc/tomcat/tomcat8/pom.xml
index ef6ea29..8bf8606 100755
--- a/adapters/oidc/tomcat/tomcat8/pom.xml
+++ b/adapters/oidc/tomcat/tomcat8/pom.xml
@@ -21,7 +21,7 @@
     <parent>
 		<artifactId>keycloak-tomcat-integration-pom</artifactId>
 		<groupId>org.keycloak</groupId>
-		<version>3.2.0.CR1-SNAPSHOT</version>
+		<version>3.3.0.CR1-SNAPSHOT</version>
 		<relativePath>../pom.xml</relativePath>
 	</parent>
 	<modelVersion>4.0.0</modelVersion>

diff --git a/adapters/oidc/tomcat/tomcat-core/pom.xml b/adapters/oidc/tomcat/tomcat-core/pom.xml
index 397f622..c47cc4d 100755
--- a/adapters/oidc/tomcat/tomcat-core/pom.xml
+++ b/adapters/oidc/tomcat/tomcat-core/pom.xml
@@ -21,7 +21,7 @@
     <parent>
 		<artifactId>keycloak-tomcat-integration-pom</artifactId>
 		<groupId>org.keycloak</groupId>
-		<version>3.2.0.CR1-SNAPSHOT</version>
+		<version>3.3.0.CR1-SNAPSHOT</version>
 		<relativePath>../pom.xml</relativePath>
 	</parent>
 	<modelVersion>4.0.0</modelVersion>

diff --git a/adapters/oidc/undertow/pom.xml b/adapters/oidc/undertow/pom.xml
index 048e249..ccdc34e 100755
--- a/adapters/oidc/undertow/pom.xml
+++ b/adapters/oidc/undertow/pom.xml
@@ -21,7 +21,7 @@
     <parent>
         <artifactId>keycloak-parent</artifactId>
         <groupId>org.keycloak</groupId>
-        <version>3.2.0.CR1-SNAPSHOT</version>
+        <version>3.3.0.CR1-SNAPSHOT</version>
         <relativePath>../../../pom.xml</relativePath>
     </parent>
     <modelVersion>4.0.0</modelVersion>

diff --git a/adapters/oidc/wildfly/pom.xml b/adapters/oidc/wildfly/pom.xml
index d6a2184..e93be16 100755
--- a/adapters/oidc/wildfly/pom.xml
+++ b/adapters/oidc/wildfly/pom.xml
@@ -20,7 +20,7 @@
     <parent>
         <artifactId>keycloak-parent</artifactId>
         <groupId>org.keycloak</groupId>
-        <version>3.2.0.CR1-SNAPSHOT</version>
+        <version>3.3.0.CR1-SNAPSHOT</version>
         <relativePath>../../../pom.xml</relativePath>
     </parent>
     <name>Keycloak WildFly Integration</name>

diff --git a/adapters/oidc/wildfly/wf8-subsystem/pom.xml b/adapters/oidc/wildfly/wf8-subsystem/pom.xml
index e3e2c34..2afcf14 100755
--- a/adapters/oidc/wildfly/wf8-subsystem/pom.xml
+++ b/adapters/oidc/wildfly/wf8-subsystem/pom.xml
@@ -21,7 +21,7 @@
     <parent>
         <groupId>org.keycloak</groupId>
         <artifactId>keycloak-parent</artifactId>
-        <version>3.2.0.CR1-SNAPSHOT</version>
+        <version>3.3.0.CR1-SNAPSHOT</version>
         <relativePath>../../../../pom.xml</relativePath>
     </parent>
 

diff --git a/adapters/oidc/wildfly/wildfly-adapter/pom.xml b/adapters/oidc/wildfly/wildfly-adapter/pom.xml
index 89d3870..686661d 100644
--- a/adapters/oidc/wildfly/wildfly-adapter/pom.xml
+++ b/adapters/oidc/wildfly/wildfly-adapter/pom.xml
@@ -21,7 +21,7 @@
     <parent>
         <artifactId>keycloak-parent</artifactId>
         <groupId>org.keycloak</groupId>
-        <version>3.2.0.CR1-SNAPSHOT</version>
+        <version>3.3.0.CR1-SNAPSHOT</version>
         <relativePath>../../../../pom.xml</relativePath>
     </parent>
     <modelVersion>4.0.0</modelVersion>

diff --git a/adapters/oidc/wildfly/wildfly-subsystem/pom.xml b/adapters/oidc/wildfly/wildfly-subsystem/pom.xml
index 596f00f..1d8e6cf 100755
--- a/adapters/oidc/wildfly/wildfly-subsystem/pom.xml
+++ b/adapters/oidc/wildfly/wildfly-subsystem/pom.xml
@@ -21,7 +21,7 @@
     <parent>
         <groupId>org.keycloak</groupId>
         <artifactId>keycloak-parent</artifactId>
-        <version>3.2.0.CR1-SNAPSHOT</version>
+        <version>3.3.0.CR1-SNAPSHOT</version>
         <relativePath>../../../../pom.xml</relativePath>
     </parent>
 

diff --git a/adapters/oidc/wildfly/wildfly-subsystem/src/main/java/org/keycloak/subsystem/adapter/extension/KeycloakAdapterConfigService.java b/adapters/oidc/wildfly/wildfly-subsystem/src/main/java/org/keycloak/subsystem/adapter/extension/KeycloakAdapterConfigService.java
index e96a5e5..5a71e61 100755
--- a/adapters/oidc/wildfly/wildfly-subsystem/src/main/java/org/keycloak/subsystem/adapter/extension/KeycloakAdapterConfigService.java
+++ b/adapters/oidc/wildfly/wildfly-subsystem/src/main/java/org/keycloak/subsystem/adapter/extension/KeycloakAdapterConfigService.java
@@ -37,6 +37,8 @@ import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.ADD
 public final class KeycloakAdapterConfigService {
 
     private static final String CREDENTIALS_JSON_NAME = "credentials";
+    
+    private static final String REDIRECT_REWRITE_RULE_JSON_NAME = "redirect-rewrite-rule";
 
     private static final KeycloakAdapterConfigService INSTANCE = new KeycloakAdapterConfigService();
 
@@ -129,6 +131,56 @@ public final class KeycloakAdapterConfigService {
         ModelNode deployment = this.secureDeployments.get(deploymentNameFromOp(operation));
         return deployment.get(CREDENTIALS_JSON_NAME);
     }
+    
+     public void addRedirectRewriteRule(ModelNode operation, ModelNode model) {
+        ModelNode redirectRewritesRules = redirectRewriteRuleFromOp(operation);
+        if (!redirectRewritesRules.isDefined()) {
+            redirectRewritesRules = new ModelNode();
+        }
+
+        String redirectRewriteRuleName = redirectRewriteRule(operation);
+        if (!redirectRewriteRuleName.contains(".")) {
+            redirectRewritesRules.get(redirectRewriteRuleName).set(model.get("value").asString());
+        } else {
+            String[] parts = redirectRewriteRuleName.split("\\.");
+            String provider = parts[0];
+            String property = parts[1];
+            ModelNode redirectRewriteRule = redirectRewritesRules.get(provider);
+            if (!redirectRewriteRule.isDefined()) {
+                redirectRewriteRule = new ModelNode();
+            }
+            redirectRewriteRule.get(property).set(model.get("value").asString());
+            redirectRewritesRules.set(provider, redirectRewriteRule);
+        }
+
+        ModelNode deployment = this.secureDeployments.get(deploymentNameFromOp(operation));
+        deployment.get(REDIRECT_REWRITE_RULE_JSON_NAME).set(redirectRewritesRules);
+    }
+
+    public void removeRedirectRewriteRule(ModelNode operation) {
+        ModelNode redirectRewritesRules = redirectRewriteRuleFromOp(operation);
+        if (!redirectRewritesRules.isDefined()) {
+            throw new RuntimeException("Can not remove redirect rewrite rule.  No rules defined for deployment in op " + operation.toString());
+        }
+
+        String ruleName = credentialNameFromOp(operation);
+        redirectRewritesRules.remove(ruleName);
+    }
+
+    public void updateRedirectRewriteRule(ModelNode operation, String attrName, ModelNode resolvedValue) {
+        ModelNode redirectRewritesRules = redirectRewriteRuleFromOp(operation);
+        if (!redirectRewritesRules.isDefined()) {
+            throw new RuntimeException("Can not update redirect rewrite rule.  No rules defined for deployment in op " + operation.toString());
+        }
+
+        String ruleName = credentialNameFromOp(operation);
+        redirectRewritesRules.get(ruleName).set(resolvedValue);
+    }
+
+    private ModelNode redirectRewriteRuleFromOp(ModelNode operation) {
+        ModelNode deployment = this.secureDeployments.get(deploymentNameFromOp(operation));
+        return deployment.get(REDIRECT_REWRITE_RULE_JSON_NAME);
+    }
 
     private String realmNameFromOp(ModelNode operation) {
         return valueFromOpAddress(RealmDefinition.TAG_NAME, operation);
@@ -141,6 +193,10 @@ public final class KeycloakAdapterConfigService {
     private String credentialNameFromOp(ModelNode operation) {
         return valueFromOpAddress(CredentialDefinition.TAG_NAME, operation);
     }
+    
+    private String redirectRewriteRule(ModelNode operation) {
+        return valueFromOpAddress(RedirecRewritetRuleDefinition.TAG_NAME, operation);
+    }
 
     private String valueFromOpAddress(String addrElement, ModelNode operation) {
         String deploymentName = getValueOfAddrElement(operation.get(ADDRESS), addrElement);

diff --git a/adapters/oidc/wildfly/wildfly-subsystem/src/main/java/org/keycloak/subsystem/adapter/extension/KeycloakExtension.java b/adapters/oidc/wildfly/wildfly-subsystem/src/main/java/org/keycloak/subsystem/adapter/extension/KeycloakExtension.java
index 541454a..d04e72d 100755
--- a/adapters/oidc/wildfly/wildfly-subsystem/src/main/java/org/keycloak/subsystem/adapter/extension/KeycloakExtension.java
+++ b/adapters/oidc/wildfly/wildfly-subsystem/src/main/java/org/keycloak/subsystem/adapter/extension/KeycloakExtension.java
@@ -48,6 +48,7 @@ public class KeycloakExtension implements Extension {
     static final RealmDefinition REALM_DEFINITION = new RealmDefinition();
     static final SecureDeploymentDefinition SECURE_DEPLOYMENT_DEFINITION = new SecureDeploymentDefinition();
     static final CredentialDefinition CREDENTIAL_DEFINITION = new CredentialDefinition();
+     static final RedirecRewritetRuleDefinition REDIRECT_RULE_DEFINITON = new RedirecRewritetRuleDefinition();
 
     public static StandardResourceDescriptionResolver getResourceDescriptionResolver(final String... keyPrefix) {
         StringBuilder prefix = new StringBuilder(SUBSYSTEM_NAME);
@@ -77,6 +78,7 @@ public class KeycloakExtension implements Extension {
         registration.registerSubModel(REALM_DEFINITION);
         ManagementResourceRegistration secureDeploymentRegistration = registration.registerSubModel(SECURE_DEPLOYMENT_DEFINITION);
         secureDeploymentRegistration.registerSubModel(CREDENTIAL_DEFINITION);
+        secureDeploymentRegistration.registerSubModel(REDIRECT_RULE_DEFINITON);
 
         subsystem.registerXMLElementWriter(PARSER);
     }

diff --git a/adapters/oidc/wildfly/wildfly-subsystem/src/main/java/org/keycloak/subsystem/adapter/extension/KeycloakSubsystemParser.java b/adapters/oidc/wildfly/wildfly-subsystem/src/main/java/org/keycloak/subsystem/adapter/extension/KeycloakSubsystemParser.java
index d4ddc02..79555e3 100755
--- a/adapters/oidc/wildfly/wildfly-subsystem/src/main/java/org/keycloak/subsystem/adapter/extension/KeycloakSubsystemParser.java
+++ b/adapters/oidc/wildfly/wildfly-subsystem/src/main/java/org/keycloak/subsystem/adapter/extension/KeycloakSubsystemParser.java
@@ -96,12 +96,17 @@ class KeycloakSubsystemParser implements XMLStreamConstants, XMLElementReader<Li
                 PathElement.pathElement(SecureDeploymentDefinition.TAG_NAME, name));
         addSecureDeployment.get(ModelDescriptionConstants.OP_ADDR).set(addr.toModelNode());
         List<ModelNode> credentialsToAdd = new ArrayList<ModelNode>();
+        List<ModelNode> redirectRulesToAdd = new ArrayList<ModelNode>();
         while (reader.hasNext() && nextTag(reader) != END_ELEMENT) {
             String tagName = reader.getLocalName();
             if (tagName.equals(CredentialDefinition.TAG_NAME)) {
                 readCredential(reader, addr, credentialsToAdd);
                 continue;
             }
+            if (tagName.equals(RedirecRewritetRuleDefinition.TAG_NAME)) {
+                readRewriteRule(reader, addr, redirectRulesToAdd);
+                continue;
+            }
 
             SimpleAttributeDefinition def = SecureDeploymentDefinition.lookup(tagName);
             if (def == null) throw new XMLStreamException("Unknown secure-deployment tag " + tagName);
@@ -111,6 +116,7 @@ class KeycloakSubsystemParser implements XMLStreamConstants, XMLElementReader<Li
         // Must add credentials after the deployment is added.
         resourcesToAdd.add(addSecureDeployment);
         resourcesToAdd.addAll(credentialsToAdd);
+        resourcesToAdd.addAll(redirectRulesToAdd);
     }
 
     public void readCredential(XMLExtendedStreamReader reader, PathAddress parent, List<ModelNode> credentialsToAdd) throws XMLStreamException {
@@ -149,6 +155,43 @@ class KeycloakSubsystemParser implements XMLStreamConstants, XMLElementReader<Li
             }
         }
     }
+    
+       public void readRewriteRule(XMLExtendedStreamReader reader, PathAddress parent, List<ModelNode> rewriteRuleToToAdd) throws XMLStreamException {
+        String name = readNameAttribute(reader);
+
+        Map<String, String> values = new HashMap<>();
+        String textValue = null;
+        while (reader.hasNext()) {
+            int next = reader.next();
+            if (next == CHARACTERS) {
+                // text value of redirect rule element
+                String text = reader.getText();
+                if (text == null || text.trim().isEmpty()) {
+                    continue;
+                }
+                textValue = text;
+            } else if (next == START_ELEMENT) {
+                String key = reader.getLocalName();
+                reader.next();
+                String value = reader.getText();
+                reader.next();
+
+                values.put(key, value);
+            } else if (next == END_ELEMENT) {
+                break;
+            }
+        }
+
+        if (textValue != null) {
+            ModelNode addRedirectRule = getRedirectRuleToAdd(parent, name, textValue);
+            rewriteRuleToToAdd.add(addRedirectRule);
+        } else {
+            for (Map.Entry<String, String> entry : values.entrySet()) {
+                ModelNode addRedirectRule = getRedirectRuleToAdd(parent, name + "." + entry.getKey(), entry.getValue());
+                rewriteRuleToToAdd.add(addRedirectRule);
+            }
+        }
+    }
 
     private ModelNode getCredentialToAdd(PathAddress parent, String name, String value) {
         ModelNode addCredential = new ModelNode();
@@ -158,6 +201,15 @@ class KeycloakSubsystemParser implements XMLStreamConstants, XMLElementReader<Li
         addCredential.get(CredentialDefinition.VALUE.getName()).set(value);
         return addCredential;
     }
+    
+    private ModelNode getRedirectRuleToAdd(PathAddress parent, String name, String value) {
+        ModelNode addRedirectRule = new ModelNode();
+        addRedirectRule.get(ModelDescriptionConstants.OP).set(ModelDescriptionConstants.ADD);
+        PathAddress addr = PathAddress.pathAddress(parent, PathElement.pathElement(RedirecRewritetRuleDefinition.TAG_NAME, name));
+        addRedirectRule.get(ModelDescriptionConstants.OP_ADDR).set(addr.toModelNode());
+        addRedirectRule.get(RedirecRewritetRuleDefinition.VALUE.getName()).set(value);
+        return addRedirectRule;
+    }
 
     // expects that the current tag will have one single attribute called "name"
     private String readNameAttribute(XMLExtendedStreamReader reader) throws XMLStreamException {
@@ -219,6 +271,11 @@ class KeycloakSubsystemParser implements XMLStreamConstants, XMLElementReader<Li
             if (credentials.isDefined()) {
                 writeCredentials(writer, credentials);
             }
+            
+            ModelNode redirectRewriteRule = deploymentElements.get(RedirecRewritetRuleDefinition.TAG_NAME);
+            if (redirectRewriteRule.isDefined()) {
+                writeRedirectRules(writer, redirectRewriteRule);
+            }
 
             writer.writeEndElement();
         }
@@ -265,6 +322,34 @@ class KeycloakSubsystemParser implements XMLStreamConstants, XMLElementReader<Li
             writer.writeEndElement();
         }
     }
+    
+      private void writeRedirectRules(XMLExtendedStreamWriter writer, ModelNode redirectRules) throws XMLStreamException {
+        Map<String, Object> parsed = new LinkedHashMap<>();
+        for (Property redirectRule : redirectRules.asPropertyList()) {
+            String ruleName = redirectRule.getName();
+            String ruleValue = redirectRule.getValue().get(RedirecRewritetRuleDefinition.VALUE.getName()).asString();
+            parsed.put(ruleName, ruleValue);
+        }
+
+        for (Map.Entry<String, Object> entry : parsed.entrySet()) {
+            writer.writeStartElement(RedirecRewritetRuleDefinition.TAG_NAME);
+            writer.writeAttribute("name", entry.getKey());
+
+            Object value = entry.getValue();
+            if (value instanceof String) {
+                writeCharacters(writer, (String) value);
+            } else {
+                Map<String, String> redirectRulesProps = (Map<String, String>) value;
+                for (Map.Entry<String, String> prop : redirectRulesProps.entrySet()) {
+                    writer.writeStartElement(prop.getKey());
+                    writeCharacters(writer, prop.getValue());
+                    writer.writeEndElement();
+                }
+            }
+
+            writer.writeEndElement();
+        }
+    }
 
     // code taken from org.jboss.as.controller.AttributeMarshaller
     private void writeCharacters(XMLExtendedStreamWriter writer, String content) throws XMLStreamException {

diff --git a/adapters/oidc/wildfly/wildfly-subsystem/src/main/java/org/keycloak/subsystem/adapter/extension/RedirecRewritetRuleDefinition.java b/adapters/oidc/wildfly/wildfly-subsystem/src/main/java/org/keycloak/subsystem/adapter/extension/RedirecRewritetRuleDefinition.java
new file mode 100644
index 0000000..a9095c7
--- /dev/null
+++ b/adapters/oidc/wildfly/wildfly-subsystem/src/main/java/org/keycloak/subsystem/adapter/extension/RedirecRewritetRuleDefinition.java
@@ -0,0 +1,61 @@
+/*
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.subsystem.adapter.extension;
+
+import org.jboss.as.controller.AttributeDefinition;
+import org.jboss.as.controller.PathElement;
+import org.jboss.as.controller.SimpleAttributeDefinitionBuilder;
+import org.jboss.as.controller.SimpleResourceDefinition;
+import org.jboss.as.controller.operations.common.GenericSubsystemDescribeHandler;
+import org.jboss.as.controller.operations.validation.StringLengthValidator;
+import org.jboss.as.controller.registry.ManagementResourceRegistration;
+import org.jboss.dmr.ModelType;
+
+/**
+ *
+ * @author sblanc
+ */
+public class RedirecRewritetRuleDefinition extends SimpleResourceDefinition {
+
+    public static final String TAG_NAME = "redirect-rewrite-rule";
+
+    protected static final AttributeDefinition VALUE =
+            new SimpleAttributeDefinitionBuilder("value", ModelType.STRING, false)
+            .setAllowExpression(true)
+            .setValidator(new StringLengthValidator(1, Integer.MAX_VALUE, false, true))
+            .build();
+
+    public RedirecRewritetRuleDefinition() {
+        super(PathElement.pathElement(TAG_NAME),
+                KeycloakExtension.getResourceDescriptionResolver(TAG_NAME),
+                new RedirectRewriteRuleAddHandler(VALUE),
+                RedirectRewriteRuleRemoveHandler.INSTANCE);
+    }
+
+    @Override
+    public void registerOperations(ManagementResourceRegistration resourceRegistration) {
+        super.registerOperations(resourceRegistration);
+        resourceRegistration.registerOperationHandler(GenericSubsystemDescribeHandler.DEFINITION, GenericSubsystemDescribeHandler.INSTANCE);
+    }
+
+    @Override
+    public void registerAttributes(ManagementResourceRegistration resourceRegistration) {
+        super.registerAttributes(resourceRegistration);
+        resourceRegistration.registerReadWriteAttribute(VALUE, null, new RedirectRewriteRuleReadWriteAttributeHandler());
+    }
+}

diff --git a/adapters/oidc/wildfly/wildfly-subsystem/src/main/java/org/keycloak/subsystem/adapter/extension/RedirectRewriteRuleAddHandler.java b/adapters/oidc/wildfly/wildfly-subsystem/src/main/java/org/keycloak/subsystem/adapter/extension/RedirectRewriteRuleAddHandler.java
new file mode 100644
index 0000000..2fc25f7
--- /dev/null
+++ b/adapters/oidc/wildfly/wildfly-subsystem/src/main/java/org/keycloak/subsystem/adapter/extension/RedirectRewriteRuleAddHandler.java
@@ -0,0 +1,38 @@
+/*
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.subsystem.adapter.extension;
+
+import org.jboss.as.controller.AbstractAddStepHandler;
+import org.jboss.as.controller.AttributeDefinition;
+import org.jboss.as.controller.OperationContext;
+import org.jboss.as.controller.OperationFailedException;
+import org.jboss.dmr.ModelNode;
+
+public class RedirectRewriteRuleAddHandler extends AbstractAddStepHandler {
+
+    public RedirectRewriteRuleAddHandler(AttributeDefinition... attributes) {
+        super(attributes);
+    }
+
+    @Override
+    protected void performRuntime(OperationContext context, ModelNode operation, ModelNode model) throws OperationFailedException {
+        KeycloakAdapterConfigService ckService = KeycloakAdapterConfigService.getInstance();
+        ckService.addRedirectRewriteRule(operation, context.resolveExpressions(model));
+    }
+
+}

diff --git a/adapters/oidc/wildfly/wildfly-subsystem/src/main/java/org/keycloak/subsystem/adapter/extension/RedirectRewriteRuleReadWriteAttributeHandler.java b/adapters/oidc/wildfly/wildfly-subsystem/src/main/java/org/keycloak/subsystem/adapter/extension/RedirectRewriteRuleReadWriteAttributeHandler.java
new file mode 100644
index 0000000..171e755
--- /dev/null
+++ b/adapters/oidc/wildfly/wildfly-subsystem/src/main/java/org/keycloak/subsystem/adapter/extension/RedirectRewriteRuleReadWriteAttributeHandler.java
@@ -0,0 +1,44 @@
+/*
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.subsystem.adapter.extension;
+
+import org.jboss.as.controller.AbstractWriteAttributeHandler;
+import org.jboss.as.controller.OperationContext;
+import org.jboss.as.controller.OperationFailedException;
+import org.jboss.dmr.ModelNode;
+
+public class RedirectRewriteRuleReadWriteAttributeHandler extends AbstractWriteAttributeHandler<KeycloakAdapterConfigService> {
+
+    @Override
+    protected boolean applyUpdateToRuntime(OperationContext context, ModelNode operation, String attributeName,
+                                           ModelNode resolvedValue, ModelNode currentValue, AbstractWriteAttributeHandler.HandbackHolder<KeycloakAdapterConfigService> hh) throws OperationFailedException {
+
+        KeycloakAdapterConfigService ckService = KeycloakAdapterConfigService.getInstance();
+        ckService.updateRedirectRewriteRule(operation, attributeName, resolvedValue);
+
+        hh.setHandback(ckService);
+
+        return false;
+    }
+
+    @Override
+    protected void revertUpdateToRuntime(OperationContext context, ModelNode operation, String attributeName,
+                                         ModelNode valueToRestore, ModelNode valueToRevert, KeycloakAdapterConfigService ckService) throws OperationFailedException {
+        ckService.updateRedirectRewriteRule(operation, attributeName, valueToRestore);
+    }
+
+}

diff --git a/adapters/oidc/wildfly/wildfly-subsystem/src/main/java/org/keycloak/subsystem/adapter/extension/RedirectRewriteRuleRemoveHandler.java b/adapters/oidc/wildfly/wildfly-subsystem/src/main/java/org/keycloak/subsystem/adapter/extension/RedirectRewriteRuleRemoveHandler.java
new file mode 100644
index 0000000..de17c96
--- /dev/null
+++ b/adapters/oidc/wildfly/wildfly-subsystem/src/main/java/org/keycloak/subsystem/adapter/extension/RedirectRewriteRuleRemoveHandler.java
@@ -0,0 +1,36 @@
+/*
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.subsystem.adapter.extension;
+
+import org.jboss.as.controller.AbstractRemoveStepHandler;
+import org.jboss.as.controller.OperationContext;
+import org.jboss.as.controller.OperationFailedException;
+import org.jboss.dmr.ModelNode;
+
+public class RedirectRewriteRuleRemoveHandler extends AbstractRemoveStepHandler {
+
+    public static RedirectRewriteRuleRemoveHandler INSTANCE = new RedirectRewriteRuleRemoveHandler();
+
+    private RedirectRewriteRuleRemoveHandler() {}
+
+    @Override
+    protected void performRuntime(OperationContext context, ModelNode operation, ModelNode model) throws OperationFailedException {
+        KeycloakAdapterConfigService ckService = KeycloakAdapterConfigService.getInstance();
+        ckService.removeRedirectRewriteRule(operation);
+    }
+
+}