diff --git a/oidc-webapp/README.adoc b/oidc-webapp/README.adoc
new file mode 100644
index 0000000000..a6761f26c9
--- /dev/null
+++ b/oidc-webapp/README.adoc
@@ -0,0 +1,70 @@
+include::../shared-doc/attributes.adoc[]
+
+= oidc-webapp: Securing an application deployed to WildFly with OpenID Connect (OIDC)
+:toc: left
+:icons: font
+:idprefix:
+:idseparator: -
+:level: Beginner
+:technologies: OIDC
+:openshift: false
+
+[abstract]
+The `oidc-webapp` quickstart demonstrates a simple application, bundled and deployed as a WAR, secured with OpenID Connect (OIDC).
+
+:standalone-server-type: custom
+:serverArguments: -Djboss.socket.binding.port-offset=10
+:archiveType: war
+:mavenDeployArgs: wildfly:deploy -Dwildfly.port=10000
+
+== What is it?
+
+The `oidc-webapp` quickstart demonstrates how to secure an application deployed to {productNameFull} with OpenID Connect
+(OIDC) without needing to use the Keycloak client adapter.
+
+The OIDC configuration in this example is part of the deployment itself. Alternatively,
+this configuration could be specified via the `elytron-oidc-client` subsystem instead.
+For more details, take a look at the https://docs.wildfly.org/28/Admin_Guide.html#Elytron_OIDC_Client[documentation].
+
+// System Requirements
+include::../shared-doc/system-requirements.adoc[leveloffset=+1]
+// Use of {jbossHomeName}
+include::../shared-doc/use-of-jboss-home-name.adoc[leveloffset=+1]
+
+== Set up your Keycloak OpenID provider
+
+Follow the steps in this https://www.keycloak.org/getting-started/getting-started-docker[getting started guide] to
+start Keycloak, create a realm called `myrealm`, create a user called `myuser`, and register a client called `myclient`.
+
+After registering our client, `myclient`, we also need to configure valid redirect URIs. Simply click
+on `Clients` and then on `myclient`. In the `Valid Redirect URIs` field, enter http://localhost:8090/oidc-webapp/*.
+
+// build and run with standard server distribution
+[[build_and_run_the_quickstart_with_server_dist]]
+== Building and running the quickstart application with a {productName} server distribution
+
+First, we're going to start our WildFly instance (notice that we're specifying a port offset here
+since our Keycloak instance is already exposed on port 8080).
+
+// Start the {productName} Standalone Server
+include::../shared-doc/start-the-standalone-server.adoc[leveloffset=+2]
+// Build and Deploy the Quickstart
+include::../shared-doc/build-and-deploy-the-quickstart.adoc[leveloffset=+2]
+
+## Access the app
+
+We can access our application using `http://localhost:8090/oidc-webapp/`.
+
+Click on "Access Secured Servlet".
+
+Now, you'll be redirected to Keycloak to log in. Log in with `myuser` and the password that you
+set when configuring Keycloak.
+
+Next, you'll be redirected back to our application and you should see the "Secured Servlet" page.
+
+We were able to successfully log in to our application via the Keycloak OpenID provider!
+
+// Build and run sections for other environments/builds
+ifndef::ProductRelease,EAPXPRelease[]
+include::../shared-doc/build-and-run-the-quickstart-with-provisioned-server.adoc[leveloffset=+1]
+endif::[]
diff --git a/oidc-webapp/pom.xml b/oidc-webapp/pom.xml
new file mode 100644
index 0000000000..8016910e99
--- /dev/null
+++ b/oidc-webapp/pom.xml
@@ -0,0 +1,171 @@ + + + + 4.0.0 + + org.wildfly.quickstarts + wildfly-quickstart-parent + + 3 + + + oidc-webapp + 29.0.0.Alpha1-SNAPSHOT + war + Quickstart: OIDC Webapp + This quickstart demonstrates how to secure an application with OpenID Connect (OIDC) without needing to use the Keycloak client adapter + + + + Apache License, Version 2.0 + http://www.apache.org/licenses/LICENSE-2.0.html + repo + + + + + + 28.0.0.Final + 28.0.0.Final + 4.1.0.Final + 3.0.0.Final + + + + + jboss-public-maven-repository + JBoss Public Maven Repository + https://repository.jboss.org/nexus/content/groups/public/ + + true + never + + + true + never + + default + + + redhat-ga-maven-repository + Red Hat GA Maven Repository + https://maven.repository.redhat.com/ga/ + + true + never + + + true + never + + default + + + + + jboss-public-maven-repository + JBoss Public Maven Repository + https://repository.jboss.org/nexus/content/groups/public/ + + true + + + true + + + + redhat-ga-maven-repository + Red Hat GA Maven Repository + https://maven.repository.redhat.com/ga/ + + true + + + true + + + + + + + + + org.wildfly.bom + wildfly-ee-with-tools + ${version.server.bom} + pom + import + + + + + + + + jakarta.servlet + jakarta.servlet-api + provided + + + + + + provisioned-server + + + org.wildfly.arquillian + wildfly-arquillian-container-managed + test + + + + + + org.wildfly.plugins + wildfly-maven-plugin + ${version.wildfly.maven.plugin} + + + + org.wildfly:wildfly-galleon-pack:${version.server} + + + + cloud-server + elytron-oidc-client + + + + + + package + + + + + + + + + + diff --git a/oidc-webapp/src/main/java/org/wildfly/quickstarts/oidc/simplewebapp/SecuredServlet.java b/oidc-webapp/src/main/java/org/wildfly/quickstarts/oidc/simplewebapp/SecuredServlet.java new file mode 100644 index 0000000000..83f7a32883 --- /dev/null +++ b/oidc-webapp/src/main/java/org/wildfly/quickstarts/oidc/simplewebapp/SecuredServlet.java 
@@ -0,0 +1,56 @@ +/* + * JBoss, Home of Professional Open Source. + * Copyright 2017 Red Hat, Inc., and individual contributors + * as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.wildfly.quickstarts.oidc.simplewebapp; + +import java.io.IOException; +import java.io.PrintWriter; +import java.security.Principal; + +import jakarta.servlet.ServletException; +import jakarta.servlet.annotation.WebServlet; +import jakarta.servlet.http.HttpServlet; +import jakarta.servlet.http.HttpServletRequest; +import jakarta.servlet.http.HttpServletResponse; + +/** + * A simple secured HTTP servlet. + * + * @author Darran Lofthouse + */ +@WebServlet("/secured") +public class SecuredServlet extends HttpServlet { + + @Override + protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { + try (PrintWriter writer = resp.getWriter()) { + writer.println(""); + writer.println(" Secured Servlet"); + writer.println(" "); + writer.println("

Secured Servlet

"); + writer.println("

"); + writer.print(" Current Principal '"); + Principal user = req.getUserPrincipal(); + writer.print(user != null ? user.getName() : "NO AUTHENTICATED USER"); + writer.print("'"); + writer.println("

"); + writer.println(" "); + writer.println(""); + } + } + +} diff --git a/oidc-webapp/src/main/webapp/WEB-INF/oidc.json b/oidc-webapp/src/main/webapp/WEB-INF/oidc.json new file mode 100644 index 0000000000..8b396a2f5b --- /dev/null +++ b/oidc-webapp/src/main/webapp/WEB-INF/oidc.json @@ -0,0 +1,8 @@ +{ + "client-id" : "myclient", + "provider-url" : "${env.OIDC_PROVIDER_URL:http://localhost:8080}/realms/myrealm", + "public-client" : "true", + "principal-attribute" : "preferred_username", + "ssl-required" : "EXTERNAL" +} + diff --git a/oidc-webapp/src/main/webapp/WEB-INF/web.xml b/oidc-webapp/src/main/webapp/WEB-INF/web.xml new file mode 100644 index 0000000000..9c341e66e8 --- /dev/null +++ b/oidc-webapp/src/main/webapp/WEB-INF/web.xml @@ -0,0 +1,25 @@ + + + + + + + secured + /secured + + + * + + + + + OIDC + + + + * + + diff --git a/oidc-webapp/src/main/webapp/index.html b/oidc-webapp/src/main/webapp/index.html new file mode 100644 index 0000000000..0331adb6eb --- /dev/null +++ b/oidc-webapp/src/main/webapp/index.html @@ -0,0 +1,6 @@ + + +

Hello World!

+ Access Secured Servlet + + diff --git a/pom.xml b/pom.xml index 114f040c74..4afc9b0490 100644 --- a/pom.xml +++ b/pom.xml @@ -339,6 +339,7 @@ microprofile-reactive-messaging-kafka microprofile-rest-client numberguess + oidc-webapp remote-helloworld-mdb security-domain-to-domain servlet-async diff --git a/shared-doc/build-and-deploy-the-quickstart.adoc b/shared-doc/build-and-deploy-the-quickstart.adoc index 79cbb257f2..727fff14f5 100644 --- a/shared-doc/build-and-deploy-the-quickstart.adoc +++ b/shared-doc/build-and-deploy-the-quickstart.adoc @@ -20,6 +20,10 @@ // * To override the Maven command, define the `mavenCommand` variable, // for example: // :mavenCommand: clean install wildfly:deploy +// +// * To override the Maven deploy command arguments, define the `mavenDeployArgs` variable, +// for example: +// :mavenDeployArgs: wildfly:deploy -Dwildfly.port=10000 //****************************************************************************** // The archive name defaults to the artifactId if not overridden @@ -84,11 +88,15 @@ endif::reactive-messaging[] $ mvn {mavenCommand} ---- +ifndef::mavenDeployArgs[] +:mavenDeployArgs: wildfly:deploy +endif::mavenDeployArgs[] + . Type the following command to deploy the quickstart. + [source,subs="attributes+",options="nowrap"] ---- -$ mvn wildfly:deploy +$ mvn {mavenDeployArgs} ---- ifdef::rest-client-qs[]