diff --git a/elytron-oidc-client/src/main/java/org/wildfly/extension/elytron/oidc/OidcActivationProcessor.java b/elytron-oidc-client/src/main/java/org/wildfly/extension/elytron/oidc/OidcActivationProcessor.java index cc3fefcbad5a..9e1aa31f0a7c 100644 --- a/elytron-oidc-client/src/main/java/org/wildfly/extension/elytron/oidc/OidcActivationProcessor.java +++ b/elytron-oidc-client/src/main/java/org/wildfly/extension/elytron/oidc/OidcActivationProcessor.java @@ -37,7 +37,7 @@ */ class OidcActivationProcessor implements DeploymentUnitProcessor { - private static final String OIDC_AUTH_METHOD = "OIDC"; + public static final String OIDC_AUTH_METHOD = "OIDC"; @Override public void deploy(DeploymentPhaseContext phaseContext) throws DeploymentUnitProcessingException { diff --git a/elytron-oidc-client/src/main/java/org/wildfly/extension/elytron/oidc/VirtualHttpServerMechanismFactoryNameProcessor.java b/elytron-oidc-client/src/main/java/org/wildfly/extension/elytron/oidc/VirtualHttpServerMechanismFactoryNameProcessor.java index acd34829eb3c..9b0cf7570d11 100644 --- a/elytron-oidc-client/src/main/java/org/wildfly/extension/elytron/oidc/VirtualHttpServerMechanismFactoryNameProcessor.java +++ b/elytron-oidc-client/src/main/java/org/wildfly/extension/elytron/oidc/VirtualHttpServerMechanismFactoryNameProcessor.java @@ -18,6 +18,7 @@ import org.jboss.as.server.security.AdvancedSecurityMetaData; import org.jboss.as.server.security.SecurityMetaData; import org.jboss.as.web.common.WarMetaData; +import org.jboss.metadata.web.spec.LoginConfigMetaData; import org.jboss.msc.service.ServiceName; /** 
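Review bot: `OIDC_AUTH_METHOD` is widened to `public`, but the enclosing class is still package-private (`class OidcActivationProcessor`), so the modifier only signals intent within the package; since the constant is now the value VirtualHttpServerMechanismFactoryNameProcessor keys on, it deserves a Javadoc line such as `/** web.xml {@code <auth-method>} value that marks a deployment as OIDC-secured; other processors in this package compare against it. */`. If the two processors are meant to agree on case (e.g. `oidc` in a hand-written web.xml), it is worth stating in that comment whether the comparison is case-sensitive. deploy() continues outside the hunk.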
@@ -35,8 +36,12 @@ public void deploy(DeploymentPhaseContext phaseContext) throws DeploymentUnitPro if (warMetaData == null) { return; } + + LoginConfigMetaData loginConfig = warMetaData.getMergedJBossWebMetaData().getLoginConfig(); SecurityMetaData securityMetaData = deploymentUnit.getAttachment(ATTACHMENT_KEY); - if (securityMetaData != null && isVirtualMechanismFactoryRequired(deploymentUnit)) { + if (securityMetaData != null + && (loginConfig != null && OidcActivationProcessor.OIDC_AUTH_METHOD.equals(loginConfig.getAuthMethod())) + && isVirtualMechanismFactoryRequired(deploymentUnit)) { AdvancedSecurityMetaData advancedSecurityMetaData = new AdvancedSecurityMetaData(); advancedSecurityMetaData.setHttpServerAuthenticationMechanismFactory(virtualMechanismFactoryName(deploymentUnit)); ServiceName virtualDomainName = virtualDomainName(deploymentUnit); diff --git a/testsuite/integration/elytron-oidc-client/src/test/java/org/wildfly/test/integration/elytron/oidc/client/OidcBaseTest.java b/testsuite/integration/elytron-oidc-client/src/test/java/org/wildfly/test/integration/elytron/oidc/client/OidcBaseTest.java index d98885ec98db..d30a349dd830 100644 --- a/testsuite/integration/elytron-oidc-client/src/test/java/org/wildfly/test/integration/elytron/oidc/client/OidcBaseTest.java +++ b/testsuite/integration/elytron-oidc-client/src/test/java/org/wildfly/test/integration/elytron/oidc/client/OidcBaseTest.java 
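Review bot: `warMetaData.getMergedJBossWebMetaData()` is dereferenced with no null check while the `loginConfig` it yields does get one, and the lookup now runs even when `securityMetaData` is null and the result is never used; guarding it the same way, e.g. `JBossWebMetaData merged = warMetaData.getMergedJBossWebMetaData();` followed by `LoginConfigMetaData loginConfig = merged == null ? null : merged.getLoginConfig();` (with the matching import), keeps the two checks symmetric. The new condition also silently withholds the virtual mechanism factory from any deployment whose merged login-config is not `OIDC`; if subsystem-configured secure-deployments rely on OidcActivationProcessor rewriting the auth-method earlier in the chain, that assumption should be recorded, e.g. `// Only a deployment whose login-config is OIDC gets the virtual mechanism factory; a sibling WAR in the same EAR (e.g. FORM) keeps its own security domain`. deploy() starts and ends outside the hunk.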
@@ -18,16 +18,19 @@ import static org.wildfly.security.http.oidc.Oidc.AuthenticationRequestFormat.OAUTH2; import static org.wildfly.test.integration.elytron.oidc.client.KeycloakConfiguration.ALLOWED_ORIGIN; +import java.io.File; import java.io.IOException; import java.net.HttpURLConnection; import java.net.URI; import java.net.URL; import java.nio.charset.StandardCharsets; +import java.util.ArrayList; import java.util.LinkedList; import java.util.List; import org.apache.http.Header; import org.apache.http.HttpResponse; +import static org.apache.http.HttpStatus.SC_OK; import org.apache.http.NameValuePair; import org.apache.http.client.CookieStore; import org.apache.http.client.HttpClient; @@ -43,6 +46,7 @@ import org.apache.http.message.BasicNameValuePair; import org.apache.http.protocol.BasicHttpContext; import org.apache.http.protocol.HttpContext; +import org.apache.http.util.EntityUtils; import org.jboss.arquillian.container.test.api.OperateOnDeployment; import org.jboss.as.arquillian.api.ServerSetupTask; import org.jboss.as.arquillian.container.ManagementClient; @@ -52,6 +56,7 @@ import org.jboss.as.test.integration.management.ManagementOperations; import org.jboss.as.test.integration.security.common.servlets.SimpleSecuredServlet; import org.jboss.as.test.integration.security.common.servlets.SimpleServlet; +import org.jboss.as.test.shared.ManagementServerSetupTask; import org.jboss.as.test.shared.TestSuiteEnvironment; import org.jboss.as.test.shared.util.AssumeTestGroupUtil; import org.jboss.as.version.Stability; @@ -64,6 +69,7 @@ import org.keycloak.representations.idm.RealmRepresentation; import org.wildfly.common.iteration.CodePointIterator; import org.wildfly.security.jose.util.JsonSerialization; +import org.wildfly.test.integration.elytron.oidc.client.deployment.OidcWithDeploymentConfigTest; import org.wildfly.test.integration.elytron.oidc.client.subsystem.SimpleServletWithScope; import io.restassured.RestAssured; 
@@ -87,6 +93,8 @@ public abstract class OidcBaseTest { public static final String AUTH_SERVER_URL_APP = "AuthServerUrlOidcApp"; public static final String WRONG_PROVIDER_URL_APP = "WrongProviderUrlOidcApp"; public static final String WRONG_SECRET_APP = "WrongSecretOidcApp"; + public static final String FORM_WITH_OIDC_EAR_APP = "FormWithOidcApp"; + public static final String FORM_WITH_OIDC_OIDC_APP = "oidc"; public static final String DIRECT_ACCCESS_GRANT_ENABLED_CLIENT = "DirectAccessGrantEnabledClient"; public static final String BEARER_ONLY_AUTH_SERVER_URL_APP = "AuthServerUrlBearerOnlyApp"; public static final String BEARER_ONLY_PROVIDER_URL_APP = "ProviderUrlBearerOnlyApp"; @@ -117,6 +125,20 @@ public abstract class OidcBaseTest { public static final String INVALID_SIGNATURE_ALGORITHM_APP = "InvalidSignatureAlgorithmApp"; public static final String PS_SIGNED_REQUEST_URI_APP = "PsSignedRequestUriApp"; public static final String MISSING_SECRET_APP = "MissingSecretApp"; + public static final String FORM_USER="user1"; + public static final String FORM_PASSWORD="password1"; + protected static final String ERROR_PAGE_CONTENT = "Error!"; + + // Avoid problem on windows with path + public static final String USERS_PATH = new File( + OidcWithDeploymentConfigTest.class.getResource("users.properties").getFile()).getAbsolutePath() + .replace("\\", "/"); + public static final String ROLES_PATH = new File( + OidcWithDeploymentConfigTest.class.getResource("roles.properties").getFile()).getAbsolutePath() + .replace("\\", "/"); + public static final String ORIGINAL_USERS_PATH = "application-users.properties"; + public static final String ORIGINAL_ROLES_PATH = "application-roles.properties"; + public static final String RELATIVE_TO = "jboss.server.config.dir"; private final Stability desiredStability; 
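Review bot: `USERS_PATH` and `ROLES_PATH` are built from `URL.getFile()`, which returns a percent-encoded path, so a checkout under a directory with a space yields a path the server cannot open; and because the lookup runs in a static initializer of the base class, a missing resource fails every subclass test with an `ExceptionInInitializerError` rather than just the form tests. Resolving through `Paths.get(url.toURI())` and failing with a named error is more robust; the helper below replaces the two inline expressions (it needs `java.nio.file.Paths` and `java.net.URISyntaxException` imported). Looking the resources up via `OidcWithDeploymentConfigTest.class` also makes the base class depend on one of its subclasses; `OidcBaseTest.class.getResource("deployment/users.properties")` would avoid the cycle if the resource layout allows it. Minor: `FORM_USER="user1"` and `FORM_PASSWORD="password1"` lack the spaces around `=` used by every other constant in this block.
```java
// Resolve a test resource to a forward-slash absolute path so it can be embedded in a CLI script on Windows.
private static String resourcePath(String name) {
    URL url = OidcWithDeploymentConfigTest.class.getResource(name);
    if (url == null) {
        throw new IllegalStateException("Missing test resource: " + name);
    }
    try {
        return Paths.get(url.toURI()).toAbsolutePath().toString().replace("\\", "/");
    } catch (URISyntaxException e) {
        throw new IllegalStateException("Cannot resolve test resource: " + name, e);
    }
}
public static final String USERS_PATH = resourcePath("users.properties");
public static final String ROLES_PATH = resourcePath("roles.properties");
// … unchanged: ORIGINAL_USERS_PATH, ORIGINAL_ROLES_PATH, RELATIVE_TO …
```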
@@ -493,6 +515,71 @@ public void testOpenIDWithMissingSecretHmacSigningAlgorithm() throws Exception { "/" + MISSING_SECRET_APP + SimpleSecuredServlet.SERVLET_PATH).toURI(), true); } + @Test + @OperateOnDeployment(FORM_WITH_OIDC_EAR_APP) + public void testFormWithOidc() throws Exception { + // oidc login + // EAR declares context-root to be oidc + loginToApp(FORM_WITH_OIDC_OIDC_APP, + org.wildfly.test.integration.elytron.oidc.client.KeycloakConfiguration.ALICE, + org.wildfly.test.integration.elytron.oidc.client.KeycloakConfiguration.ALICE_PASSWORD, + HttpURLConnection.HTTP_OK, SimpleServlet.RESPONSE_BODY); + + // login with Form wfly user acct + testFormCredentials(); + } + private void testFormCredentials() throws Exception { + URI requestUri = new URI("http://"+CLIENT_HOST_NAME+":"+CLIENT_PORT + +"/form"+"/"+SimpleSecuredServlet.class.getSimpleName() + +"/j_security_check"); + HttpClient httpClient = HttpClients.createDefault(); + HttpPost getMethod = new HttpPost(requestUri); + + List nvps = new ArrayList(); + nvps.add(new BasicNameValuePair("j_username", FORM_USER)); + nvps.add(new BasicNameValuePair("j_password", FORM_PASSWORD)); + + getMethod.setEntity(new UrlEncodedFormEntity(nvps, StandardCharsets.UTF_8)); + + HttpResponse response = httpClient.execute(getMethod); + int statusCode = response.getStatusLine().getStatusCode(); + assertTrue("Expected code == OK but got " + statusCode + + " for request=" + requestUri, statusCode == HttpURLConnection.HTTP_MOVED_TEMP); + } + + @Test + @OperateOnDeployment(FORM_WITH_OIDC_EAR_APP) + public void testInvalidFormWithOidcCredentials() throws Exception { + // login with Form wfly user acct + testInvalidFormCredentials(); + // oidc login + // EAR declares context-root to be oidc + loginToApp(FORM_WITH_OIDC_OIDC_APP, + org.wildfly.test.integration.elytron.oidc.client.KeycloakConfiguration.ALICE, + "WRONG_PASSWORD", HttpURLConnection.HTTP_OK, "Invalid username or password"); + } + public void testInvalidFormCredentials() 
throws Exception { + URI requestUri = new URI("http://"+CLIENT_HOST_NAME+":"+CLIENT_PORT + +"/form"+"/"+SimpleSecuredServlet.class.getSimpleName() + +"/j_security_check"); + HttpClient httpClient = HttpClients.createDefault(); + HttpPost getMethod = new HttpPost(requestUri); + + List nvps = new ArrayList(); + nvps.add(new BasicNameValuePair("j_username", "Not"+FORM_USER)); + nvps.add(new BasicNameValuePair("j_password", "Not"+FORM_PASSWORD)); + + getMethod.setEntity(new UrlEncodedFormEntity(nvps, StandardCharsets.UTF_8)); + + HttpResponse response = httpClient.execute(getMethod); + int statusCode = response.getStatusLine().getStatusCode(); + assertEquals("For request=" + requestUri +" Unexpected status code in HTTP response.", + SC_OK, statusCode ); + String errorMsg = EntityUtils.toString(response.getEntity()); + assertTrue("Expected HTTP response to contain " + ERROR_PAGE_CONTENT + + " response msg is: " + errorMsg, errorMsg.contains(ERROR_PAGE_CONTENT)); + } + public static void loginToApp(String appName, String username, String password, int expectedStatusCode, String expectedText) throws Exception { loginToApp(username, password, expectedStatusCode, expectedText, true, new URL("http", TestSuiteEnvironment.getHttpAddress(), TestSuiteEnvironment.getHttpPort(), 
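Review bot: The `HttpClient` created by `HttpClients.createDefault()` in `testFormCredentials` and `testInvalidFormCredentials` is never closed, both methods use the raw `List nvps = new ArrayList();` instead of `List<NameValuePair>`, and the positive assertion's message (`"Expected code == OK but got "`) contradicts the value it checks (`HTTP_MOVED_TEMP`); `assertEquals` with the expected code states the contract directly. The positive case also only proves that `j_security_check` answered with a redirect, not that `user1` is authenticated afterwards; following the redirect with the client's cookie store and asserting on `SimpleSecuredServlet`'s body would make it as strong as the negative case, which does inspect the body. `testInvalidFormCredentials` is `public` while its twin is `private`, and the two bodies differ only in the credentials, so one helper taking the user and password would remove the duplication. The rewrite below covers `testFormCredentials`; it needs `org.apache.http.impl.client.CloseableHttpClient` imported.
```java
private void testFormCredentials() throws Exception {
    URI requestUri = new URI("http://" + CLIENT_HOST_NAME + ":" + CLIENT_PORT
            + "/form/" + SimpleSecuredServlet.class.getSimpleName() + "/j_security_check");
    List<NameValuePair> nvps = new ArrayList<>();
    nvps.add(new BasicNameValuePair("j_username", FORM_USER));
    nvps.add(new BasicNameValuePair("j_password", FORM_PASSWORD));
    HttpPost post = new HttpPost(requestUri);
    post.setEntity(new UrlEncodedFormEntity(nvps, StandardCharsets.UTF_8));
    // The client owns a connection pool; close it so each test leaves no open sockets behind.
    try (CloseableHttpClient httpClient = HttpClients.createDefault()) {
        HttpResponse response = httpClient.execute(post);
        assertEquals("Unexpected status code for request=" + requestUri,
                HttpURLConnection.HTTP_MOVED_TEMP, response.getStatusLine().getStatusCode());
    }
}
```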
@@ -886,4 +973,35 @@ protected static void addSystemProperty(ManagementClien add.get(VALUE).set(clazz.getName()); ManagementOperations.executeOperation(client.getControllerClient(), add); } + + public static class WildFlyServerSetupTask extends ManagementServerSetupTask { + public WildFlyServerSetupTask() { + super(createContainerConfigurationBuilder() + .setupScript(createScriptBuilder() + .startBatch() + .add(String.format("/subsystem=elytron/properties-realm=ApplicationRealm:write-attribute(name=users-properties.path,value=\"%s\")", + USERS_PATH)) + .add("/subsystem=elytron/properties-realm=ApplicationRealm:write-attribute(name=users-properties.plain-text,value=true)") + .add("/subsystem=elytron/properties-realm=ApplicationRealm:undefine-attribute(name=users-properties.relative-to)") + .add(String.format("/subsystem=elytron/properties-realm=ApplicationRealm:write-attribute(name=groups-properties.path,value=\"%s\")", + ROLES_PATH)) + .add("/subsystem=elytron/properties-realm=ApplicationRealm:undefine-attribute(name=groups-properties.relative-to)") + .endBatch() + .build()) + .tearDownScript(createScriptBuilder() + .startBatch() + .add(String.format("/subsystem=elytron/properties-realm=ApplicationRealm:write-attribute(name=users-properties.path,value=\"%s\")", + ORIGINAL_USERS_PATH)) + .add(String.format("/subsystem=elytron/properties-realm=ApplicationRealm:write-attribute(name=users-properties.relative-to,value=\"%s\")", + RELATIVE_TO)) + .add("/subsystem=elytron/properties-realm=ApplicationRealm:undefine-attribute(name=users-properties.plain-text)") + .add(String.format("/subsystem=elytron/properties-realm=ApplicationRealm:write-attribute(name=groups-properties.path,value=\"%s\")", + ORIGINAL_ROLES_PATH)) + .add(String.format("/subsystem=elytron/properties-realm=ApplicationRealm:write-attribute(name=groups-properties.relative-to,value=\"%s\")", + RELATIVE_TO)) + .endBatch() + .build()) + .build()); + } + } } 
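Review bot: The ApplicationRealm address is spelled out ten times across the two scripts in `WildFlyServerSetupTask`; a constant `private static final String APPLICATION_REALM = "/subsystem=elytron/properties-realm=ApplicationRealm";` used as `APPLICATION_REALM + ":write-attribute(name=users-properties.path,value=\"%s\")"` keeps the batches readable and rules out a typo in one of them. The class also repoints the server-wide ApplicationRealm at plain-text test credentials for every test class that lists it, which is worth a Javadoc stating that, naming the attributes it touches and that the tear-down batch restores the `application-users.properties`/`application-roles.properties` defaults relative to `jboss.server.config.dir`. Whether these `write-attribute` calls leave the server in reload-required state, and whether the builder used here handles that, is not visible in the hunk; a one-line comment confirming it would save the next reader the check.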
diff --git a/testsuite/integration/elytron-oidc-client/src/test/java/org/wildfly/test/integration/elytron/oidc/client/deployment/OidcWithDeploymentConfigTest.java b/testsuite/integration/elytron-oidc-client/src/test/java/org/wildfly/test/integration/elytron/oidc/client/deployment/OidcWithDeploymentConfigTest.java index f2cc958f4485..2191f5c1606a 100644 --- a/testsuite/integration/elytron-oidc-client/src/test/java/org/wildfly/test/integration/elytron/oidc/client/deployment/OidcWithDeploymentConfigTest.java +++ b/testsuite/integration/elytron-oidc-client/src/test/java/org/wildfly/test/integration/elytron/oidc/client/deployment/OidcWithDeploymentConfigTest.java @@ -31,6 +31,8 @@ import org.jboss.dmr.ModelNode; import org.jboss.shrinkwrap.api.ShrinkWrap; import org.jboss.shrinkwrap.api.spec.WebArchive; +import org.jboss.shrinkwrap.api.spec.EnterpriseArchive; +import org.jboss.shrinkwrap.api.Archive; import org.junit.Test; import org.junit.runner.RunWith; import org.wildfly.test.integration.elytron.oidc.client.KeycloakConfiguration; @@ -45,7 +47,9 @@ */ @RunWith(Arquillian.class) @RunAsClient -@ServerSetup({ OidcWithDeploymentConfigTest.PreviewStabilitySetupTask.class, OidcWithDeploymentConfigTest.KeycloakAndSystemPropertySetup.class }) +@ServerSetup({ OidcWithDeploymentConfigTest.PreviewStabilitySetupTask.class, + OidcWithDeploymentConfigTest.KeycloakAndSystemPropertySetup.class, + OidcBaseTest.WildFlyServerSetupTask.class}) public class OidcWithDeploymentConfigTest extends OidcBaseTest { private static final String OIDC_PROVIDER_URL = "oidc.provider.url"; 
@@ -115,6 +119,7 @@ public class OidcWithDeploymentConfigTest extends OidcBaseTest { APP_NAMES.put(PS_SIGNED_REQUEST_URI_APP, KeycloakConfiguration.ClientAppType.OIDC_CLIENT); APP_NAMES.put(INVALID_SIGNATURE_ALGORITHM_FILE, KeycloakConfiguration.ClientAppType.OIDC_CLIENT); APP_NAMES.put(MISSING_SECRET_APP, KeycloakConfiguration.ClientAppType.OIDC_CLIENT); + APP_NAMES.put(FORM_WITH_OIDC_OIDC_APP, KeycloakConfiguration.ClientAppType.OIDC_CLIENT); } public OidcWithDeploymentConfigTest() { 
@@ -350,6 +355,39 @@ public static WebArchive createOpenIDWithMissingSecretHmacSigningAlgorithm() { .addAsWebInfResource(OidcWithDeploymentConfigTest.class.getPackage(), MISSING_SECRET_WITH_HMAC_ALGORITHM_FILE, "oidc.json"); } + @Deployment(name = FORM_WITH_OIDC_EAR_APP, managed = false, testable = false) + public static Archive createFormWithOidcDeployment() { + final EnterpriseArchive ear = ShrinkWrap.create(EnterpriseArchive.class, FORM_WITH_OIDC_EAR_APP+".ear"); + ear.addAsManifestResource(OidcWithDeploymentConfigTest.class.getPackage(), + FORM_WITH_OIDC_EAR_APP+"_application.xml", "application.xml"); + + final WebArchive form = ShrinkWrap.create(WebArchive.class, "form.war"); + form.addClasses(SimpleServlet.class); + form.addClasses(SimpleSecuredServlet.class); + form.addAsWebInfResource(OidcWithDeploymentConfigTest.class.getPackage(), + FORM_WITH_OIDC_EAR_APP + "_form_web.xml", "web.xml"); + form.addAsWebInfResource(OidcWithDeploymentConfigTest.class.getPackage(), + FORM_WITH_OIDC_EAR_APP + "_form_jboss-web.xml", "jboss-web.xml"); + form.addAsWebResource(OidcWithDeploymentConfigTest.class.getPackage(), + FORM_WITH_OIDC_EAR_APP + "_login.jsp", "login.jsp"); + form.addAsWebResource(OidcWithDeploymentConfigTest.class.getPackage(), + FORM_WITH_OIDC_EAR_APP + "_error.jsp", "error.jsp"); + + ear.addAsModule(form); + + final WebArchive oidc = ShrinkWrap.create(WebArchive.class, "oidc.war"); + oidc.addClasses(SimpleServlet.class); + oidc.addClasses(SimpleSecuredServlet.class); + oidc.addAsWebInfResource(OidcWithDeploymentConfigTest.class.getPackage(), + FORM_WITH_OIDC_EAR_APP+"_oidc_web.xml", "web.xml"); + oidc.addAsWebInfResource(OidcWithDeploymentConfigTest.class.getPackage(), + FORM_WITH_OIDC_EAR_APP+"_oidc_jboss-web.xml", "jboss-web.xml"); + oidc.addAsWebInfResource(OidcWithDeploymentConfigTest.class.getPackage(), + FORM_WITH_OIDC_EAR_APP+"_oidc_oidc.json", "oidc.json"); + ear.addAsModule(oidc); + return ear; + } + @Test @InSequence(1) public void 
testWrongPasswordWithProviderUrl() throws Exception { @@ -567,6 +605,28 @@ public void testCorsRequestWithEnableCorsWithInvalidOrigin() throws Exception { } } + @Test + @InSequence(27) + public void testFormWithOidc() throws Exception { + try { + deployer.deploy(FORM_WITH_OIDC_EAR_APP); + super.testFormWithOidc(); + } finally { + deployer.undeploy(FORM_WITH_OIDC_EAR_APP); + } + } + + @Test + @InSequence(28) + public void testInvalidFormWithOidcCredentials() throws Exception { + try { + deployer.deploy(FORM_WITH_OIDC_EAR_APP); + super.testInvalidFormWithOidcCredentials(); + } finally { + deployer.undeploy(FORM_WITH_OIDC_EAR_APP); + } + } + @Test public void testOpenIDScope() throws Exception { try{ diff --git a/testsuite/integration/elytron-oidc-client/src/test/java/org/wildfly/test/integration/elytron/oidc/client/deployment/roles.properties b/testsuite/integration/elytron-oidc-client/src/test/java/org/wildfly/test/integration/elytron/oidc/client/deployment/roles.properties new file mode 100644 index 000000000000..446d56d82fc9 --- /dev/null +++ b/testsuite/integration/elytron-oidc-client/src/test/java/org/wildfly/test/integration/elytron/oidc/client/deployment/roles.properties @@ -0,0 +1,7 @@ +# +# Copyright The WildFly Authors +# SPDX-License-Identifier: Apache-2.0 +# + +## rls user1=role1 +user1=JBossAdmin diff --git a/testsuite/integration/elytron-oidc-client/src/test/java/org/wildfly/test/integration/elytron/oidc/client/deployment/users.properties b/testsuite/integration/elytron-oidc-client/src/test/java/org/wildfly/test/integration/elytron/oidc/client/deployment/users.properties new file mode 100644 index 000000000000..64718714147e --- /dev/null +++ b/testsuite/integration/elytron-oidc-client/src/test/java/org/wildfly/test/integration/elytron/oidc/client/deployment/users.properties @@ -0,0 +1,6 @@ +# +# Copyright The WildFly Authors +# SPDX-License-Identifier: Apache-2.0 +# + +user1=password1 \ No newline at end of file 
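Review bot: `createFormWithOidcDeployment` returns the raw type `Archive`; declare it as `EnterpriseArchive` (or at least `Archive<?>`) so the signature matches the other factories in this class and avoids the raw-type warning. The method is duplicated almost line for line in OidcWithSubsystemConfigTest (the hunk at `@@ -280,6 +286,37 @@` in this diff), the only difference being that this copy adds `oidc.json` to the OIDC WAR; a shared builder on OidcBaseTest, e.g. `protected static EnterpriseArchive createFormWithOidcEar(boolean withOidcJson)`, would keep the two EARs from drifting apart. Note that this copy is declared `managed = false, testable = false` and deployed per test, while the subsystem copy is a managed deployment; if that asymmetry is deliberate a short comment on each would help.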
diff --git a/testsuite/integration/elytron-oidc-client/src/test/java/org/wildfly/test/integration/elytron/oidc/client/subsystem/OidcWithSubsystemConfigTest.java b/testsuite/integration/elytron-oidc-client/src/test/java/org/wildfly/test/integration/elytron/oidc/client/subsystem/OidcWithSubsystemConfigTest.java index 33ec949debce..93b50b507981 100644 --- a/testsuite/integration/elytron-oidc-client/src/test/java/org/wildfly/test/integration/elytron/oidc/client/subsystem/OidcWithSubsystemConfigTest.java +++ b/testsuite/integration/elytron-oidc-client/src/test/java/org/wildfly/test/integration/elytron/oidc/client/subsystem/OidcWithSubsystemConfigTest.java @@ -44,13 +44,16 @@ import org.jboss.as.test.shared.ServerReload; import org.jboss.as.version.Stability; import org.jboss.dmr.ModelNode; +import org.jboss.shrinkwrap.api.Archive; import org.jboss.shrinkwrap.api.ShrinkWrap; +import org.jboss.shrinkwrap.api.spec.EnterpriseArchive; import org.jboss.shrinkwrap.api.spec.WebArchive; import org.junit.Test; import org.junit.runner.RunWith; import org.wildfly.extension.elytron.oidc.ElytronOidcExtension; import org.wildfly.test.integration.elytron.oidc.client.KeycloakConfiguration; import org.wildfly.test.integration.elytron.oidc.client.OidcBaseTest; +import org.wildfly.test.integration.elytron.oidc.client.deployment.OidcWithDeploymentConfigTest; import org.wildfly.test.stabilitylevel.StabilityServerSetupSnapshotRestoreTasks; /** @@ -60,7 +63,9 @@ */ @RunWith(Arquillian.class) @RunAsClient -@ServerSetup({ OidcWithSubsystemConfigTest.PreviewStabilitySetupTask.class, OidcWithSubsystemConfigTest.KeycloakAndSubsystemSetup.class }) +@ServerSetup({ OidcWithSubsystemConfigTest.PreviewStabilitySetupTask.class, + OidcWithSubsystemConfigTest.KeycloakAndSubsystemSetup.class, + OidcBaseTest.WildFlyServerSetupTask.class}) public class OidcWithSubsystemConfigTest extends OidcBaseTest { private static final String SUBSYSTEM_OVERRIDE_APP = "SubsystemOverrideOidcApp"; 
@@ -99,6 +104,7 @@ public class OidcWithSubsystemConfigTest extends OidcBaseTest { APP_NAMES.put(PS_SIGNED_RSA_ENCRYPTED_REQUEST_APP, KeycloakConfiguration.ClientAppType.OIDC_CLIENT); APP_NAMES.put(PS_SIGNED_REQUEST_URI_APP, KeycloakConfiguration.ClientAppType.OIDC_CLIENT); APP_NAMES.put(INVALID_SIGNATURE_ALGORITHM_APP, KeycloakConfiguration.ClientAppType.OIDC_CLIENT); + APP_NAMES.put(FORM_WITH_OIDC_OIDC_APP, KeycloakConfiguration.ClientAppType.OIDC_CLIENT); } public OidcWithSubsystemConfigTest() { 
@@ -280,6 +286,37 @@ public static WebArchive createOpenIDWithMissingSecretHmacSigningAlgorithm() { .addClasses(SimpleSecuredServlet.class); } + @Deployment(name = FORM_WITH_OIDC_EAR_APP) + public static Archive createFormWithOidcDeployment() { + final EnterpriseArchive ear = ShrinkWrap.create(EnterpriseArchive.class, FORM_WITH_OIDC_EAR_APP+".ear"); + ear.addAsManifestResource(OidcWithDeploymentConfigTest.class.getPackage(), + FORM_WITH_OIDC_EAR_APP+"_application.xml", "application.xml"); + + final WebArchive form = ShrinkWrap.create(WebArchive.class, "form.war"); + form.addClasses(SimpleServlet.class); + form.addClasses(SimpleSecuredServlet.class); + form.addAsWebInfResource(OidcWithDeploymentConfigTest.class.getPackage(), + FORM_WITH_OIDC_EAR_APP + "_form_web.xml", "web.xml"); + form.addAsWebInfResource(OidcWithDeploymentConfigTest.class.getPackage(), + FORM_WITH_OIDC_EAR_APP + "_form_jboss-web.xml", "jboss-web.xml"); + form.addAsWebResource(OidcWithDeploymentConfigTest.class.getPackage(), + FORM_WITH_OIDC_EAR_APP + "_login.jsp", "login.jsp"); + form.addAsWebResource(OidcWithDeploymentConfigTest.class.getPackage(), + FORM_WITH_OIDC_EAR_APP + "_error.jsp", "error.jsp"); + + ear.addAsModule(form); + + final WebArchive oidc = ShrinkWrap.create(WebArchive.class, "oidc.war"); + oidc.addClasses(SimpleServlet.class); + oidc.addClasses(SimpleSecuredServlet.class); + oidc.addAsWebInfResource(OidcWithDeploymentConfigTest.class.getPackage(), + FORM_WITH_OIDC_EAR_APP+"_oidc_web.xml", "web.xml"); + oidc.addAsWebInfResource(OidcWithDeploymentConfigTest.class.getPackage(), + FORM_WITH_OIDC_EAR_APP+"_oidc_jboss-web.xml", "jboss-web.xml"); + ear.addAsModule(oidc); + return ear; + } + @Test @OperateOnDeployment(SUBSYSTEM_OVERRIDE_APP) public void testSubsystemOverride() throws Exception { 
@@ -647,6 +684,18 @@ public void setup(ManagementClient managementClient, String containerId) throws operation.get("request-object-signing-algorithm").set(HMAC_SHA256); Utils.applyUpdate(operation, client); + // only config the WAR that is in the EAR + operation = createOpNode(SECURE_DEPLOYMENT_ADDRESS + FORM_WITH_OIDC_OIDC_APP + ".war", ModelDescriptionConstants.ADD); + operation.get("client-id").set(FORM_WITH_OIDC_OIDC_APP); + operation.get("public-client").set(false); + operation.get("provider").set(KEYCLOAK_PROVIDER); + operation.get("ssl-required").set("EXTERNAL"); + Utils.applyUpdate(operation, client); + + operation = createOpNode(SECURE_DEPLOYMENT_ADDRESS + FORM_WITH_OIDC_OIDC_APP + ".war/credential=secret", ModelDescriptionConstants.ADD); + operation.get("secret").set(CLIENT_SECRET); + Utils.applyUpdate(operation, client); + ServerReload.executeReloadAndWaitForCompletion(managementClient); } diff --git a/testsuite/integration/elytron-oidc-client/src/test/resources/org/wildfly/test/integration/elytron/oidc/client/deployment/FormWithOidcApp_application.xml b/testsuite/integration/elytron-oidc-client/src/test/resources/org/wildfly/test/integration/elytron/oidc/client/deployment/FormWithOidcApp_application.xml new file mode 100644 index 000000000000..d342ab22bc14 --- /dev/null +++ b/testsuite/integration/elytron-oidc-client/src/test/resources/org/wildfly/test/integration/elytron/oidc/client/deployment/FormWithOidcApp_application.xml @@ -0,0 +1,21 @@ + + + + ear + + + form.war + /form + + + + + oidc.war + /oidc + + + lib + \ No newline at end of file diff --git a/testsuite/integration/elytron-oidc-client/src/test/resources/org/wildfly/test/integration/elytron/oidc/client/deployment/FormWithOidcApp_error.jsp b/testsuite/integration/elytron-oidc-client/src/test/resources/org/wildfly/test/integration/elytron/oidc/client/deployment/FormWithOidcApp_error.jsp new file mode 100644 index 000000000000..4b44f6e303cb --- /dev/null 
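Review bot: The new `secure-deployment` is registered under `FORM_WITH_OIDC_OIDC_APP + ".war"` although that WAR is packaged inside `FormWithOidcApp.ear`; if the subsystem keys EAR sub-deployments by their bare WAR name, the comment should say so, since `// only config the WAR that is in the EAR` reads as a restriction rather than an explanation, e.g. `// The OIDC sub-deployment is keyed by its WAR name (oidc.war), not the enclosing EAR; form.war keeps its own security-domain`. The secret written here comes from `CLIENT_SECRET`, whereas the deployment-config variant hard-codes the same value in `FormWithOidcApp_oidc_oidc.json`; a comment pointing at that file would keep the two in sync when the secret is rotated. setup() starts and ends outside the hunk.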
+++ b/testsuite/integration/elytron-oidc-client/src/test/resources/org/wildfly/test/integration/elytron/oidc/client/deployment/FormWithOidcApp_error.jsp @@ -0,0 +1,12 @@ + Error! + + + + The username and password you supplied are not valid. +

+Click here +to retry login + + + + \ No newline at end of file diff --git a/testsuite/integration/elytron-oidc-client/src/test/resources/org/wildfly/test/integration/elytron/oidc/client/deployment/FormWithOidcApp_form_jboss-web.xml b/testsuite/integration/elytron-oidc-client/src/test/resources/org/wildfly/test/integration/elytron/oidc/client/deployment/FormWithOidcApp_form_jboss-web.xml new file mode 100644 index 000000000000..a9d129a289ee --- /dev/null +++ b/testsuite/integration/elytron-oidc-client/src/test/resources/org/wildfly/test/integration/elytron/oidc/client/deployment/FormWithOidcApp_form_jboss-web.xml @@ -0,0 +1,12 @@ + + + + + other + /form + diff --git a/testsuite/integration/elytron-oidc-client/src/test/resources/org/wildfly/test/integration/elytron/oidc/client/deployment/FormWithOidcApp_form_web.xml b/testsuite/integration/elytron-oidc-client/src/test/resources/org/wildfly/test/integration/elytron/oidc/client/deployment/FormWithOidcApp_form_web.xml new file mode 100644 index 000000000000..fedf078f8edd --- /dev/null +++ b/testsuite/integration/elytron-oidc-client/src/test/resources/org/wildfly/test/integration/elytron/oidc/client/deployment/FormWithOidcApp_form_web.xml @@ -0,0 +1,32 @@ + + + + + + + SimpleSecuredServlet + /SimpleSecuredServlet + + + * + + + + + FORM + other + + /login.jsp + /error.jsp + + + + + * + + + diff --git a/testsuite/integration/elytron-oidc-client/src/test/resources/org/wildfly/test/integration/elytron/oidc/client/deployment/FormWithOidcApp_login.jsp b/testsuite/integration/elytron-oidc-client/src/test/resources/org/wildfly/test/integration/elytron/oidc/client/deployment/FormWithOidcApp_login.jsp new file mode 100644 index 000000000000..f5df0b07ae13 --- /dev/null +++ b/testsuite/integration/elytron-oidc-client/src/test/resources/org/wildfly/test/integration/elytron/oidc/client/deployment/FormWithOidcApp_login.jsp @@ -0,0 +1,16 @@ +Login Page + +Please Login
+ +
+ + + + + + +
Name:
Password:
+
+ +
+ \ No newline at end of file diff --git a/testsuite/integration/elytron-oidc-client/src/test/resources/org/wildfly/test/integration/elytron/oidc/client/deployment/FormWithOidcApp_oidc_jboss-web.xml b/testsuite/integration/elytron-oidc-client/src/test/resources/org/wildfly/test/integration/elytron/oidc/client/deployment/FormWithOidcApp_oidc_jboss-web.xml new file mode 100644 index 000000000000..c9cd5b74817e --- /dev/null +++ b/testsuite/integration/elytron-oidc-client/src/test/resources/org/wildfly/test/integration/elytron/oidc/client/deployment/FormWithOidcApp_oidc_jboss-web.xml @@ -0,0 +1,13 @@ + + + + + + other + true + diff --git a/testsuite/integration/elytron-oidc-client/src/test/resources/org/wildfly/test/integration/elytron/oidc/client/deployment/FormWithOidcApp_oidc_oidc.json b/testsuite/integration/elytron-oidc-client/src/test/resources/org/wildfly/test/integration/elytron/oidc/client/deployment/FormWithOidcApp_oidc_oidc.json new file mode 100644 index 000000000000..c3fbce7504ee --- /dev/null +++ b/testsuite/integration/elytron-oidc-client/src/test/resources/org/wildfly/test/integration/elytron/oidc/client/deployment/FormWithOidcApp_oidc_oidc.json @@ -0,0 +1,10 @@ +{ + "client-id" : "oidc", + "provider-url" : "${oidc.provider.url}", + "public-client" : "false", + "ssl-required" : "EXTERNAL", + "credentials" : { + "secret" : "longerclientsecretthatisstleast256bitslong" +} +} + diff --git a/testsuite/integration/elytron-oidc-client/src/test/resources/org/wildfly/test/integration/elytron/oidc/client/deployment/FormWithOidcApp_oidc_web.xml b/testsuite/integration/elytron-oidc-client/src/test/resources/org/wildfly/test/integration/elytron/oidc/client/deployment/FormWithOidcApp_oidc_web.xml new file mode 100644 index 000000000000..85d7e29d5011 --- /dev/null +++ b/testsuite/integration/elytron-oidc-client/src/test/resources/org/wildfly/test/integration/elytron/oidc/client/deployment/FormWithOidcApp_oidc_web.xml 
@@ -0,0 +1,27 @@ + + + + + + + SimpleSecuredServlet + /SimpleSecuredServlet + + + * + + + + + OIDC + + + + * + + + diff --git a/undertow/src/main/java/org/wildfly/extension/undertow/deployment/UndertowDeploymentProcessor.java b/undertow/src/main/java/org/wildfly/extension/undertow/deployment/UndertowDeploymentProcessor.java index 846470d53f48..d94b70b7fff1 100644 --- a/undertow/src/main/java/org/wildfly/extension/undertow/deployment/UndertowDeploymentProcessor.java +++ b/undertow/src/main/java/org/wildfly/extension/undertow/deployment/UndertowDeploymentProcessor.java 
@@ -280,21 +280,24 @@ public void deploy(final DeploymentPhaseContext phaseContext) throws DeploymentU } final SecurityMetaData securityMetaData = deploymentUnit.getAttachment(ATTACHMENT_KEY); - if (isVirtualDomainRequired(deploymentUnit) || isVirtualMechanismFactoryRequired(deploymentUnit)) { - securityDomain = builder.requires(securityMetaData.getSecurityDomain()); - } else if(securityDomainName != null) { + if (securityDomainName != null) { if (mappedSecurityDomain.test(securityDomainName)) { applySecurityFunction = builder.requires(capabilitySupport.getCapabilityServiceName(Capabilities.CAPABILITY_APPLICATION_SECURITY_DOMAIN, securityDomainName)); } else { throw ROOT_LOGGER.deploymentConfiguredForLegacySecurity(); } } - if (isVirtualMechanismFactoryRequired(deploymentUnit)) { - if (securityMetaData instanceof AdvancedSecurityMetaData) { - mechanismFactorySupplier = builder.requires(((AdvancedSecurityMetaData) securityMetaData).getHttpServerAuthenticationMechanismFactory()); + else if (isVirtualDomainRequired(deploymentUnit) || isVirtualMechanismFactoryRequired(deploymentUnit)) { + securityDomain = builder.requires(securityMetaData.getSecurityDomain()); + + if (isVirtualMechanismFactoryRequired(deploymentUnit)) { + if (securityMetaData instanceof AdvancedSecurityMetaData) { + mechanismFactorySupplier = builder.requires(((AdvancedSecurityMetaData) securityMetaData).getHttpServerAuthenticationMechanismFactory()); + } } } + Supplier controlPoint = RequestControllerActivationMarker.isRequestControllerEnabled(deploymentUnit) ? builder.requires(ControlPointService.serviceName(Optional.ofNullable(parentDeploymentUnit).orElse(deploymentUnit).getName(), UndertowExtension.SUBSYSTEM_NAME)) : null; SharedSessionManagerConfig sharedSessionManagerConfig = parentDeploymentUnit != null ? parentDeploymentUnit.getAttachment(SharedSessionManagerConfig.ATTACHMENT_KEY) : null;
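Review bot: The restructured chain now lets an explicit `securityDomainName` win over the virtual domain, whereas before the virtual domain and mechanism factory took precedence whenever `isVirtualDomainRequired`/`isVirtualMechanismFactoryRequired` held; that precedence flip is the behavioural change of this hunk and nothing in the code records it, so the new `else if` warrants a comment, e.g. `// An explicitly mapped security-domain takes precedence; the virtual (OIDC) domain and mechanism factory apply only when none is configured`. An OIDC-secured WAR that also carries a jboss-web.xml security-domain (the `oidc.war` in this PR's EAR appears to) will now take the application-security-domain path, so please confirm that is intended or that an earlier processor clears `securityDomainName` for such deployments. `securityMetaData` is still dereferenced unchecked in the virtual branch, and `isVirtualMechanismFactoryRequired(deploymentUnit)` is now evaluated twice; caching it in a local would tidy both. deploy() starts and ends outside the hunk.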