# Example #4

## Setup

First, log in to the Keycloak server as "admin/admin" at:

    http://localhost:9090
    
Set up a "test" client with the "openid-connect" protocol.

On the "test" client settings page,

    Access Type             -> confidential
    Valid Redirect URIs     -> *
    Web Origins             -> *
    
On the "test" client Installation page, select "Keycloak OIDC JSON" and copy down the following values, which you will need later:

    - realm
    - auth_server_url
    - secret
    
Click on Users and create a user:

    Username                -> test
    Email                   -> test@test.com
    First Name              -> Test
    Last Name               -> User
    
Once saved, click on Credentials and set a password for the user, making sure that Temporary is OFF.
    
Now go to http://localhost and log in to Cloud CMS as "admin/admin".
Create a project and create an application within the project.
Download your API keys and save them in this directory as gitana.json.

Edit app.js and fill in the "keycloak1" provider info to match the values from Keycloak OIDC JSON.

Start up app.js

    node app.js
    
Go to http://localhost:4000


## How it works

This is a session-less, stateless Node application that relies on an external SSO cookie to establish the authenticated user.  Every request
is treated as unauthenticated until the authentication filter has challenged it and confirmed that the end user is authenticated.

The authentication filter is selected by calling:

    var auth = app.auth("default");

The "default" authentication filter is configured in the `filters` block.  It names a request adapter and a provider.  The request adapter
interprets the incoming request and picks out any authentication state it carries.

The "jwt" adapter is configured to look for a JWT in a cookie named "JWT".  The cookie is untrusted by default, which means that nothing derived
from it is accepted until it has been verified by calling over to the authentication provider (in this case, the "keycloak" provider).

If a cookie doesn't exist, the user is redirected to the Keycloak server to log in.  They are then redirected back to the `/auth/keycloak/callback`
endpoint.  The `autoCreate` option causes a Cloud CMS user to be created automatically for this Keycloak identity.  The newly created user is also
authenticated to Cloud CMS.

The request is then redirected to `successRedirect` or `index.html`.

The filter chain will now run straight through without any issue.  At the end of the filter chain, the default behavior of the application server
is to set:

    req.user = (authenticated gitana user)
    
As such, to log out you simply delete the cookie, and to log in you create a new one.  To demonstrate this, the example provides two endpoints:

    /cookie/create
    /cookie/delete

Links to both are provided in the web pages.
