@tidecloak/create-nextjs 0.0.1

package/template-ts-app/app/home/page.tsx

@@ -0,0 +1,101 @@
+'use client'
+
+import { useTideCloak } from '@tidecloak/nextjs'
+import { useState, useCallback } from 'react'
+import tcConfig from "../../tidecloak.json"
+
+
+export default function HomePage() {
+  const { logout, getValueFromIdToken, hasRealmRole, token } = useTideCloak()
+  const username = getValueFromIdToken('preferred_username') ?? '…'
+  const hasDefaultRole = hasRealmRole(`default-roles-${tcConfig["realm"]}`)
+
+  const [verifyResult, setVerifyResult] = useState<string | null>(null)
+  const [verifying, setVerifying] = useState(false)
+
+  const onLogout = useCallback(() => {
+    logout()
+  }, [logout])
+
+  const onVerify = useCallback(async () => {
+    setVerifying(true)
+    setVerifyResult(null)
+    try {
+      const res = await fetch('/api/protected', {
+        method: 'GET',
+        headers: {
+          Authorization: `Bearer ${token}`,
+        },
+      })
+      const data = await res.json()
+      if (res.ok) {
+        setVerifyResult(`✅ Authorized: vuid=${data.vuid}, key=${data.userkey}`)
+      } else {
+        setVerifyResult(`❌ ${res.status} - ${data.error || res.statusText}`)
+      }
+    } catch (err: any) {
+      setVerifyResult(`❌ Network error: ${err.message}`)
+    } finally {
+      setVerifying(false)
+    }
+  }, [])
+
+  return (
+    <div style={containerStyle}>
+      <div style={cardStyle}>
+        <h1 style={{ margin: 0, fontSize: '1.5rem' }}>Hello, {username}!</h1>
+        <p style={{ margin: '0.5rem 0', color: '#555' }}>
+          Has default roles? <strong>{hasDefaultRole ? 'Yes' : 'No'}</strong>
+        </p>
+
+        <button onClick={onLogout} style={buttonStyle}>
+          Log out
+        </button>
+
+        <button
+          onClick={onVerify}
+          style={{ ...buttonStyle, marginTop: '0.5rem' }}
+          disabled={verifying}
+        >
+          {verifying ? 'Verifying…' : 'Verify Token'}
+        </button>
+
+        {verifyResult && (
+          <p style={{ marginTop: '1rem', color: verifyResult.startsWith('✅') ? 'green' : 'red' }}>
+            {verifyResult}
+          </p>
+        )}
+      </div>
+    </div>
+  )
+}
+
+const containerStyle: React.CSSProperties = {
+  minHeight: '100vh',
+  display: 'flex',
+  alignItems: 'center',
+  justifyContent: 'center',
+  background: '#f5f5f5',
+  margin: 0,
+}
+
+const cardStyle: React.CSSProperties = {
+  background: '#fff',
+  padding: '2rem',
+  borderRadius: '8px',
+  boxShadow: '0 4px 12px rgba(0,0,0,0.1)',
+  textAlign: 'center',
+  maxWidth: '360px',
+  width: '100%',
+}
+
+const buttonStyle: React.CSSProperties = {
+  marginTop: '1rem',
+  padding: '0.75rem 1.5rem',
+  fontSize: '1rem',
+  borderRadius: '4px',
+  border: 'none',
+  background: '#0070f3',
+  color: '#fff',
+  cursor: 'pointer',
+}

package/template-ts-app/app/layout.tsx

@@ -0,0 +1,24 @@
+import type { Metadata } from 'next'
+import type { ReactNode } from 'react'
+import { Provider } from './provider'
+
+export const metadata: Metadata = {
+  title: 'My Tidecloak App',
+  description: 'A Next.js starter with Tidecloak',
+}
+
+interface RootLayoutProps {
+  children: ReactNode
+}
+
+export default function RootLayout({ children }: RootLayoutProps): JSX.Element {
+  return (
+    <html lang="en">
+      <body>
+        <Provider>
+          {children}
+        </Provider>
+      </body>
+    </html>
+  )
+}

package/template-ts-app/app/page.tsx

@@ -0,0 +1,65 @@
+'use client'
+
+import { useCallback, type CSSProperties } from 'react'
+import { useTideCloak } from '@tidecloak/nextjs'
+import { useRouter } from 'next/navigation'
+import { useEffect } from 'react'
+
+const containerStyle: CSSProperties = {
+  minHeight: '100vh',
+  display: 'flex',
+  alignItems: 'center',
+  justifyContent: 'center',
+  background: '#f5f5f5',
+  margin: 0,
+}
+
+const cardStyle: CSSProperties = {
+  background: '#fff',
+  padding: '2rem',
+  borderRadius: '8px',
+  boxShadow: '0 4px 12px rgba(0,0,0,0.1)',
+  textAlign: 'center',
+  maxWidth: '360px',
+  width: '100%',
+}
+
+const buttonStyle: CSSProperties = {
+  marginTop: '1rem',
+  padding: '0.75rem 1.5rem',
+  fontSize: '1rem',
+  borderRadius: '4px',
+  border: 'none',
+  background: '#0070f3',
+  color: '#fff',
+  cursor: 'pointer',
+}
+
+export default function LoginPage(): JSX.Element {
+  const { login, authenticated } = useTideCloak()
+  const router = useRouter()
+
+  const onLogin = useCallback(() => {
+    login()
+  }, [login])
+
+  useEffect(() => {
+    if (authenticated) {
+      router.push('/home')
+    }
+  }, [authenticated])
+
+  return (
+    <div style={containerStyle}>
+        <div style={cardStyle}>
+          <h1 style={{ margin: 0, fontSize: '1.75rem' }}>Welcome!</h1>
+          <p style={{ color: '#555', marginTop: '0.5rem' }}>
+            Please log in to continue.
+          </p>
+          <button onClick={onLogin} style={buttonStyle}>
+            Log In
+          </button>
+        </div>
+    </div>
+  )
+}

package/template-ts-app/app/provider.tsx

@@ -0,0 +1,23 @@
+'use client'
+
+import React, { type ReactNode } from 'react'
+import {
+  TideCloakProvider,
+  type TideCloakConfig,
+} from '@tidecloak/nextjs'
+import tcConfig from '../tidecloak.json'
+
+interface ProviderProps {
+  children: ReactNode
+}
+
+export function Provider({ children }: ProviderProps): JSX.Element {
+  // If tidecloak.json isn’t already typed, you can cast it:
+  const config = tcConfig as unknown as TideCloakConfig
+
+  return (
+    <TideCloakProvider config={config}>
+      {children}
+    </TideCloakProvider>
+  )
+}

package/template-ts-app/init/.env.example

@@ -0,0 +1,8 @@
+TIDECLOAK_LOCAL_URL="http://localhost:8080"
+CLIENT_NAME="myclient"
+CLIENT_APP_URL="http://localhost:3000"
+REALM_JSON_PATH="./realm.json"
+NEW_REALM_NAME="nextjs-test"
+KC_USER="admin"
+KC_PASSWORD="password" 
+# ADAPTER_OUTPUT_PATH=""

package/template-ts-app/init/realm.json

@@ -0,0 +1,162 @@
+{
+    "realm": "nextjs-test",
+    "accessTokenLifespan": 600,
+    "enabled": true,
+    "sslRequired": "external",
+    "registrationAllowed": false,
+    "duplicateEmailsAllowed": true,
+    "roles": {
+        "realm": [
+            {
+                "name": "appUser",
+                "description": "Standard application user"
+            },
+            {
+                "name": "_tide_dob.selfencrypt",
+                "description": "Tide E2EE self-encrypt DoB data"
+            },
+            {
+                "name": "_tide_dob.selfdecrypt",
+                "description": "Tide E2EE self-decrypt DoB data"
+            },
+            {
+                "name": "default-roles-nextjs-test",
+                "description": "${role_default-roles}",
+                "composite": true,
+                "composites": {
+                    "realm": [
+                        "_tide_dob.selfencrypt",
+                        "_tide_dob.selfdecrypt",
+                        "appUser"
+                    ]
+                }
+            }
+        ],
+        "client": {
+            "myclient": []
+        }
+    },
+    "defaultRole": {
+        "name": "default-roles-nextjs-test",
+        "description": "${role_default-roles}",
+        "composite": true,
+        "clientRole": false
+    },
+    "clients": [
+        {
+            "clientId": "myclient",
+            "enabled": true,
+            "redirectUris": [
+                "http://localhost:3000",
+                "http://localhost:3000/*",
+                "http://localhost:3000/silent-check-sso.html",
+                "http://localhost:3000/auth/redirect"
+            ],
+            "webOrigins": [
+                "http://localhost:3000"
+            ],
+            "standardFlowEnabled": true,
+            "implicitFlowEnabled": false,
+            "publicClient": true,
+            "fullScopeAllowed": true,
+            "protocolMappers": [
+                {
+                    "name": "Tide User Key",
+                    "protocol": "openid-connect",
+                    "protocolMapper": "oidc-usermodel-attribute-mapper",
+                    "consentRequired": false,
+                    "config": {
+                        "introspection.token.claim": "true",
+                        "userinfo.token.claim": "true",
+                        "user.attribute": "tideUserKey",
+                        "lightweight.claim": "true",
+                        "id.token.claim": "true",
+                        "access.token.claim": "true",
+                        "claim.name": "tideuserkey",
+                        "jsonType.label": "String"
+                    }
+                },
+                {
+                    "name": "Tide IGA Role Mapper",
+                    "protocol": "openid-connect",
+                    "protocolMapper": "tide-roles-mapper",
+                    "consentRequired": false,
+                    "config": {
+                        "lightweight.claim": "true",
+                        "access.token.claim": "true"
+                    }
+                },
+                {
+                    "name": "Tide vuid",
+                    "protocol": "openid-connect",
+                    "protocolMapper": "oidc-usermodel-attribute-mapper",
+                    "consentRequired": false,
+                    "config": {
+                        "introspection.token.claim": "true",
+                        "userinfo.token.claim": "true",
+                        "user.attribute": "vuid",
+                        "lightweight.claim": "true",
+                        "id.token.claim": "true",
+                        "access.token.claim": "true",
+                        "claim.name": "vuid",
+                        "jsonType.label": "String"
+                    }
+                }
+            ]
+        }
+    ],
+    "components": {
+        "org.keycloak.userprofile.UserProfileProvider": [
+            {
+              "providerId": "declarative-user-profile",
+              "config": {
+                "kc.user.profile.config": [
+                    "{\"attributes\":[{\"name\":\"username\",\"displayName\":\"${username}\",\"validations\":{\"length\":{\"min\":3,\"max\":255},\"username-prohibited-characters\":{},\"up-username-not-idn-homograph\":{}},\"permissions\":{\"view\":[\"admin\",\"user\"],\"edit\":[\"admin\",\"user\"]},\"multivalued\":false},{\"name\":\"email\",\"displayName\":\"${email}\",\"validations\":{\"email\":{},\"length\":{\"max\":255}},\"permissions\":{\"view\":[\"admin\",\"user\"],\"edit\":[\"admin\",\"user\"]},\"multivalued\":false},{\"name\":\"firstName\",\"displayName\":\"${firstName}\",\"permissions\":{\"view\":[\"admin\",\"user\"],\"edit\":[\"admin\",\"user\"]},\"multivalued\":false},{\"name\":\"lastName\",\"displayName\":\"${lastName}\",\"permissions\":{\"view\":[\"admin\",\"user\"],\"edit\":[\"admin\",\"user\"]},\"multivalued\":false}],\"groups\":[{\"name\":\"user-metadata\",\"displayHeader\":\"User metadata\",\"displayDescription\":\"Attributes, which refer to user metadata\"}]}"
+                ]
+              }
+            }
+        ]
+    },
+    "authenticationFlows": [
+        {
+            "alias": "tidebrowser",
+            "providerId": "basic-flow",
+            "topLevel": true,
+            "authenticationExecutions": [
+                {
+                    "authenticator": "auth-cookie",
+                    "authenticatorFlow": false,
+                    "requirement": "ALTERNATIVE",
+                    "priority": 10,
+                    "userSetupAllowed": false
+                },
+                {
+                    "authenticatorConfig": "tide browser",
+                    "authenticator": "identity-provider-redirector",
+                    "authenticatorFlow": false,
+                    "requirement": "ALTERNATIVE",
+                    "priority": 25,
+                    "userSetupAllowed": false
+                }
+            ]
+        }
+    ],
+    "authenticatorConfig": [
+        {
+            "alias": "tide browser",
+            "config": {
+                "defaultProvider": "tide"
+            }
+        }
+    ],
+    "browserFlow": "tidebrowser",
+    "requiredActions": [
+        {
+            "alias": "link-tide-account-action",
+            "name": "Link Tide Account",
+            "providerId": "link-tide-account-action",
+            "enabled": true
+        }
+    ],
+    "keycloakVersion": "26.1.4"
+}

package/template-ts-app/init/tcinit.sh

@@ -0,0 +1,261 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# ─────────────────────────────────────────────────────────────────────────────
+# Determine paths
+# ─────────────────────────────────────────────────────────────────────────────
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "${SCRIPT_DIR}/.." && pwd)"
+
+# Load overrides from .env in the project root
+if [ -f "${PROJECT_ROOT}/.env.example" ]; then
+  # shellcheck disable=SC1090
+  source "${PROJECT_ROOT}/.env.example"
+fi
+
+# ─────────────────────────────────────────────────────────────────────────────
+# Defaults (override via env)
+# ─────────────────────────────────────────────────────────────────────────────
+TIDECLOAK_LOCAL_URL="${TIDECLOAK_LOCAL_URL:-http://localhost:8080}"
+CLIENT_APP_URL="${CLIENT_APP_URL:-http://localhost:3000}"
+REALM_JSON_PATH="${REALM_JSON_PATH:-${SCRIPT_DIR}/realm.json}"
+ADAPTER_OUTPUT_PATH="${ADAPTER_OUTPUT_PATH:-${PROJECT_ROOT}/tidecloak.json}"
+NEW_REALM_NAME="${NEW_REALM_NAME:-nextjs-test}"
+REALM_MGMT_CLIENT_ID="realm-management"
+ADMIN_ROLE_NAME="tide-realm-admin"
+KC_USER="${KC_USER:-admin}"
+KC_PASSWORD="${KC_PASSWORD:-password}"
+CLIENT_NAME="${CLIENT_NAME:-myclient}"
+
+# ─────────────────────────────────────────────────────────────────────────────
+# sed -i portability
+# ─────────────────────────────────────────────────────────────────────────────
+if sed --version >/dev/null 2>&1; then
+  SED_INPLACE=(-i)
+else
+  SED_INPLACE=(-i '')
+fi
+
+# ─────────────────────────────────────────────────────────────────────────────
+# Helper: grab an admin token
+# ─────────────────────────────────────────────────────────────────────────────
+get_admin_token() {
+  curl -s -X POST "${TIDECLOAK_LOCAL_URL}/realms/master/protocol/openid-connect/token" \
+       -H "Content-Type: application/x-www-form-urlencoded" \
+       -d "username=${KC_USER}" \
+       -d "password=${KC_PASSWORD}" \
+       -d "grant_type=password" \
+       -d "client_id=admin-cli" \
+    | jq -r .access_token
+}
+
+# ─────────────────────────────────────────────────────────────────────────────
+# Step 1: prepare realm JSON
+# ─────────────────────────────────────────────────────────────────────────────
+REALM_NAME="${NEW_REALM_NAME}"
+echo "${REALM_NAME}" > "${PROJECT_ROOT}/.realm_name"
+
+TMP_REALM_JSON="$(mktemp)"
+cp "${REALM_JSON_PATH}" "${TMP_REALM_JSON}"
+
+# replace placeholders
+sed "${SED_INPLACE[@]}" "s|http://localhost:3000|${CLIENT_APP_URL}|g" "${TMP_REALM_JSON}"
+sed "${SED_INPLACE[@]}" "s|nextjs-test|${REALM_NAME}|g"      "${TMP_REALM_JSON}"
+sed "${SED_INPLACE[@]}" "s|myclient|${CLIENT_NAME}|g"        "${TMP_REALM_JSON}"
+
+# ─────────────────────────────────────────────────────────────────────────────
+# Step 2: create realm (allow 409 if already exists)
+# ─────────────────────────────────────────────────────────────────────────────
+TOKEN="$(get_admin_token)"
+echo "🌍 Creating realm..."
+status=$(curl -s -o /dev/null -w "%{http_code}" \
+  -X POST "${TIDECLOAK_LOCAL_URL}/admin/realms" \
+  -H "Authorization: Bearer ${TOKEN}" \
+  -H "Content-Type: application/json" \
+  --data-binary @"${TMP_REALM_JSON}")
+
+if [[ ${status} == 2* || ${status} -eq 409 ]]; then
+  echo "✅ Realm created (or already exists)."
+else
+  echo "❌ Realm creation failed (HTTP ${status})" >&2
+  exit 1
+fi
+
+# ─────────────────────────────────────────────────────────────────────────────
+# Step 3: initialize Tide realm + IGA
+# ─────────────────────────────────────────────────────────────────────────────
+TOKEN="$(get_admin_token)"
+echo "🔐 Initializing Tide realm + IGA..."
+
+response=$(curl -i -X POST "${TIDECLOAK_LOCAL_URL}/admin/realms/${REALM_NAME}/vendorResources/setUpTideRealm" \
+  -H "Authorization: Bearer ${TOKEN}" \
+  -H "Content-Type: application/x-www-form-urlencoded" \
+  --data-urlencode "email=email@tide.org" 2>&1)
+
+# parse status code from response
+status=$(printf "%s" "${response}" | awk '/HTTP\/1\.[01]/ { code=$2 } END { print code }')
+if [[ "${status}" != "200" && "${status}" != "201" && "${status}" != "204" ]]; then
+  echo "❌ setUpTideRealm failed with HTTP ${status}" >&2
+  exit 1
+fi
+
+# toggle IGA
+curl -s -X POST "${TIDECLOAK_LOCAL_URL}/admin/realms/${REALM_NAME}/tide-admin/toggle-iga" \
+     -H "Authorization: Bearer ${TOKEN}" \
+     -H "Content-Type: application/x-www-form-urlencoded" \
+     --data-urlencode "isIGAEnabled=true" \
+  > /dev/null
+
+echo "✅ Tide realm + IGA done."
+
+# ─────────────────────────────────────────────────────────────────────────────
+# Approve & commit change-sets
+# ─────────────────────────────────────────────────────────────────────────────
+approve_and_commit() {
+  local TYPE=$1
+  echo "🔄 Processing ${TYPE} change-sets..."
+  TOKEN="$(get_admin_token)"
+  curl -s -X GET "${TIDECLOAK_LOCAL_URL}/admin/realms/${REALM_NAME}/tide-admin/change-set/${TYPE}/requests" \
+       -H "Authorization: Bearer ${TOKEN}" \
+    | jq -c '.[]' | while read -r req; do
+        payload=$(jq -n \
+          --arg id  "$(jq -r .draftRecordId   <<< "${req}")" \
+          --arg cst "$(jq -r .changeSetType   <<< "${req}")" \
+          --arg at  "$(jq -r .actionType      <<< "${req}")" \
+          '{changeSetId:$id,changeSetType:$cst,actionType:$at}')
+
+        curl -s -X POST "${TIDECLOAK_LOCAL_URL}/admin/realms/${REALM_NAME}/tide-admin/change-set/sign" \
+             -H "Authorization: Bearer ${TOKEN}" \
+             -H "Content-Type: application/json" \
+             -d "${payload}" \
+          > /dev/null
+
+        curl -s -X POST "${TIDECLOAK_LOCAL_URL}/admin/realms/${REALM_NAME}/tide-admin/change-set/commit" \
+             -H "Authorization: Bearer ${TOKEN}" \
+             -H "Content-Type: application/json" \
+             -d "${payload}" \
+          > /dev/null
+      done
+  echo "✅ ${TYPE^} change-sets done."
+}
+approve_and_commit clients
+
+# ─────────────────────────────────────────────────────────────────────────────
+# Step 4: create admin user + assign role
+# ─────────────────────────────────────────────────────────────────────────────
+TOKEN="$(get_admin_token)"
+echo "👤 Creating admin user..."
+curl -s -X POST "${TIDECLOAK_LOCAL_URL}/admin/realms/${REALM_NAME}/users" \
+     -H "Authorization: Bearer ${TOKEN}" \
+     -H "Content-Type: application/json" \
+     -d '{"username":"admin","email":"admin@tidecloak.com","firstName":"admin","lastName":"user","enabled":true}' \
+  > /dev/null
+
+USER_ID=$(curl -s -X GET \
+  "${TIDECLOAK_LOCAL_URL}/admin/realms/${REALM_NAME}/users?username=admin" \
+  -H "Authorization: Bearer ${TOKEN}" \
+  | jq -r '.[0].id')
+
+CLIENT_UUID=$(curl -s -X GET \
+  "${TIDECLOAK_LOCAL_URL}/admin/realms/${REALM_NAME}/clients?clientId=${REALM_MGMT_CLIENT_ID}" \
+  -H "Authorization: Bearer ${TOKEN}" \
+  | jq -r '.[0].id')
+
+ROLE_JSON=$(curl -s -X GET \
+  "${TIDECLOAK_LOCAL_URL}/admin/realms/${REALM_NAME}/clients/${CLIENT_UUID}/roles/${ADMIN_ROLE_NAME}" \
+  -H "Authorization: Bearer ${TOKEN}")
+
+curl -s -X POST "${TIDECLOAK_LOCAL_URL}/admin/realms/${REALM_NAME}/users/${USER_ID}/role-mappings/clients/${CLIENT_UUID}" \
+     -H "Authorization: Bearer ${TOKEN}" \
+     -H "Content-Type: application/json" \
+     -d "[${ROLE_JSON}]" \
+  > /dev/null
+
+echo "✅ Admin user & role done."
+
+# ─────────────────────────────────────────────────────────────────────────────
+# Step 5: generate invite link + wait
+# ─────────────────────────────────────────────────────────────────────────────
+TOKEN="$(get_admin_token)"
+echo "🔗 Generating invite link..."
+INVITE_LINK=$(curl -s -X POST \
+  "${TIDECLOAK_LOCAL_URL}/admin/realms/${REALM_NAME}/tideAdminResources/get-required-action-link?userId=${USER_ID}&lifespan=43200" \
+  -H "Authorization: Bearer ${TOKEN}" \
+  -H "Content-Type: application/json" \
+  -d '["link-tide-account-action"]')
+
+echo "🔗 Invite link: ${INVITE_LINK}"
+echo "→ Send this link to the user so they can link their account."
+
+MAX_TRIES=3
+attempt=1
+while true; do
+  echo -n "Checking link status (attempt ${attempt}/${MAX_TRIES})… "
+  ATTRS=$(curl -s -X GET \
+    "${TIDECLOAK_LOCAL_URL}/admin/realms/${REALM_NAME}/users?username=admin" \
+    -H "Authorization: Bearer ${TOKEN}")
+
+  KEY=$(jq -r '.[0].attributes.tideUserKey[0] // empty' <<< "${ATTRS}")
+  VUID=$(jq -r '.[0].attributes.vuid[0]        // empty' <<< "${ATTRS}")
+
+  if [[ -n "${KEY}" && -n "${VUID}" ]]; then
+    echo "✅ Linked!"
+    break
+  fi
+
+  if (( attempt >= MAX_TRIES )); then
+    echo "⚠️  Max retries reached (${MAX_TRIES}). Moving on."
+    break
+  fi
+
+  read -t 30 -p "Not linked yet; press ENTER to retry or wait 30s…" || true
+  echo
+  ((attempt++))
+done
+
+approve_and_commit users
+
+# ─────────────────────────────────────────────────────────────────────────────
+# Step 6: update CustomAdminUIDomain
+# ─────────────────────────────────────────────────────────────────────────────
+TOKEN="$(get_admin_token)"
+echo "🌐 Updating CustomAdminUIDomain..."
+
+INST_JSON=$(curl -s -X GET \
+  "${TIDECLOAK_LOCAL_URL}/admin/realms/${REALM_NAME}/identity-provider/instances/tide" \
+  -H "Authorization: Bearer ${TOKEN}")
+
+UPDATED_JSON=$(jq --arg d "${CLIENT_APP_URL}" '.config.CustomAdminUIDomain = $d' <<< "${INST_JSON}")
+
+curl -s -X PUT "${TIDECLOAK_LOCAL_URL}/admin/realms/${REALM_NAME}/identity-provider/instances/tide" \
+     -H "Authorization: Bearer ${TOKEN}" \
+     -H "Content-Type: application/json" \
+     -d "${UPDATED_JSON}" \
+  > /dev/null
+
+curl -s -X POST "${TIDECLOAK_LOCAL_URL}/admin/realms/${REALM_NAME}/vendorResources/sign-idp-settings" \
+     -H "Authorization: Bearer ${TOKEN}" \
+  > /dev/null
+
+echo "✅ CustomAdminUIDomain updated + signed."
+
+
+# ─────────────────────────────────────────────────────────────────────────────
+# Step 7: fetch adapter config + cleanup
+# ─────────────────────────────────────────────────────────────────────────────
+TOKEN="$(get_admin_token)"
+echo "📥 Fetching adapter config…"
+CLIENT_UUID=$(curl -s -X GET \
+  "${TIDECLOAK_LOCAL_URL}/admin/realms/${REALM_NAME}/clients?clientId=${CLIENT_NAME}" \
+  -H "Authorization: Bearer ${TOKEN}" \
+  | jq -r '.[0].id')
+
+curl -s -X GET \
+  "${TIDECLOAK_LOCAL_URL}/admin/realms/${REALM_NAME}/vendorResources/get-installations-provider?clientId=${CLIENT_UUID}&providerId=keycloak-oidc-keycloak-json" \
+  -H "Authorization: Bearer ${TOKEN}" \
+  > "${ADAPTER_OUTPUT_PATH}"
+
+echo "✅ Adapter config saved to ${ADAPTER_OUTPUT_PATH}"
+rm -f "${PROJECT_ROOT}/.realm_name" "${TMP_REALM_JSON}"
+
+echo "🎉 All done!"