---
  - name: Prepare the OAuth Request to RH-SSO (static params)
    set_fact:
      oauth_payload: "grant_type=password"

  - name: Prepare the OAuth Request to RH-SSO (urlencode dynamic params)
    set_fact:
      oauth_payload: '{{ oauth_payload ~ "&" ~ item.key ~ "=" ~ (item.value|urlencode) }}'
    with_dict:
      client_id: '{{ sso_default_client_id }}'
      username: '{{ sso_service_username }}'
      password: '{{ sso_service_password }}'

  - name: Authenticate to RH-SSO using the service account
    uri:
      url: 'https://{{ sso_route_name }}/auth/realms/{{ sso_realm }}/protocol/openid-connect/token'
      body: '{{ oauth_payload }}'
      method: POST
      validate_certs: no
      return_content: yes
    register: response
    changed_when: false

  - name: Extract the access_token
    set_fact:
      access_token: '{{ response.json |json_query("access_token") }}'

  - debug: msg="access_token = {{ access_token }}"

  - name: Create an Initial Access Token in RH-SSO
    uri:
      url: 'https://{{ sso_route_name }}/auth/admin/realms/{{ sso_realm }}/clients-initial-access'
      validate_certs: no
      method: POST
      body: '{{ sso_initial_access_token_request }}'
      body_format: json
      headers:
        Authorization: 'Bearer {{ access_token }}'
    register: response

  - name: Extract the Initial Access Token from the RH-SSO response
    set_fact:
      initial_access_token: '{{ response.json |json_query("token") }}'

  - debug: msg="initial_access_token = {{ initial_access_token }}"

  - name: Get the current Realm configuration
    uri:
      url: 'https://{{ sso_route_name }}/auth/admin/realms/{{ sso_realm }}'
      validate_certs: no
      headers:
        Authorization: 'Bearer {{ access_token }}'
    register: response

  - name: Change the Realm configuration to extend the token lifetimes (see variable sso_default_realm_settings)
    set_fact:
      realm_config: '{{ response.json |combine(sso_default_realm_settings) }}'

  - name: Update the Realm configuration
    uri:
      url: 'https://{{ sso_route_name }}/auth/admin/realms/{{ sso_realm }}'
      validate_certs: no
      headers:
        Authorization: 'Bearer {{ access_token }}'
      method: PUT
      body: "{{ realm_config }}"
      body_format: json
      status_code: 204

  - name: Create the Demo User
    uri:
      url: https://{{ sso_route_name }}/auth/admin/realms/{{ sso_realm }}/users
      validate_certs: no
      headers:
        Authorization: 'Bearer {{ access_token }}'
      method: POST
      body: "{{ sso_demo_user }}"
      body_format: json
      status_code: "201,409"
    register: response
    changed_when: response.status == 201

  - set_fact:
      user_has_been_created: true
      user_url: "{{ response.location }}"
    when: response.status == 201

  - name: Retrieve the id of the Demo User
    uri:
      url: 'https://{{ sso_route_name }}/auth/admin/realms/{{ sso_realm }}/users?username={{ sso_demo_user.username|urlencode }}'
      validate_certs: no
      headers:
        Authorization: 'Bearer {{ access_token }}'
    register: response
    changed_when: false
    failed_when: response.status != 200 or (response.json|length != 1)
    when: user_has_been_created is not defined

  - set_fact:
      user_url: "https://{{ sso_route_name }}/auth/admin/realms/{{ sso_realm }}/users/{{ response.json[0].id }}"
    when: user_has_been_created is not defined

  - name: Set the password of the Demo User
    uri:
      url: "{{ user_url }}/reset-password"
      validate_certs: no
      headers:
        Authorization: 'Bearer {{ access_token }}'
      method: PUT
      body: "{{ sso_demo_user.credentials[0] }}"
      body_format: json
      status_code: 204