labs / tiddlers / content / labs / 04 / _Labs_04_Using
Next you will be modifying the `OIDCServer` class in your NetBeans project to use Keycloak.

1. Switch to NetBeans.

1. Check that your basic authentication service is not running (stop it if necessary).

1. Open the `service.OIDCServer` class definition.

1. Find the code that sets the various properties of the auth provider (e.g. the `config.setRealm()` call).

1. Update those settings to match your Keycloak configuration. For the client secret, you can find this in Keycloak under the `COMP210` client details, under Credentials (click the Copy to Clipboard button).

1. Start the service by right-clicking the `OIDCServer` class and choosing Run File.

	Note that the routes displayed by Jooby in the NetBeans output pane include `/callback` and `/logout`.  These are added by the pac4j security framework and provide *webhook endpoints*---authorisation providers like Keycloak can use these routes to send authorisation tokens to the web service, or inform the service that the tokens have been invalidated by the user logging out.

	This time we can use a web browser.  Open the following URL:
	Your browser will be redirected to the realm's sign in page. Log in as `doris`.

	Whoops --- `403/Forbidden`.  We forgot to add the MANAGER role to the user.

1. Back in Keycloak, go into the user settings and add the MANAGER and EMPLOYEE roles to the Doris, and just the EMPLOYEE role to Boris. Then re-check the behaviour of the system.

	Note that you will need to logout the user's sessions to force the service to sign the user in again to get the updated profile.  Do this via the <<menu "Sessions">> tab for the user, and click <<menu "Logout all sessions">>.

1. Revisit the restricted pages in your Web browser. This time it should work.