1. Install keycloak at port 9080 with password admin/admin - sudo docker run -p 9080:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin quay.io/keycloak/keycloak:21.1.1 start-dev 2. Login to http://localhost:9080/admin and create realms GardenWorld - http://localhost:9080/realms/GardenWorld 3. Switch to GardenWorld realm and create client rest-api - Client authentication: on - Authorization: on - Authentication flow: default 4. Turn off "Full scope allowed" - Clients > rest-api > Client scopes > rest-api-dedicated > Scope > turn off "Full scope allowed" 5. Create client role "GardenWorld User" and "GardenWorld Admin" - Clients > rest-api > Roles > Create role: GardenWorld User - Clients > rest-api > Roles > Create role: GardenWorld Admin 6. Create group "HQ" - Groups > Create group : HQ 7. Configure Audience claim (aud) - Client scopes > roles > Mappers: Delete "Audience Resolve" - Clients > rest-api > Client scopes > rest-api-dedicated > Add mapper > By Configuration > Audience - Included Client Audience: rest-api - Turn on Add to access token 8. Create user GardenUser - Users > Create new user - Name: GardenUser - Email: user@gardenworld.com - First Name: GardenUser - Join Groups: HQ - Users > GardenUser > Credentials > Set password: 123, Temporary: off 9. Create user GardenAdmin - Users > Add user - Name: GardenAdmin - Email: admin@gardenworld.com - First Name: GardenAdmin - Join Groups: HQ - Users > GardenAdmin > Credentials > Set password: 123, Temporary: off 10. Assign role to GardenAdmin user - Users > GardenAdmin > Role mapping > Assign role > Filter by clients > GardenWorld Admin 11. Assign role to GardenUser user - Users > GardenUser > Role mapping > Assign role > Filter by clients > GardenWorld User 12. Add groups claim - Clients > rest-api > Client scopes > rest-api-dedicated > Mappers > Add mapper > By configuration > Group Membership - Name: groups - Token Claim Name: groups - Full group path: Off - Add to ID token: On - Add to access token: On - Add to userinfo: On 13. Login to iDempiere as Garden World Admin - pack in "GW Rest OpenID Connect Service.zip" 14. Import oidc-test.postman_collection.json to PostMan 15. Set clientSecret value running the POST request - Clients > rest-api > Credentials > Copy Client secret to clipboard - Postman - Create new environment - Add variable keycloakHost, set value to your keycloak server host, for e.g http://localhost:9080 - Add variable idempiereHost, set value to your iDempiere server host, for e.g https://127.0.0.1:8443 - Add variable clientSecret, pass the copied client secret value from clipboard - Save the environment and use it to run your test 16. POST "realms/{realm}/protocol/openid-connect/token GardenAdmin" will grant access to both c_tax and c_order GET. 17. POST "realms/{realm}/protocol/openid-connect/token GardenUser" will grant access to c_order GET.