1. Install keycloak at port 9080 with password admin/admin
- sudo docker run -p 9080:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin quay.io/keycloak/keycloak:21.1.1 start-dev

2. Login to http://localhost:9080/admin and create realms GardenWorld
- http://localhost:9080/realms/GardenWorld

3. Switch to GardenWorld realm and create client rest-api
- Client authentication: on
- Authorization: on
- Authentication flow: default

4. Turn off "Full scope allowed"
- Clients > rest-api > Client scopes > rest-api-dedicated > Scope > turn off "Full scope allowed"

5. Create client role "GardenWorld User" and "GardenWorld Admin"
- Clients > rest-api > Roles > Create role: GardenWorld User
- Clients > rest-api > Roles > Create role: GardenWorld Admin

6. Create group "HQ"
- Groups > Create group : HQ

7. Configure Audience claim (aud)
- Client scopes > roles > Mappers: Delete "Audience Resolve"
- Clients > rest-api >  Client scopes > rest-api-dedicated > Add mapper > By Configuration > Audience
  - Included Client Audience: rest-api
  - Turn on Add to access token

8. Create user GardenUser
- Users > Create new user
- Name: GardenUser
- Email: user@gardenworld.com
- First Name: GardenUser
- Join Groups: HQ
- Users > GardenUser > Credentials > Set password: 123, Temporary: off

9. Create user GardenAdmin
- Users > Add user
- Name: GardenAdmin
- Email: admin@gardenworld.com
- First Name: GardenAdmin
- Join Groups: HQ
- Users > GardenAdmin > Credentials > Set password: 123, Temporary: off

10. Assign role to GardenAdmin user
- Users > GardenAdmin > Role mapping > Assign role > Filter by clients > GardenWorld Admin

11. Assign role to GardenUser user
- Users > GardenUser > Role mapping > Assign role > Filter by clients > GardenWorld User

12. Add groups claim
- Clients > rest-api >  Client scopes > rest-api-dedicated > Mappers > Add mapper > By configuration > Group Membership
  - Name: groups
  - Token Claim Name: groups
  - Full group path: Off
  - Add to ID token: On
  - Add to access token: On
  - Add to userinfo: On

13. Login to iDempiere as Garden World Admin
- pack in "GW Rest OpenID Connect Service.zip"

14. Import oidc-test.postman_collection.json to PostMan

15. Set clientSecret value running the POST request
- Clients > rest-api > Credentials > Copy Client secret to clipboard
- Postman
  - Create new environment
  - Add variable keycloakHost, set value to your keycloak server host, for e.g http://localhost:9080
  - Add variable idempiereHost, set value to your iDempiere server host, for e.g https://127.0.0.1:8443
  - Add variable clientSecret, pass the copied client secret value from clipboard
  - Save the environment and use it to run your test 

16. POST "realms/{realm}/protocol/openid-connect/token GardenAdmin" will grant access to both c_tax and c_order GET.

17. POST "realms/{realm}/protocol/openid-connect/token GardenUser" will grant access to c_order GET.

