Configure Keycloak

Last updated 2 months ago

This page describes how to configure a Keycloak instance as an external IdP for the fulfillmenttools platform. Log in with an admin user to the administrator console in Keycloak; the default URL is: https://<keycloak-instance>/admin/master/console/.

Create a Client

If multiple Keycloak realms exist, use the dropdown in the upper left corner to select the realm that should act as external IdP for fulfillmenttools. For each fulfillmenttools environment (typically a test and a production environment), create a separate client in Keycloak.

Browse to Clients (on the left navigation pane) and select Create client to open the client configuration wizard.

In the first step of the Create client wizard, select the OpenID Connect client type and enter a Client ID (e.g., fulfillmenttools-production-environment). Press Next afterward.

In the second step of the wizard, activate the Implicit Flow. Press Next afterward.

In the wizard's third step, add 3 Redirect URIs. These have the pattern:

  • https://ocff-<tenantName>-<pre|prd>.firebaseapp.com/__/auth/handler

  • https://ocff-<tenantName>-<pre|prd>.web.app/__/auth/handler

  • https://pick-<tenantName>-<pre|prd>.web.app/__/auth/handler

Press Save to create the client.

The OAuth client has now been created. The Client ID must later be supplied to the fulfillmenttools platform via API.

Activate Authentication and Create Credentials (Client Secret)

On the Client configuration page activate Client authentication and press Save.

At the top of the Client, select the Credentials tab. Select Client Id and Secret. The Client Secret must be supplied to fulfillmenttools at a later step via API.

Create Client Roles

Now, create the client roles that correspond to the fulfillmenttools roles. Navigate to Roles and press Create role.

Create 3 roles: ADMINISTRATOR, SUPERVISOR and FULFILLER. The Description is arbitrary, but the Role name must be exactly one of these three names.

The app roles should look similar to this:

Linking Client Roles to users/groups

Next, link Keycloak groups to these client roles. Individual Keycloak users can be added to these groups to assign roles to users.

In the Keycloak administration console, select Groups on the left navigation pane.

Typically there are three Keycloak groups, one for each fulfillmenttools role. Click Create group to create one Keycloak group per fulfillmenttools role (e.g., fft-role-administrator, fft-role-supervisor, fft-role-fulfiller).

Now assign the client roles to these groups. To do so, select the created group in the Groups section.

Then select Role mapping in the tabs and press Assign role. A production setup needs a total of three groups, one for each role; every member of a group is then assigned the corresponding fulfillmenttools role.

Select the corresponding role from the client, and press Assign.

In the following screenshot, the ADMINISTRATOR role is assigned to its group. Repeat this for SUPERVISOR and FULFILLER.

Adding (facility) groups to the token

fulfillmenttools models the assigned facilities to a user using Keycloak groups. In the Keycloak administration console, select the Client and the Client scopes tab. Select the <client ID>-dedicated entry:

Then, select Configure a new mapper.

Select Group Membership.

The name of the token mapper must be groups. Then press Save.

Now, all groups of a user are put into the token. The fulfillmenttools platform leverages this to identify which user is allowed to access a facility on the fulfillmenttools platform.

Disable "Full scope allowed"

In the Keycloak administration console, select the Client and the Client scopes tab. Select the <client ID>-dedicated entry:

Then, open the Scope tab and disable the Full scope allowed:

Configure Client Scopes

In the client configuration, select the Client Scopes tab. Add the email, profile, and openid scopes:

If the openid scope is unavailable on the Keycloak instance, create it in the admin console (Client Scopes in the left navigation pane).
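The settings from the preceding sections (OpenID Connect client type, Implicit Flow, client authentication, the three redirect URIs, "Full scope allowed" off, the groups mapper and the email/profile/openid scopes) can be verified against a client export instead of by eye. The following is an added example, not code from the fulfillmenttools documentation or from Keycloak. It takes the parsed JSON of a client exported from the Keycloak admin console and reports every deviation from this guide. The field names it reads (publicClient, implicitFlowEnabled, fullScopeAllowed, redirectUris, defaultClientScopes, protocolMappers with oidc-group-membership-mapper) are my reading of Keycloak's client representation; the tenant name acme and all sample values are constructed, and the sample deliberately contains two mistakes.

```python
"""Lint a Keycloak client export against the settings this guide requires.

Added example; not part of the fulfillmenttools docs or of Keycloak. The
sample below is a constructed client representation (assumption: the shape
of the JSON that Clients -> Action -> Export produces). Values are made up.
"""

# Constructed sample export for tenant "acme", production stage.
SAMPLE_CLIENT = {
    "clientId": "fulfillmenttools-production-environment",
    "protocol": "openid-connect",
    "enabled": True,
    "publicClient": False,          # "Client authentication" switched on
    "implicitFlowEnabled": True,
    "fullScopeAllowed": True,       # deliberately wrong: the guide says to disable it
    "redirectUris": [
        "https://ocff-acme-prd.firebaseapp.com/__/auth/handler",
        "https://ocff-acme-prd.web.app/__/auth/handler",
        "https://pick-acme-prd.web.app/__/auth/handler",
        "https://ocff-acme-prd.web.app/*",   # deliberately wrong: wildcard URI
    ],
    "defaultClientScopes": ["email", "profile", "openid", "roles"],
    "protocolMappers": [
        {
            "name": "groups",
            "protocol": "openid-connect",
            "protocolMapper": "oidc-group-membership-mapper",
            "config": {"claim.name": "groups", "full.path": "true",
                       "id.token.claim": "true", "access.token.claim": "true"},
        }
    ],
}

REQUIRED_SCOPES = {"email", "profile", "openid"}


def expected_redirect_uris(tenant: str, stage: str) -> set:
    """The three redirect URIs from the guide for one tenant and stage (pre|prd)."""
    if stage not in ("pre", "prd"):
        raise ValueError("stage must be 'pre' or 'prd'")
    return {
        f"https://ocff-{tenant}-{stage}.firebaseapp.com/__/auth/handler",
        f"https://ocff-{tenant}-{stage}.web.app/__/auth/handler",
        f"https://pick-{tenant}-{stage}.web.app/__/auth/handler",
    }


def lint_client(client: dict, tenant: str, stage: str) -> list:
    """Return a list of findings; an empty list means the client matches the guide."""
    findings = []

    if client.get("protocol") != "openid-connect":
        findings.append("client type is not OpenID Connect")
    if not client.get("implicitFlowEnabled"):
        findings.append("Implicit Flow is not enabled")
    if client.get("publicClient", True):
        findings.append("Client authentication is off (public client): no client secret exists")
    if client.get("fullScopeAllowed", True):
        findings.append("'Full scope allowed' is still enabled")

    # Redirect URIs must be exactly the three from the guide: nothing missing, no extras.
    uris = set(client.get("redirectUris", []))
    wanted = expected_redirect_uris(tenant, stage)
    for missing in sorted(wanted - uris):
        findings.append(f"missing redirect URI: {missing}")
    for extra in sorted(uris - wanted):
        findings.append(f"unexpected redirect URI (remove it, especially wildcards): {extra}")

    for scope in sorted(REQUIRED_SCOPES - set(client.get("defaultClientScopes", []))):
        findings.append(f"client scope not assigned: {scope}")

    # The Group Membership mapper must exist and emit a claim literally named "groups".
    group_mappers = [m for m in client.get("protocolMappers", [])
                     if m.get("protocolMapper") == "oidc-group-membership-mapper"]
    if not group_mappers:
        findings.append("no Group Membership mapper configured")
    elif not any(m.get("name") == "groups" and m.get("config", {}).get("claim.name") == "groups"
                 for m in group_mappers):
        findings.append("Group Membership mapper exists but its claim is not named 'groups'")
    return findings


if __name__ == "__main__":
    for finding in lint_client(SAMPLE_CLIENT, "acme", "prd"):
        print("-", finding)
```

Run against the sample, it reports the enabled "Full scope allowed" switch and the wildcard redirect URI; the dedicated scope tab and the client's own roles are not part of the export check, so they still have to be reviewed in the console.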

Summary

Gather the following information to configure the external IDP via API:

  • CLIENT_ID

    • The Client ID of the client in Keycloak

  • CLIENT_SECRET

    • The value of the client secret created above

  • Keycloak facility group names

    • Names of the Keycloak groups that represent a facility

  • FACILITY_ID_1, FACILITY_ID_2

    • IDs of the facilities in fulfillmenttools that this group should have access to

To register the OIDC provider to the fulfillmenttools platform, execute the following call:

POST https://tenant-name.api.fulfillmenttools.com/api/configurations/oidcproviders
{
    "name": "Keycloak Login",
    "status": "ACTIVE",
    "clientId": "{CLIENT_ID}",
    "clientSecret": "{CLIENT_SECRET}",
    "issuer": "https://{URL}/realms/{realm}",
    "customParameters": [],
    "assignedGroups": [
        {
            "group": "{KEYCLOAK_GROUP_NAME}",
            "facilityRefs": [
                "{FACILITY_ID_1}",
                "{FACILITY_ID_2}"
            ]
        }
    ]
}
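The registration above ties three things together that were configured earlier: the client roles from Create Client Roles, the groups claim from Adding (facility) groups to the token, and the assignedGroups mapping from the Summary. The following is an added example, not code from the fulfillmenttools documentation or from Keycloak, that shows how a token issued by the configured client would be read against that registration: it checks issuer, audience and expiry, derives the fulfillmenttools role from the client roles and the facility IDs from the groups claim, and flags a token that carries none of either. How fulfillmenttools itself reads the token is not stated on this page; the claim layout used here (group paths such as /store-berlin from the mapper's "Full group path" default, client roles under resource_access.<clientId>.roles) follows Keycloak's defaults and is an assumption. The token is constructed and signed with a throwaway HMAC key so the example runs offline; real Keycloak tokens are RS256-signed and must be verified against the realm's JWKS instead. Issuer, client ID, group and facility values are constructed.

```python
"""Read a verified ID token against the OIDC provider registration.

Added example; not part of the fulfillmenttools docs or of Keycloak. The
HS256 signing below stands in for Keycloak's RS256 tokens so the check runs
offline; the claim layout is Keycloak's default with the "groups" mapper and
"Full group path" enabled (assumption).
"""
import base64
import hashlib
import hmac
import json
import time

FFT_ROLES = {"ADMINISTRATOR", "SUPERVISOR", "FULFILLER"}

# The registration payload from the Summary, with constructed values.
PROVIDER_CONFIG = {
    "clientId": "fulfillmenttools-production-environment",
    "issuer": "https://keycloak.example.test/realms/acme",
    "assignedGroups": [
        {"group": "store-berlin", "facilityRefs": ["facility-id-berlin"]},
        {"group": "store-munich", "facilityRefs": ["facility-id-munich", "facility-id-munich-2"]},
    ],
}
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_demo_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build an HS256 JWT for the demo (stand-in for Keycloak's RS256 tokens)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_demo_token(token: str, key: bytes = DEMO_KEY) -> dict:
    """Check the HMAC signature and return the claims; raise on any tampering."""
    header, body, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("signature mismatch")
    return json.loads(_b64url_decode(body))


def group_name(path: str) -> str:
    """'/store-berlin' (full group path) -> 'store-berlin'; plain names pass through."""
    return path.rsplit("/", 1)[-1]


def evaluate_claims(claims: dict, config: dict, now=None) -> dict:
    """Derive role and facility access from verified claims.

    Returns {"problems": [...], "roles": set, "facilities": [...]}; any entry in
    "problems" means the token must be rejected.
    """
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != config["issuer"]:
        problems.append(f"issuer mismatch: {claims.get('iss')!r}")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if config["clientId"] not in aud:
        problems.append("token not issued for this client (aud)")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")

    # Client roles of the registered client carry the fulfillmenttools role.
    client_roles = set(claims.get("resource_access", {}).get(config["clientId"], {}).get("roles", []))
    roles = client_roles & FFT_ROLES
    if not roles:
        problems.append("no ADMINISTRATOR/SUPERVISOR/FULFILLER role mapped for this client")

    # Group membership, via assignedGroups, decides which facilities are reachable.
    if "groups" not in claims:
        problems.append("'groups' claim missing: Group Membership mapper not configured")
    groups = {group_name(g) for g in claims.get("groups", [])}
    facilities = []
    for entry in config["assignedGroups"]:
        if entry["group"] in groups:
            facilities.extend(entry["facilityRefs"])
    if "groups" in claims and not facilities:
        problems.append("user is in no group mapped to a facility")
    return {"problems": problems, "roles": roles, "facilities": facilities}


# Constructed claims for a fulfiller who belongs to the Berlin store group.
DEMO_CLAIMS = {
    "iss": "https://keycloak.example.test/realms/acme",
    "aud": "fulfillmenttools-production-environment",
    "sub": "11111111-2222-3333-4444-555555555555",
    "exp": int(time.time()) + 300,
    "groups": ["/fft-role-fulfiller", "/store-berlin"],
    "resource_access": {"fulfillmenttools-production-environment": {"roles": ["FULFILLER"]}},
}

if __name__ == "__main__":
    token = make_demo_token(DEMO_CLAIMS)
    result = evaluate_claims(verify_demo_token(token), PROVIDER_CONFIG)
    print(json.dumps(result, default=sorted, indent=2))
```

The role group (fft-role-fulfiller) appears in the groups claim as well but matches no assignedGroups entry, so it contributes no facility; only store-berlin does. A user whose groups claim names none of the registered groups ends up with a role but no facility, which is the situation to look for when someone can log in but sees nothing.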