Configuring Keycloak for Smart API, REST OAuth and EcoSys Connect - EcoSys - 3.1 - Installation & Upgrade - Hexagon

Configuring OAuth2 token providers for EcoSys and EcoSys Connect

Search by Category
Installation & Upgrade
EcoSys Version

This section will cover setting up Keycloak to use with EcoSys Smart API, REST OAuth and/or EcoSys Connect. After completing these steps, you can use the following values in your EcoSys/Connect environments.

  • Base URL

  • Token URL

  • Issuer URL

  • Client ID

  • Client Secret

  • Scope


  1. Login to Keycloack as an admin.

  2. By default Keycloack comes with a master realm. You can use the existing master Realm or can create a new one.

    1. Ensure that the realm being used has Require SSL set to external requests by changing to the realm and navigating to the Login tab.

  3. Create a new Client Scope.

    1. Select Client Scopes.

    2. Click the Create button.

    3. Enter a Name.

      This value is the Client Scope and will be used later during the setup.

    4. Click Save

  4. Create a new Client.

    1. Go to Clients and click the Create button

    2. Enter the Client ID

      This value is the Client ID and will be used later during the setup

    3. Set Client Protocol to ‘openid-connect’

    4. Set Root URL to your EcoSys URL

    5. Click Save

    6. Change Access type to Confidential

    7. Set Standard Flow Enabled to OFF.

    8. For SMART API and REST OAuth usage, set Service Accounts Enabled to ON.

    9. Click Save.

    10. Click the Credentials tab.

      The value from the Secret field is the Client Secret and will be used later in the EcoSys setup.

    11. Click the Client Scopes tab.

      The newly created client scope appears under Available Client Scopes list. Select the scope and then select Add Selected to add it to the Assigned Default Client Scope list.

  5. Keycloak uses the default Service Account under Clients to make a request. You must create the same user (Custom) in Ecosys. This is applicable while using Smart APIs or REST OAuth APIs.

    If multiple users need SMART API/REST OAuth API access, create a different client for each user.

    In EcoSys, go to Admin > Users and Security and create a Custom user with “service-account-ecosys” as Login Name.

  6. Keycloak has been configured for Smart API or EcoSys Connect. The required URLS are:

    • JWKS URL = http://<Keycloak Host>:<port>/auth/realms/<Keycloak Realm> /protocol/openid-connect/certs

    • Token URL = http://<Keycloak Host>:<port>/auth/realms/<Keycloak Realm> /protocol/openid-connect/token

    • Base URL/Issuer URL = http://<Keycloak Host>:<port>/auth/realms/<Keycloak Realm>