
Realm Configuration Reference

This page documents the OIDC configuration, client IDs, token lifetimes, and authentication flow settings for both Keycloak realms used in Microtec ERP.


Realm Overview


microtec Realm

Realm-Level Settings

| Setting | Value | Notes |
|---|---|---|
| Realm ID | microtec | Cannot change after creation |
| Display Name | Microtec ERP | Shown on login page |
| Enabled | true | |
| Login Theme | microtec-rtl | Custom RTL-aware theme |
| Account Theme | microtec-rtl | |
| Email Theme | microtec-email | Branded email templates |
| Default Locale | ar | Arabic |
| Supported Locales | ar, en | |
| Registration Allowed | false | Self-registration disabled |
| Forgot Password | true | Via email OTP |
| Remember Me | true | 30-day persistent session |

Token Lifetime Settings

| Token Type | Lifetime | Notes |
|---|---|---|
| Access Token | 1800s (30 min) | Short-lived for security |
| Refresh Token | 28800s (8 hrs) | Renewed on each use |
| SSO Session Max | 36000s (10 hrs) | Working day coverage |
| SSO Session Idle | 7200s (2 hrs) | Inactivity timeout |
| Offline Session Max | 5184000s (60 days) | Mobile apps |
| Client Session Max | 3600s (1 hr) | Per-client override possible |
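The lifetimes above only make sense relative to each other (an access token should not outlive the idle timeout that is supposed to end the session, and a per-client maximum cannot exceed the realm-wide one). The check below is an added example, not part of the Microtec docs or tooling: it reads the real Keycloak realm-representation attribute names, takes the numbers from the table, and applies the ordering rules a reviewer would check. The `BAD_REALM` values and the 3600s policy ceiling are constructed for contrast.

```python
"""Added example: sanity-check token lifetime relationships in a Keycloak realm export.
Attribute names are Keycloak's realm-representation keys; values are from the table above."""

# microtec realm lifetimes as Keycloak stores them (seconds).
MICROTEC_REALM = {
    "accessTokenLifespan": 1800,
    "ssoSessionIdleTimeout": 7200,
    "ssoSessionMaxLifespan": 36000,
    "clientSessionMaxLifespan": 3600,
    "offlineSessionMaxLifespanEnabled": True,
    "offlineSessionMaxLifespan": 5184000,
}

# businessowner realm lifetimes from its own table further down the page.
BUSINESSOWNER_REALM = {
    "accessTokenLifespan": 3600,
    "ssoSessionIdleTimeout": 3600,
    "ssoSessionMaxLifespan": 28800,
}

# Constructed misconfiguration (not a real Microtec setting): access tokens that outlive
# the idle timeout, and an idle timeout longer than the session maximum.
BAD_REALM = {
    "accessTokenLifespan": 14400,
    "ssoSessionIdleTimeout": 7200,
    "ssoSessionMaxLifespan": 3600,
    "clientSessionMaxLifespan": 0,
    "offlineSessionMaxLifespanEnabled": False,
    "offlineSessionMaxLifespan": 5184000,
}


def check_token_lifespans(realm: dict, max_access: int = 3600) -> list:
    """Return a list of findings; an empty list means the lifetimes are consistent.

    Rules: access <= SSO idle <= SSO max, a non-zero client session max stays within
    SSO max, access tokens never exceed the policy ceiling (max_access is an assumption),
    and an enabled offline session is at least as long as the online session.
    """
    findings = []
    access = realm["accessTokenLifespan"]
    idle = realm["ssoSessionIdleTimeout"]
    sso_max = realm["ssoSessionMaxLifespan"]
    client_max = realm.get("clientSessionMaxLifespan", 0)  # 0 means "inherit SSO max"

    if access > max_access:
        findings.append(f"access token lifespan {access}s exceeds policy maximum {max_access}s")
    if access > idle:
        findings.append(f"access token ({access}s) outlives SSO idle timeout ({idle}s)")
    if idle > sso_max:
        findings.append(f"SSO idle ({idle}s) exceeds SSO max ({sso_max}s)")
    if client_max and client_max > sso_max:
        findings.append(f"client session max ({client_max}s) exceeds SSO max ({sso_max}s)")
    if realm.get("offlineSessionMaxLifespanEnabled") and realm["offlineSessionMaxLifespan"] < sso_max:
        findings.append("offline session max is shorter than the online SSO max")
    return findings


if __name__ == "__main__":
    for name, realm in (("microtec", MICROTEC_REALM), ("businessowner", BUSINESSOWNER_REALM), ("bad", BAD_REALM)):
        print(name, check_token_lifespans(realm) or "OK")
```

Run it against a `realm-export.json` by loading the file with `json.load` and passing the resulting dict; both documented realms pass, and the constructed one reports three findings.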

Client Registrations (microtec)

All 9 MFE apps register as public OIDC clients (no client secret — browser apps cannot keep secrets) in the microtec realm:

| Client ID | Port | Redirect URIs |
|---|---|---|
| erp-home | 4401 | {domain}/erp-home/*, http://localhost:4401/* |
| apps-accounting | 4402 | {domain}/accounting/*, http://localhost:4402/* |
| apps-hr | 4403 | {domain}/hr/*, http://localhost:4403/* |
| apps-finance | 4404 | {domain}/finance/*, http://localhost:4404/* |
| apps-sales | 4405 | {domain}/sales/*, http://localhost:4405/* |
| apps-purchase | 4406 | {domain}/purchase/*, http://localhost:4406/* |
| apps-inventory | 4407 | {domain}/inventory/*, http://localhost:4407/* |
| app-distribution | 4408 | {domain}/distribution/*, http://localhost:4408/* |
| fixed-assets | 4409 | {domain}/fixed-assets/*, http://localhost:4409/* |

Domain by Environment

Replace {domain} with the environment-specific domain:

| Env | Domain |
|---|---|
| dev | https://microtec-test.com |
| stage | https://microtecstage.com |
| uat | https://microtec-uat.com |
| prod | https://onlinemicrotec.com.sa |

OIDC Flow Configuration per Client

All microtec realm clients use the same flow settings:

```json
{
  "protocol": "openid-connect",
  "publicClient": true,
  "standardFlowEnabled": true,
  "implicitFlowEnabled": false,
  "directAccessGrantsEnabled": false,
  "serviceAccountsEnabled": false,
  "authorizationServicesEnabled": false
}
```

Direct Access Grants Disabled

`directAccessGrantsEnabled` is `false` on all browser clients. This disables the OAuth2 password grant (Resource Owner Password Credentials) for them. This is intentional: browser apps must use the authorization code flow with PKCE.
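A client exported from Keycloak can drift from the flow settings above (a flag flipped in the admin console, a redirect URI widened during debugging) and nothing on the page would notice. The linter below is an added example, not Microtec code: it compares a client representation against the documented flags and accepts only the redirect URI shapes from the client and environment tables. Two checks go slightly beyond the page and are my additions: a redirect URI scoped to the whole domain (`https://<domain>/*`) is reported because every documented URI is scoped to an app path, and `webOrigins` set to `*` is reported as a warning (the businessowner client further down sets exactly that, so expect the warning there). `BAD_CLIENT` is constructed for contrast.

```python
"""Added example: lint public browser clients from a Keycloak realm export against the
microtec realm's documented flow settings and redirect URI patterns."""
from urllib.parse import urlsplit

# Flow settings every microtec browser client must carry (from the JSON above).
BROWSER_CLIENT_POLICY = {
    "protocol": "openid-connect",
    "publicClient": True,
    "standardFlowEnabled": True,
    "implicitFlowEnabled": False,
    "directAccessGrantsEnabled": False,
    "serviceAccountsEnabled": False,
    "authorizationServicesEnabled": False,
}
# Hosts from the "Domain by Environment" table and the localhost ports from the client table.
ENV_DOMAINS = {
    "dev": "microtec-test.com",
    "stage": "microtecstage.com",
    "uat": "microtec-uat.com",
    "prod": "onlinemicrotec.com.sa",
}
LOCALHOST_PORTS = range(4401, 4410)


def _redirect_uri_ok(uri: str, env: str) -> bool:
    """Accept https://<env domain>/<app-path>/* or http://localhost:<known port>/* only."""
    if uri.count("*") > 1 or ("*" in uri and not uri.endswith("/*")):
        return False  # Keycloak honours only a trailing wildcard; anything broader is too loose
    parts = urlsplit(uri)
    if parts.scheme == "https" and parts.hostname == ENV_DOMAINS[env]:
        return parts.path not in ("", "/", "/*")  # added rule: must be scoped to an app path
    if parts.scheme == "http" and parts.hostname == "localhost":
        return parts.port in LOCALHOST_PORTS
    return False


def lint_browser_client(client: dict, env: str) -> list:
    """Return findings for one client representation; empty list means it matches policy."""
    cid = client.get("clientId", "<no clientId>")
    findings = []
    for key, wanted in BROWSER_CLIENT_POLICY.items():
        if client.get(key) != wanted:
            findings.append(f"{cid}: {key} is {client.get(key)!r}, expected {wanted!r}")
    for uri in client.get("redirectUris", []):
        if not _redirect_uri_ok(uri, env):
            findings.append(f"{cid}: redirect URI {uri!r} not allowed in {env}")
    if "*" in client.get("webOrigins", []):
        findings.append(f"{cid}: warning, webOrigins '*' permits CORS from any origin")
    return findings


# apps-accounting as documented for the dev environment.
ACCOUNTING_DEV = {
    "clientId": "apps-accounting",
    **BROWSER_CLIENT_POLICY,
    "redirectUris": ["https://microtec-test.com/accounting/*", "http://localhost:4402/*"],
}

# Constructed drifted client (not a real Microtec client): password grant and implicit flow
# re-enabled, and redirect URIs widened to everything.
BAD_CLIENT = {
    "clientId": "apps-drifted",
    **BROWSER_CLIENT_POLICY,
    "implicitFlowEnabled": True,
    "directAccessGrantsEnabled": True,
    "redirectUris": ["*", "https://microtec-test.com/*", "http://localhost:4402/*"],
    "webOrigins": ["*"],
}

if __name__ == "__main__":
    for client in (ACCOUNTING_DEV, BAD_CLIENT):
        print(client["clientId"], lint_browser_client(client, "dev") or "OK")
```

To check a whole export, iterate over `realm_export["clients"]`, skip the built-in Keycloak clients (`account`, `admin-cli`, `broker`, `realm-management`, `security-admin-console`) and any confidential client, and pass each remaining client with the environment the export came from.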

Default Client Scopes (microtec)

Every client in the microtec realm automatically receives these scopes:

| Scope | Claims Added to Token |
|---|---|
| openid | Standard OIDC claims |
| profile | name, given_name, family_name, picture |
| email | email, email_verified |
| roles | realm_access.roles, resource_access.{client}.roles |
| tenant | tenantId, tenantName (custom scope via seeding SPI) |
| locale | locale (ar/en) |

businessowner Realm

Realm-Level Settings

| Setting | Value | Notes |
|---|---|---|
| Realm ID | businessowner | |
| Display Name | Microtec Business Portal | |
| Login Theme | microtec-bo | Different theme, LTR-first |
| Default Locale | en | English default for BO portal |
| Supported Locales | ar, en | |
| Registration Allowed | false | Invite-only; accounts created by admins |
| Forgot Password | true | |

Token Lifetime Settings

| Token Type | Lifetime | Difference from microtec realm |
|---|---|---|
| Access Token | 3600s (1 hr) | Longer (admin tasks take more time) |
| Refresh Token | 28800s (8 hrs) | Standard work session |
| SSO Session Max | 28800s (8 hrs) | |
| SSO Session Idle | 3600s (1 hr) | |

Client Registrations (businessowner)

| Client ID | Port | Purpose |
|---|---|---|
| bussiness-owners | 4301 | Business Owner portal |
| bo-mobile | | BO mobile app (if enabled) |
| bo-backend-service | | Confidential client for backend calls |

bussiness-owners Spelling

The client ID `bussiness-owners` (double s) is intentional: it matches the Angular project name in `FrontApps/projects/`. Do NOT correct the spelling, because doing so would require renaming the Angular workspace and all Keycloak configurations.

OIDC Configuration (businessowner)

```json
{
  "clientId": "bussiness-owners",
  "protocol": "openid-connect",
  "publicClient": true,
  "standardFlowEnabled": true,
  "directAccessGrantsEnabled": false,
  "redirectUris": [
    "https://businessowner.{domain}/*",
    "http://localhost:4301/*"
  ],
  "webOrigins": ["*"]
}
```

Authentication Flow Priority

Both realms (microtec and businessowner) use the same customized browser flow. Priority determines execution order within each ALTERNATIVE step group.

| Priority | Authenticator | Config |
|---|---|---|
| 10 | Multi-Account Cookie (MAC) | kc.MAC.encryptionKey set |
| 20 | Cookie | Default config |
| 30 | Identity Provider Redirector | defaultProvider not set |

Backchannel Logout

Backchannel logout (RFC 7009 + OIDC Session Management) is implemented in both realms. When a user logs out from any app:

  1. Keycloak sends a POST logout request to each registered client's backchannelLogoutUrl
  2. Each Angular app clears its local session/token storage
  3. The MAC cookie is cleared via the multi-account SPI

Backchannel logout URL pattern per app:

```
https://{domain}/{app-path}/auth/backchannel-logout
```

Already Implemented

Backchannel logout is already coded and verified in the frontend shared-lib (FrontApps/libs/shared-lib/src/lib/auth/). No additional configuration required.


Role Structure

microtec Realm Roles

realm roles:
├── erp-user              # Base role for all ERP users
├── erp-admin             # Module administration
├── tenant-owner          # Company owner, can manage users
├── system-admin          # Cross-tenant admin (Microtec staff)
└── readonly-user         # View-only access

client roles (per app):
apps-accounting:
├── accounting-user
├── accounting-manager
└── accounting-viewer
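The default scopes table, the backchannel logout steps and the role trees above all describe the same thing from different angles: what a verified token from the microtec realm contains and how an app should read it. The code below is an added example and not part of the shared-lib or of Keycloak; it verifies a token, pulls out the `realm_access.roles`, `resource_access.{client}.roles`, `tenantId`, `tenantName` and `locale` claims the scopes add, and then applies the structural checks of OIDC Back-Channel Logout 1.0 (section 2.6) to a logout token. Assumptions: HS256 with a constructed shared secret stands in for Keycloak's RS256 realm key so the example needs only the standard library; the issuer URL follows Keycloak's `{base}/realms/{realm}` form using the dev domain; all claim values and the fixed clock are constructed.

```python
"""Added example: verify a realm token, read the scope-provided claims, validate a
back-channel logout token. HS256 and all values here are constructed stand-ins."""
import base64
import hashlib
import hmac
import json
import time

BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"
ISSUER = "https://microtec-test.com/realms/microtec"  # assumed: Keycloak's {base}/realms/{realm}
KEY = b"constructed-demo-secret-not-a-real-key"        # constructed; Keycloak really uses RS256
NOW = 1_700_000_000                                     # fixed clock so the example is deterministic


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint a demo token (in production the realm's RSA key does this inside Keycloak)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_hs256(token: str, key: bytes, issuer: str, audience: str, now=None) -> dict:
    """Check alg, signature, issuer, audience and expiry before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the verifier, not the token, decides the algorithm
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def authz_from_claims(claims: dict, client_id: str) -> dict:
    """Extract what the roles, tenant and locale scopes add, for one client's point of view."""
    return {
        "realm_roles": sorted(claims.get("realm_access", {}).get("roles", [])),
        "client_roles": sorted(claims.get("resource_access", {}).get(client_id, {}).get("roles", [])),
        "tenant_id": claims.get("tenantId"),
        "tenant_name": claims.get("tenantName"),
        "locale": claims.get("locale", "ar"),  # realm default locale is ar
    }


def validate_logout_token(claims: dict) -> list:
    """Structural rules from OIDC Back-Channel Logout 1.0 sec. 2.6; run after verify_hs256."""
    problems = [f"missing {c}" for c in ("iss", "aud", "iat", "jti", "events") if c not in claims]
    if BACKCHANNEL_EVENT not in claims.get("events", {}):
        problems.append("events lacks the backchannel-logout member")
    if "sub" not in claims and "sid" not in claims:
        problems.append("needs sub or sid")
    if "nonce" in claims:
        problems.append("nonce must not be present")
    return problems


# Constructed access token shaped the way the microtec scopes would shape it for apps-accounting.
ACCESS_TOKEN = sign_hs256({
    "iss": ISSUER, "aud": "apps-accounting", "sub": "user-123",
    "exp": NOW + 1800,  # 30-minute access token lifetime from the realm table
    "realm_access": {"roles": ["erp-user"]},
    "resource_access": {"apps-accounting": {"roles": ["accounting-manager"]}},
    "tenantId": "tenant-0001", "tenantName": "Demo Co", "locale": "ar",
}, KEY)

# Constructed logout token as Keycloak would POST it to a client's backchannelLogoutUrl.
LOGOUT_TOKEN = sign_hs256({
    "iss": ISSUER, "aud": "apps-accounting", "iat": NOW, "jti": "logout-0001",
    "sid": "session-abc", "events": {BACKCHANNEL_EVENT: {}},
}, KEY)

if __name__ == "__main__":
    claims = verify_hs256(ACCESS_TOKEN, KEY, ISSUER, "apps-accounting", now=NOW)
    print(authz_from_claims(claims, "apps-accounting"))
    print(validate_logout_token(verify_hs256(LOGOUT_TOKEN, KEY, ISSUER, "apps-accounting", now=NOW)))
```

The point of `authz_from_claims` taking a `client_id` is that `resource_access` is keyed per client: a token minted for apps-accounting yields `accounting-manager` there and nothing for apps-hr, so each app reads only its own branch of the client role tree. For the logout token, the `sid` is what ties the request back to the session that the multi-account cookie represents, and the absence of `nonce` is what distinguishes a logout token from an ID token that someone tried to replay into the logout endpoint.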

businessowner Realm Roles

realm roles:
├── bo-user               # Standard BO portal user
├── bo-admin              # Full BO admin
├── support-agent         # Microtec support staff
└── readonly              # Reporting/audit access

Internal Documentation — Microtec Platform Team