Keycloak authentication
Find below the steps to use the API with a configured Keycloak server.

This is not currently active!
This documentation presents how to integrate with version 5.1, for Docup/DocSyndic group brandings only (Q2 2026).

Get Keycloak server access

Authentication
Ask IHM for your current branding configuration to get the Keycloak server info

  • GET /brandings/my?applicationURL=xxx
- The applicationURL parameter should be your user branding.
It should be immo.doc-up.online, moncourrier.doc-up.online, moncourrier.docsyndic.fr in the production environment
It should be test-immo.doc-up.online, test-moncourrier@doc-up.online, moncourrier-test.docsyndic.fr in the test environment

Get the authenticatorFrontURL and the clientId from the response
{
    "result": {
        "name": "..",
        "properties": {...},
        "id": "..",
        "virtualHost": ,
        "applicationName": "..",
        "authenticationRealm": {...},
        "logoImageURL": ,
        "clientId": "CLIENTID",
        "authenticatorFrontURL": "AUTHENTICATORFRONTURL",
        "backgroundImageURL": 
    }
}

Authenticate on Keycloak

Get the token
  • POST authenticatorFrontURL/protocol/openid-connect/token
  • Be careful: the body of this request is x-www-form-urlencoded
  • client_id:clientId
  • grant_type: password
  • user_name:<my-user-email>
  • password:<my-user-password>
- The Content-Type is x-www-form-urlencoded.
- Keep the access_token and the refresh_token
{
    "access_token": "eyJhbGciOiJSUzIW5VamxpSHZFMDZpY1ZhRGNJIn0.eyJleHAi...",
    "expires_in": 300,
    "refresh_expires_in": 1800,
    "refresh_token": "eyJhbGciOiJIUzUxMiIsInR5cCIZGIzOWY0NTYifQ.eyJleHAiOjE3Nj...",
    "token_type": "Bearer",
    "not-before-policy": 0,
    "session_state": "cfbf5da0-cf75-4158-8432-e98ebf66540a",
    "scope": "profile email"
}
The token is valid for 5 minutes. If you need to refresh it, allow a 20-second margin before the expiration.

Refresh the token
  • POST authenticatorFrontURL/protocol/openid-connect/token
  • Be careful: the body of this request is x-www-form-urlencoded
  • client_id:clientId
  • grant_type: refresh_token
  • refresh_token:refreshTokenValue
- The Content-Type is x-www-form-urlencoded.
- Do not forget the header Authorization: Bearer access_token
- Get the access_token and the refresh_token
{
    "access_token": "eyJhbGciOiJSUzIW5VamxpSHZFMDZpY1ZhRGNJIn0.eyJleHAi...",
    "expires_in": 300,
    "refresh_expires_in": 1800,
    "refresh_token": "eyJhbGciOiJIUzUxMiIsInR5cCIZGIzOWY0NTYifQ.eyJleHAiOjE3Nj...",
    "token_type": "Bearer",
    "not-before-policy": 0,
    "session_state": "cfbf5da0-cf75-4158-8432-e98ebf66540a",
    "scope": "profile email"
}
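
The refresh timing described above (5-minute access token, 20-second margin, 30-minute refresh token) can be tracked on the client side as follows. This is an added example, not code from the IHM API or from Keycloak; the class KeycloakSession, its method names, the example URL, and applying the same margin to the refresh token are assumptions of this example.

```python
import time
from urllib.parse import urlencode

REFRESH_MARGIN_S = 20  # safety margin recommended on this page


class KeycloakSession:
    """Tracks token lifetimes from a token response and builds the refresh request."""

    def __init__(self, authenticator_front_url, client_id, clock=time.monotonic):
        self.token_url = authenticator_front_url.rstrip("/") + "/protocol/openid-connect/token"
        self.client_id = client_id
        self.clock = clock  # injectable so the timing logic can be tested offline
        self.access_token = self.refresh_token = None
        self.access_deadline = self.refresh_deadline = 0.0

    def store(self, token_response):
        """Record tokens and absolute deadlines from a token or refresh response."""
        now = self.clock()
        self.access_token = token_response["access_token"]
        self.refresh_token = token_response["refresh_token"]
        self.access_deadline = now + token_response["expires_in"]
        self.refresh_deadline = now + token_response["refresh_expires_in"]

    def next_action(self):
        """Return 'reuse', 'refresh' or 'login' for the next API call."""
        now = self.clock()
        if self.access_token is not None and now < self.access_deadline - REFRESH_MARGIN_S:
            return "reuse"
        # Assumption of this example: the same margin is applied to the refresh token.
        if self.refresh_token is not None and now < self.refresh_deadline - REFRESH_MARGIN_S:
            return "refresh"
        return "login"

    def refresh_request(self):
        """Build (url, headers, body) for the refresh call, body form-urlencoded."""
        headers = {"Content-Type": "application/x-www-form-urlencoded",
                   "Authorization": "Bearer " + self.access_token}
        body = urlencode({"client_id": self.client_id,
                          "grant_type": "refresh_token",
                          "refresh_token": self.refresh_token})
        return self.token_url, headers, body


if __name__ == "__main__":
    s = KeycloakSession("https://auth.example.test/realms/demo", "CLIENTID")  # constructed values
    s.store({"access_token": "AAA", "refresh_token": "RRR", "expires_in": 300, "refresh_expires_in": 1800})
    print(s.next_action(), s.refresh_request())
```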

Go to IHM with the Keycloak token

Authorization now relies on the Bearer token; this replaces the default X-Auth-Token
Check authentication
  • POST /authentication/check?withProfileDetail=true
- Use withProfileDetail=true to get the complete list of services

With this call, you should get the same information as previously with the IHM internal authentication mechanism (not Keycloak based).
All that remains is to update your API calls by replacing the X-Auth-Token with the Bearer.

Logout

Logout
  • authenticatorFrontURL/protocol/openid-connect/logout
  • Be careful: the body of this request is x-www-form-urlencoded
  • client_id:clientId
  • refresh_token:refreshTokenValue
- Do not forget the header Authorization: Bearer access_token
- It will return a 202 status, no content
- If the authentication was made on the Keycloak server, the logout must be made on Keycloak too. Do not call the IntelligentHybridMail logout