Planon SDK
The SDK supports the authorization code flow with a public client and Proof Key for Code Exchange (PKCE), as well as the client credentials flow.
Which grant type is preferred depends on the type of integration required. For system-to-system integration, the client credentials grant is typically recommended. For an integration that requires (end-)user interaction, the authorization code flow is recommended.
To use the SDK with OIDC, configure your cloud environment via the Environment Management Gadget on the SSO tab and enable OpenID Connect for the SDK solution.
Additional Keycloak configuration is needed. To use the authorization code flow, add a public client with the settings described below:
Authorization code flow
| Setting | Value |
| --- | --- |
| Client type | openid-connect |
| Client ID | “replace by a self-chosen name” |
| Client authentication | Off |
| Authentication flow | Standard flow |
| Root URL | |
| Valid redirect URIs | “url of the interface calling the sdk interface” |
| Proof Key for Code Exchange Code Challenge Method | Choose your preference and match with interfacing system (plain or S256) |
For system-to-system authentication, the following template can be used.
Client credentials
| Setting | Value |
| --- | --- |
| Client type | openid-connect |
| Client ID | “replace by a self-chosen name” |
| Client authentication | On |
| Authentication flow | Service accounts role |
| Root URL | |
| Valid redirect URIs | “url of the interface calling the sdk interface” |
| Proof Key for Code Exchange Code Challenge Method | Choose your preference and match with interfacing system (plain or S256) |
When using the client credentials flow, a service account user must be present in Planon.
Example
If the client name is sdk-example1, a user with account name service-account-sdk-example1 must be present and active within the Planon application.
To get access to the SDK service via OpenID Connect, take the following steps:
1. Retrieve an access token at the Authentication service via the client created in the installation steps.
2. Send the access token as a Bearer token to the Planon SDK service.
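The two steps above for the client credentials flow, as an added example that is not Planon's own code: it requests a token, reuses it until shortly before expiry, and builds the Bearer header for SDK requests. The token endpoint URL is a placeholder, the class and function names are hypothetical, and sending the client secret as a form field is an assumption about how the Keycloak client is set up.

```python
import json
import time
import urllib.parse
import urllib.request

# Placeholder (assumption): substitute your environment's Keycloak token endpoint.
TOKEN_URL = "https://sso.example.invalid/realms/REALM/protocol/openid-connect/token"


def post_form(url, form):
    """POST form fields to the token endpoint and return the parsed JSON body."""
    data = urllib.parse.urlencode(form).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data), timeout=10) as resp:
        return json.load(resp)


class BearerTokenSource:
    """Client credentials grant with renewal shortly before the token expires."""

    def __init__(self, client_id, client_secret, post=post_form,
                 clock=time.monotonic, skew=30):
        self._form = {"grant_type": "client_credentials",
                      "client_id": client_id, "client_secret": client_secret}
        self._post, self._clock, self._skew = post, clock, skew
        self._token, self._expires_at = None, 0.0
        # Planon account that must exist and be active for this client.
        self.service_account = f"service-account-{client_id}"

    def _fetch(self):
        body = self._post(TOKEN_URL, self._form)
        self._token = body["access_token"]
        self._expires_at = self._clock() + int(body["expires_in"])

    def authorization_header(self):
        """Header for an SDK request; renews so an expired token is never sent."""
        if self._token is None or self._clock() >= self._expires_at - self._skew:
            self._fetch()
        return {"Authorization": f"Bearer {self._token}"}

    def invalidate(self):
        """Call after a 401 from the SDK service to force a fresh token."""
        self._token = None
```

Load the client secret from a secret store or environment variable rather than from source code, and call `invalidate()` once before retrying a request that returned 401.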
Technical information - SDK
Client credentials flow
Authorization code flow
Troubleshooting
| Error | Description |
| --- | --- |
| 401 Unauthorized | Either no access token or an already expired access token has been sent to Planon SDK service. |
| 500 Internal error | The user account does not exist or is not active in the Planon application. |