Camunda Keycloak configuration error

Hi @VonDerBeck,
I am trying to integrate Keycloak with Camunda but am facing an issue while running the Camunda Spring Boot application.
I have followed the steps as described in this GitHub repository.

GitHub - camunda-community-hub/camunda-bpm-identity-keycloak: Camunda Keycloak Identity Provider Plugin

I am receiving the error message "Unable to resolve Configuration with the provided Issuer of "http://localhost:9000/auth/realms/camunda"".

Please find the attached ErrorLog file for the detailed errors.
ErrorLog.txt (32.0 KB)

I have also attached the application.yaml file for reference.
application_yml.txt (2.0 KB)

@yatish do you have Keycloak running under localhost:9000 (localhost! port 9000!) and have you set up a realm named camunda?

It looks like you are trying to implement SSO? Have you had a look at camunda-bpm-identity-keycloak/examples/sso-kubernetes at master · camunda-community-hub/camunda-bpm-i?

do you have Keycloak running under localhost:9000 (localhost! port 9000!) and have you set up a realm named camunda

Keycloak is running on port 9000 with the realm name ‘camunda’.

It looks like you are trying to implement SSO?

Yes, I am trying to implement SSO. I had already looked at the above GitHub repo and am receiving a similar error message: "Unable to resolve Configuration with the provided Issuer of “http://localhost:9000/auth/realms/camunda”"

@VonDerBeck Please let me know if you need any additional information from my side.

This is clearly a problem of your Spring Security configuration, together with your individual Keycloak setup. So far it has nothing to do with the Keycloak Identity Provider Plugin.

Some hints from your stacktrace:

Caused by: java.lang.IllegalArgumentException: Unable to resolve Configuration with the provided Issuer of "http://localhost:9000/auth/realms/camunda"
	at org.springframework.security.oauth2.client.registration.ClientRegistrations.getBuilder(ClientRegistrations.java:221) ~[spring-security-oauth2-client-5.4.5.jar:5.4.5]
    ...
Caused by: java.lang.RuntimeException: com.nimbusds.oauth2.sdk.ParseException: Unexpected type of JSON object member with key mtls_endpoint_aliases
	at org.springframework.security.oauth2.client.registration.ClientRegistrations.parse(ClientRegistrations.java:232) ~[spring-security-oauth2-client-5.4.5.jar:5.4.5]
    ...
Caused by: com.nimbusds.oauth2.sdk.ParseException: Unexpected type of JSON object member with key mtls_endpoint_aliases
	at com.nimbusds.oauth2.sdk.util.JSONObjectUtils.getGeneric(JSONObjectUtils.java:161) ~[oauth2-oidc-sdk-8.36.jar:8.36]
    ...
Caused by: com.nimbusds.oauth2.sdk.ParseException: Unexpected type: class java.util.LinkedHashMap

Spring Security is not able to parse the information received from Keycloak, especially the content of mtls_endpoint_aliases. This is what you should look for.

Hope this helps
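The stack trace above comes from the client bootstrapping itself from Keycloak's OpenID Connect discovery document. The following is an added example, not code from the thread, from Spring Security or from the Keycloak Identity Provider Plugin; it mimics what a client does with an issuer-uri: derive the well-known URL, verify that the document's `issuer` equals the configured value, read the endpoints, and read `mtls_endpoint_aliases` as the nested object it is (the member an older oauth2-oidc-sdk choked on). The discovery document is a constructed sample shaped like Keycloak's output; only the issuer and endpoint paths follow the thread.

```python
"""Parse and validate an OIDC discovery document for a configured issuer.

Added example for this thread (not Spring Security's or the plugin's code).
SAMPLE_DISCOVERY is a constructed document modelled on Keycloak's output.
"""
import json


class DiscoveryError(ValueError):
    """Raised when the discovery document cannot be used for this issuer."""


# Constructed sample. mtls_endpoint_aliases is a nested JSON object (RFC 8705);
# releases of oauth2-oidc-sdk that expected a flat member here failed with
# "Unexpected type: class java.util.LinkedHashMap", as in the trace above.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "http://localhost:9000/auth/realms/camunda",
    "authorization_endpoint": "http://localhost:9000/auth/realms/camunda/protocol/openid-connect/auth",
    "token_endpoint": "http://localhost:9000/auth/realms/camunda/protocol/openid-connect/token",
    "jwks_uri": "http://localhost:9000/auth/realms/camunda/protocol/openid-connect/certs",
    "response_types_supported": ["code", "id_token", "token id_token"],
    "mtls_endpoint_aliases": {
        "token_endpoint": "http://localhost:9000/auth/realms/camunda/protocol/openid-connect/token",
        "revocation_endpoint": "http://localhost:9000/auth/realms/camunda/protocol/openid-connect/revoke",
    },
})

REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def discovery_url(issuer_uri):
    """Well-known location a client derives from the configured issuer-uri."""
    return issuer_uri.rstrip("/") + "/.well-known/openid-configuration"


def parse_discovery(doc_text, expected_issuer):
    """Return issuer, endpoints and mTLS aliases, or raise DiscoveryError."""
    try:
        doc = json.loads(doc_text)
    except ValueError as exc:
        raise DiscoveryError("discovery document is not valid JSON: %s" % exc)
    if not isinstance(doc, dict):
        raise DiscoveryError("discovery document must be a JSON object")

    # The issuer in the document must equal the configured value exactly; a
    # scheme, host, port or trailing-slash difference is a mismatch and the
    # client must refuse to use the document (this is what protects against
    # being pointed at the wrong provider).
    issuer = doc.get("issuer")
    if issuer != expected_issuer:
        raise DiscoveryError("issuer mismatch: configured %r, document says %r"
                             % (expected_issuer, issuer))

    endpoints = {}
    for name in REQUIRED_ENDPOINTS:
        value = doc.get(name)
        # http is accepted here only because the thread runs on localhost;
        # outside local development insist on https.
        if not isinstance(value, str) or not value.startswith(("https://", "http://")):
            raise DiscoveryError("%s missing or not an http(s) URL" % name)
        endpoints[name] = value

    # Nested object: read it as a mapping endpoint-name -> URL and skip
    # members of other types rather than aborting the whole bootstrap.
    aliases_raw = doc.get("mtls_endpoint_aliases") or {}
    if not isinstance(aliases_raw, dict):
        raise DiscoveryError("mtls_endpoint_aliases must be a JSON object")
    aliases = {k: v for k, v in aliases_raw.items() if isinstance(v, str)}

    return {"issuer": issuer, "endpoints": endpoints, "mtls_endpoint_aliases": aliases}


def discovery_problem(doc_text, expected_issuer):
    """The error message for an unusable document, or None when it is usable."""
    try:
        parse_discovery(doc_text, expected_issuer)
    except DiscoveryError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    ISSUER = "http://localhost:9000/auth/realms/camunda"
    print("would fetch:", discovery_url(ISSUER))
    print(parse_discovery(SAMPLE_DISCOVERY, ISSUER)["endpoints"]["token_endpoint"])
    # Same document, but the application is configured with a different host:
    print(discovery_problem(SAMPLE_DISCOVERY, "http://127.0.0.1:9000/auth/realms/camunda"))
```

Running it with the issuer from the thread returns the parsed endpoints; configuring `127.0.0.1` instead of `localhost` (or adding a trailing slash) yields an issuer mismatch, which is the other common cause of "Unable to resolve Configuration" besides the parser bug discussed here.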

Is there any additional configuration I have to do in the Keycloak portal?
Any help in the right direction will be appreciated, as I don’t have much exposure to the SSO part.

Do you have Docker available?

Then you can go to Keycloak Identity Provider Plugin / Camunda Platform Run - Docker Sample Setup and have a look at the Docker sample setup. Even if this uses Camunda BPM Run you’ll have a working Keycloak sample setup included as well.

Hi @VonDerBeck ,

I was able to resolve the above mtls_endpoint_aliases error by adding the latest com.nimbusds oauth2-oidc-sdk dependency in pom.xml. Below is the link to the resolved issue.

connect2id / OAuth 2.0 SDK with OpenID Connect extensions / issues / #369 - JsonUtils: Cannot parse LinkedHashMap<String,Object> to JsonObject — Bitbucket

Now I can start my Camunda Spring Boot application.

  1. When I go to http://localhost:8080/login it shows the URL below on the page.

http://localhost:9000/auth/realms/camunda

  2. Once I click on the above URL, it gives me the error “Invalid parameter: redirect_uri”.
     Here is the whole URL: http://localhost:9000/auth/realms/camunda/protocol/openid-connect/auth?response_type=code&client_id=camunda-identity-service&scope=openid%20profile%20email&state=9o9njwhQiQOYLzqlTDtliIgIS68VebRPMJcqFDD_cyM%3D&redirect_uri=http://localhost:8080/login/oauth2/code/keycloak&nonce=4MfGXVejcYWsCnzA5vuGlncIEhHzW0hf4UOz83Lju9o

Is there any configuration I am missing on the Keycloak server?

@yatish:

You have to adjust the “Valid Redirect URIs” configuration of the corresponding client in Keycloak.
For example, if your root context is under http://localhost:8080/camunda then try setting the Valid Redirect URIs to http://localhost:8080/camunda/*, afterwards go to http://localhost:8080/camunda, log in with Keycloak and watch Camunda’s welcome page show up. In real environments or other setups adjust accordingly.
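The "Invalid parameter: redirect_uri" response is the identity provider refusing to send an authorization code to a callback the client did not register. The following added example (not Keycloak's code, not the plugin's, not from the thread) takes the authorization request URL posted above apart and decides whether it would be accepted under three constructed client registrations. The matching rule is an assumption modelled on Keycloak's "Valid Redirect URIs" behaviour: a registered value matches exactly, and a value ending in `*` matches any redirect_uri that begins with the text before the `*`.

```python
"""Decide whether an authorization request's redirect_uri is registered.

Added example for this thread; not Keycloak's or the plugin's code. The
request URL is the one from the thread, the client registrations are
constructed, and the matching rule (exact or trailing-'*' prefix) is an
assumption modelled on Keycloak's "Valid Redirect URIs".
"""
from urllib.parse import parse_qs, urlsplit

# Authorization request as Spring Security built it (from the thread).
REQUEST_URL = ("http://localhost:9000/auth/realms/camunda/protocol/openid-connect/auth"
               "?response_type=code&client_id=camunda-identity-service"
               "&scope=openid%20profile%20email"
               "&state=9o9njwhQiQOYLzqlTDtliIgIS68VebRPMJcqFDD_cyM%3D"
               "&redirect_uri=http://localhost:8080/login/oauth2/code/keycloak"
               "&nonce=4MfGXVejcYWsCnzA5vuGlncIEhHzW0hf4UOz83Lju9o")

# Constructed "Valid Redirect URIs" registrations for the same client.
CLIENTS = {
    # Registered for a /camunda context path; the callback in the thread has
    # no context path, so it does not match this entry.
    "with-context-path": ["http://localhost:8080/camunda/*"],
    # Exact registration of the Spring Security callback: the narrowest
    # option and the one to prefer outside local development.
    "exact": ["http://localhost:8080/login/oauth2/code/keycloak"],
    # Broad wildcard: accepted, but every path on that origin may then
    # receive authorization codes.
    "broad": ["http://localhost:8080/*"],
}


def redirect_uri_allowed(redirect_uri, valid_redirect_uris):
    """True if redirect_uri matches one registered value (exact or prefix wildcard)."""
    if not redirect_uri or "#" in redirect_uri:
        return False  # OAuth 2.0 forbids a fragment in the redirect URI
    for pattern in valid_redirect_uris:
        if pattern.endswith("*"):
            # Prefix match keeps the '/' before the '*', so a look-alike host
            # such as localhost:8080.example.test does not slip through.
            if redirect_uri.startswith(pattern[:-1]):
                return True
        elif redirect_uri == pattern:
            return True
    return False


def check_authorization_request(url, valid_redirect_uris):
    """Parse the request and return (accepted, reason) as the provider would."""
    params = parse_qs(urlsplit(url).query)
    if params.get("response_type") != ["code"]:
        return False, "Invalid parameter: response_type"
    redirect_uri = params.get("redirect_uri", [None])[0]
    if not redirect_uri_allowed(redirect_uri, valid_redirect_uris):
        return False, "Invalid parameter: redirect_uri"
    return True, "ok"


if __name__ == "__main__":
    for name, registration in CLIENTS.items():
        print("%-18s %s" % (name, check_authorization_request(REQUEST_URL, registration)))
```

With the registration `http://localhost:8080/camunda/*` the request from the thread is rejected exactly as reported; both the exact registration and the broad wildcard accept it. When the application really does run under `/camunda`, Spring's callback becomes `http://localhost:8080/camunda/login/oauth2/code/keycloak` and the `/camunda/*` entry matches again, which is the situation the reply above describes.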

Hello together,

I am aware of the problem and have solved it in my setup by managing this dependency:

    <dependencyManagement>
        <dependencies>
            ...
            <dependency>
                <groupId>com.nimbusds</groupId>
                <artifactId>oauth2-oidc-sdk</artifactId>
                <version>9.11</version>
            </dependency>
        </dependencies>
    </dependencyManagement>

The problem comes with the deserialisation of nested objects inside the init routine.

I hope this helps

Jonathan