Camunda - SSO Keycloak (GitHub)

Hi everyone,

I wanted to share this project for SSO integration with Keycloak (and maybe others in the future) on Tomcat (not sure if this works on WildFly too).

Best regards
Philipp

4 Likes

I also made some improvements to the Camunda Docker image:
https://github.com/camunda/docker-camunda-bpm-platform/pull/83

It also contains a list of all changes I already made / am still planning to make.

One of the changes is that camunda-sso is fully integrated and can be configured/enabled by setting the KEYCLOAK environment variables.

Repo: https://github.com/PhilippHeuer/docker-camunda-bpm-platform
Container Registry: https://gitlab.com/PhilippHeuer/docker-camunda-bpm-platform/container_registry

I will not push it to Docker Hub as I hope it gets accepted into the docker camunda main repo. If you want to use it you can use it out of the GitLab registry or build the image yourself (for enterprise).

2 Likes

Hi Philipp,

Did you ever get the Keycloak integration accepted in the main repo? I would love to use that with the latest version.

Hi @Karim_Gillani

Sadly no - but I don’t think that’s easily possible since I really changed a lot from the default image. And they need to keep some form of backwards-compatibility and can’t just change everything like I did for me - even though most of those changes are really useful. (Like automated DB migrations, etc.)

I didn’t find the time to create smaller PRs yet though as I’ve been busy with other projects recently - but still have this on my todo list.

@PhilippHeuer Thanks for the reply. I tried to pull out just the Keycloak stuff and add it to 7.11 but it doesn’t seem to work. I guess the web.xml isn’t backwards compatible?

Please let me know if you have 7.11 working with Keycloak. Also, I tried building from your docker container to Openshift but lots of weird errors. Just going through them now.

Another member of the community has created a Keycloak extension. It might be worth taking a look to see if that solves the problem:

@Karim_Gillani For an overview of what the Keycloak Identity Provider Plugin mentioned by Niall does, see https://blog.camunda.com/post/2019/08/keycloak-identity-provider-extension/. There are several usage scenarios. An enhanced scenario including SSO is covered as well. Hope this helps.

1 Like

That looks pretty nice - if there is an official plugin to integrate SSO now I would also prefer to use that.

I can’t find instructions on how this can be used in a shared engine (Docker image w. Tomcat) - or is it Spring Boot only?

@PhilippHeuer

The plugin will work as well with a shared engine on Tomcat / WildFly. Unfortunately, documentation and an example for this use case are still missing. Please have a look at https://github.com/camunda/camunda-bpm-identity-keycloak/issues/4 - which discusses the installation approach. And let me know if this helps.

Gunnar

@VonDerBeck Thank you for the information. Any chance you can provide a sample configuration needed in the bpm-platform.xml located inside the folder $TOMCAT_HOME/conf?

Also, does this also need the application.yaml file put in the conf folder as well?

Nevermind, I figured it out.

I added the following to the bpm-platform.xml:

  <plugin>
    <class>org.camunda.bpm.extension.keycloak.plugin.KeycloakIdentityProviderPlugin</class>
    <properties>
      <property name="keycloakIssuerUrl"></property>
      <property name="keycloakAdminUrl"></property>
      <property name="clientId"></property>
      <property name="clientSecret"></property>
      <property name="useEmailAsCamundaUserId"></property>
      <property name="administratorGroupName"></property>
    </properties>
  </plugin>

Can this be called from environment variables instead?

I was missing one crucial part: I needed to add the “admin” role to the service account. That seemed to fix most of the issues:

  1. Now I can log in with email
  2. I can see all users/groups
  3. No more engine.rest errors.

I do have a couple of other questions though…

  1. Is there an easy way to have the engine-rest API be protected by Keycloak authentication?
  2. Is there an easy way to have the Keycloak login page instead of the Camunda login page? I can’t sign into my SSO Keycloak accounts with the current page.

In Spring Boot there is a very simple way due to Spring’s OAuth2 module. A complete SSO sample can be found here https://github.com/camunda/camunda-bpm-identity-keycloak/tree/master/examples/sso-kubernetes. More flavours can be found starting here: https://github.com/camunda-consulting/code/tree/master/snippets/springboot-keycloak-sso.
For any platform other than Spring, the mechanisms are slightly different. But the main idea will remain the same: you will have to implement some sort of security filter. A concrete sample for JBoss can be found here: https://github.com/camunda/camunda-sso-jboss.
General information on securing Camunda can be found here: https://camunda.com/best-practices/securing-camunda/.

1 Like

Just built the sso-kubernetes example. Worked like a charm locally with my Keycloak instance!! I will try to make a build in OpenShift based on this.

Thank you for all the hard work and effort on this project!!!

1 Like

So, I finally got the Docker instance to build in OpenShift and it’s working.

One question: the data modeler can’t upload process instances. It kicks out an error (I believe it’s Error 403 - forbidden). Is there a trick to getting it to work? I can list users, delete process-list ids using the curl command. It seems like part of it is open and part is not?

Hi @Karim_Gillani,

the sso-kubernetes example does not yet consider security aspects of the REST interface. You will have to implement a security filter for the Camunda REST API.

An example of how to do this for the web application is https://github.com/camunda/camunda-bpm-identity-keycloak/blob/master/examples/sso-kubernetes/src/main/java/org/camunda/bpm/extension/keycloak/showcase/sso/KeycloakAuthenticationProvider.java. REST will be similar. If I can spare some time, I will add it to the SSO example one day.

That should give you at least a direction to go.

Regards
Gunnar

@VonDerBeck thank you for the info. I will try to figure it out. For now, is there an easy way to disable authentication for rest-engine or use http basic authentication and adding a basic user in the dB?

I tried to add authorization “anonymous” to process create option and now I get a 405 Method Not allowed error.

Is the engine-rest API build part of the demo? Is the URL supposed to be localhost:8080/camunda/engine-rest?

Hi @Karim_Gillani,

the engine’s REST API is included in the demo.

  • General security configuration of the showcase can be found in org.camunda.bpm.extension.keycloak.showcase.sso.WebAppSecurityConfig.
  • There is no security for the REST API endpoint (http://<myhost>/camunda/engine-rest/engine) at the current state of the demo.
  • Please set logging of org.springframework.security to DEBUG in order to find out what’s wrong.

Hint: you might want to switch off CSRF for the engine’s REST API:

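import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingClass;
import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@ConditionalOnMissingClass("org.springframework.test.context.junit4.SpringJUnit4ClassRunner")
@Configuration
@EnableOAuth2Sso
public class WebAppSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // No CSRF token is required for calls to the REST endpoints
            .csrf().ignoringAntMatchers("/api/**", "/engine-rest/**")
            .and()
            .antMatcher("/**")
            .authorizeRequests()
                // Only the web applications require a login
                .antMatchers("/app/**")
                .authenticated()
            // Everything else, including /engine-rest/**, stays open
            .anyRequest()
            .permitAll();
    }
}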

After that all requests to the REST API including the upload of process deployments should work without any authorization.

Please be aware that you should prevent unauthorized people from accessing the REST API. Hence a security filter for the REST API is inevitable in production.

Gunnar
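
One way the REST security filter called for above could look is sketched below. It is an added example, not code from the post or from the sso-kubernetes showcase. It assumes Spring Security 5.x with spring-boot-starter-oauth2-resource-server on the classpath and spring.security.oauth2.resourceserver.jwt.issuer-uri pointing at the Keycloak realm; the class names RestApiSecurityConfig and EngineUserFilter are hypothetical.

```java
import java.io.IOException;
import java.util.List;
import java.util.stream.Collectors;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.camunda.bpm.engine.IdentityService;
import org.camunda.bpm.engine.identity.Group;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
import org.springframework.web.filter.OncePerRequestFilter;

// Added example: class names are hypothetical, not taken from the showcase.
@Configuration
@Order(1) // evaluated before the web-app config (default order 100)
public class RestApiSecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired private IdentityService identityService;
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.antMatcher("/engine-rest/**")  // this filter chain handles only the REST API
            .csrf().disable()               // bearer header, no session cookie to forge
            .authorizeRequests().anyRequest().authenticated()
            .and().oauth2ResourceServer().jwt(); // checks signature, expiry and issuer
        // Registered after the authorization check, so it runs for authenticated calls only.
        http.addFilterAfter(new EngineUserFilter(), FilterSecurityInterceptor.class);
    }
    private class EngineUserFilter extends OncePerRequestFilter {
        @Override
        protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res,
                FilterChain chain) throws ServletException, IOException {
            // Assumption: the Camunda user id equals the token subject (Keycloak user id).
            String userId = SecurityContextHolder.getContext().getAuthentication().getName();
            List<String> groups = identityService.createGroupQuery().groupMember(userId).list()
                    .stream().map(Group::getId).collect(Collectors.toList());
            try {
                identityService.setAuthentication(userId, groups); // thread-local engine identity
                chain.doFilter(req, res);
            } finally {
                identityService.clearAuthentication();
            }
        }
    }
}
```

Requests to /engine-rest/** without a valid bearer token are then answered with 401. The engine applies per-user authorizations only when authorization checks are enabled in the engine configuration, and with useEmailAsCamundaUserId set the user id has to be read from the email claim rather than the subject.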

Worked like a charm for our Demo thank you.

We will look at implementing SSO authentication for Production. For the interim, is there a file I can modify to enable basic authentication in the meantime? Would it be the same file?