Camunda - SSO Keycloak (GitHub)

I was missing one crucial part: I needed to add the “admin” role to the service account. That seemed to fix most of the issues:

  1. Now I can log in with email
  2. I can see all users/groups
  3. No more engine.rest errors.

I do have a couple of other question though…

  1. Is there an easy way to have the engine-rest API be protected by Keycloak authentication?
  2. Is there an easy way to have the Keycloak login page instead of the Camunda login page? I can’t sign into my SSO Keycloak accounts with the current page.

In Spring Boot there is a very simple way due to Spring’s OAuth2 module. A complete SSO sample can be found here https://github.com/camunda/camunda-bpm-identity-keycloak/tree/master/examples/sso-kubernetes. More flavours can be found starting here: https://github.com/camunda-consulting/code/tree/master/snippets/springboot-keycloak-sso.
For any other platform than Spring mechanisms are slightly different. But the main idea will remain the same: you will have to implement some sort of security filter. A concrete sample for JBoss can be found here: https://github.com/camunda/camunda-sso-jboss.
General information on securing Camunda can be found here: https://camunda.com/best-practices/securing-camunda/.


Just built the sso-kubernetes example. Worked like a charm locally with my Keycloak instance!! I will try to make a build in OpenShift based on this.

Thank you for all the hard work and effort on this project!!!


So, I finally got the docker instance to build in Openshift and it’s working.

One question: the data modeler can’t upload process instances. It kicks out an error (I believe it’s Error 403 - Forbidden). Is there a trick to getting it to work? I can list users and delete process-list IDs using the curl command. It seems like part of it is open and part is not?

Hi @Karim_Gillani,

the sso-kubernetes example does not yet consider security aspects of the REST interface. You will have to implement a security filter for the Camunda REST API.

An example of how to do this for the web application is https://github.com/camunda/camunda-bpm-identity-keycloak/blob/master/examples/sso-kubernetes/src/main/java/org/camunda/bpm/extension/keycloak/showcase/sso/KeycloakAuthenticationProvider.java. REST will be similar. If I can spare some time, I will add it to the SSO example one day.

That should give you at least a direction to go.

Regards
Gunnar

@VonDerBeck thank you for the info. I will try to figure it out. For now, is there an easy way to disable authentication for rest-engine, or to use HTTP basic authentication and add a basic user in the DB?

I tried to add authorization “anonymous” to process create option and now I get a 405 Method Not allowed error.

Is the engine-rest API build part of the demo? Is the URL supposed to be localhost:8080/camunda/engine-rest?

Hi @Karim_Gillani,

the engine’s REST API is included in the demo.

  • General security configuration of the showcase can be found in org.camunda.bpm.extension.keycloak.showcase.sso.WebAppSecurityConfig.
  • There is no security for the REST API endpoint (http://<myhost>/camunda/engine-rest/engine) at the current state of the demo.
  • Please set logging of org.springframework.security to DEBUG in order to find out what’s wrong.

Hint: you might want to switch off CSRF for the engine’s REST API:

package org.camunda.bpm.extension.keycloak.showcase.sso;

import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingClass;
import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Skipped when the JUnit runner is on the classpath, so tests start without SSO
@ConditionalOnMissingClass("org.springframework.test.context.junit4.SpringJUnit4ClassRunner")
@Configuration
@EnableOAuth2Sso
public class WebAppSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // REST clients do not carry the webapp's CSRF token, so exempt those paths
            .csrf().ignoringAntMatchers("/api/**", "/engine-rest/**")
            .and()
            .antMatcher("/**")
            .authorizeRequests()
                .antMatchers("/app/**").authenticated()   // webapp requires the SSO login
                .anyRequest().permitAll();                 // everything else, incl. REST, is open
    }
}

After that, all requests to the REST API, including the upload of process deployments, should work without any authorization.

Please be aware that you should prevent unauthorized people from accessing the REST API. Hence a security filter for the REST API is inevitable in production.

Gunnar

Worked like a charm for our Demo thank you.

We will look at implementing SSO authentication for Production. For the interim, is there a file I can modify to enable basic authentication in the mean time? Would it be the same file?

Hi @Karim_Gillani,

I would rather do it right or I wouldn’t do it at all.

But in case you want to spend time on an interim solution:

  • https://www.baeldung.com/spring-security-basic-authentication shows how to configure Spring Security for basic authentication.
  • Your job is to add this to the overall configuration only for the URLs matching /engine-rest/**, but to keep securing everything else with OAuth2.
  • Probably the order of the BasicAuthenticationFilter compared to the one responsible for OAuth2 might be critical. Or you might need a 2nd WebSecurityConfig using a different order?

You will have to study Spring Security a little deeper to figure that out. Let us know how you solved it.
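As an added example (not code from this thread, the showcase or the camunda-bpm-identity-keycloak project): one way to build the interim solution described above without mixing a Spring httpBasic() filter into the OAuth2 chain. Spring Security keeps the Keycloak SSO for the web application and lets /engine-rest/** through, and Camunda's own ProcessEngineAuthenticationFilter with HttpBasicAuthenticationProvider then enforces HTTP Basic on the REST API, validating the credentials through the engine's IdentityService (the "basic user in the DB" route). The class and bean names are illustrative; it assumes Spring Boot 2.1/2.2 with the spring-security-oauth2-autoconfigure module the showcase uses, and that the identity provider in use supports checkPassword (with the Keycloak identity provider plugin this is delegated to Keycloak and needs direct access grants enabled on the client, which is an assumption about your Keycloak setup, not something the thread states).

```java
package org.camunda.bpm.extension.keycloak.showcase.sso;

import org.camunda.bpm.engine.rest.security.auth.ProcessEngineAuthenticationFilter;
import org.camunda.bpm.engine.rest.security.auth.impl.HttpBasicAuthenticationProvider;
import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * Illustrative interim setup: Keycloak SSO for the webapp, HTTP Basic for the REST API.
 * Spring Security runs first (its filter chain is registered with high precedence),
 * the Camunda filter registered below runs afterwards for /engine-rest/* only.
 */
@Configuration
@EnableOAuth2Sso
public class InterimRestSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // REST clients never hold the webapp's CSRF token; the Camunda filter
            // below authenticates every /engine-rest request on its own.
            .csrf().ignoringAntMatchers("/api/**", "/engine-rest/**")
            .and()
            .antMatcher("/**")
            .authorizeRequests()
                .antMatchers("/app/**").authenticated()   // webapp: Keycloak SSO login
                .anyRequest().permitAll();                 // REST: handed to Camunda's filter
    }

    /**
     * Camunda's REST authentication filter. With HttpBasicAuthenticationProvider it
     * answers unauthenticated calls with 401 + "WWW-Authenticate: Basic", checks the
     * credentials via IdentityService.checkPassword() (here: the Keycloak identity
     * provider plugin) and sets the engine authentication (user id + group ids)
     * for the duration of the request.
     */
    @Bean
    public FilterRegistrationBean<ProcessEngineAuthenticationFilter> engineRestBasicAuth() {
        FilterRegistrationBean<ProcessEngineAuthenticationFilter> reg = new FilterRegistrationBean<>();
        reg.setName("camunda-rest-basic-auth");
        reg.setFilter(new ProcessEngineAuthenticationFilter());
        // init-param name is defined by ProcessEngineAuthenticationFilter
        reg.addInitParameter("authentication-provider", HttpBasicAuthenticationProvider.class.getName());
        reg.addUrlPatterns("/engine-rest/*");
        return reg;
    }
}
```

Two things to check before relying on it: the filter only establishes who the caller is, so set camunda.bpm.authorization.enabled to true in application.yaml, otherwise an authenticated REST user can still do anything; and verify the challenge path with an unauthenticated request (expect 401 with a WWW-Authenticate: Basic header) and then with curl -u <user>:<password> against http://<myhost>/camunda/engine-rest/engine before opening the port to anyone. This is still Basic auth over the wire, so it belongs behind TLS and is a stopgap until the token-based filter Gunnar describes is in place.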

I want to thank you for your help, as I am not a Java expert by any means.

I am also trying to add the camunda-bpm-mail plugin.

I added the dependencies to the docker-pom.xml
I added the mail-config.properties file
and updated camunda.local.cfg.xml with this:

<property name="processEnginePlugins">
  <list>
    <bean class="org.camunda.spin.plugin.impl.SpinProcessEnginePlugin"/>
    <bean class="org.camunda.connect.plugin.impl.ConnectProcessEnginePlugin"/>
  </list>
</property>

but I still get the following error when I try to use it:

“Cannot find mail configuration at: classpath:/mail-config.properties”

I am guessing I haven’t told the build to save the file in the right location?

UPDATE: I set the MAIL_CONFIG environment and put the file outside of the JAR. That seemed to fix the problem. Not sure if this is the correct way or not.

Hi @Karim_Gillani
I created a fork of @VonDerBeck’s identity plugin that provides REST authorization.
Have a look here: https://github.com/iceman91176/camunda-bpm-identity-keycloak/tree/rest-auth

Basically it is like Gunnar said: create another WebSecurityConfig, and a filter that gets groups and username from the token.

I added some more configuration parameters; have a look at application.yaml.

@VonDerBeck - how do we get SSO working for a shared process engine? Issue #4 only describes how to add the IdentityProvider to JBoss/Tomcat, right? So we’ll have to use the Tomcat Keycloak adapter and do it like that: https://github.com/camunda/camunda-sso-jboss/tree/keycloak, just with your KeycloakAuthenticationProvider?

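An added example (not the fork's code and not part of the original post) of the "filter that gets groups and username from the token" half of the approach, written against Camunda's REST authentication hook: a provider for ProcessEngineAuthenticationFilter that takes the user Spring Security has already authenticated for the request (by whatever token-validating filter sits in front of /engine-rest in your WebSecurityConfig) and turns it into the engine authentication. It assumes the identity provider plugin is configured so that the Spring principal name equals the Camunda user id, and the class name is illustrative.

```java
package org.camunda.bpm.extension.keycloak.showcase.rest;

import java.util.List;
import java.util.stream.Collectors;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.camunda.bpm.engine.ProcessEngine;
import org.camunda.bpm.engine.identity.Group;
import org.camunda.bpm.engine.rest.security.auth.AuthenticationResult;
import org.camunda.bpm.engine.rest.security.auth.impl.ContainerBasedAuthenticationProvider;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

/**
 * Illustrative REST authentication provider: maps the Spring Security principal of
 * the current request onto the Camunda engine identity (user id + group ids).
 * Groups are resolved through the engine's IdentityService, i.e. the Keycloak
 * identity provider plugin, so REST authorization sees exactly the groups the
 * webapp sees, independent of how groups happen to be encoded in the token.
 */
public class SpringContextRestAuthenticationProvider extends ContainerBasedAuthenticationProvider {

    @Override
    public AuthenticationResult extractAuthenticatedUser(HttpServletRequest request, ProcessEngine engine) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();

        // Pitfall: Spring's anonymous filter installs an AnonymousAuthenticationToken whose
        // isAuthenticated() is true and whose name is "anonymousUser". If /engine-rest were
        // permitAll in the Spring config, that token must not become a Camunda user.
        if (auth == null || !auth.isAuthenticated() || auth instanceof AnonymousAuthenticationToken) {
            return AuthenticationResult.unsuccessful();
        }

        // Assumption: the principal name is the Camunda user id (id, username or email,
        // depending on the Keycloak identity provider plugin configuration).
        String userId = auth.getName();
        if (userId == null || userId.isEmpty()) {
            return AuthenticationResult.unsuccessful();
        }

        List<String> groupIds = engine.getIdentityService().createGroupQuery()
            .groupMember(userId)
            .list().stream()
            .map(Group::getId)
            .collect(Collectors.toList());

        AuthenticationResult result = AuthenticationResult.successful(userId);
        result.setGroups(groupIds);
        return result;
    }

    @Override
    public void augmentResponseByAuthenticationChallenge(HttpServletResponse response, ProcessEngine engine) {
        // No Basic challenge: callers are expected to present a bearer token to the
        // Spring Security filter in front of this one. Just answer 401.
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
    }
}
```

Register it the same way the Camunda docs register the REST authentication filter in Spring Boot: a FilterRegistrationBean for ProcessEngineAuthenticationFilter with url pattern /engine-rest/* and the init parameter authentication-provider set to this class's fully qualified name. A FilterRegistrationBean with the default order runs after Spring Security's chain, so the security context is already populated when the provider is called; if you change filter orders, verify that is still the case, since with the context empty every REST call would get a 401. As with any REST security filter, keep camunda.bpm.authorization.enabled set to true so the resolved groups are actually used for authorization checks.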

Hi @cbuchberger,

thanks for your work. I think it’s all about different flavours of the SSO example and different technology bases. For the SSO example, I concentrated on Spring Boot. It is the most suitable concept in the cloud environment. But that should not prevent using the plugin in other environments as well. We have done SSO before using Keycloak with LDAP as well, don’t we?

You’re definitely on the right track. SSO is a concept on top of (in addition to) the usage of the Identity Provider Plugin. When using a shared process engine, you’ll have to use the SSO concepts for the respective technology base. Adapt the concepts on how to do SSO on JBoss/Tomcat with Keycloak and add them to using the IdentityProvider. The Identity Provider then needs the correct user ID and groups extracted, corresponding with its configuration, which has to be done in the KeycloakAuthenticationProvider. That part is the specific part which has to be adapted.

Hi @VonDerBeck

I created an SSO plugin which can be used in a shared process engine for the various web contexts (webapp/rest-engine).

The plugin relies on your identity provider plugin to provide users and groups.

I’ll provide a solution for containerized environments with that plugin, where all configuration can be done with Kubernetes secrets and configmaps.


@cbuchberger worked like a charm. Thank you. You said you were going to provide a solution for containerized environments with that plugin. I am using OpenShift and would love to try it.

Currently, I had to take the great work of @VonDerBeck and add:

  1. Email Connector
  2. HTTP Connector
  3. Now your additions
  4. Groovy support
  5. Update the Dockerfile to accommodate no root permissions

I still have a lot of work to clear out some of the warnings in the build but it works.

Thank you both for all your help. This is such a great product.

Newbie question: Can anyone let me know the easiest way to update the database when in Spring Boot? I don’t know how to go into the JAR to run the database upgrade scripts.

@Karim_Gillani are you setting up a new environment or upgrading Camunda versions?

Upgrading Camunda versions.

@Karim_Gillani requesting a few more details:

  • Which database are you using?
  • Current Camunda version?
  • Target version to upgrade? (I hope that you’re interested in the latest Camunda v7.12)
  • Spring Boot version?

I am interested generally, just in case there is a database upgrade in the future.

I am moving from 7.11 to 7.12.

  • Which database are you using? PostgreSQL
  • Current Camunda version? 7.11
  • Target version to upgrade? 7.12
  • Spring Boot version?

From:

<version.camunda>7.11.0</version.camunda>
<version.camundaSpringBoot>3.3.5</version.camundaSpringBoot>
<version.springBoot>2.1.9.RELEASE</version.springBoot>

To:

<version.camunda>7.12.0</version.camunda>
<version.springBoot>2.2.1.RELEASE</version.springBoot>
<version.camundaSpringBoot>3.4.0</version.camundaSpringBoot>