How to call REST API from tasklist plugin with a Keycloak token?

Hi all,

I have a working tasklist plugin that calls a REST API. I secured my REST API with Keycloak, so I have to call the REST API with a token. In my main application I have access to that token, but how can I give my tasklist plugin access to that token too? Saving the token to cookies and reading it with the plugin seems the only solution for me, but that seems pretty insecure, right?

Thanks for your help :slight_smile:

Okay, it seems that Keycloak is working with cookies as I expected:
https://stackoverflow.com/questions/58230403/is-it-possible-to-configure-keycloak-to-store-the-access-token-jwt-as-a-bearer-t#:~:text=My%20understanding%20(which%20may%20be,name%20’kc-access’).
So it seems to be a valid solution to get the token in the tasklist plugin with the help of a cookie.

I will try and mark this answer as a solution if it is working :smiley:

So I think I got the whole idea of Keycloak, Camunda and the tasklist plugin wrong.

I implemented SSO with Keycloak in my Camunda webapp. So when you have signed on once, a session is created and you won't have to log in a second time. With this, the REST API of my tasklist plugin is automatically secured too.

Follow this link for more info. Under Examples/Sso_kubernetes you will find the SSO example I followed :slight_smile:

Hi @MarvinKern

I’m also facing the same scenario. My Spring Boot project consists of Camunda (embedded) and REST controllers integrated with Keycloak. I had developed a tasklist plugin that calls an API in the Spring Boot project.

All Camunda REST APIs are authenticated automatically. But I’m facing a 401 status for the REST call from my tasklist plugin. I had observed jsessionid in the request headers of the REST call. Can you help me?

Thanks
Ajay

Hi,

I had the same issue. I disabled the rest-security for my controller and I just checked in the HttpServletRequest whether the request comes from a user who is in a group that is allowed to request something.
Sorry, I don't have more ideas on that, I am not that deep in that topic.

Marvin
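
The request-level check described in the last reply, sketched as a servlet filter. This is an added example, not code from anyone in this thread. It assumes the `javax.servlet` API, an SSO layer in front of the filter that populates `getUserPrincipal()` and `isUserInRole()` from the signed-on session, and a hypothetical class name and group set.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Guards a plugin endpoint that has been excluded from the framework's
 * REST security by checking the caller on the request itself.
 * Assumption: group membership is exposed to the container as roles.
 */
public class PluginGroupFilter implements Filter {

    // Groups allowed to call the plugin API (hypothetical, supplied by the caller).
    private final Set<String> allowedGroups;

    public PluginGroupFilter(Set<String> allowedGroups) {
        this.allowedGroups = allowedGroups;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // No authenticated principal on the request: reject, never fall through.
        if (request.getUserPrincipal() == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Authenticated, but not a member of any allowed group.
        boolean allowed = allowedGroups.stream().anyMatch(request::isUserInRole);
        if (!allowed) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        chain.doFilter(req, res);
    }
}
```

Because the endpoint no longer sits behind the framework's security rules, this filter is its only access control, so it has to be mapped to every path the plugin's API exposes.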