Integration of camunda with keycloak SSO

Hi @VonDerBeck,
Can we have a call? Like a GoToMeeting call?

Hi @Tanmay_Naik,

sadly I’m running out of time today. If you want to have a look at a prepared test setup for Keycloak matching the original showcase configuration, use the following Docker image:

image: gunnaraccso/keycloak.server:5.0.0

It has a prepared configuration with a Camunda client, groups, users etc.


Hi @VonDerBeck,
I have pulled your image and run it on Docker.
I have this in my YAML file:

plugin.identity.keycloak:
  keycloakIssuerUrl: ${keycloak.url.plugin}/auth/realms/master
  keycloakAdminUrl: ${keycloak.url.plugin}/auth/admin/realms/master
  clientId: camunda-identity-service
  clientSecret: 7d3c845d-f652-4bed-9797-d6d20b7623da
  useEmailAsCamundaUserId: true
  useUsernameAsCamundaUserId: false
  administratorGroupName: camunda-admin
  disableSSLCertificateValidation: true

After running this, the Camunda page after the redirect is not visible; it shows 401 Unauthorized.

Hi @Tanmay_Naik

HTTP 401 is “unauthorized”.

  • Please be aware that, once logged in, SSO stores and keeps your session. So in order to check if SSO is working you must e.g. not have logged in to Keycloak with the Keycloak admin and then try to use the same browser to log in to Camunda as another user. Always try to start with a fresh, clean browser. An easy way to do this is to use the “new private window” / “new incognito window” functionality of your browser.
  • The next thing to be aware of is that you have a configuration for the identity plugin (plugin.identity.keycloak) and another configuration for the SSO OAuth2 client part of Spring (security.oauth2).
  • Hint: the plugin will work without the OAuth2 SSO part as well; you will then have to use the Camunda login page, and behind the scenes you will get authenticated against Keycloak. This approach will allow you to log in to / log out of Camunda just like you are used to when using Camunda standalone.

In case there are any questions left, please have a look at the Spring Boot OAuth2 documentation (e.g. https://spring.io/guides/tutorials/spring-boot-oauth2/, https://www.baeldung.com/sso-spring-security-oauth2). The only Camunda-specific part can be found within the OAuth2 KeycloakAuthenticationProvider when it comes to extracting the userId and querying for the corresponding groups. All the rest of the setup is Spring Security / OAuth2 standard.

Kind regards
Gunnar

Ohh!!! Cool. @VonDerBeck, I have a question. When I use this URL, http://localhost:8080/engine-rest/user, it doesn’t give me the list of users.

Hi @Tanmay_Naik,

sadly the REST-API hasn’t been configured so far in the sample project. It’s on the TODO list.

Some hints:

I still have to deal with the details myself, but it shouldn’t be too difficult.

Regards
Gunnar


Hi @VonDerBeck,
In the camunda-showcase-keycloak project we are configuring the client-id and the secret-key hardcoded. Is there any way to make this dynamic?

Hi @Tanmay_Naik,

these parameters are configurable in application.yaml.

  • this means that you have all mechanisms from Spring Boot at hand - including the configuration of such parameters using environment variables. For an example see parameters KEYCLOAK_URL_xxx etc.
  • as a consequence it’s configurable using e.g. standard Kubernetes features like secrets, configmap, …

Just change the example according to your own needs. The provided example setup shows the main wiring and main aspects, it does not cover all production aspects.

Regards
Gunnar
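As an added illustration of the answer above (example files, not part of the thread or of the showcase project): the plugin block from earlier in this thread with the client credentials taken from environment variables, followed by a Kubernetes Secret that feeds those variables into the container. The variable names (KEYCLOAK_URL_PLUGIN, KEYCLOAK_CLIENT_ID, KEYCLOAK_CLIENT_SECRET), the resource names and the image name are assumptions made for this example.

```yaml
# application.yaml (added example; property names follow the plugin block shown earlier)
keycloak:
  url:
    # default only for local runs; overridden by the KEYCLOAK_URL_PLUGIN environment variable
    plugin: ${KEYCLOAK_URL_PLUGIN:http://localhost:9000}

plugin.identity.keycloak:
  keycloakIssuerUrl: ${keycloak.url.plugin}/auth/realms/master
  keycloakAdminUrl: ${keycloak.url.plugin}/auth/admin/realms/master
  clientId: ${KEYCLOAK_CLIENT_ID}
  # no default on purpose: the application fails to start if the secret was not provided
  clientSecret: ${KEYCLOAK_CLIENT_SECRET}
  useEmailAsCamundaUserId: true
  useUsernameAsCamundaUserId: false
  administratorGroupName: camunda-admin
  # keep TLS certificate validation on outside of local test setups
  disableSSLCertificateValidation: false
---
# Kubernetes: the secret lives in a Secret object, not in the image or a ConfigMap
apiVersion: v1
kind: Secret
metadata:
  name: camunda-keycloak-client   # assumed name
type: Opaque
stringData:
  clientId: camunda-identity-service
  clientSecret: replace-with-the-real-client-secret   # constructed placeholder
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: camunda
spec:
  replicas: 1
  selector:
    matchLabels:
      app: camunda
  template:
    metadata:
      labels:
        app: camunda
    spec:
      containers:
        - name: camunda
          image: example/camunda-showcase-keycloak:latest   # assumed image name
          env:
            - name: KEYCLOAK_URL_PLUGIN
              value: http://keycloak:8080                    # assumed in-cluster service name
            - name: KEYCLOAK_CLIENT_ID
              valueFrom:
                secretKeyRef:
                  name: camunda-keycloak-client
                  key: clientId
            - name: KEYCLOAK_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: camunda-keycloak-client
                  key: clientSecret
```

Spring Boot resolves `${KEYCLOAK_CLIENT_SECRET}` against the process environment, so the same YAML works with `docker run -e KEYCLOAK_CLIENT_SECRET=...` and with the Kubernetes Secret above. Because the plugin binds its properties with the `plugin.identity.keycloak` prefix, Spring Boot's relaxed binding also lets you override a single value without any placeholder, e.g. by setting `PLUGIN_IDENTITY_KEYCLOAK_CLIENTSECRET`; either way the secret never has to be committed with the project.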

Hi @VonDerBeck, I am not able to create tenants in Camunda, and I am also not able to see the tab to add tenants under the admin panel.

Hi @VonDerBeck, so I created a tenant from code and got this error.

I have gone through the Javadoc, where it says that the identity service implementation provides read-only access to the user repository, false otherwise.

So through the Camunda UI I was not able to see the create tenant button.

So how would I enable this tab for tenants?

@VonDerBeck
see the YAML file too.

I am logging in with a user which is an admin user created in Keycloak and has all the access.

Hi @Tanmay_Naik,

one of the current limitations of the Keycloak Identity Provider is that tenants are currently not yet supported. See the documentation of the plugin.

And please be aware, that this is a ReadOnly Identity Provider, which means you are not allowed to create users, groups, etc. using the Camunda admin frontend.

Cheers
Gunnar

Hi @VonDerBeck, so if we want a WriteOnly Identity Provider, is there any way?

Hi @Tanmay_Naik,

the question is not if there is a way.

You either want to manage your groups & users within your application and stick with the integrated original identity service or you want to manage groups & users outside your applications in some kind of external identity system like LDAP, Keycloak, Auth0, … The latter approach means that Camunda is only reading groups & users.

Writing from Camunda to Keycloak is a really bad idea and I would neither support nor recommend to do such things.

Cheers
Gunnar


Hi @VonDerBeck,
yes, I wanted to manage groups & users outside our application with an external identity system, i.e. Keycloak. Thanks, I got my answer; I will follow what you said. :slight_smile:

Hi @VonDerBeck,
Is there any way to disable this API, http://localhost:8080/camunda/engine-rest/user, as this API doesn’t support bearer token authentication and just displays the whole list of users?

Hi @Tanmay_Naik,

for hints on how to integrate authentication for the REST API see my previous post #32 (Integration of camunda with keycloak SSO - #32 by VonDerBeck):

The basic principles can be taken from Camunda’s SSO example (https://github.com/camunda-consulting/code/tree/master/snippets/springboot-security-sso )

  • In order to understand Camunda’s REST-API please have a look at the documentation (e.g. Get Users | docs.camunda.org).
  • The Spring Boot integration parts can be found here: Spring Boot Integration | docs.camunda.org. The different Spring-Boot-Starter projects are listed there as well; the REST API is one of these components and can thus be activated / deactivated separately by managing the dependencies in your pom.xml.

It’s all very well documented and worth reading.

Cheers
Gunnar
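As an added illustration of the hints above (example code, not part of the thread, the showcase project or the Camunda SSO snippet it refers to): Camunda's REST API authenticates requests through its ProcessEngineAuthenticationFilter, whose authentication-provider init parameter names a class implementing the REST API's AuthenticationProvider interface. The provider below extends Camunda's ContainerBasedAuthenticationProvider and takes the user id from the Spring Security context that the SSO login has populated, which is why the filter is ordered after Spring Security's own filter chain. It assumes that the REST API is mounted under /engine-rest, that the SSO part puts the Camunda user id (the e-mail address, given useEmailAsCamundaUserId: true) into the principal name, and that the engine's authorization checks are enabled; the package, class and bean names are made up for this example.

```java
package org.camunda.bpm.extension.keycloak.showcase.rest; // assumed package name

import javax.servlet.http.HttpServletRequest;

import org.camunda.bpm.engine.ProcessEngine;
import org.camunda.bpm.engine.rest.security.auth.AuthenticationResult;
import org.camunda.bpm.engine.rest.security.auth.ProcessEngineAuthenticationFilter;
import org.camunda.bpm.engine.rest.security.auth.impl.ContainerBasedAuthenticationProvider;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

/**
 * REST API authentication provider (added example): maps the Spring Security principal
 * filled by the Keycloak SSO login onto the Camunda user id the engine expects.
 */
public class SpringSecurityRestAuthenticationProvider extends ContainerBasedAuthenticationProvider {

    @Override
    public AuthenticationResult extractAuthenticatedUser(HttpServletRequest request, ProcessEngine engine) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // No session, or only Spring's anonymous token: report the request as unauthenticated.
        // ProcessEngineAuthenticationFilter then answers 401 instead of serving the user list.
        if (auth == null || !auth.isAuthenticated() || auth instanceof AnonymousAuthenticationToken) {
            return AuthenticationResult.unsuccessful();
        }
        // Assumption: the SSO setup uses the Camunda user id (e-mail) as principal name.
        String userId = auth.getName();
        // Defensive check: only accept principals the (read-only) Keycloak identity provider
        // knows; an unknown id would end up with no groups and no authorizations anyway.
        long known = engine.getIdentityService().createUserQuery().userId(userId).count();
        if (known != 1) {
            return AuthenticationResult.unsuccessful();
        }
        // Groups and tenants are left unset, so the filter resolves the groups through the
        // identity service (tenants are not supported by the Keycloak plugin in any case).
        return AuthenticationResult.successful(userId);
    }
}

/** Registers Camunda's REST authentication filter for the REST API URL space. */
@Configuration
class RestApiSecurityConfig {

    @Bean
    public FilterRegistrationBean<ProcessEngineAuthenticationFilter> engineRestAuthenticationFilter() {
        FilterRegistrationBean<ProcessEngineAuthenticationFilter> registration = new FilterRegistrationBean<>();
        registration.setName("camunda-auth");
        registration.setFilter(new ProcessEngineAuthenticationFilter());
        // Documented init parameter of the filter: fully qualified name of the provider class.
        registration.addInitParameter("authentication-provider",
                SpringSecurityRestAuthenticationProvider.class.getName());
        // Assumed mount point of camunda-bpm-spring-boot-starter-rest; adjust for a context path.
        registration.addUrlPatterns("/engine-rest/*");
        // Run after Spring Security's filter chain (order -100 by default) so that the
        // SecurityContext the provider reads has already been populated.
        registration.setOrder(Ordered.LOWEST_PRECEDENCE);
        return registration;
    }
}
```

Two things to check when wiring this in: the Spring Security configuration must still require an authenticated session for /engine-rest/** (otherwise the provider only ever sees the anonymous token and every call ends in 401), and camunda.bpm.authorization.enabled must be true, because setting the authenticated user on the engine only restricts what GET /engine-rest/user returns when the engine actually evaluates authorizations. Note also that the provider in this example is the REST API's AuthenticationProvider, not the Spring Security AuthenticationProvider used for the SSO login; the two interfaces merely share a name.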

Hi @VonDerBeck,
I have integrated the REST API part from the link you provided.

But I am not able to authenticate the URL http://localhost:8080/engine-rest/user.

Following is the screenshot.

In the configuration class I have set the init parameter to the KeycloakAuthenticationProvider. Need help.

Hi @VonDerBeck,
I have changed a piece of code in WebAppSecurityConfig, which leads to the Keycloak login page when I hit the URL http://localhost:8080/engine-rest/user:

// imports and class declaration added around the posted configure() method
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class WebAppSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().ignoringAntMatchers("/api/**")
            .and()
            .antMatcher("/**")
            .authorizeRequests()
                // web apps and the REST API require an authenticated session;
                // unauthenticated requests are redirected to the Keycloak login
                .antMatchers("/app/**").authenticated()
                .antMatchers("/engine-rest/**").authenticated()
                // everything else (static resources etc.) stays open
                .anyRequest().permitAll();
    }
}

Hi @Tanmay_Naik,

glad you made it :+1:
