Integration of camunda with keycloak SSO

Hi @VonDerBeck ,
Is there any way to disable this API http://localhost:8080/camunda/engine-rest/user, as this API doesn’t support bearer token authentication and just displays the whole list of users?

Hi @Tanmay_Naik,

for hints on how to integrate authentication for the REST API see my previous post #32 Integration of camunda with keycloak SSO - #32 by VonDerBeck :

The basic principles can be taken from Camunda’s SSO example (https://github.com/camunda-consulting/code/tree/master/snippets/springboot-security-sso )

  • In order to understand Camunda’s REST-API please have a look at the documentation (e.g. Get Users | docs.camunda.org).
  • The Spring Boot Integration parts can be found here: Spring Boot Integration | docs.camunda.org. The different Spring-Boot-Starter projects are listed there as well - the REST API is one of these components and can thus be activated / deactivated separately by managing the dependencies in your pom.xml.

It’s all very well documented and worth reading.

Cheers
Gunnar

Hi @VonDerBeck,
I have integrated the REST API part from the link you provided.

But I am not able to authenticate the URL http://localhost:8080/engine-rest/user

Following is the screenshot

In the configuration class I have set the InitParameter to the KeycloakAuthenticationProvider. Need help

Hi @VonDerBeck,
I have changed a piece of code in WebAppSecurityConfig which leads to the Keycloak login page when I hit the URL http://localhost:8080/engine-rest/user

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .csrf().ignoringAntMatchers("/api/**")   // CSRF protection stays on, except for /api/**
        .and()
        .antMatcher("/**")
        .authorizeRequests()
            .antMatchers("/app/**").authenticated()          // web apps require a login
            .antMatchers("/engine-rest/**").authenticated()  // REST API now requires a login as well
            .anyRequest().permitAll();
}

Hi @Tanmay_Naik,

glad you made it :+1:


@VonDerBeck ,
I wanted to configure MySQL instead of H2, and a Redis database, in your repository https://github.com/camunda/camunda-bpm-identity-keycloak/ which I have cloned.
Awaiting your reply!!

Hi @Tanmay_Naik,

in order to configure MySQL instead of H2 simply go to your application.yaml and change the JDBC URL connection parameters accordingly. General help for this task can be found within the Spring documentation. Articles on www.baeldung.com are a good read as well. Camunda’s documentation can be found here: https://docs.camunda.org/manual/7.11/user-guide/process-engine/database/#database-configuration

Redis integration is an interesting part, but for the sample project not yet ready. So for now the challenge is up to you.

Generally speaking, the sample project is only a basic showcase giving you a start, especially on how to configure the Keycloak Identity Provider plugin in such an environment. It is not intended to cover absolutely everything related to Identity Management and all other aspects of Spring Boot, even if I certainly add new aspects every now and then when time allows.

Hi @VonDerBeck,
Find below the screenshot of the application.yaml file!

After successfully running the project I am not able to see any tables created in MySQL.

Awaiting your reply!!

Hi @VonDerBeck ,
So when I debugged after changing the configuration to MySQL, I found that in your plugin there is the embedded H2 data source which is initialising and not taking the MySQL URL. Attaching the screenshot

Hi @VonDerBeck
So I am still playing with the properties

Again it’s taking the embedded datasource

I tried with the dbcp datasource also

Hi @Tanmay_Naik,

  1. Have you added the appropriate Spring Boot Datasource dependencies including the MySQL driver package to your pom.xml?
  2. Can you explain what the spring.jpa config is good for? Camunda doesn’t use JPA. In case you want to use your own persistence in your business services I would recommend using a separate database schema and a separate datasource.
  3. The driver class name should not be required
  4. You have no password?
  5. In your database you have a schema named camunda?
  6. Don’t use root as user, but create your own database user with appropriate access rights to the camunda schema
  7. Do you have any exceptions?

Hope this helps.
Cheers
Gunnar

Hi @VonDerBeck ,
1) Yes, I have added the MySQL dependency in pom.xml
2) The JPA config is for the persistence layer; ok, got you that Camunda doesn’t use JPA
3) Ok, got you
4) Yes, I had no password as it is on my local machine
5) Yes, in my database I have a schema named camunda
6) Sure
7) Nope, no exceptions

So when I start the project and log in to MySQL I am not able to see tables, like Keycloak creates tables dynamically by adding the data source in the XML file

When I debugged the Java file I saw the embedded data source thing, so that’s why I was playing with the properties file to use MySQL instead of the H2 database but facing a blocker.

Hi @VonDerBeck,
Below is the screenshot of the updated yaml file

and also the screenshot of the pom.xml file

Hi @Tanmay_Naik,

sadly it’s not possible to see what’s wrong remotely. If you have a look at the example the datasource has been defined as follows:

spring.datasource:
  url: ${JDBC_URL:jdbc:h2:./camunda-db;DB_CLOSE_DELAY=-1;MVCC=TRUE;DB_CLOSE_ON_EXIT=FALSE}
  username: ${JDBC_USER:sa}
  password: ${JDBC_PASSWORD:sa} 

Then go to k8s\deployment.yaml you’ll find

       env:
       - name: JDBC_URL
         value: jdbc:postgresql://postgres-service:5432/camunda
       - name: JDBC_USER
         value: camunda
       - name: JDBC_PASSWORD
         value: camunda1!

Which is the setting for Postgres. It should work similarly with MySQL. There is nothing more to do. Everything else is neither Camunda nor plugin specific but plain Spring Boot. Your error will be somewhere in your local setup where you have forgotten about something you added but shouldn’t have. First get rid of everything you don’t need but played around with. And if it still does not work you should set the log level to debug, which will give you an idea what to look for.

Please have a look at https://github.com/camunda/camunda-bpm-identity-keycloak/blob/master/examples/sso-kubernetes/pom.xml

I think you’re missing the spring-boot-starter-jdbc dependency. Without it Spring Boot will fall back to H2.

The final consolidated example and officially published extension can now be found here:

Hi @VonDerBeck ,
Thanks!! It worked.
And also congratulations on your plugin, which is publicly available now.

Hi @VonDerBeck,
Is there any chance to contribute this code to your repo?

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .csrf().ignoringAntMatchers("/api/**")   // CSRF protection stays on, except for /api/**
        .and()
        .antMatcher("/**")
        .authorizeRequests()
            .antMatchers("/app/**").authenticated()          // web apps require a login
            .antMatchers("/engine-rest/**").authenticated()  // REST API requires a login as well
            .anyRequest().permitAll();
}

Hi @Tanmay_Naik,

you’re free to enhance your own application in every aspect you like. The intention of the showcase was to give you a basic quick start on how to configure the Identity Provider Plugin. Not everything else.

Above you have added security for the REST interface. This is likely not everything you have to do. Please have a look at https://github.com/camunda-consulting/code/tree/master/snippets/springboot-security-sso which provides you with additional required code snippets (e.g. StatelessUserAuthenticationFilter and others) for accomplishing that task.
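The missing piece Gunnar alludes to, as an added example that is not part of this thread or of the camunda-bpm-identity-keycloak project: a separate Spring Security chain for /engine-rest/** that accepts only a valid Keycloak-issued bearer token (closing the unauthenticated /engine-rest/user listing raised at the top of the thread) and hands the token's user id to the engine, so Camunda's own authorization checks run for the call instead of it being anonymous. It assumes spring-boot-starter-oauth2-resource-server on the classpath, spring.security.oauth2.resourceserver.jwt.issuer-uri pointing at the Keycloak realm, Camunda user ids equal to the token's preferred_username claim (adjust to whatever id your plugin configuration maps users by), and that the existing WebAppSecurityConfig keeps handling /app/**; the class and filter names are invented.

```java
// Added example, not code from this thread or from the camunda-bpm-identity-keycloak project.
// Assumes spring-boot-starter-oauth2-resource-server, the issuer-uri property set to the Keycloak
// realm, and Camunda user ids equal to the token's preferred_username claim (an assumption).
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.camunda.bpm.engine.ProcessEngine;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;
@EnableWebSecurity
@Order(1) // evaluated before the session-based chain that protects /app/**
public class EngineRestSecurityConfig extends WebSecurityConfigurerAdapter {
    private final ProcessEngine engine;
    public EngineRestSecurityConfig(ProcessEngine engine) { this.engine = engine; }
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.antMatcher("/engine-rest/**")                        // this chain covers the REST API only
            .csrf().disable()                                      // token calls carry no session cookie
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .authorizeRequests().anyRequest().authenticated().and() // no anonymous GET /engine-rest/user
            .oauth2ResourceServer().jwt().and().and()              // signature, issuer and expiry verified
            .addFilterAfter(new CamundaIdentityFilter(engine), BearerTokenAuthenticationFilter.class);
    }
    /** Hands the verified user id to the engine so Camunda's own authorization checks apply per call. */
    static class CamundaIdentityFilter extends OncePerRequestFilter {
        private final ProcessEngine engine;
        CamundaIdentityFilter(ProcessEngine engine) { this.engine = engine; }
        @Override
        protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
                throws ServletException, IOException {
            Authentication auth = SecurityContextHolder.getContext().getAuthentication();
            if (auth instanceof JwtAuthenticationToken) {
                String userId = ((JwtAuthenticationToken) auth).getToken().getClaimAsString("preferred_username");
                engine.getIdentityService().setAuthenticatedUserId(userId);
            }
            try { chain.doFilter(req, res); }
            finally { engine.getIdentityService().clearAuthentication(); } // never leak identity across requests
        }
    }
}
```

With camunda.bpm.authorization.enabled set to true, the user id passed to the engine is what restricts which users, tasks and process instances a given caller can read through /engine-rest.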

@VonDerBeck ok cool