Integration with OpenId Connect using camunda-sso-jboss example



Hi, I’m looking at integrating Camunda web apps with OpenId Connect, eg, KeyCloak, such that:

  • Authorisation/authentication is via KeyCloak
  • Camunda users and groups are those from KeyCloak

I found https://github.com/camunda/camunda-sso-jboss/blob/keycloak/README.md, whose Testing section suggests it does both of these things, and I’ve been trying to get it to work under WildFly and Tomcat.

When I build camunda-webapp-jboss-sso-7.8.0.war and deploy it into a wildfly-10.1.0.Final server set up as described in the above README.md and https://www.keycloak.org/docs/3.0/securing_apps/topics/oidc/java/jboss-adapter.html with keycloak-wildfly-adapter-dist-3.0.0.Final.zip, or a wildfly-13.0.0.Final server set up with keycloak-wildfly-adapter-dist-4.2.1.Final.zip, I get:

\"WFLYCTL0080: Failed services\" => {\"jboss.module.service.\\\"deployment.camunda-webapp-jboss-sso-7.8.0.war\\\".main\" => \"org.jboss.msc.service.StartException in service jboss.module.service.\\\"deployment.camunda-webapp-jboss-sso-7.8.0.war\\\".main: WFLYSRV0179: Failed to load module: deployment.camunda-webapp-jboss-sso-7.8.0.war:main
Caused by: org.jboss.modules.ModuleNotFoundException: org.camunda.bpm.camunda-engine:main\"},

I can deploy camunda-webapp-jboss-standalone-7.8.0.war without any issues.

I get something similar (java.lang.ClassNotFoundException: org.camunda.bpm.engine.ProcessEngineException) deploying on apache-tomcat-8.5.32 set up as described in the above README.md with keycloak-wildfly-adapter-dist-4.2.1.Final.zip, though I am able to solve this and subsequent issues by:

  • Copying the extra jars I found in webapps\camunda-webapp-tomcat-standalone-7.8.0\WEB-INF\lib into webapps\camunda-webapp-jboss-sso-7.8.0\WEB-INF\lib

  • Copying camunda-webapp-tomcat-standalone-7.8.0’s applicationContext.xml to webapps\camunda-webapp-jboss-sso-7.8.0\WEB-INF

  • Copying the following into webapps\camunda-webapp-jboss-sso-7.8.0\WEB-INF\web.xml (again, cribbed from camunda-webapp-tomcat-standalone-7.8.0):

    <context-param>
      <param-name>contextConfigLocation</param-name>
      <param-value>/WEB-INF/applicationContext.xml</param-value>
    </context-param>
    
    <listener>
      <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
    

However, although visiting camunda at localhost:8080/camunda-webapp-jboss-sso-7.8.0 redirects to localhost:8081/auth/realms/demo/protocol/openid-connect/auth (yay! success!), after logging in via keycloak using demo/notdemo, I am taken to /app/admin/default/setup/#/setup to add users to Camunda. Camunda does not pick up the users (or roles/groups) defined in KeyCloak.

I can deploy camunda-webapp-tomcat-standalone-7.8.0.war without any issues.

I’m guessing/hoping I’m doing something dumb in deploying camunda-sso-jboss to WildFly and Tomcat, but I can’t figure out what it is.

So, my questions are:

  • What have I likely done wrong in the deployments of camunda-sso-jboss?
  • Does camunda-sso-jboss really get users and groups/roles from KeyCloak?
  • If not, how is it possible to configure/implement to do so in a generic way?

Thanks…
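For the third question (a generic way to feed the container-authenticated user and their Keycloak roles into the Camunda web apps), here is an added example that is not part of the original post and not code from the camunda-sso-jboss project. It assumes the Camunda 7.8 web-app SPI `org.camunda.bpm.webapp.impl.security.auth.AuthenticationProvider` with its `AuthenticationResult` companion, the `org.keycloak.KeycloakPrincipal` class exposed by the Keycloak servlet adapter once the container has authenticated the request, and a hypothetical package name `example.sso`. The provider takes the user id from the container principal and the Camunda group ids from the realm roles in the Keycloak access token; it does not create users or groups in Camunda's own identity tables.

```java
package example.sso; // hypothetical package name, not from the project

import java.security.Principal;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.camunda.bpm.engine.ProcessEngine;
import org.camunda.bpm.webapp.impl.security.auth.AuthenticationProvider;
import org.camunda.bpm.webapp.impl.security.auth.AuthenticationResult;
import org.keycloak.KeycloakPrincipal;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.representations.AccessToken;

/**
 * Maps the container principal established by the Keycloak adapter onto a
 * Camunda web-app authentication. The user id is the principal name and the
 * group ids are the realm roles carried in the verified access token, so the
 * web app never has to trust a user-supplied header for either value.
 */
public class KeycloakRealmRoleAuthenticationProvider implements AuthenticationProvider {

  @Override
  public AuthenticationResult extractAuthenticatedUser(HttpServletRequest request, ProcessEngine engine) {
    Principal principal = request.getUserPrincipal();
    if (principal == null) {
      // The container has not authenticated this request; report failure so
      // the filter does not grant access on an anonymous request.
      return AuthenticationResult.unsuccessful();
    }

    AuthenticationResult result = AuthenticationResult.successful(principal.getName());
    result.setGroups(realmRoles(principal));
    return result;
  }

  @Override
  public void augmentResponseByAuthenticationChallenge(HttpServletResponse response, ProcessEngine engine) {
    // The Keycloak adapter already redirects unauthenticated browsers to the
    // realm login page (the /auth/realms/demo/protocol/openid-connect/auth
    // redirect seen in the post), so no extra challenge header is added here.
  }

  /** Realm roles from the Keycloak token; empty when the principal is not a Keycloak one. */
  private static List<String> realmRoles(Principal principal) {
    if (!(principal instanceof KeycloakPrincipal)) {
      return Collections.emptyList();
    }
    KeycloakSecurityContext ctx = ((KeycloakPrincipal<?>) principal).getKeycloakSecurityContext();
    AccessToken token = ctx == null ? null : ctx.getToken();
    if (token == null || token.getRealmAccess() == null) {
      return Collections.emptyList();
    }
    return new ArrayList<>(token.getRealmAccess().getRoles());
  }
}
```

To wire it in, the web app's `web.xml` registers Camunda's `org.camunda.bpm.webapp.impl.security.auth.ContainerBasedAuthenticationFilter` with the init-param `authentication-provider` set to this class name, in place of the default filter. Camunda's authorization checks use the group ids on the authentication as they are, so authorizations granted to a group id such as `camunda-admin` apply to anyone whose token carries that realm role even though the group does not exist in Camunda's identity tables; the users themselves likewise appear in the Admin app only as authenticated identities, not as editable user records, which is why the setup page still offers to create a local user.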