Integration with OpenID Connect using camunda-sso-jboss example


Hi, I’m looking at integrating Camunda web apps with OpenID Connect, e.g., Keycloak, such that:

  • Authorisation/authentication is via Keycloak
  • Camunda users and groups are those from Keycloak

I found, whose Testing section suggests it does both of these things, and I’ve been trying to get it to work under WildFly and Tomcat.

When I build camunda-webapp-jboss-sso-7.8.0.war and deploy into a wildfly-10.1.0.Final server set up as described in the above and with, or wildfly-13.0.0.Final server set up with, I get:

\"WFLYCTL0080: Failed services\" => {\"jboss.module.service.\\\"deployment.camunda-webapp-jboss-sso-7.8.0.war\\\".main\" => \"org.jboss.msc.service.StartException in service jboss.module.service.\\\"deployment.camunda-webapp-jboss-sso-7.8.0.war\\\".main: WFLYSRV0179: Failed to load module: deployment.camunda-webapp-jboss-sso-7.8.0.war:main
Caused by: org.jboss.modules.ModuleNotFoundException: org.camunda.bpm.camunda-engine:main\"},

I can deploy camunda-webapp-jboss-standalone-7.8.0.war without any issues.

I get something similar (java.lang.ClassNotFoundException: org.camunda.bpm.engine.ProcessEngineException) deploying on apache-tomcat-8.5.32 set up as described in the above with, though I am able to solve this and subsequent issues by:

  • Copying the extra jars I found in webapps\camunda-webapp-tomcat-standalone-7.8.0\WEB-INF\lib into webapps\camunda-webapp-jboss-sso-7.8.0\WEB-INF\lib

  • Copying camunda-webapp-tomcat-standalone-7.8.0’s applicationContext.xml to webapps\camunda-webapp-jboss-sso-7.8.0\WEB-INF

  • Copying the following into webapps\camunda-webapp-jboss-sso-7.8.0\WEB-INF\web.xml (again, cribbed from camunda-webapp-tomcat-standalone-7.8.0):


However, although visiting Camunda at localhost:8080/camunda-webapp-jboss-sso-7.8.0 redirects to localhost:8081/auth/realms/demo/protocol/openid-connect/auth (yay! success!), after logging in via Keycloak using demo/notdemo, I am taken to /app/admin/default/setup/#/setup to add users to Camunda. Camunda does not pick up the users (or roles/groups) defined in Keycloak.

I can deploy camunda-webapp-tomcat-standalone-7.8.0.war without any issues.

I’m guessing/hoping I’m doing something dumb in deploying camunda-sso-jboss to WildFly and Tomcat, but I can’t figure out what it is.

So, my questions are:

  • What have I likely done wrong in the deployments of camunda-sso-jboss?
  • Does camunda-sso-jboss really get users and groups/roles from Keycloak?
  • If not, how is it possible to configure/implement it to do so in a generic way?