Keycloak Configuration Issue

I was trying to run the following example. I created a client and users in Keycloak… When I start the application, the following error is shown.

Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'processEngineFactoryBean': FactoryBean threw exception on object creation; nested exception is org.camunda.bpm.engine.impl.identity.IdentityProviderException: Unable to query users
at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:176) ~[spring-beans-5.2.9.RELEASE.jar:5.2.9.RELEASE]
at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.getObjectFromFactoryBean(FactoryBeanRegistrySupport.java:101) ~[spring-beans-5.2.9.RELEASE.jar:5.2.9.RELEASE]
at org.springframework.beans.factory.support.AbstractBeanFactory.getObjectForBeanInstance(AbstractBeanFactory.java:1828) ~[spring-beans-5.2.9.RELEASE.jar:5.2.9.RELEASE]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.getObjectForBeanInstance(AbstractAutowireCapableBeanFactory.java:1265) ~[spring-beans-5.2.9.RELEASE.jar:5.2.9.RELEASE]
at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:334) ~[spring-beans-5.2.9.RELEASE.jar:5.2.9.RELEASE]
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202) ~[spring-beans-5.2.9.RELEASE.jar:5.2.9.RELEASE]
at org.springframework.beans.factory.config.DependencyDescriptor.resolveCandidate(DependencyDescriptor.java:276) ~[spring-beans-5.2.9.RELEASE.jar:5.2.9.RELEASE]
at org.springframework.beans.factory.support.DefaultListableBeanFactory.doResolveDependency(DefaultListableBeanFactory.java:1307) ~[spring-beans-5.2.9.RELEASE.jar:5.2.9.RELEASE]
at org.springframework.beans.factory.support.DefaultListableBeanFactory.resolveDependency(DefaultListableBeanFactory.java:1227) ~[spring-beans-5.2.9.RELEASE.jar:5.2.9.RELEASE]
at org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor$AutowiredFieldElement.inject(AutowiredAnnotationBeanPostProcessor.java:640) ~[spring-beans-5.2.9.RELEASE.jar:5.2.9.RELEASE]
… 85 common frames omitted
Caused by: org.camunda.bpm.engine.impl.identity.IdentityProviderException: Unable to query users
at org.camunda.bpm.extension.keycloak.KeycloakUserService.requestUsersWithoutGroupId(KeycloakUserService.java:276) ~[camunda-bpm-identity-keycloak-all-2.0.0.jar:2.0.0]
at org.camunda.bpm.extension.keycloak.KeycloakIdentityProviderSession.findUserByQueryCriteria(KeycloakIdentityProviderSession.java:130) ~[camunda-bpm-identity-keycloak-all-2.0.0.jar:2.0.0]
at org.camunda.bpm.extension.keycloak.KeycloakUserQuery.executeList(KeycloakUserQuery.java:38) ~[camunda-bpm-identity-keycloak-all-2.0.0.jar:2.0.0]
at org.camunda.bpm.engine.impl.AbstractQuery.evaluateExpressionsAndExecuteList(AbstractQuery.java:219) ~[camunda-engine-7.14.0.jar:7.14.0]
at org.camunda.bpm.engine.impl.AbstractQuery.executeSingleResult(AbstractQuery.java:241) ~[camunda-engine-7.14.0.jar:7.14.0]
at org.camunda.bpm.engine.impl.AbstractQuery.execute(AbstractQuery.java:195) ~[camunda-engine-7.14.0.jar:7.14.0]
at org.camunda.bpm.engine.impl.interceptor.CommandExecutorImpl.execute(CommandExecutorImpl.java:28) ~[camunda-engine-7.14.0.jar:7.14.0]
at org.camunda.bpm.engine.impl.interceptor.CommandContextInterceptor.execute(CommandContextInterceptor.java:110) ~[camunda-engine-7.14.0.jar:7.14.0]
at org.camunda.bpm.engine.spring.SpringTransactionInterceptor$1.doInTransaction(SpringTransactionInterceptor.java:46) ~[camunda-engine-spring-7.14.0.jar:7.14.0]
at org.springframework.transaction.support.TransactionTemplate.execute(TransactionTemplate.java:140) ~[spring-tx-5.2.9.RELEASE.jar:5.2.9.RELEASE]
at org.camunda.bpm.engine.spring.SpringTransactionInterceptor.execute(SpringTransactionInterceptor.java:44) ~[camunda-engine-spring-7.14.0.jar:7.14.0]
at org.camunda.bpm.engine.impl.interceptor.ProcessApplicationContextInterceptor.execute(ProcessApplicationContextInterceptor.java:70) ~[camunda-engine-7.14.0.jar:7.14.0]
at org.camunda.bpm.engine.impl.interceptor.CommandCounterInterceptor.execute(CommandCounterInterceptor.java:35) ~[camunda-engine-7.14.0.jar:7.14.0]
at org.camunda.bpm.engine.impl.interceptor.LogInterceptor.execute(LogInterceptor.java:33) ~[camunda-engine-7.14.0.jar:7.14.0]
at org.camunda.bpm.engine.impl.AbstractQuery.executeResult(AbstractQuery.java:160) ~[camunda-engine-7.14.0.jar:7.14.0]
at org.camunda.bpm.engine.impl.AbstractQuery.singleResult(AbstractQuery.java:136) ~[camunda-engine-7.14.0.jar:7.14.0]
at org.camunda.bpm.spring.boot.starter.configuration.impl.custom.CreateAdminUserConfiguration.userAlreadyExists(CreateAdminUserConfiguration.java:93) ~[camunda-bpm-spring-boot-starter-7.14.0.jar:7.14.0]
at org.camunda.bpm.spring.boot.starter.configuration.impl.custom.CreateAdminUserConfiguration.postProcessEngineBuild(CreateAdminUserConfiguration.java:60) ~[camunda-bpm-spring-boot-starter-7.14.0.jar:7.14.0]
at org.camunda.bpm.engine.impl.cfg.CompositeProcessEnginePlugin.postProcessEngineBuild(CompositeProcessEnginePlugin.java:107) ~[camunda-engine-7.14.0.jar:7.14.0]
at org.camunda.bpm.engine.impl.cfg.ProcessEngineConfigurationImpl.invokePostProcessEngineBuild(ProcessEngineConfigurationImpl.java:1267) ~[camunda-engine-7.14.0.jar:7.14.0]
at org.camunda.bpm.engine.impl.cfg.ProcessEngineConfigurationImpl.buildProcessEngine(ProcessEngineConfigurationImpl.java:974) ~[camunda-engine-7.14.0.jar:7.14.0]
at org.camunda.bpm.engine.spring.SpringTransactionsProcessEngineConfiguration.buildProcessEngine(SpringTransactionsProcessEngineConfiguration.java:67) ~[camunda-engine-spring-7.14.0.jar:7.14.0]
at org.camunda.bpm.engine.spring.ProcessEngineFactoryBean.getObject(ProcessEngineFactoryBean.java:55) ~[camunda-engine-spring-7.14.0.jar:7.14.0]
at org.camunda.bpm.engine.spring.ProcessEngineFactoryBean.getObject(ProcessEngineFactoryBean.java:34) ~[camunda-engine-spring-7.14.0.jar:7.14.0]
at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:169) ~[spring-beans-5.2.9.RELEASE.jar:5.2.9.RELEASE]
… 94 common frames omitted
Caused by: keycloakjar.org.springframework.web.client.HttpClientErrorException$Forbidden: 403 Forbidden: [{"error":"unknown_error"}]
at keycloakjar.org.springframework.web.client.HttpClientErrorException.create(HttpClientErrorException.java:109) ~[camunda-bpm-identity-keycloak-all-2.0.0.jar:2.0.0]
at keycloakjar.org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:184) ~[camunda-bpm-identity-keycloak-all-2.0.0.jar:2.0.0]
at keycloakjar.org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:125) ~[camunda-bpm-identity-keycloak-all-2.0.0.jar:2.0.0]
at keycloakjar.org.springframework.web.client.ResponseErrorHandler.handleError(ResponseErrorHandler.java:63) ~[camunda-bpm-identity-keycloak-all-2.0.0.jar:2.0.0]
at keycloakjar.org.springframework.web.client.RestTemplate.handleResponse(RestTemplate.java:782) ~[camunda-bpm-identity-keycloak-all-2.0.0.jar:2.0.0]
at keycloakjar.org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:740) ~[camunda-bpm-identity-keycloak-all-2.0.0.jar:2.0.0]
at keycloakjar.org.springframework.web.client.RestTemplate.execute(RestTemplate.java:674) ~[camunda-bpm-identity-keycloak-all-2.0.0.jar:2.0.0]
at keycloakjar.org.springframework.web.client.RestTemplate.exchange(RestTemplate.java:583) ~[camunda-bpm-identity-keycloak-all-2.0.0.jar:2.0.0]
at org.camunda.bpm.extension.keycloak.KeycloakUserService.requestUserById(KeycloakUserService.java:352) ~[camunda-bpm-identity-keycloak-all-2.0.0.jar:2.0.0]
at org.camunda.bpm.extension.keycloak.KeycloakUserService.requestUsersWithoutGroupId(KeycloakUserService.java:224) ~[camunda-bpm-identity-keycloak-all-2.0.0.jar:2.0.0]
… 118 common frames omitted

Hi @eazhages,

Thank you for raising this topic. Can you please format your post according to the guidelines posted here: FAQ - Camunda BPM Forum?

From the logs, it seems that the process engine can’t use the identity provider to query for users. The IdentityProvider mentioned in the logs is an interface that is implemented by the Keycloak plugin and is used by the process engine to interface with Keycloak and obtain user information.

I would suggest checking your configuration for any errors.

Best,
Nikola

2 Likes

Hi @nikola.koevski
application.txt (2.3 KB)
pom.txt (5.0 KB)

Here I attached my application configuration YAML file and pom.xml. And my Keycloak configuration is


My Camunda and Spring Boot versions are
Spring-Boot: (v2.3.4.RELEASE)
Camunda BPM: (v7.14.0)
Camunda BPM Spring Boot Starter: (v7.14.0)

Camunda Identity Keycloak jar version is: camunda-bpm-identity-keycloak-2.1.0-SNAPSHOT.jar

There are mainly two exceptions thrown:

  1. org.camunda.bpm.engine.impl.identity.IdentityProviderException: Unable to query users
    at org.camunda.bpm.extension.keycloak.KeycloakUserService.requestUsersWithoutGroupId(KeycloakUserService.java:276) ~[camunda-bpm-identity-keycloak-2.1.0-SNAPSHOT.jar:2.1.0-SNAPSHOT]

  2. Caused by: org.springframework.web.client.HttpClientErrorException$Forbidden: 403 Forbidden: [{"error":"unknown_error"}]
    at org.springframework.web.client.HttpClientErrorException.create(HttpClientErrorException.java:109) ~[spring-web-5.2.9.RELEASE.jar:5.2.9.RELEASE]

@eazhages, as the Keycloak Identity Provider Plugin is a community extension, I am not that familiar with it, so I can’t provide a lot of input on the configuration you provided. Maybe @VonDerBeck knows more?

One thing that I noticed is the camunda.webapp.application-path property. You haven’t provided a value there, so it should default to /camunda (Process Engine Configuration | docs.camunda.org). Can you confirm that your URLs are correct?

Best,
Nikola

Hi @eazhages,
you get 403 Forbidden. Hence I would check the following:
1.) is the configured client ID and client secret correct?
2.) configuration of Keycloak issuer URL and Keycloak admin URL
3.) Within Keycloak, have you done the following (see documentation):

Does that help?
Gunnar

2 Likes

Hi @VonDerBeck.
Yes, it helps. After setting Client Roles, the 403 Forbidden is resolved.
Thanks for your support.

1 Like

Hi @VonDerBeck
I was following the below git code

Now, after the application is up, the page redirects to the Keycloak login page. But after login from Keycloak, the page doesn’t redirect to my Camunda dashboard page.

My application port number: 7070
Keycloak server port number: 9080

This is my application configuration yml file.
applicationYML.txt (2.1 KB)

application_properties.txt (403 Bytes)

And my Keycloak client configuration is

After login, it doesn’t redirect to the Camunda dashboard page.

I also have this session active in Keycloak after I logged in to the test account:

How to solve it?

1 Like

Hi @eazhages,

You have modified a lot of the basic URL configurations compared to the original setup of the sample. It is very likely that your URL setup is not consistent. Please check them again.

Hmm… One thing: why have you modified the spring.security.oauth2.client.keycloak.redirect-uri to the hard coded value http://localhost:7070/app/*?? This way the authentication code from Keycloak won’t reach Spring Security. The original value has been "{baseUrl}/{action}/oauth2/code/{registrationId}". See Spring Security documentation for more details on that. It is highly probable that Spring Security is now unable to continue the OAuth 2 authentication flow. Hence you get the result you have.

Best,
Gunnar

2 Likes

Thanks. Let me check the configuration.

What is the base URL (is this my application URL? http://localhost:7070), action, and registrationId?

Can you send one sample URL for this: {baseUrl}/{action}/oauth2/code/{registrationId}

Why not leave this to Spring Security?

spring.security:
  oauth2:
    client:
      registration:
        keycloak:
          provider: keycloak
          client-id: ${keycloak.client.id}
          client-secret: ${keycloak.client.secret}
          authorization-grant-type: authorization_code
          redirect-uri: "{baseUrl}/{action}/oauth2/code/{registrationId}"
          scope: openid, profile, email

Ok, registrationId in this case is keycloak, action might be login, and baseUrl is the base URL of your application. Spring Security is able to build the redirect URI dynamically. This way you are more independent from other setup changes.

1 Like
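
A small consistency check for the redirect-uri discussed above, as an added example that is not part of the original thread or of the Camunda Keycloak sample: it expands the template for the thread's base URL and flags values that Spring Security's default login callback endpoint (`/login/oauth2/code/*`) would never receive. The function names and the Keycloak "Valid Redirect URIs" entry are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Spring Security's default OAuth2 login callback is /login/oauth2/code/{registrationId}.
CALLBACK = re.compile(r"/login/oauth2/code/[^/]+")


def expand_redirect_uri(template, base_url, registration_id, action="login"):
    """Fill in the {baseUrl}, {action} and {registrationId} placeholders."""
    values = {"baseUrl": base_url.rstrip("/"), "action": action,
              "registrationId": registration_id}
    for name, value in values.items():
        template = template.replace("{" + name + "}", value)
    return template


def keycloak_allows(redirect_uri, valid_redirect_uris):
    """Keycloak-style match: exact, or prefix match when the entry ends in '*'."""
    for entry in valid_redirect_uris:
        if entry.endswith("*"):
            if redirect_uri.startswith(entry[:-1]):
                return True
        elif redirect_uri == entry:
            return True
    return False


def check_redirect_uri(template, base_url, registration_id, valid_redirect_uris):
    """Return (expanded URI, list of problems) for one client registration."""
    uri = expand_redirect_uri(template, base_url, registration_id)
    problems = []
    if "*" in uri or "{" in uri:
        problems.append("redirect-uri is a pattern, not a concrete callback URL")
    path = urlsplit(uri).path
    if not CALLBACK.fullmatch(path):
        problems.append("path %r is not the Spring Security login callback" % path)
    if not keycloak_allows(uri, valid_redirect_uris):
        problems.append("not covered by the Keycloak client's Valid Redirect URIs")
    return uri, problems

# Constructed sample: base URL taken from the thread, Keycloak entry assumed.
KEYCLOAK_VALID = ["http://localhost:7070/login/oauth2/code/keycloak"]
TEMPLATE = "{baseUrl}/{action}/oauth2/code/{registrationId}"

if __name__ == "__main__":
    for tmpl in (TEMPLATE, "http://localhost:7070/app/*"):
        print(check_redirect_uri(tmpl, "http://localhost:7070", "keycloak", KEYCLOAK_VALID))
```

Registering the exact callback URL in Keycloak, rather than a broad wildcard, keeps the set of locations that can receive an authorization code as small as possible.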

Hi @VonDerBeck.
Thanks for your support… After setting the redirect-uri, it’s working fine… After login, the page lands on the Camunda dashboard.

This is my redirect-uri : http://localhost:7070/login/oauth2/code/keycloak

Thanks VonDerBeck

1 Like

Hi @VonDerBeck, your support and explanations were extremely useful to me also. I’m sure this thread should help many others. Thank you!

1 Like