One-time passcode authentication

Hello, is there any way to implement one-time passcode authentication to access the Camunda application? I have configured an LdapIdentityProviderPlugin for all company users and, in addition, I want to authorize some guest users to access the application (they don’t have an LDAP account).

Out of the box, no. If you want to give temporary access to Cockpit or Tasklist, you will likely have to build a custom authentication provider (the community Keycloak implementation could be a good place to start…)

Also, do you need to give guest access to Tasklist/Cockpit, or do guests only need access to a particular process instance or custom UI? If the latter, you could implement guest access using one identity provider and use a separate identity provider via your company LDAP for administrative access to Cockpit/Tasklist.

As an example, you could build a Spring Boot app using an embedded Camunda engine which exposes custom APIs using OAuth2 token authentication/authorisation and verifies these tokens against identity store ‘A’. This app could include something like a React UI to interact with a process instance. You could then install Tasklist/Cockpit apps on a separate node but using the same database. These administrative nodes could use the LDAP identity provider for administrative purposes…

P.S. - another ‘pattern’ is, within a process instance, to generate a UUID and securely deliver the UUID as a passcode to an intended participant. Hence, the UUID could be presented back and correlated against a process instance in order to interact with that process instance. It’s a very simple approach, but comes with a commensurately simple security posture… Another ‘feature’ of this approach is that it’s easy to expire the token with an interrupting timer in the process model…
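
The UUID-passcode pattern from the P.S. above, sketched as an added example that is not part of the original posts and is not Camunda code: it uses only the JDK (Java 17+), and an in-memory map stands in for the lookup against a process instance while a timestamp check stands in for the interrupting timer. The class name, method names and instance ids are hypothetical; storing only a hash of the passcode and making it single-use are hardening choices added here.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.time.Duration;
import java.time.Instant;
import java.util.HexFormat;
import java.util.Map;
import java.util.Optional;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;

public class GuestPasscodeRegistry {
    private record Grant(String processInstanceId, Instant expiresAt) {} // hypothetical grant record
    // Keyed by SHA-256 of the passcode, so a dump of this store does not reveal usable passcodes.
    private final Map<String, Grant> grants = new ConcurrentHashMap<>();

    private static String sha256Hex(String value) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(value.getBytes(StandardCharsets.UTF_8));
            return HexFormat.of().formatHex(digest);
        } catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); } // SHA-256 is always present
    }

    // Issue a passcode bound to exactly one process instance; UUID.randomUUID() draws from a CSPRNG.
    public String issue(String processInstanceId, Duration ttl, Instant now) {
        String passcode = UUID.randomUUID().toString();
        grants.put(sha256Hex(passcode), new Grant(processInstanceId, now.plus(ttl)));
        return passcode; // delivered out of band; only the hash is kept server-side
    }

    // Redeem once: remove() makes the passcode single-use even under concurrent requests.
    public Optional<String> redeem(String presented, Instant now) {
        Grant grant = grants.remove(sha256Hex(presented));
        if (grant == null || !now.isBefore(grant.expiresAt())) {
            return Optional.empty(); // unknown, already used, or expired: same answer for all three
        }
        return Optional.of(grant.processInstanceId());
    }

    public static void main(String[] args) {
        GuestPasscodeRegistry registry = new GuestPasscodeRegistry();
        Instant t0 = Instant.parse("2024-01-01T00:00:00Z"); // constructed sample time
        String code = registry.issue("instance-123", Duration.ofMinutes(15), t0); // constructed id
        System.out.println(registry.redeem(code, t0.plusSeconds(60)));   // first use, inside the TTL
        System.out.println(registry.redeem(code, t0.plusSeconds(120)));  // replay of the same passcode
        String late = registry.issue("instance-456", Duration.ofMinutes(15), t0); // constructed id
        System.out.println(registry.redeem(late, t0.plusSeconds(3600))); // presented after expiry
    }
}
```

The passcode only ever resolves to the one process instance it was issued for, which is what keeps a guest's reach limited to that instance rather than to Tasklist or Cockpit.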