Comments (5)

VonDerBeck commented on July 27, 2024

Hi @JetTorres,

  1. Do you have a user in Keycloak who is a member of the Keycloak "camunda-admin" group? Do you have a group called "camunda-admin" in Keycloak (see administratorGroupName of your configuration)? Upon the very first startup of your application you should see some log entries where the Identity Provider grants authorizations to that group. Creating groups and users is your part / the responsibility of Keycloak - the Identity Provider is read-only and thus only reads this information.
  2. The user you're using to log in - have you checked the user's groups? What rights does the user have? Is he allowed to use Cockpit / Tasklist / Admin?
  3. In order to find out what's potentially wrong with your SSO setup you can set the log level of Spring Security to debug.

from camunda-platform-7-keycloak.

JetTorres commented on July 27, 2024

Hi @VonDerBeck

  1. Yes, I have a user in Keycloak under camunda-admin
    image
    image
    I also have this session active in Keycloak when I logged in with the demo account:
    image

  2. How can I check that? The roles I had were query-group, query-user and view-user on realm-management

  3. I saw these logs when I tried logging in https://pastebin.com/2VuLCvJ3

VonDerBeck commented on July 27, 2024

Hi @JetTorres,

your application.yml misses any camunda.bpm configuration parameters...

If you look at the SSO example, you'll find especially the following parameters:

camunda.bpm:
  authorization:
    enabled: true
  webapp.application-path:

Whether you want to enable authorization in Camunda is your choice. OK. But Camunda's web application path must match the paths within the Spring WebSecurity configuration. If you just copied my sample this will not match any more, because in the example Cockpit is running directly under root. But from your log file I can see that your application is under the path camunda:

2021-01-26 19:55:14.975 DEBUG 25816 --- [io-8081-exec-10] o.s.security.web.FilterChainProxy        : /camunda/lib/ngDefine.js?bust=7.14.0 reached end of additional filter chain; proceeding with original chain
...
2021-01-26 19:55:15.328 DEBUG 25816 --- [nio-8081-exec-8] o.s.security.web.FilterChainProxy        : /camunda/app/welcome/fonts/IBMPlexSans-Italic.otf at position 1 of 17 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'

So it is very likely that the KeycloakAuthenticationProvider, which is responsible for wiring Spring Security with Camunda, hasn't been involved at all. Your Camunda application hasn't any knowledge about the authenticated user and its groups. You must either consider the /camunda application path in your Spring WebSecurity configuration (everywhere where there is /app), or you must add the configuration

camunda.bpm:
  webapp.application-path:

to your application.yml and move the Camunda Cockpit to the root path.

Does that help?

Kind regards,
Gunnar

JetTorres commented on July 27, 2024

Hi @VonDerBeck ,

I updated the settings in Keycloak and specifically added this redirect URI:
image

Also, I updated my application.yml to explicitly call the URIs: https://pastebin.com/H92DE6Pj and added the config I missed. I ran Camunda and typed localhost:8081 and localhost:8081/camunda in the URL bar, and we got this error log: https://pastebin.com/gx2TMPR6

I also tried debugging by adding breakpoints on the config classes, and I noticed that it doesn't go through there.
Lastly, I changed my WebAppSecurityConfig to match the path:
image

VonDerBeck commented on July 27, 2024

Setting camunda.bpm.webapp.application-path: camunda means setting it to default. Which has no effect.

Camunda Cockpit consists of 3 paths, /app, /api, /lib - these are all under /camunda/* now. So you should clean up your code a little bit. And check the package of the KeycloakAuthenticationProvider. If it still does not work you should debug the KeycloakAuthenticationProvider and check if it is called and whether the token info can be successfully extracted or not.

from camunda-platform-7-keycloak.
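The path mismatch diagnosed in this thread can be checked mechanically from the Spring Security debug log. The following is an added example, not part of the thread or of the project's code: it reads the two FilterChainProxy lines quoted above, infers the application path the webapps are served under, and lists the requests that a set of security matchers would not cover. The matcher lists are assumed stand-ins for the patterns in a WebSecurity configuration, and the matching is a simplified Ant-style translation, not Spring's own AntPathMatcher.

```python
import re

# The two DEBUG lines quoted in the thread, embedded so the check runs offline.
LOG = """\
2021-01-26 19:55:14.975 DEBUG 25816 --- [io-8081-exec-10] o.s.security.web.FilterChainProxy        : /camunda/lib/ngDefine.js?bust=7.14.0 reached end of additional filter chain; proceeding with original chain
2021-01-26 19:55:15.328 DEBUG 25816 --- [nio-8081-exec-8] o.s.security.web.FilterChainProxy        : /camunda/app/welcome/fonts/IBMPlexSans-Italic.otf at position 1 of 17 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
"""

# Assumption: matchers written for webapps running directly under root.
ROOT_MATCHERS = ["/app/**", "/api/**", "/lib/**"]
# Assumption: the same matchers moved under the /camunda application path.
CAMUNDA_MATCHERS = ["/camunda" + m for m in ROOT_MATCHERS]

PATH_RE = re.compile(r"FilterChainProxy\s*:\s*(/\S*)")
ANT_TOKENS = {"**": ".*", "*": "[^/]*", "?": "[^/]"}

def ant_to_regex(pattern):
    """Translate a simplified Ant-style pattern (**, *, ?) into a regex."""
    tail = ""
    if pattern.endswith("/**"):  # "/app/**" also covers "/app" itself
        pattern, tail = pattern[:-3], "(/.*)?"
    parts = re.split(r"(\*\*|\*|\?)", pattern)
    body = "".join(ANT_TOKENS.get(p, re.escape(p)) for p in parts)
    return re.compile(body + tail + r"\Z")

def request_paths(log_text):
    """Request paths (query string stripped) from FilterChainProxy lines."""
    return [m.group(1).split("?", 1)[0] for m in PATH_RE.finditer(log_text)]

def observed_prefixes(paths):
    """Whatever precedes /app, /api or /lib is the effective application path."""
    found = set()
    for path in paths:
        m = re.match(r"(.*?)/(?:app|api|lib)(?:/|\Z)", path)
        if m:
            found.add(m.group(1) or "/")
    return found

def uncovered(paths, matchers):
    """Paths that none of the given security matchers apply to."""
    compiled = [ant_to_regex(m) for m in matchers]
    return [p for p in paths if not any(c.match(p) for c in compiled)]

if __name__ == "__main__":
    paths = request_paths(LOG)
    print("application path(s) seen in log:", observed_prefixes(paths))
    print("not covered by root matchers:", uncovered(paths, ROOT_MATCHERS))
    print("not covered by /camunda matchers:", uncovered(paths, CAMUNDA_MATCHERS))
```

A non-empty "not covered" list means those requests pass through the filter chain without the authentication rules applying to them, which is the situation described in the thread.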