Comments (5)
Hi @JetTorres,
- Do you have a user in Keycloak who is a member of the Keycloak "camunda-admin" group? Do you have a group called "camunda-admin" in Keycloak (see administratorGroupName of your configuration)? Upon the very first startup of your application you should see some log entries where the Identity Provider grants authorizations to that group. Creating groups and users is your part / the responsibility of Keycloak - the Identity Provider is read-only and thus only reads this information.
- The user you're using to log in - have you checked the user's groups? What rights does the user have? Is he allowed to use Cockpit / Tasklist / Admin?
- In order to find out what's potentially wrong with your SSO setup you can set the log level of Spring Security to debug.
from camunda-platform-7-keycloak.
Hi @VonDerBeck
- Yes, I have a user in Keycloak under camunda-admin.
  I also have this session active in Keycloak when I logged in the demo account:
- How can I check that? The roles I had were query-group, query-user and view-user on realm-management.
- I saw these logs when I tried logging in: https://pastebin.com/2VuLCvJ3
from camunda-platform-7-keycloak.
Hi @JetTorres,
your application.yml misses any camunda.bpm configuration parameters...
If you look at the SSO example, you'll find especially the following parameters:

    camunda.bpm:
      authorization:
        enabled: true
      webapp.application-path:

Whether you want to enable authorization in Camunda is your choice. Ok. But Camunda's web application path must match the paths within the Spring WebSecurity configuration. If you just copied my sample this will not match any more. Because in the example Cockpit is directly running under root. But from your log file I can see that your application is under the path camunda:
2021-01-26 19:55:14.975 DEBUG 25816 --- [io-8081-exec-10] o.s.security.web.FilterChainProxy : /camunda/lib/ngDefine.js?bust=7.14.0 reached end of additional filter chain; proceeding with original chain
...
2021-01-26 19:55:15.328 DEBUG 25816 --- [nio-8081-exec-8] o.s.security.web.FilterChainProxy : /camunda/app/welcome/fonts/IBMPlexSans-Italic.otf at position 1 of 17 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
So it is very likely that the KeycloakAuthenticationProvider, which is responsible for wiring Spring Security with Camunda, hasn't been involved at all. Your Camunda application hasn't any knowledge about the authenticated user and its groups. You must either consider the /camunda application path in your Spring WebSecurity configuration (everywhere where there is /app), or you must add the configuration

    camunda.bpm:
      webapp.application-path:

to your application.yml and move the Camunda Cockpit to the root path.
Does that help?
Kind regards,
Gunnar
from camunda-platform-7-keycloak.
Hi @VonDerBeck,
I updated the settings in keycloak and specifically added this redirect URI:
Also, I updated my application.yml to explicitly call the URIs: https://pastebin.com/H92DE6Pj and added the config I missed. I ran camunda and typed it in the URL bar localhost:8081 and localhost:8081/camunda and we got this error log: https://pastebin.com/gx2TMPR6
I also tried debugging by adding breakpoints on the config classes, I noticed that it doesn't go through there.
Lastly I changed my WebAppSecurityConfig to match the path:
from camunda-platform-7-keycloak.
Setting camunda.bpm.webapp.application-path: camunda means setting it to default, which has no effect.
Camunda Cockpit consists of 3 paths, /app, /api, /lib - these are all under /camunda/* now. So you should clean up your code a little bit. And check the package of the KeycloakAuthenticationProvider. If it still does not work you should debug the KeycloakAuthenticationProvider and check if it is called and whether the token info can be successfully extracted or not.
from camunda-platform-7-keycloak.
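As an added example (not part of the thread or of the project's code): a short Python check that reads Spring Security FilterChainProxy DEBUG lines like those quoted above, reports which request paths fall outside a set of servlet-style URL patterns, and infers the application path they are actually served under. The `/app/*`, `/api/*`, `/lib/*` pattern list and all function names are assumptions made for illustration.

```python
import re

# Sample input: the two Spring Security DEBUG lines quoted in the thread.
LOG = """\
2021-01-26 19:55:14.975 DEBUG 25816 --- [io-8081-exec-10] o.s.security.web.FilterChainProxy : /camunda/lib/ngDefine.js?bust=7.14.0 reached end of additional filter chain; proceeding with original chain
2021-01-26 19:55:15.328 DEBUG 25816 --- [nio-8081-exec-8] o.s.security.web.FilterChainProxy : /camunda/app/welcome/fonts/IBMPlexSans-Italic.otf at position 1 of 17 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
""".splitlines()

# Assumption: patterns copied from a setup where the webapp runs under root.
ROOT_PATTERNS = ["/app/*", "/api/*", "/lib/*"]

REQ = re.compile(r"FilterChainProxy\s*:\s*(/\S*)\s+(?:at position|reached end)")
WEBAPP_DIRS = ("app", "api", "lib")  # the three Cockpit paths named in the thread

def request_paths(lines):
    """Request paths seen by FilterChainProxy, query string removed."""
    found = (REQ.search(line) for line in lines)
    return sorted({m.group(1).split("?", 1)[0] for m in found if m})

def matches(pattern, path):
    """Servlet-style match: '/x/*' is a path prefix, anything else is exact."""
    if pattern.endswith("/*"):
        base = pattern[:-2]
        return path == base or path.startswith(base + "/")
    return path == pattern

def uncovered(paths, patterns):
    """Paths that no configured pattern applies to."""
    return [p for p in paths if not any(matches(pat, p) for pat in patterns)]

def inferred_prefixes(paths):
    """Whatever precedes /app, /api or /lib in the observed requests."""
    out = set()
    for p in paths:
        parts = p.split("/")
        for i, seg in enumerate(parts[1:], start=1):
            if seg in WEBAPP_DIRS:
                out.add("/".join(parts[:i]))
                break
    return sorted(out)

def rebase(patterns, prefix):
    """Prepend the application path to every pattern."""
    return [prefix + pat for pat in patterns]

if __name__ == "__main__":
    paths = request_paths(LOG)
    print("not covered by root patterns:", uncovered(paths, ROOT_PATTERNS))
    for prefix in inferred_prefixes(paths):
        print("application path:", prefix or "/", "->", rebase(ROOT_PATTERNS, prefix))
```

An empty result from `uncovered` after rebasing means every logged request now falls under a configured pattern; it does not by itself confirm that the authentication provider is invoked, which still needs the debugging step suggested in the thread.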