Authentication self-managed

Hey! I tried for a long time to make progress, but I am stuck. I am relatively new to Camunda, Java and Spring. I set up a Self-Managed installation and set the authentication mode to “identity” instead of none, so that I have to authenticate via Keycloak and Identity.
Next, I was looking for a sample project to learn how all this works. I tried an open source Spring Boot task list solution. It worked with “authentication mode: none” but with “authentication mode: identity” it caused problems starting the application. I tried further projects but unfortunately, I can’t get beyond authentication. In most sample projects/starting guides there is a given way for SaaS or non-authentication self-managed but not for authentication self-managed.

In this github project (GitHub - camunda-community-hub/camunda-8-lowcode-ui-template: A Camunda 8 client with a custom tasklist integrated with a custom version of form-js), the application.yaml file looks like this:

spring:
  servlet.multipart:
    max-file-size: 10MB
    max-request-size: 30MB

  security.oauth2:
    enabled: false
    # client:
    #   registration.customTaskList:
    #     client-id: customTasklist
    #     client-secret: xxx
    #     authorization-grant-type: authorization_code
    #     scope: openid, profile
    #     redirect-uri: http://localhost:8080/login/oauth2/code/customTaskList
    #   provider.customTaskList.issuer-uri: http://localhost:18080/auth/realms/camunda-platform

I got the error “bearer token was expected but not found”.

I am clueless about the authentication.

I would be very grateful for every tip or help to understand this better.

Hi @Azudemlex, welcome to the forum. Because you’ve enabled Identity, that means the components are expecting you to authenticate using OAuth. You need to create the client credentials within Identity, and use the client ID and secret value to get a bearer token. This is a standard OAuth authentication flow, not specific to Camunda. There are some further examples in the spring-zeebe repository here.

3 Likes
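The client-credentials exchange described in the reply above, as an added example that is not part of the original thread and not Camunda's own code: it requests a token with a client ID and secret, then calls a protected endpoint without and with the `Authorization: Bearer` header. The local stub server, the `/protected` path and the `demo-token` value are constructed for the demo; the client ID and secret are the placeholders from the question, and the token path is Keycloak's `/protocol/openid-connect/token` below the realm issuer.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.*;
import java.net.http.*;
import java.nio.charset.StandardCharsets;
import java.util.regex.*;

public class ClientCredentialsDemo {
    static final HttpClient HTTP = HttpClient.newHttpClient();
    // Step 1: exchange client ID and secret for an access token at the realm's token endpoint.
    static String fetchToken(String issuer, String clientId, String secret) throws Exception {
        String form = "grant_type=client_credentials&client_id=" + URLEncoder.encode(clientId, StandardCharsets.UTF_8)
                + "&client_secret=" + URLEncoder.encode(secret, StandardCharsets.UTF_8);
        HttpRequest req = HttpRequest.newBuilder(URI.create(issuer + "/protocol/openid-connect/token"))
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString(form)).build();
        HttpResponse<String> res = HTTP.send(req, HttpResponse.BodyHandlers.ofString());
        Matcher m = Pattern.compile("\"access_token\"\\s*:\\s*\"([^\"]+)\"").matcher(res.body());
        if (res.statusCode() != 200 || !m.find()) throw new IllegalStateException("token request failed: HTTP " + res.statusCode());
        return m.group(1);
    }

    // Step 2: call a protected endpoint; a null token reproduces the unauthenticated request.
    static int callApi(String url, String token) throws Exception {
        HttpRequest.Builder b = HttpRequest.newBuilder(URI.create(url)).GET();
        if (token != null) b.header("Authorization", "Bearer " + token);
        return HTTP.send(b.build(), HttpResponse.BodyHandlers.discarding()).statusCode();
    }

    public static void main(String[] args) throws Exception {
        // Constructed local stub standing in for Keycloak and for a protected component.
        HttpServer stub = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        stub.createContext("/auth/realms/camunda-platform/protocol/openid-connect/token", ex -> {
            boolean ok = new String(ex.getRequestBody().readAllBytes(), StandardCharsets.UTF_8)
                    .contains("client_id=customapplication&client_secret=xxsecretxx");
            byte[] out = (ok ? "{\"access_token\":\"demo-token\"}" : "{\"error\":\"invalid_client\"}").getBytes(StandardCharsets.UTF_8);
            ex.sendResponseHeaders(ok ? 200 : 401, out.length);
            ex.getResponseBody().write(out);
            ex.close();
        });
        stub.createContext("/protected", ex -> {
            boolean ok = "Bearer demo-token".equals(ex.getRequestHeaders().getFirst("Authorization"));
            ex.sendResponseHeaders(ok ? 200 : 401, -1);
            ex.close();
        });
        stub.start();
        String base = "http://127.0.0.1:" + stub.getAddress().getPort();
        String token = fetchToken(base + "/auth/realms/camunda-platform", "customapplication", "xxsecretxx");
        System.out.println("no token: HTTP " + callApi(base + "/protected", null) + ", with token: HTTP " + callApi(base + "/protected", token));
        stub.stop(0);
    }
}
```

Against a real installation, `fetchToken` takes the realm issuer URL from the configuration, and the secret is better read from an environment variable than hard-coded.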

Thank you very much!
I will give it a try :)

Sorry for bothering again.

I spent a lot of time trying to find a solution.

I set up a simple maven project with this main:

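import io.camunda.zeebe.client.ZeebeClient;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

@SpringBootApplication
public class FirstSpringApplication {

	// Injected by the Camunda Spring starter once the client configuration resolves
	@Autowired
	private ZeebeClient client;

	public static void main(String[] args) {
		SpringApplication.run(FirstSpringApplication.class, args);
	}
}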

I tried the suggested solution for oidc in springboot, having this form:

camunda:
  client:
    mode: oidc
    tenant-ids:
    - <default>
    auth:
      oidc-type: keycloak
      issuer: http://host/auth/realms/camunda-platform
    zeebe:
      enabled: true
      gateway-url: http://host:443
      base-url: http://host:443
      prefer-rest-over-grpc: false
      audience: zeebe-api
    operate:
      enabled: true
      base-url: http://host:operate
      audience: operate-api
    tasklist:
      enabled: true
      base-url: http://host:tasklist
      audience: tasklist-api
    optimize:
      enabled: true
      base-url: http://host:optimize
      audience: optimize-api
    identity:
      enabled: true
      base-url: http://host:identity
      audience: identity-api

It said: unable to determine authentication.

I tried it in the same structure, but provided the client credentials as well:

camunda:
  client:
    mode: oidc
    tenant-ids:
    - <123456>
    auth:
      plaintext: false
      oidc-type: keycloak
      issuer: https://host/auth/realms/camunda-platform
      client-id: customapplication
      client-secret: xxsecretxx
    zeebe:
      enabled: true
      gateway-url: https://host:443
      base-url: https://host:443
      prefer-rest-over-grpc: false
      audience: zeebe-api
    operate:
      enabled: true
      base-url: https://host/operate
      audience: operate-api
    tasklist:
      enabled: true
      base-url: https://host/tasklist
      audience: tasklist-api
    optimize:
      enabled: true
      base-url: https://host/optimize
      audience: optimize-api
    identity:
      enabled: true
      base-url: https://host/identity4
      audience: identity-api

I got this error again:

2024-06-07T15:47:34.682+02:00 ERROR 29456 --- [           main] i.c.c.auth.DefaultNoopAuthentication     : Unable to determine authentication. Please check your configuration
2024-06-07T15:47:34.697+02:00  WARN 29456 --- [           main] i.m.c.i.simple.SimpleMeterRegistry       : A MeterFilter is being configured after a Meter has been registered to this registry. All MeterFilters should
 be configured before any Meters are registered. If that is not possible or you have a use case where it should be allowed, let the Micrometer maintainers know at https://github.com/micrometer-metrics/micrometer/issu
es/4920. Enable DEBUG level logging on this logger to see a stack trace of the call configuring this MeterFilter.
2024-06-07T15:47:34.698+02:00  WARN 29456 --- [           main] i.m.c.i.simple.SimpleMeterRegistry       : A MeterFilter is being configured after a Meter has been registered to this registry. All MeterFilters should
 be configured before any Meters are registered. If that is not possible or you have a use case where it should be allowed, let the Micrometer maintainers know at https://github.com/micrometer-metrics/micrometer/issu
es/4920. Enable DEBUG level logging on this logger to see a stack trace of the call configuring this MeterFilter.
2024-06-07T15:47:34.722+02:00  INFO 29456 --- [           main] z.s.c.c.ZeebeClientProdAutoConfiguration : Creating ZeebeClient using ZeebeClientConfiguration [ZeebeClientConfiguration{properties=ZeebeClientConfigura
tionProperties{environment=ApplicationEnvironment {activeProfiles=[], defaultProfiles=[default], propertySources=[ConfigurationPropertySourcesPropertySource {name='configurationProperties'}, PropertiesPropertySource 
{name='systemProperties'}, OriginAwareSystemEnvironmentPropertySource {name='systemEnvironment'}, RandomValuePropertySource {name='random'}, OriginTrackedMapPropertySource {name='Config resource 'class path resource 
[application.yaml]' via location 'optional:classpath:/''}]}, connectionMode='null', defaultTenantId='<default>', defaultJobWorkerTenantIds=[<default>], applyEnvironmentVariableOverrides=false, enabled=true, broker=Br
oker{gatewayAddress='null, grpcAddress=null, restAddress=null, keepAlive=PT45S}, cloud=Cloud{clusterId='null', clientId='null', clientSecret='null', region='bru-2', scope='null', baseUrl='zeebe.camunda.io', authUrl='
https://login.cloud.camunda.io/oauth/token', port=443, credentialsCachePath='null'}, worker=Worker{maxJobsActive=32, threads=1, defaultName='null', defaultType='null', override={}}, message=Message{timeToLive=PT1H, m
axMessageSize=4194304}, security=Security{plaintext=false, overrideAuthority='null', certPath='null'}, job=Job{timeout=PT5M, pollInterval=PT0.1S}, ownsJobWorkerExecutor=true, defaultJobWorkerStreamEnabled=false, requ
estTimeout=PT10S}, commonConfigurationProperties=CommonConfigurationProperties{keycloak=Keycloak{url='null', realm='null', tokenUrl='null'}} Client{clientId='***', clientSecret='***', username='***', password='***', 
enabled=false, url='null', authUrl='null', baseUrl='null'}, authentication=io.camunda.common.auth.DefaultNoopAuthentication@5d43409a, jsonMapper=io.camunda.zeebe.client.impl.ZeebeObjectMapper@6ede46f6, interceptors=[
]}]

I noticed that a lot of properties are filled with null, so I thought, maybe the structure has changed. I’ve tried this as well:

zeebe:
  client: 
    broker:
      gatewayAddress: host:443
    security:
      plaintext: false
    client:
      authUrl: xxx
      client-id: xxx
      client-secret: xxx

And a lot of other constellations. I could not find anything that works to connect to zeebe.

I would be grateful (once again) for a helpful solution.
Right now, I am considering using plain Java and going away from Spring (although it looked way more comfortable).

Hi @Azudemlex - what version of Camunda Self-Managed are you using, and what version of spring-zeebe are you using?

Hey there!

Regarding Identity, you need to create users and groups along with their roles in Keycloak (your IAM solution) which is installed via Docker Compose.

Regarding Zeebe, you may need to read the official docs, the section on building your own client.

Hey Nathan! The Cluster runs on version 8.4.

I’ve tried this dependency:

<dependency>
    <groupId>io.camunda</groupId>
    <artifactId>spring-boot-starter-camunda-sdk</artifactId>
    <version>8.5.0</version>
</dependency>

And afterwards this dependency:

<dependency>
    <groupId>io.camunda.spring</groupId>
    <artifactId>spring-boot-starter-camunda</artifactId>
    <version>8.4.0</version>
</dependency>

Combined with:

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter</artifactId>
</dependency>

// Update:
I set up zeebe 8.5.0 so that it fits the requirements of the Getting started | Camunda 8 Docs instructions.

I pushed my simple Spring app on Github:
www.github.com/AzumLex/springAppTest/tree/main

// Update
Hey, I think it works now!
At first, I tried it the way it’s done in the examples.
Then I mixed it up and combined the old way with the new Spring 8.5.0 SDK.

Now I did everything as it’s shown in the guide (Getting started | Camunda 8 Docs instructions) and tried it on the right zeebe version and it seems to work. It still shows: unable to determine authentication, but afterwards, the bpmn gets deployed. I suppose that’s working.

Thank you for your help!

@Azudemlex - without seeing the code, I suspect the primary problem was a version mismatch, with spring-zeebe expecting Zeebe >=8.5.0 and you had 8.4.0. If you have any suggestions on how we could improve the documentation, that would be fantastic! You can either share it here and I can take it back to our documentation team, or you can open an issue at GitHub - camunda/camunda-docs: Camunda 8 Documentation, including all components and features describing what you encountered and your suggestions.

@nathan.loding
I have thought about my errors and what could have been helpful.

I had two environments, one with 8.4 and one with 8.5.

At first, I tried some of the community applications for the 8.4 cluster but it was hard to begin, because the 8.4 cluster is secured. So I set up a new system with 8.5 and no security to make it easier. I did not realize the big difference between version 4 and 5 and tried the same code for 8.5, which again did not work properly.

I tried to follow the guide (Getting started | Camunda 8 Docs), but I was confused because in order to connect to a self-managed-cluster I need to set the “zeebe.client.cloud…” value. At first, I thought it is only for cloud because it’s similar to the connection to a cloud cluster.

So I combined the connection settings from the community hub (GitHub - camunda-community-hub/spring-zeebe: Easily use the Zeebe Java Client in your Spring or Spring Boot projects) in the community. In the community hub, there is already an entry in the “version compatibility”, but the authentication guide below refers to the 8.4 version.

Somehow, I did confuse the structure. Now, with that in mind, I think the official documentation is great and working with 8.5 is definitely more comfortable. For me as a beginner, it would have been helpful to have a note with that information or something that makes this structure clearer.

1 Like

Thanks for taking the time to share this feedback, @Azudemlex! I’ll share this with our docs team!
