Authentication self-managed

Hey! I tried for a long time to make progress, but I am stuck. I am relatively new to Camunda, Java and Spring. I set up a Self-Managed installation and set the authentication mode to “identity” instead of none, so that I have to authenticate via Keycloak and Identity.
Next, I was looking for a sample project to learn how all this works. I tried an open source Spring Boot task list solution. It worked with “authentication mode: none”, but with “authentication mode: identity” it caused problems starting the application. I tried further projects, but unfortunately I can’t get beyond authentication. Most sample projects/getting-started guides describe a way for SaaS or for Self-Managed without authentication, but not for Self-Managed with authentication.

In this github project (GitHub - camunda-community-hub/camunda-8-lowcode-ui-template: A Camunda 8 client with a custom tasklist integrated with a custom version of form-js), the application.yaml file looks like this:

spring:
  servlet.multipart:
    max-file-size: 10MB
    max-request-size: 30MB

  security.oauth2:
    enabled: false
    # client:
    #   registration.customTaskList:
    #     client-id: customTasklist
    #     client-secret: xxx
    #     authorization-grant-type: authorization_code
    #     scope: openid, profile
    #     redirect-uri: http://localhost:8080/login/oauth2/code/customTaskList
    #   provider.customTaskList.issuer-uri: http://localhost:18080/auth/realms/camunda-platform

I got the error “bearer token was expected but not found”.

I am clueless about the authentication.

I would be very grateful for every tip or help to understand this better.

Hi @Azudemlex, welcome to the forum. Because you’ve enabled Identity, the components are expecting you to authenticate using OAuth. You need to create the client credentials within Identity, and use the client ID and secret value to get a bearer token. This is a standard OAuth authentication flow, not specific to Camunda. There are some further examples in the spring-zeebe repository here.

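One way to do the client-credentials exchange Nathan describes from a plain Java Zeebe client, as an added example (not code from the thread, from spring-zeebe or from the Camunda docs): the `camunda-platform` realm comes from the issuer-uri in the config above and `zeebe-api` is the audience the gateway expects; the Keycloak host and port, the gateway address, the client id and the `ZEEBE_CLIENT_SECRET` environment variable are assumptions.

```java
import io.camunda.zeebe.client.CredentialsProvider;
import io.camunda.zeebe.client.ZeebeClient;
import io.camunda.zeebe.client.api.response.Topology;
import io.camunda.zeebe.client.impl.oauth.OAuthCredentialsProviderBuilder;

public class IdentityClientCredentialsExample {

    // Keycloak token endpoint of the realm Identity uses. The realm name is taken from the
    // issuer-uri in the thread; host and port are assumptions for a local Docker Compose setup.
    private static final String TOKEN_URL =
            "http://localhost:18080/auth/realms/camunda-platform/protocol/openid-connect/token";

    // Audience the Zeebe gateway checks in the token. It must match the client created in Identity.
    private static final String ZEEBE_AUDIENCE = "zeebe-api";

    public static void main(String[] args) {
        String clientId = "customapplication";                       // assumed: the client created in Identity
        String clientSecret = System.getenv("ZEEBE_CLIENT_SECRET");   // keep the secret out of application.yaml
        if (clientSecret == null || clientSecret.isBlank()) {
            throw new IllegalStateException("ZEEBE_CLIENT_SECRET is not set");
        }

        // The provider runs the OAuth client-credentials grant against Keycloak, caches the
        // access token and attaches it as a Bearer header to every gateway call.
        CredentialsProvider provider = new OAuthCredentialsProviderBuilder()
                .authorizationServerUrl(TOKEN_URL)
                .clientId(clientId)
                .clientSecret(clientSecret)
                .audience(ZEEBE_AUDIENCE)
                .build();

        try (ZeebeClient client = ZeebeClient.newClientBuilder()
                .gatewayAddress("localhost:26500")   // assumed gateway address
                .credentialsProvider(provider)
                .usePlaintext()                      // assumed: local gateway without TLS; drop this for a TLS gateway
                .build()) {

            // A topology request is the cheapest way to prove the token is accepted: with a wrong
            // audience, client id or secret the gateway rejects the call as unauthenticated.
            Topology topology = client.newTopologyCommand().send().join();
            System.out.println("Gateway version: " + topology.getGatewayVersion());
            System.out.println("Brokers reachable: " + topology.getBrokers().size());
        }
    }
}
```

If the topology call succeeds, the same client id, secret and audience are what belong in the Spring starter's `camunda.client.auth` section; if it fails, the rejection message from the gateway names whether the token was missing or had the wrong audience.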

Thank you very much!
I will give it a try 🙂

Sorry for bothering again.

I spent a lot of time trying to find a solution.

I set up a simple maven project with this main:

import io.camunda.zeebe.client.ZeebeClient;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

@SpringBootApplication
public class FirstSpringApplication {

	// Injected by the Camunda Spring starter once it can build an authenticated client
	@Autowired
	private ZeebeClient client;

	public static void main(String[] args) {
		SpringApplication.run(FirstSpringApplication.class, args);
	}
}

I tried the suggested solution for oidc in springboot, having this form:

camunda:
  client:
    mode: oidc
    tenant-ids:
    - <default>
    auth:
      oidc-type: keycloak
      issuer: http://host/auth/realms/camunda-platform
    zeebe:
      enabled: true
      gateway-url: http://host:443
      base-url: http://host:443
      prefer-rest-over-grpc: false
      audience: zeebe-api
    operate:
      enabled: true
      base-url: http://host:operate
      audience: operate-api
    tasklist:
      enabled: true
      base-url: http://host:tasklist
      audience: tasklist-api
    optimize:
      enabled: true
      base-url: http://host:optimize
      audience: optimize-api
    identity:
      enabled: true
      base-url: http://host:identity
      audience: identity-api

It said: unable to determine authentication.

I tried it in the same structure, but provided the client credentials as well:

camunda:
  client:
    mode: oidc
    tenant-ids:
    - <123456>
    auth:
      plaintext: false
      oidc-type: keycloak
      issuer: https://host/auth/realms/camunda-platform
      client-id: customapplication
      client-secret: xxsecretxx
    zeebe:
      enabled: true
      gateway-url: https://host:443
      base-url: https://host:443
      prefer-rest-over-grpc: false
      audience: zeebe-api
    operate:
      enabled: true
      base-url: https://host/operate
      audience: operate-api
    tasklist:
      enabled: true
      base-url: https://host/tasklist
      audience: tasklist-api
    optimize:
      enabled: true
      base-url: https://host/optimize
      audience: optimize-api
    identity:
      enabled: true
      base-url: https://host/identity4
      audience: identity-api

I got this error again:

2024-06-07T15:47:34.682+02:00 ERROR 29456 --- [           main] i.c.c.auth.DefaultNoopAuthentication     : Unable to determine authentication. Please check your configuration
2024-06-07T15:47:34.697+02:00  WARN 29456 --- [           main] i.m.c.i.simple.SimpleMeterRegistry       : A MeterFilter is being configured after a Meter has been registered to this registry. All MeterFilters should be configured before any Meters are registered. If that is not possible or you have a use case where it should be allowed, let the Micrometer maintainers know at https://github.com/micrometer-metrics/micrometer/issues/4920. Enable DEBUG level logging on this logger to see a stack trace of the call configuring this MeterFilter.
2024-06-07T15:47:34.698+02:00  WARN 29456 --- [           main] i.m.c.i.simple.SimpleMeterRegistry       : A MeterFilter is being configured after a Meter has been registered to this registry. All MeterFilters should be configured before any Meters are registered. If that is not possible or you have a use case where it should be allowed, let the Micrometer maintainers know at https://github.com/micrometer-metrics/micrometer/issues/4920. Enable DEBUG level logging on this logger to see a stack trace of the call configuring this MeterFilter.
2024-06-07T15:47:34.722+02:00  INFO 29456 --- [           main] z.s.c.c.ZeebeClientProdAutoConfiguration : Creating ZeebeClient using ZeebeClientConfiguration [ZeebeClientConfiguration{properties=ZeebeClientConfigurationProperties{environment=ApplicationEnvironment {activeProfiles=[], defaultProfiles=[default], propertySources=[ConfigurationPropertySourcesPropertySource {name='configurationProperties'}, PropertiesPropertySource {name='systemProperties'}, OriginAwareSystemEnvironmentPropertySource {name='systemEnvironment'}, RandomValuePropertySource {name='random'}, OriginTrackedMapPropertySource {name='Config resource 'class path resource [application.yaml]' via location 'optional:classpath:/''}]}, connectionMode='null', defaultTenantId='<default>', defaultJobWorkerTenantIds=[<default>], applyEnvironmentVariableOverrides=false, enabled=true, broker=Broker{gatewayAddress='null, grpcAddress=null, restAddress=null, keepAlive=PT45S}, cloud=Cloud{clusterId='null', clientId='null', clientSecret='null', region='bru-2', scope='null', baseUrl='zeebe.camunda.io', authUrl='https://login.cloud.camunda.io/oauth/token', port=443, credentialsCachePath='null'}, worker=Worker{maxJobsActive=32, threads=1, defaultName='null', defaultType='null', override={}}, message=Message{timeToLive=PT1H, maxMessageSize=4194304}, security=Security{plaintext=false, overrideAuthority='null', certPath='null'}, job=Job{timeout=PT5M, pollInterval=PT0.1S}, ownsJobWorkerExecutor=true, defaultJobWorkerStreamEnabled=false, requestTimeout=PT10S}, commonConfigurationProperties=CommonConfigurationProperties{keycloak=Keycloak{url='null', realm='null', tokenUrl='null'}} Client{clientId='***', clientSecret='***', username='***', password='***', enabled=false, url='null', authUrl='null', baseUrl='null'}, authentication=io.camunda.common.auth.DefaultNoopAuthentication@5d43409a, jsonMapper=io.camunda.zeebe.client.impl.ZeebeObjectMapper@6ede46f6, interceptors=[]}]

I noticed that a lot of properties are filled with null, so I thought maybe the structure has changed. I’ve tried this as well:

zeebe:
  client: 
    broker:
      gatewayAddress: host:443
    security:
      plaintext: false
    client:
      authUrl: xxx
      client-id: xxx
      client-secret: xxx

And a lot of other constellations. I could not find anything that works to connect to zeebe.

I would be grateful (once again) for a helpful solution.
Right now, I am considering using plain Java and moving away from Spring (although it looked way more comfortable).

Hi @Azudemlex - what version of Camunda Self-Managed are you using, and what version of spring-zeebe are you using?

Hey there!

Regarding Identity, you need to create users and groups along with their roles in Keycloak (your IAM solution) which is installed via Docker Compose.

Regarding Zeebe, you may need to read the official docs, the section on building your own client.

Hey Nathan! The Cluster runs on version 8.4.

I’ve tried this dependency:

<dependency>
  <groupId>io.camunda</groupId>
  <artifactId>spring-boot-starter-camunda-sdk</artifactId>
  <version>8.5.0</version>
</dependency>

And afterwards this dependency:

<dependency>
  <groupId>io.camunda.spring</groupId>
  <artifactId>spring-boot-starter-camunda</artifactId>
  <version>8.4.0</version>
</dependency>

Combined with:

<dependency>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-starter</artifactId>
</dependency>

// Update:
I set up zeebe 8.5.0 so that it fits the requirements of the Getting started | Camunda 8 Docs instructions.

I pushed my simple Spring app on Github:
www.github.com/AzumLex/springAppTest/tree/main

// Update
Hey, I think it works now!
At first, I tried it the way it’s done in the examples.
Then I mixed it up and combined the old way with the new spring 8.5.0 sdk.

Now I did everything as it’s shown in the guide (Getting started | Camunda 8 Docs instructions) and tried it on the right Zeebe version, and it seems to work. It still shows “unable to determine authentication”, but afterwards the BPMN gets deployed. I suppose that’s working.

Thank you for your help!

@Azudemlex - without seeing the code, I suspect the primary problem was a version mismatch, with spring-zeebe expecting Zeebe >=8.5.0 and you had 8.4.0. If you have any suggestions on how we could improve the documentation, that would be fantastic! You can either share it here and I can take it back to our documentation team, or you can open an issue at GitHub - camunda/camunda-docs: Camunda 8 Documentation, including all components and features describing what you encountered and your suggestions.