Authorization Provider on Camunda 8

Hello, we have been using Camunda 8 with the self-managed Docker setup. So we use Keycloak as the authorization provider, since it is in the docker-compose file.

I have some questions (things that I can’t understand).

  1. Is Keycloak necessary for the functionality of Camunda? I mean, I understand that the APIs need a bearer token to authorize the application. Could I create this token somehow in a different way? For example, can I have my own backend service (we are using a .NET web API) and create the tokens there with all the needed information?

  2. What is Camunda asking from Keycloak? Why is it needed? How could it be ignored?

  3. I would appreciate it if someone could describe the overall process of the authorization, to have a better understanding of what exactly is happening. More specifically, how is Camunda “connected” to Keycloak? What happens when I try to make a request to the Operate or Tasklist API? I would like a general picture of this functionality to see what the alternatives are.

Thank you very much for your time!

Hello @konkouts ,

Currently, Keycloak is the only identity provider supported with Camunda 8.

It is responsible for everything related to authentication and authorization, so every application relies on token validation and uses the token to extract user roles.

However, Keycloak is very flexible and can be integrated with many other identity providers and protocols out of the box.

This makes the usage alongside Camunda 8 quite handy, despite the fact that you need it to "bridge" from Camunda 8 to your actual identity provider.

We are also planning to bring in more flexibility and natively integrate with other identity providers as well.

Jonathan

1 Like

Thanks @jonathan.lukas ,

How about implementing authentication and authorization in Camunda 8 without using Keycloak or any other third-party identity provider?
I mean develop custom code to manage user accounts, roles, and access to resources. Also create a custom database schema to store user information, implementing a custom authentication service to validate user credentials and generate access tokens, and implementing custom authorization logic to determine which users have access to which resources. In addition handle secure password storage and transmission.

Is this possible? Basically we want to create a mechanism that does a similar job as keycloak.
In that case, how can we achieve this? I mean, how can I see the things that Camunda expects from the auth token so I can use them to create one myself.

I hope my point has been made clear. Otherwise, I can try to explain it differently.
I appreciate the effort for explaining this, thank you!

Hello @konkouts ,

This is actually what we moved away from by adopting Keycloak. Custom code needs maintenance, and identity components are very critical in regard to security and privacy. The amount of invested time would be much higher; this is one reason why we moved to adopting an open-source identity provider that aligns with our platform very well.

The big advantage of Keycloak is that it can be integrated with most common identity providers while being capable of working as a standalone identity component. This provides feature parity with Camunda Platform 7 while having even more features in place, like for example m2m token management.

In general, it would be possible to create your own identity provider. It could be integrated with Camunda Platform 8, given it implements the same REST API as Keycloak does. Otherwise, a separate client implementation inside identity would be required. Are you actually planning to create your own identity provider?

Jonathan

1 Like

@jonathan.lukas the thing is that we need a more “custom” architecture. The plan is to use the Camunda components and handle the users and authentication from our own .NET backend service. So yes, the goal is to handle everything from there without using Keycloak.
That being said, I am trying to understand what we need to provide to Camunda from our .NET service in order to be able to make requests to the Tasklist and Operate APIs.
Do we just have to create a bearer token similar to the one created with Keycloak?
Is the information that Camunda needs just the parameters used to generate the token so far (grant_type, client_id, client_secret)?
But this information exists inside Keycloak. How will it be managed otherwise?

These are the things that I am trying to figure out.
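As an added example (not code from this thread, nor from Camunda or Keycloak), here are the checks a relying party such as Operate or Tasklist performs on a Keycloak-issued bearer token once its RS256 signature has been verified against the realm's JWKS: issuer, audience and expiry, followed by role extraction from Keycloak's realm_access and resource_access claims. Python is used so the example runs stand-alone; the issuer URL, audience, client name and the exact claim set Camunda enforces are assumptions, and the sample token is constructed with a placeholder signature.

```python
import base64
import json
import time

# Constructed sample values, not from the thread. A Keycloak issuer looks like
# <base-url>/realms/<realm>; which claims Camunda enforces is an assumption here.
ISSUER = "https://keycloak.example.test/realms/camunda-platform"
AUDIENCE = "operate-api"

def _b64url_decode(part: str) -> bytes:
    """Decode an unpadded base64url JWT segment."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_sample_token(payload: dict) -> str:
    """Build a JWT-shaped string for offline testing. The signature segment is
    a placeholder, so this token would fail real RS256 verification."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "sample-kid"}
    return ".".join(_b64url_encode(json.dumps(p).encode())
                    for p in (header, payload)) + "." + _b64url_encode(b"placeholder")

def decode_payload(token: str) -> dict:
    """Return the claims of a token whose signature has already been verified
    against the realm's JWKS; tokens claiming alg 'none' are refused."""
    header_b64, payload_b64, _sig = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if str(header.get("alg", "none")).lower() == "none":
        raise ValueError("unsigned token rejected")
    return json.loads(_b64url_decode(payload_b64))

def check_claims(payload: dict, issuer: str, audience: str, now: float = None) -> bool:
    """Relying-party checks every Camunda component would need: iss, aud, exp."""
    now = time.time() if now is None else now
    if payload.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    aud = payload.get("aud", [])
    if audience not in ([aud] if isinstance(aud, str) else aud):
        raise ValueError("token not intended for this audience")
    if payload.get("exp", 0) <= now:
        raise ValueError("token expired")
    return True

def extract_roles(payload: dict, client_id: str) -> list:
    """Keycloak puts realm roles in realm_access.roles and client roles in
    resource_access.<client_id>.roles; merge both for the authorization decision."""
    realm_roles = payload.get("realm_access", {}).get("roles", [])
    client_roles = payload.get("resource_access", {}).get(client_id, {}).get("roles", [])
    return sorted(set(realm_roles) | set(client_roles))
```

A backend that wants to replace Keycloak has to produce tokens that pass these checks and carry the role claims the Camunda components read, which is why the token format, not only the grant parameters, matters.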

Hello @konkouts ,

Why do you not use Keycloak as a service and use the Keycloak features of identity federation to your own identity provider?

Jonathan

1 Like