My project uses Camunda 7 + Spring boot 3.x to manage the workflows. I am stuck on an issue related to authentication. I’m sure there must be a way around this. Any help would be deeply appreciated. Below are the points to highlight
The app is already protected by a custom OAuth server - I am able to integrate the OAuth using our custom spring security extension.
The problem comes after this point. After Authentication - I set the user and groups using a container-based auth provider which works fine as long as I enable the session management to be stateful.
My App cannot be stateful as there are multiple instances of the app running behind a load balancer. So, session management gets messy, which is why I prefer a stateless approach as the authentication is already taken care of by my oAuth security interceptor(when the req lands Camunda filters, the security context is already set with UserDetails). When I set the session creation as stateless, each request is tied to a new JSESSIONID by Camunda.
So, My question is, is it possible to bypass the session-based logic in the Camunda web app and just map the User and UserGroups from the spring security’s user detail object so that I can access the camunda-UI(Also, I don’t see a need for a session in my app as the auth is already taken care by my framework).
Unfortunately, our internal artifact repo has version only till 7.21.3(we are trying to get the latest versions synced).
I believe this is a very common use case for microservice architecture apps and I wonder how it is done in general.
Correct me if I am wrong, camunda 7.x is designed to use sessions. If so, does it also support/have a feature to support shared sessions? coz, microservice apps will have different processes and will not work with session-based auth.
Likewise, a lot of organizations may have their own auth framework, which may not play along with the camunda auth. In those cases, how do we disable the camunda auth yet gain access to cockpit?