My project uses Camunda 7 + Spring Boot 3.x to manage the workflows. I am stuck on an issue related to authentication. I’m sure there must be a way around this. Any help would be deeply appreciated. Below are the points to highlight:
The app is already protected by a custom OAuth server - I am able to integrate the OAuth using our custom Spring Security extension.
The problem comes after this point. After authentication, I set the user and groups using a container-based auth provider, which works fine as long as I enable the session management to be stateful.
My app cannot be stateful as there are multiple instances of the app running behind a load balancer. So, session management gets messy, which is why I prefer a stateless approach, as the authentication is already taken care of by my OAuth security interceptor (when the request lands in the Camunda filters, the security context is already set with UserDetails). When I set the session creation as stateless, each request is tied to a new JSESSIONID by Camunda.
So, my question is: is it possible to bypass the session-based logic in the Camunda web app and just map the User and UserGroups from Spring Security’s UserDetails object so that I can access the Camunda UI? (Also, I don’t see a need for a session in my app as the auth is already taken care of by my framework.)
Hey @jonathan.lukas, thanks for the quick response. I have already gone through the Camunda OAuth integration. Though I haven’t tried it, I believe it would not work out for us because our auth framework uses org-specific aspects (e.g., we don’t have scopes; instead, we have/call them roles, and we have different ways of generating tokens - Kerberos, cert-based, etc.).
That is why I was wondering if I could simply bypass the session management, as the entire app is SSO protected anyway (for the first time, the auth framework redirects the user to the auth server login and redirects back with the token). By bypass, I mean parse the token and set the Camunda User, Groups, Tenants, etc., in a filter or something.
I tried overriding Camunda’s AuthenticationFilter to get rid of the session. However, the CookieConfigurer sets the session anyway. So, I was worried I was hitting the wrong place. I hope now you are able to follow my query.
While I try out the OAuth integration (even though I doubt it works for my use case), if it is possible to get rid of the session / achieve my above requirement, kindly help me with some info.
Unfortunately, our internal artifact repo only has versions up to 7.21.3 (we are trying to get the latest versions synced).
I believe this is a very common use case for microservice architecture apps, and I wonder how it is done in general.
Correct me if I am wrong, but Camunda 7.x is designed to use sessions. If so, does it also support/have a feature to support shared sessions? Because microservice apps will have different processes and will not work with session-based auth.
Likewise, a lot of organizations may have their own auth framework, which may not play along with the Camunda auth. In those cases, how do we disable the Camunda auth yet gain access to Cockpit?
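The "map the Spring Security principal to Camunda User, Groups and Tenants in a filter" approach the poster describes, as an added example that is not from the thread or from Camunda itself: a custom Camunda `AuthenticationProvider` plugged into Camunda's `ContainerBasedAuthenticationFilter`. It assumes (hypothetically) that `ROLE_`-prefixed authorities are Camunda group ids, `TENANT_`-prefixed ones are tenant ids, the web app is served under `/camunda/*`, and the filter order places it after Spring Security's chain; it does not change the session handling the poster observed.

```java
package example.sso; // hypothetical package name

import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.camunda.bpm.engine.ProcessEngine;
import org.camunda.bpm.webapp.impl.security.auth.AuthenticationProvider;
import org.camunda.bpm.webapp.impl.security.auth.AuthenticationResult;
import org.camunda.bpm.webapp.impl.security.auth.ContainerBasedAuthenticationFilter;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;

// Reads the principal that the upstream OAuth filter already placed in the
// Spring SecurityContext and hands Camunda the user id, groups and tenants.
public class SpringSecurityAuthenticationProvider implements AuthenticationProvider {

  @Override
  public AuthenticationResult extractAuthenticatedUser(HttpServletRequest request, ProcessEngine engine) {
    Authentication auth = SecurityContextHolder.getContext().getAuthentication();
    if (auth == null || !auth.isAuthenticated() || auth instanceof AnonymousAuthenticationToken) {
      return AuthenticationResult.unsuccessful(); // filter replies 401 instead of a Camunda login page
    }
    List<String> groups = new ArrayList<>();
    List<String> tenants = new ArrayList<>();
    for (GrantedAuthority ga : auth.getAuthorities()) {
      String a = ga.getAuthority();
      if (a.startsWith("ROLE_")) groups.add(a.substring("ROLE_".length()));       // assumed mapping
      else if (a.startsWith("TENANT_")) tenants.add(a.substring("TENANT_".length())); // assumed mapping
    }
    AuthenticationResult result = AuthenticationResult.successful(auth.getName());
    result.setGroups(groups);   // explicit lists, so Camunda does not query its identity service
    result.setTenants(tenants);
    return result;
  }

  @Override
  public void augmentResponseByAuthenticationChallenge(HttpServletResponse response, ProcessEngine engine) {
    // SSO already happened upstream; nothing to add to the 401 response.
  }

  @Configuration
  public static class Registration {
    @Bean
    public FilterRegistrationBean<ContainerBasedAuthenticationFilter> camundaAuthFilter() {
      FilterRegistrationBean<ContainerBasedAuthenticationFilter> reg = new FilterRegistrationBean<>();
      reg.setFilter(new ContainerBasedAuthenticationFilter());
      reg.setInitParameters(Map.of("authentication-provider", SpringSecurityAuthenticationProvider.class.getName()));
      reg.addUrlPatterns("/camunda/*"); // assumed web app path
      reg.setOrder(200);                // assumed: later than Spring Security's filter chain
      return reg;
    }
  }
}
```

Because the provider returns `unsuccessful()` whenever the Spring SecurityContext is empty or anonymous, a request that slipped past the OAuth interceptor never reaches Cockpit with an implied identity.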