C8 Self Managed - Tasklist API Client struggles

First of all, I am a new user and I can only post 2 valid links; if you see httt:// it's not a typo!

I have spent the past few hours today following the material located in the following link in relation to getting Camunda Platform 8 up and running on my local machine.

For the most part this has worked out pretty seamlessly; however, where I am having struggles is trying to query the task list via the GraphQL endpoint. I believe the material in the articles is more focused on the SaaS offering rather than self-hosted. See for example this article, where there is a setting for a clusterId; however, if I am running as self-hosted I am not sure what that should be.

I am using Postman, and with Keycloak and Identity I am able to generate a JWT token to access the Tasklist by following this (new user, I can't post this article!!) article. See below

Next I use Postman to create a new request to httt://localhost:8082/graphql using the bearer token returned from the previous step. However, at this point I am getting 401 status codes back.

I added 2 environment variables to my configuration for the Tasklist service in the docker-compose file

  • CAMUNDA_TASKLIST_CLIENT_AUDIENCE=tasklist-api
  • SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUER-URI=httt://keycloak:8080/auth/realms/camunda-platform

Is it that SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUER-URI is incorrect? Is the audience correct? Do I need to supply a clusterId if I am running locally with docker-compose? I am simply just trying to use the keycloak/identity services included in the docker-compose setup to get me up and running. Any help would be greatly appreciated!!

An update: I have gotten a bit further by replacing an environment variable in the docker-compose file from my original post:

SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUER-URI=httt://keycloak:8080/auth/realms/camunda-platform has been removed and replaced with SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_JWK-SET-URI=http://keycloak:8080/auth/realms/camunda-platform/protocol/openid-connect/certs

This seems to authenticate me but the Tasklist blows up then with this error message:

2022-05-21 11:04:10.009 ERROR 1 --- [nio-8080-exec-7] c.C.[.[.[.[configuredGraphQLHttpServlet] : Servlet.service() for servlet [configuredGraphQLHttpServlet] in context with path threw exception

java.lang.NullPointerException: null
    at org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider.authenticate(JwtAuthenticationProvider.java:90) ~[spring-security-oauth2-resource-server-5.5.5.jar:5.5.5]
    at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:182) ~[spring-security-core-5.5.5.jar:5.5.5]
    at org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationFilter.doFilterInternal(BearerTokenAuthenticationFilter.java:130) ~[spring-security-oauth2-resource-server-5.5.5.jar:5.5.5]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.3.13.jar:5.3.13]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) ~[spring-security-web-5.5.5.jar:5.5.5]
    at or

My setup for docker-compose for Tasklist service is as follows:

tasklist: # https://docs.camunda.io/docs/self-managed/platform-deployment/docker/#tasklist
    image: camunda/tasklist:${CAMUNDA_PLATFORM_VERSION:-8.0.2}
    container_name: tasklist
    ports:
      - "8082:8080"
    environment: # https://docs.camunda.io/docs/self-managed/tasklist-deployment/configuration/
      - CAMUNDA_TASKLIST_ZEEBE_GATEWAYADDRESS=zeebe:26500
      - CAMUNDA_TASKLIST_ELASTICSEARCH_URL=http://elasticsearch:9200
      - CAMUNDA_TASKLIST_ZEEBEELASTICSEARCH_URL=http://elasticsearch:9200
      # For more information regarding configuration with Identity see:
      # https://docs.camunda.io/docs/self-managed/tasklist-deployment/authentication/#identity
      # - SPRING_PROFILES_ACTIVE=ccsm works for demo/demo basic auth
      - SPRING_PROFILES_ACTIVE=identity-auth
      - CAMUNDA_TASKLIST_IDENTITY_ISSUER_URL=http://localhost:18080/auth/realms/camunda-platform
      - CAMUNDA_TASKLIST_IDENTITY_ISSUER_BACKEND_URL=http://keycloak:8080/auth/realms/camunda-platform
      - CAMUNDA_TASKLIST_IDENTITY_CLIENTID=tasklist
      - CAMUNDA_TASKLIST_IDENTITY_CLIENTSECRET=XALaRPl5qwTEItdwCMiPS62nVpKs7dL7
      - CAMUNDA_TASKLIST_IDENTITY_AUDIENCE=tasklist-api
      # API access:
      - CAMUNDA_TASKLIST_CLIENT_AUDIENCE=tasklist-api
      - SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_JWK-SET-URI=http://keycloak:8080/auth/realms/camunda-platform/protocol/openid-connect/certs
    networks:
      - camunda-platform
      - identity-network
    depends_on:
      - zeebe
      - identity
      - elasticsearch

And from Postman


It looks like it's attempting to redirect me to an API login.

Does anyone know what I am missing here?