camunda 8.7.6 onprem setup - Issue on trying model UI open - UT005023 /internal-api/projects 500 Error

Hi, I have done an on-prem setup with Camunda 8.7.6. All my components work except Web Modeler, for which the UI opens but I am not able to create a new project. Create gives an error with 500. The log shows the error below - “message”:“UT005023: Exception handling request to /internal-api/projects”,“context”:“default”,“exception”:"jakarta.servlet.ServletException: Request processing failed: java.lang.IllegalStateException: invalid issuer url

Based on the error you’re encountering, this is a problem with your Camunda 8.7.6 Web Modeler on-premises setup. The “UT005023: Exception handling request to /internal-api/projects” error with “invalid issuer url” indicates a misconfiguration in your authentication setup.

Root Cause

The error is related to JWT token validation failing due to an incorrect or inaccessible issuer URL configuration in your Web Modeler components.

Solution Steps

1. Check Your Issuer URL Configuration

You need to verify the issuer URL settings in both Web Modeler components:

For the webapp component:

  • Check the OAUTH2_TOKEN_ISSUER environment variable

For the restapi component:

  • Check SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUER_URI
  • Optionally check RESTAPI_OAUTH2_TOKEN_ISSUER_BACKEND_URL

2. Ensure URL Consistency

The issuer URL must:

  • Match exactly what your OIDC provider (Keycloak/Identity) provides
  • Be accessible from the Web Modeler containers
  • Match the issuer claim in JWT tokens

Example for Keycloak:

OAUTH2_TOKEN_ISSUER=https://keycloak.example.com/auth/realms/camunda-platform
SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUER_URI=https://keycloak.example.com/auth/realms/camunda-platform

3. Common Issues to Check

  • Internal vs External URLs: Don’t mix internal container URLs (e.g., http://keycloak:8080/...) with external URLs (e.g., https://keycloak.example.com/...)
  • Protocol mismatch: Ensure http vs https is consistent
  • Network accessibility: Verify the Web Modeler containers can reach the OIDC endpoints
  • Proxy configuration: If behind a proxy, ensure proper proxy settings for both components

4. Debugging Steps

To help diagnose the issue, please share (with sensitive data redacted):

  1. Your issuer-related environment variables for both webapp and restapi components
  2. The issuer claim from a sample JWT token
  3. Your Identity/Keycloak configuration

Could you please share your current issuer URL configuration (redacted as needed) so I can provide more specific guidance?
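As an added diagnostic example (not from the original thread or from Camunda), the script below reads the iss claim out of a token and compares it with the issuer configured for the webapp and restapi components, classifying any mismatch as the protocol, host (internal vs external URL), trailing-slash or path difference the answer above lists. The resource server compares the iss claim with the configured issuer as an exact string, so even a trailing slash is reported. The sample token is constructed inline with a placeholder signature; the signature is never verified here, this is configuration triage only.

```python
import base64
import json
from urllib.parse import urlsplit

# webapp variable first, restapi variable second (names from the answer above)
ISSUER_VARS = ("OAUTH2_TOKEN_ISSUER",
               "SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUER_URI")

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_jwt_claims(token: str) -> dict:
    """Read the payload of a compact JWT. No signature check: diagnostic only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_issuer_consistency(config: dict, token: str) -> list:
    """Compare each component's configured issuer with the token's iss claim.
    Any difference is a finding that names its kind; an empty list is consistent."""
    iss = decode_jwt_claims(token).get("iss")
    if not iss:
        return ["token carries no iss claim"]
    findings, want = [], urlsplit(iss)
    for var in ISSUER_VARS:
        value = config.get(var)
        if not value:
            findings.append(f"{var} is not set")
        elif value != iss:
            got = urlsplit(value)
            if got.netloc != want.netloc:
                why = f"host mismatch ({got.netloc} vs {want.netloc}): internal vs external URL?"
            elif got.scheme != want.scheme:
                why = f"protocol mismatch ({got.scheme} vs {want.scheme})"
            elif value.rstrip("/") == iss.rstrip("/"):
                why = "trailing slash differs"
            else:
                why = "realm/path differs"
            findings.append(f"{var}={value} != iss={iss}: {why}")
    return findings

# Constructed sample token: real header/payload layout, placeholder signature.
SAMPLE_ISSUER = "https://keycloak.example.com/auth/realms/camunda-platform"
SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps({"iss": SAMPLE_ISSUER, "sub": "demo-user"}).encode()),
    "placeholder-signature",
])
```

Feed it the two variables from your container environment and a token captured from a failing request; the findings point at which component's value to correct.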