Camunda 8 Identity is failing to connect to Keycloak

We have created the realm camunda-platform in Keycloak and configured all the required clients and secrets.

But somehow Identity is failing to connect to Keycloak, and we get the error below:

ERROR 1 --- [ main] i.c.i.i.k.c.KeycloakConfiguration : HTTP 403 Forbidden

I have used the env configs below:
CAMUNDA_OPERATE_IDENTITY_CLIENTSECRET : abcd
CAMUNDA_OPTIMIZE_IDENTITY_CLIENTSECRET : abcd
CAMUNDA_TASKLIST_IDENTITY_CLIENTSECRET : abcd
DB_DATABASE_TEST : Keycloak
DB_HOST_TEST : abcd
DB_PASSWORD_TEST : abcd
DB_USER_TEST : abcd
IDENTITY_CLIENT_SECRET : abcd
KEYCLOAK_CLIENTS_0_SECRET : abcd
KEYCLOAK_INIT_OPERATE_SECRET : abcd
KEYCLOAK_INIT_OPTIMIZE_SECRET : abcd
KEYCLOAK_INIT_TASKLIST_SECRET : abcd
KEYCLOAK_PASSWORD_TEST : admin
KEYCLOAK_USER_TEST : admin
KEYCLOAK_USERS_0_PASSWORD : demo

Please let me know what I am doing wrong.

We have deployed on OpenShift, and all the modules are individual deployments.
Please help with this issue; I have been stuck for the last few days and am not able to find the cause.

Hello @yogeshwer ,

this looks like it could be related to this: Server Administration Guide

Default is “external requests”.

Identity will try to connect to Keycloak using http://, and Keycloak will then check the IP address Identity uses. If it is "private", Keycloak will allow the connection; otherwise it will refuse it.

You can change this setting in the Keycloak master realm.

I hope this helps

Jonathan

Hi @jonathan.lukas ,
Thank you for the response.

It is "private", so it should allow connections, right?
But we are still getting the same issue. Is it something related to users and roles?

Hello @yogeshwer ,

are you using the Helm charts? If so, the user should be configured properly.
If not, please double-check whether the credentials are correct. For completeness, here are the env variables that are set by the Helm charts:

      IDENTITY_URL:                        https://***
      IDENTITY_BASE_PATH:                  ***
      KEYCLOAK_USERS_0_USERNAME:           demo
      KEYCLOAK_USERS_0_PASSWORD:           demo
      KEYCLOAK_USERS_0_EMAIL:              demo@example.org
      KEYCLOAK_USERS_0_FIRST_NAME:         Demo
      KEYCLOAK_USERS_0_LAST_NAME:          User
      KEYCLOAK_USERS_0_ROLES_0:            Identity
      KEYCLOAK_USERS_0_ROLES_1:            Operate
      KEYCLOAK_INIT_OPERATE_SECRET:        <set to the key 'operate-secret' in secret 'camunda-platform-operate-identity-secret'>  Optional: false
      KEYCLOAK_INIT_OPERATE_ROOT_URL:      https://***
      KEYCLOAK_USERS_0_ROLES_2:            Tasklist
      KEYCLOAK_INIT_TASKLIST_SECRET:       <set to the key 'tasklist-secret' in secret 'camunda-platform-tasklist-identity-secret'>  Optional: false
      KEYCLOAK_INIT_TASKLIST_ROOT_URL:     https://***
      KEYCLOAK_USERS_0_ROLES_3:            Optimize
      KEYCLOAK_INIT_OPTIMIZE_SECRET:       <set to the key 'optimize-secret' in secret 'camunda-platform-optimize-identity-secret'>  Optional: false
      KEYCLOAK_INIT_OPTIMIZE_ROOT_URL:     https://***
      KEYCLOAK_USERS_0_ROLES_4:            Web Modeler
      KEYCLOAK_INIT_WEBMODELER_ROOT_URL:   https://***
      SERVER_PORT:                         8080
      KEYCLOAK_URL:                        http://camunda-platform-key:80/auth
      IDENTITY_AUTH_PROVIDER_ISSUER_URL:   https://***/auth/realms/camunda-platform
      IDENTITY_AUTH_PROVIDER_BACKEND_URL:  http://camunda-platform-key:80/auth/realms/camunda-platform
      KEYCLOAK_SETUP_USER:                 admin
      KEYCLOAK_SETUP_PASSWORD:             <set to the key 'admin-password' in secret 'camunda-platform-keycloak'>  Optional: false

Jonathan

Hi @jonathan.lukas ,

We are getting the exception below after setting up all the above configuration:

This generated password is for development use only. Your security configuration must be updated before running your application in production.

2023-03-15 11:08:57.994 INFO 1 --- [ main] i.c.i.Application : Started Application in 18.085 seconds (process running for 22.009)
2023-03-15 11:09:03.794 ERROR 1 --- [ main] o.s.b.SpringApplication : Application run failed

java.lang.IllegalStateException: Failed to execute ApplicationRunner
at org.springframework.boot.SpringApplication.callRunner(SpringApplication.java:761) ~[spring-boot-3.0.1.jar!/:3.0.1]
at org.springframework.boot.SpringApplication.callRunners(SpringApplication.java:748) ~[spring-boot-3.0.1.jar!/:3.0.1]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:315) ~[spring-boot-3.0.1.jar!/:3.0.1]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:1302) ~[spring-boot-3.0.1.jar!/:3.0.1]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:1291) ~[spring-boot-3.0.1.jar!/:3.0.1]
at io.camunda.identity.Application.main(Application.java:18) ~[classes!/:?]
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) ~[?:?]
at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) ~[?:?]
at java.lang.reflect.Method.invoke(Unknown Source) ~[?:?]
at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:49) ~[identity.jar:?]
at org.springframework.boot.loader.Launcher.launch(Launcher.java:95) ~[identity.jar:?]
at org.springframework.boot.loader.Launcher.launch(Launcher.java:58) ~[identity.jar:?]
at org.springframework.boot.loader.JarLauncher.main(JarLauncher.java:65) ~[identity.jar:?]
Caused by: java.lang.NullPointerException: Cannot invoke "String.isBlank()" because the return value of "io.camunda.identity.impl.keycloak.config.record.KeycloakClient.rootUrl()" is null
at io.camunda.identity.impl.keycloak.initializer.service.ClientInitializationService.validateClientRootUrl(ClientInitializationService.java:168) ~[classes!/:?]
at io.camunda.identity.impl.keycloak.initializer.service.ClientInitializationService.processClient(ClientInitializationService.java:62) ~[classes!/:?]
at java.util.ArrayList.forEach(Unknown Source) ~[?:?]
at io.camunda.identity.impl.keycloak.initializer.service.ClientInitializationService.process(ClientInitializationService.java:57) ~[classes!/:?]
at io.camunda.identity.impl.keycloak.initializer.KeycloakClientInitializer.run(KeycloakClientInitializer.java:34) ~[classes!/:?]
at org.springframework.boot.SpringApplication.callRunner(SpringApplication.java:758) ~[spring-boot-3.0.1.jar!/:3.0.1]
… 13 more

Hello @yogeshwer ,

how do you set up your Identity instance? Are you using Helm charts?

Jonathan

Hi @jonathan.lukas ,

We are not using Helm charts.
We did individual Docker image deployments with all the required environment variables.

Hello @yogeshwer ,

I would recommend using the Helm charts, as they cover the default setup.

There is even a whole section about OpenShift in our docs:

Jonathan

@jonathan.lukas ,

Thank you for the suggestion. We tried, but there are a few limitations in OpenShift.
That is the reason we started with individual deployments.

Other things are working well. I think we are just missing something small.
If you can just share the details required to configure in Keycloak and Identity (the config you have shared), it will be a great help.

Thanks & Regards,
Yogeshwer Ganeshe

Hello @yogeshwer ,

which problems are you facing?

Using a pre-defined helm chart will save you a lot of maintenance effort in the future, so I would suggest you get it installed.

Jonathan

Hi @jonathan.lukas ,

There are some limitations in our OpenShift environment, so we are not able to use Helm.

When we try to connect from the Identity pod, we get the output below:
/app $ curl http://keycloak:8080/realms/camunda-platform
{"realm":"camunda-platform","public_key":<PUBLIC_KEY>,"token-service":"https://keycloak:8080/realms/camunda-platform/protocol/openid-connect","account-service":"https://keycloak:8080/realms/camunda-platform/account","tokens-not-before":0}
/app $

It means we are able to get the Keycloak realm from the Identity pod.

But we are still not able to connect from the application:
2023-03-15 11:09:03.794 ERROR 1 --- [ main] o.s.b.SpringApplication : Application run failed

java.lang.IllegalStateException: Failed to execute ApplicationRunner
Caused by: java.lang.NullPointerException: Cannot invoke "String.isBlank()" because the return value of "io.camunda.identity.impl.keycloak.config.record.KeycloakClient.rootUrl()" is null

I just want to understand where to configure this rootUrl.

Hello @yogeshwer ,

if you are able to get the Keycloak realm, Identity was able to connect once to configure Keycloak.

Can you confirm this?

Regarding the Helm charts:

You could create a kubectl YAML file from the Helm charts and deploy that.

Jonathan

Hello @yogeshwer ,

just one more thing to consider:

Have you set up valid pairs of KEYCLOAK_INIT_*_ROOT_URL and KEYCLOAK_INIT_*_SECRET?

Config for reference:

If there is a client secret entered but no root URL, this could cause the issue.

Jonathan

Hi @yogeshwer,

your configuration seems to be off; there are environment variables that do not exist. These are the parts you need to connect to an existing Keycloak (see Connect to an existing Keycloak instance | Camunda Platform 8 Docs):

KEYCLOAK_URL: http://keycloak:8080/auth
KEYCLOAK_REALM: camunda-platform
IDENTITY_AUTH_PROVIDER_BACKEND_URL: http://keycloak:8080/realms/camunda-platform
IDENTITY_AUTH_PROVIDER_BACKEND_URL: https://public-keycloak.url/realms/camunda-platform
IDENTITY_CLIENT_ID: camunda-identity
IDENTITY_CLIENT_SECRET: --the-secret--

Additionally, you will need your database configuration:

IDENTITY_DATABASE_HOST: Keycloak
IDENTITY_DATABASE_PORT: 5432
IDENTITY_DATABASE_NAME: --database-name--
IDENTITY_DATABASE_PASSWORD: --password--
IDENTITY_DATABASE_USERNAME: --username--

You also need to tell Identity where its application can be accessed:

IDENTITY_URL: https://your.identity

In the end you obviously want to initialize the other C8 apps, but you are missing their URLs (this is most likely where the exception in your logs comes from):

KEYCLOAK_INIT_OPERATE_ROOT_URL: https://your.operate
KEYCLOAK_INIT_OPERATE_SECRET: abcd
KEYCLOAK_INIT_OPTIMIZE_ROOT_URL: https://your.operate
KEYCLOAK_INIT_OPTIMIZE_SECRET: abcd
KEYCLOAK_INIT_TASKLIST_ROOT_URL: https://your.operate
KEYCLOAK_INIT_TASKLIST_SECRET: abcd

If you want to add a test user (with access to Identity, Operate, Optimize and Tasklist):

KEYCLOAK_USERS_0_USERNAME:           demo
KEYCLOAK_USERS_0_PASSWORD:           demo
KEYCLOAK_USERS_0_EMAIL:              demo@example.org
KEYCLOAK_USERS_0_FIRST_NAME:         Demo
KEYCLOAK_USERS_0_LAST_NAME:          User
KEYCLOAK_USERS_0_ROLES_0:            Identity
KEYCLOAK_USERS_0_ROLES_1:            Operate
KEYCLOAK_USERS_0_ROLES_2:            Optimize
KEYCLOAK_USERS_0_ROLES_3:            Tasklist

Best,
Dimitri
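A small pre-flight check for this kind of setup, added here as an example and not part of the thread or of Camunda's own code. It covers both Jonathan's point about KEYCLOAK_INIT_*_SECRET / KEYCLOAK_INIT_*_ROOT_URL pairs and Dimitri's variable list: it flags a secret whose root URL is missing or blank (the pairing behind the NullPointerException quoted above), lists required variables that are absent, and points out names like DB_HOST_TEST that appear nowhere in this thread. The required-variable list and the "known prefix" set are assumptions taken from the replies above, and the sample environment is constructed from the original post with placeholder values.

```python
import re

# Variables named in Dimitri's reply, plus IDENTITY_AUTH_PROVIDER_ISSUER_URL from the
# Helm-chart output quoted earlier. Assumption: a name outside this list and the prefixes
# below is only "not listed in this thread", which is not the same as invalid.
REQUIRED = [
    "KEYCLOAK_URL", "KEYCLOAK_REALM", "IDENTITY_CLIENT_ID", "IDENTITY_CLIENT_SECRET",
    "IDENTITY_AUTH_PROVIDER_BACKEND_URL", "IDENTITY_AUTH_PROVIDER_ISSUER_URL", "IDENTITY_URL",
    "IDENTITY_DATABASE_HOST", "IDENTITY_DATABASE_PORT", "IDENTITY_DATABASE_NAME",
    "IDENTITY_DATABASE_USERNAME", "IDENTITY_DATABASE_PASSWORD",
]
KNOWN_PREFIXES = ("KEYCLOAK_USERS_", "KEYCLOAK_INIT_", "KEYCLOAK_SETUP_", "IDENTITY_BASE_PATH")
SUSPECT_PREFIXES = ("KEYCLOAK_", "IDENTITY_", "DB_", "CAMUNDA_")
INIT_PAIR = re.compile(r"^KEYCLOAK_INIT_([A-Z]+)_(SECRET|ROOT_URL)$")

# Constructed from the variable names in the original post; the values are placeholders.
ORIGINAL_POST_ENV = dict.fromkeys([
    "CAMUNDA_OPERATE_IDENTITY_CLIENTSECRET", "CAMUNDA_OPTIMIZE_IDENTITY_CLIENTSECRET",
    "CAMUNDA_TASKLIST_IDENTITY_CLIENTSECRET", "DB_DATABASE_TEST", "DB_HOST_TEST",
    "DB_PASSWORD_TEST", "DB_USER_TEST", "IDENTITY_CLIENT_SECRET", "KEYCLOAK_CLIENTS_0_SECRET",
    "KEYCLOAK_INIT_OPERATE_SECRET", "KEYCLOAK_INIT_OPTIMIZE_SECRET", "KEYCLOAK_INIT_TASKLIST_SECRET",
    "KEYCLOAK_PASSWORD_TEST", "KEYCLOAK_USER_TEST", "KEYCLOAK_USERS_0_PASSWORD",
], "abcd")


def check_identity_env(env):
    """Return a list of findings for an Identity environment; an empty list means nothing obvious."""
    findings = [f"missing: {n}" for n in REQUIRED if not env.get(n, "").strip()]
    # A KEYCLOAK_INIT_<APP>_SECRET without a non-blank ROOT_URL is the pairing that
    # leaves KeycloakClient.rootUrl() null in the stack trace quoted above.
    apps = {}
    for name, value in env.items():
        m = INIT_PAIR.match(name)
        if m:
            apps.setdefault(m.group(1), {})[m.group(2)] = value.strip()
    for app, parts in sorted(apps.items()):
        if parts.get("SECRET") and not parts.get("ROOT_URL"):
            findings.append(f"secret without root url: KEYCLOAK_INIT_{app}_ROOT_URL")
    # Remaining KEYCLOAK_/IDENTITY_/DB_/CAMUNDA_ names are probably typos or variables
    # Identity does not read (the original post has several of these).
    for name in sorted(env):
        if name in REQUIRED or INIT_PAIR.match(name) or name.startswith(KNOWN_PREFIXES):
            continue
        if name.startswith(SUSPECT_PREFIXES):
            findings.append(f"not a variable listed in this thread: {name}")
    return findings


if __name__ == "__main__":
    print("\n".join(check_identity_env(ORIGINAL_POST_ENV)))
```

Run it against the variables from the original post and every problem raised in the thread shows up at once, before Identity is even started.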


Thank you, guys. The issue is resolved :)
