Camunda 8 Users Managemenet

Can I create my own user authentication system and then use CandidateGroups to search for user tasks and authenticate them using my own roles. The issue I am having here is that it’s always necessary to assign a user Task before completing it. Is there any other way to bypass this without having the need to use Camunda Identity.

@Awais_Sabir Yes, you can absolutely implement your own user authentication and role system in Camunda 8 (self-managed) and still make use of candidateGroups to filter tasks per user. Camunda 8 doesn’t force you to use its identity service like in Camunda 7 — identity is now decoupled. But you’re correct that user task assignment becomes a manual concern, especially if you’re bypassing Camunda Identity or Tasklist.

Here’s a breakdown and how to handle your situation:

What You Can Do

1. Custom Authentication System

Yes. You can:

  • Authenticate users using your own backend or OAuth or JWT etc.
  • Attach user roles/groups to the token/session.
  • Use these roles to query Camunda Tasklist via REST or GraphQL by filtering tasks using candidateGroups.

2. Use Candidate Groups Without Identity

  • Camunda doesn’t care who or what the candidateGroup string is — it’s just metadata.
  • You can filter tasks for a given group (e.g., “finance-managers”) using the Tasklist API with filters like:
query {
  tasks(query: {
    candidateGroup: "finance-managers"
  }) {
    id
    name
  }
}

Your Problem: Must assign task before completion

Yes, this is expected behavior:
In Camunda 8, a task must be assigned before it can be completed (to indicate someone has “taken” it). But if you’re not using Camunda Identity or Tasklist UI, it becomes an extra step.

Solutions to Bypass Explicit Assignment

Here are some workarounds or architectural solutions:

Option 1: Auto-assign and complete in one API call

  • In your backend:
    • First assign the task to the user via REST/GraphQL.
    • Then complete it right after.
mutation {
  claimTask(taskId: "some-task-id", userId: "john.doe") {
    id
  }
}

mutation {
  completeTask(taskId: "some-task-id", variables: [{name: "approved", value: true}]) {
    id
  }
}

Your backend controls both steps, so users don’t even know there’s an “assign” under the hood.

Option 2: Model the Task to Auto-Complete Itself

If task completion is system-driven:

  • Use a service task instead of a user task.
  • Or move logic into an external worker where no human interaction is needed.

Option 3: Extend Tasklist or Build a Custom UI

  • Create your own frontend that:
    • Filters by candidateGroup
    • Assigns the task in the background
    • Completes it in a single click

This is the cleanest path if you’re avoiding Camunda Identity and Tasklist.

Not Possible / Not Recommended

  • You cannot directly complete an unassigned user task via Camunda APIs — this restriction is enforced.
  • You don’t need to use Camunda Identity, but you do need to handle assignment logic yourself.

Thanks for the help. Option 3 explains my use case in the best way.

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.