Camunda + Oauth2?

I’m very (VERY) new to Camunda, so please bear with me :) I’m listing these scenarios based on what I’ve done on other BPM tools.

Does Camunda support OAuth2-based authentication/authorization?

Authentication
Basically, users of Cockpit would be allowed to single sign-on (redirected to the OAuth2 URL/page), and the token returned would then be sent to the BPM engine (server), which would use the token to verify against the security provider and validate the user details.

Authorization
Camunda will be configured to get its list of users and groups from an LDAP endpoint, and when authentication happens, it will map the right username to the right available groups. These groups can then be used inside Camunda to restrict access to activities, for instance, based on the group/team the user belongs to.
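The flow described above (a bearer token arriving at the engine's web application, being verified, and the user's groups being handed to Camunda for authorization), as an added example that is not code from this thread or from the Camunda project. It implements Camunda 7's `AuthenticationProvider` web-app hook; the class name, package, HMAC secret, issuer URL and the `groups` claim name are assumptions, and HS256 with a shared secret is used only so the example runs without a JWKS fetch: a real OpenID provider such as Keycloak signs with RS256 and you would verify against its published keys instead.

```java
package example.camunda.auth; // hypothetical package, not part of Camunda

import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.camunda.bpm.engine.ProcessEngine;
import org.camunda.bpm.webapp.impl.security.auth.AuthenticationProvider;
import org.camunda.bpm.webapp.impl.security.auth.AuthenticationResult;

/**
 * Accepts "Authorization: Bearer <JWT>" on requests to Cockpit/Tasklist,
 * verifies the token offline and hands Camunda the user id plus the groups
 * the token claims. Wired in via ContainerBasedAuthenticationFilter (see note).
 */
public class BearerTokenAuthenticationProvider implements AuthenticationProvider {

  // Assumed values: load the key and issuer from configuration in practice.
  private static final byte[] HMAC_KEY =
      "replace-with-a-long-random-secret".getBytes(StandardCharsets.UTF_8);
  private static final String EXPECTED_ISSUER = "https://idp.example.com/realms/camunda";

  // Minimal claim extraction by regex so the example needs no JSON library;
  // use a proper JWT library in production code.
  private static final Pattern ALG = Pattern.compile("\"alg\"\\s*:\\s*\"([^\"]+)\"");
  private static final Pattern ISS = Pattern.compile("\"iss\"\\s*:\\s*\"([^\"]+)\"");
  private static final Pattern EXP = Pattern.compile("\"exp\"\\s*:\\s*(\\d+)");
  private static final Pattern USER = Pattern.compile("\"preferred_username\"\\s*:\\s*\"([^\"]+)\"");
  private static final Pattern GROUPS = Pattern.compile("\"groups\"\\s*:\\s*\\[([^\\]]*)\\]");
  private static final Pattern QUOTED = Pattern.compile("\"([^\"]+)\"");

  @Override
  public AuthenticationResult extractAuthenticatedUser(HttpServletRequest request, ProcessEngine engine) {
    String header = request.getHeader("Authorization");
    if (header == null || !header.startsWith("Bearer ")) {
      return AuthenticationResult.unsuccessful();
    }
    String[] parts = header.substring(7).trim().split("\\.");
    if (parts.length != 3) {
      return AuthenticationResult.unsuccessful();
    }
    try {
      String headerJson = decode(parts[0]);
      String payload = decode(parts[1]);
      // Pin the algorithm: a token carrying "alg":"none" or an RSA alg must not
      // be accepted by an HMAC verifier. Then check signature, issuer and expiry.
      if (!"HS256".equals(claim(ALG, headerJson))
          || !signatureValid(parts[0] + "." + parts[1], parts[2])
          || !EXPECTED_ISSUER.equals(claim(ISS, payload))
          || !notExpired(claim(EXP, payload))) {
        return AuthenticationResult.unsuccessful();
      }
      String userId = claim(USER, payload);
      if (userId == null) {
        return AuthenticationResult.unsuccessful();
      }
      // Group ids are passed straight through; for Camunda's authorization
      // checks to apply, they must match group ids known to the engine's
      // identity service (e.g. the groups exposed by the LDAP plugin).
      AuthenticationResult result = AuthenticationResult.successful(userId);
      result.setGroups(groups(payload));
      return result;
    } catch (IllegalArgumentException malformed) { // bad base64 or number
      return AuthenticationResult.unsuccessful();
    }
  }

  @Override
  public void augmentResponseByAuthenticationChallenge(HttpServletResponse response, ProcessEngine engine) {
    response.setHeader("WWW-Authenticate", "Bearer realm=\"camunda\"");
  }

  private static String decode(String segment) {
    return new String(Base64.getUrlDecoder().decode(segment), StandardCharsets.UTF_8);
  }

  private static String claim(Pattern p, String json) {
    Matcher m = p.matcher(json);
    return m.find() ? m.group(1) : null;
  }

  private static boolean notExpired(String exp) {
    return exp != null && Long.parseLong(exp) > System.currentTimeMillis() / 1000;
  }

  private static boolean signatureValid(String signingInput, String encodedSig) {
    try {
      Mac mac = Mac.getInstance("HmacSHA256");
      mac.init(new SecretKeySpec(HMAC_KEY, "HmacSHA256"));
      byte[] expected = mac.doFinal(signingInput.getBytes(StandardCharsets.US_ASCII));
      byte[] actual = Base64.getUrlDecoder().decode(encodedSig);
      return MessageDigest.isEqual(expected, actual); // constant-time compare
    } catch (GeneralSecurityException e) {
      return false;
    }
  }

  private static List<String> groups(String payload) {
    List<String> ids = new ArrayList<>();
    String array = claim(GROUPS, payload);
    if (array != null) {
      Matcher m = QUOTED.matcher(array);
      while (m.find()) {
        ids.add(m.group(1));
      }
    }
    return ids;
  }
}
```

To activate it, register Camunda's `ContainerBasedAuthenticationFilter` in the web application's `web.xml` with the `authentication-provider` init-param set to this class name, as described in the Camunda docs' container-based authentication section (Camunda 7 before 7.20 uses the `javax.servlet` API shown here; later releases use `jakarta.servlet`). A `groups` claim is not emitted by default; in Keycloak it needs a group-membership mapper on the client, and the group ids it emits have to line up with the groups Camunda sees through its identity service, which is what the LDAP setup in the question would provide.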

I can probably only give you a vague direction to look in, but the WildFly distribution of Camunda contains a commented section in the standalone.xml file for LDAP. Given the presence of that section, I would assume other Java containers would support this.

We have implemented a custom authorization mechanism using a custom internal back-end security provider, but your use of OAuth2 would probably be easier as it is standards-based. The new version of Camunda may offer some help here also.

I would look to the container (Tomcat, WildFly, etc.) documentation for natively supported authorization mechanisms and then supplant Camunda’s mechanism with one of those. You’ll need to adhere to the resource model they support, as that’s how things are secured within Camunda. There are various references to this in the documentation.

Thanks mppfor_manu

Do you have any code you could share for the custom auth you worked on?

I can’t really share the code without an internal, legal release. Let me see if I can get a general description of what we did.

As platforms go, Keycloak provides some plug-ins for various Camunda containers. I’ve tested this on Wildfly - it works.

So, regarding Camunda’s built-in roles… you could try some brute-force mapping between the OpenID provider and Camunda. I haven’t tried this approach yet. But, Keycloak has a nice web-based UI to help facilitate the approach.

You could also try to centralize identity/LDAP for both Camunda and Keycloak (at least for testing).

Hi @prax, I want to do the same thing as you. Were you able to do it, and how? Thanks