Camunda - SSO Keycloak (GitHub)

Hi @Karim_Gillani,

I would rather do it right or I wouldn’t do it at all.

But in case you want to spend time on an interim solution:

  • https://www.baeldung.com/spring-security-basic-authentication shows how to configure Spring Security for basic authentication
  • Your job is to add this to the overall configuration only for the URLs matching /engine-rest/**, but to keep securing everything else with OAuth2.
  • Probably the order of the BasicAuthenticationFilter compared to the one responsible for OAuth2 might be critical. Or you might need a 2nd WebSecurityConfig using a different order?

You will have to study Spring Security a little deeper to figure that out. Let us know how you solved it :slight_smile:

I want to thank you for your help as I am not a Java expert by any means.

I am also trying to add the camunda-bpm-mail plugin.

I added the dependencies to the docker-pom.xml
I added the mail-config.properties file
and updated camunda.local.cfg.xml with this:

<property name="processEnginePlugins">
  <list>
    <bean class="org.camunda.spin.plugin.impl.SpinProcessEnginePlugin"/>
    <bean class="org.camunda.connect.plugin.impl.ConnectProcessEnginePlugin"/>
  </list>
</property>

but I still get the following error when I try to use it:

“Cannot find mail configuration at: classpath:/mail-config.properties”

I am guessing I haven’t told the build to save the file in the right location?

UPDATE: I set the MAIL_CONFIG environment and put the file outside of the JAR. That seemed to fix the problem. Not sure if this is the correct way or not.

Hi @Karim_Gillani
I created a fork of @VonDerBeck’s identity-plugin that provides REST-Authorization
Have a look here https://github.com/iceman91176/camunda-bpm-identity-keycloak/tree/rest-auth

Basically it is like Gunnar said, create another WebSecurityConfig, and a filter that gets groups and username from the token.

I added some more configuration parameters, have a look at application yaml.

@VonDerBeck - how do we get SSO working for a shared process engine ? Issue #4 only describes how to add the IdentityProvider to jboss/tomcat, right ? So we’ll have to use the tomcat-keycloak adapter and do it like that : https://github.com/camunda/camunda-sso-jboss/tree/keycloak, just with your KeycloakAuthenticationProvider ?

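To make Gunnar's advice concrete, here is an added example (my own code, not from the thread or from either plugin) of the "second WebSecurityConfig" approach: one chain with Basic authentication only for /engine-rest/**, and an explicitly ordered second chain that keeps OAuth2 login for everything else. It assumes Spring Boot 2.x with Spring Security 5.x and an AuthenticationManager already configured to validate the Basic credentials; the package and class names are hypothetical.

```java
// Added example (not from the thread or either plugin): two ordered Spring
// Security chains for Spring Boot 2.x / Spring Security 5.x. Both classes are
// package-private so they can share one file; package and class names are mine.
package example.security; // hypothetical package name

import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;

// Chain 1: consulted first. antMatcher() restricts this whole chain to the
// REST API, so nothing configured here touches the web apps.
@Configuration
@Order(1)
class EngineRestBasicAuthConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.antMatcher("/engine-rest/**")
            .authorizeRequests().anyRequest().authenticated()
            // credentials are checked by the application's AuthenticationManager
            .and().httpBasic()
            .and().exceptionHandling()
                  // plain 401 for missing or invalid credentials, never a redirect to Keycloak
                  .authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED))
            .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            // stateless API chain: clients send credentials on every request, so CSRF
            // protection is switched off for this chain only (chain 2 keeps the default)
            .and().csrf().disable();
    }
}

// Chain 2: no antMatcher, so it catches every request chain 1 did not claim
// and keeps the browser-facing apps on OAuth2/OIDC login with Keycloak.
@Configuration
@Order(2)
class WebAppOAuth2Config extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().authenticated()
            .and().oauth2Login();
    }
}
```

With this ordering an unauthenticated call to /engine-rest/job gets a 401 from chain 1, while the same URL opened in a browser without credentials is not redirected to Keycloak, because chain 2 never sees it.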

Hi @cbuchberger,

Thanks for your work :slight_smile: I think it’s all about different flavours of the SSO example and different technology bases. For the SSO example, I concentrated on Spring Boot. It is the most suitable concept in the cloud environment. But that should not prevent using the plugin in other environments as well. We have done SSO before using Keycloak with LDAP as well, don’t we?

You’re definitely on the right track. SSO is a concept above (in addition to) the usage of the Identity Provider Plugin. When using a shared process engine, you’ll have to use the SSO concepts for the respective technology base. Adapt the concepts on how to do SSO on JBoss/Tomcat with Keycloak and add them to using the IdentityProvider. The Identity Provider then needs the correct User ID and groups extracted, corresponding with its configuration, which has to be done in the KeycloakAuthenticationProvider. That part is the specific part which has to be adapted.

Hi @VonDerBeck

I created an SSO plugin which can be used in a shared process engine for the various web contexts (webapp/rest-engine)

The plugin relies on your identity-provider-plugin to provide users and groups.

I’ll provide a solution for containerized environments with that plugin, where all configuration can be done with Kubernetes secrets and configmaps.


@cbuchberger worked like a charm. Thank you. You said you were going to provide a solution for containerized environments with that plugin. I am using OpenShift and would love to try it.

Currently, I had to take the great work of @VonDerBeck and add:

  1. Email Connector
  2. HTTP Connector
  3. Now your additions
  4. Groovy support
  5. Update the Dockerfile to accommodate no root permissions

I still have a lot of work to clear out some of the warnings in the build but it works.

Thank you both for all your help. This is such a great product.

Newbie question: Can anyone let me know the easiest way to update the database when using Spring Boot? I don’t know how to go into the JAR to run the database upgrade scripts.

@Karim_Gillani are you setting up a new environment or upgrading Camunda versions?

Upgrading camunda versions.

@Karim_Gillani requesting a few more details, like:

  • which database are you using?
  • current camunda version?
  • Target version to upgrade? (I hope that you’re interested in the latest Camunda v7.12)
  • Springboot version?

I am interested generally, just in case there is a database upgrade in the future.

I am moving from 7.11 to 7.12

  • which database are you using? Postgresql
  • current camunda version? 7.11
  • Target version to upgrade? 7.12
  • Springboot version?

From:

<version.camunda>7.11.0</version.camunda>
<version.camundaSpringBoot>3.3.5</version.camundaSpringBoot>
<version.springBoot>2.1.9.RELEASE</version.springBoot>

To:

<version.camunda>7.12.0</version.camunda>
<version.springBoot>2.2.1.RELEASE</version.springBoot>
<version.camundaSpringBoot>3.4.0</version.camundaSpringBoot>

Things to do:

  1. SpringBoot pom.xml changes for camunda upgrade:

     <version.camunda>7.12.0</version.camunda>
     <version.camundaSpringBoot>3.4.x</version.camundaSpringBoot>
     <version.springBoot>2.2.x</version.springBoot>
    
  2. Below are the DB scripts for upgrading Camunda from 7.11 to 7.12 (PostgreSQL); the string literals use straight quotes, as PostgreSQL does not accept typographic quotes:

  • insert into ACT_GE_SCHEMA_LOG values ('1', CURRENT_TIMESTAMP, '7.11.3');
  • create index ACT_IDX_HI_JOB_LOG_JOB_CONF on ACT_HI_JOB_LOG(JOB_DEF_CONFIGURATION_);
  • insert into ACT_GE_SCHEMA_LOG values ('100', CURRENT_TIMESTAMP, '7.12.0');
  • ALTER TABLE ACT_HI_OP_LOG ADD ANNOTATION_ varchar(4000);
  • ALTER TABLE ACT_RU_JOB ADD REPEAT_OFFSET_ bigint default 0;
  • ALTER TABLE ACT_HI_INCIDENT ADD HISTORY_CONFIGURATION_ varchar(255);
  • create index ACT_IDX_HI_DETAIL_VAR_INST_ID on ACT_HI_DETAIL(VAR_INST_ID_);

That’s it, just redeploy the Spring Boot application. The Camunda version upgrade is done. For zero downtime I would recommend that you read this: rolling-update.

For more detailed information, you can refer to the docs below.

The above DB scripts can be found here in Camunda Nexus.

Upgrade docs: Patch Level Update | docs.camunda.org

Note: Posts related to version upgrades are off-topic for the original discussion. I would suggest you create a new topic :slight_smile:


This is off-topic; in future, for questions like this, start a new thread. Thanks.

Hi @cbuchberger

I have incorporated the plugin in my Tomcat and added the appropriate configurations. When I hit the login URL in the browser (http://localhost:8080/camunda/login), Keycloak’s login page appears. Upon login with valid credentials I get redirected back to the tasklist page, but it says 404.

In the Tomcat logs I see the following error, which is from your custom Java file.

Principal is null - auth not possible

Could you please let me know if any missing configuration results in this?

Hi @amit_goda,

that line is logged here https://github.com/iceman91176/camunda-bpm-auth-keycloak-sso/blob/8badb2642b4f6cc6325e2a327f5b0dd37787dd6a/src/main/java/org/camunda/community/auth/keycloak/filter/KeycloakAuthenticationFilter.java#L51 and basically it says what the problem is: the request’s principal is NULL. Usually the keycloak-adapter should populate the principal. So my guess is that something is missing in your keycloak-adapter config and/or the keycloak-client is missing something. You could try to increase the debug level of the keycloak-adapter.

Hi @cbuchberger
Thank you for your reply. The issue was with my configuration in web.xml under the respective webapps. The filters were not correctly placed in the web.xml file, which resulted in the above-mentioned error.

It’s working now :smiley:

@cbuchberger

I have a question. The above setup is working fine. However, when we trigger any REST API from Postman without authentication, such as the one below:

http://localhost:8080/engine-rest/job

The API response is as below. How can we get a 401 error code so that my client can manage the redirection to the login page?

If I hit the same API directly in the browser, the page is redirected to Keycloak authentication.