Hi, I am trying to configure Camunda Web Modeler 8.8.4 with OpenID Connect, but I am facing an issue: there is no scopes property, so Web Modeler always sends the authorization request to the identity provider with the default scopes (openid profile email). This results in the expected audiences not being found in the response, and then I am not able to log in to Web Modeler.
I tried:
OAUTH2_SCOPE
OAUTH2_SCOPES
CAMUNDA_IDENTITY_AUTH_SCOPES
OIDC_SCOPES
but with no luck.
My Docker Compose file is:
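# Camunda 8.8 self-managed stack (orchestration, connectors, optimize, identity,
# web modeler) with an external OIDC provider (${IDM_URL}). Indentation was lost
# in the paste; structure below follows the Compose spec. Boolean/numeric env
# values are quoted so the YAML parser never retypes them (Compose guidance).
services:
  # Orchestration cluster (Zeebe + web apps); OIDC login and authorizations on.
  orchestration:
    image: camunda/camunda:${CAMUNDA_VERSION}
    container_name: orchestration
    ports:
      - "26500:26500"
      - "9600:9600"
      - "8088:8080"
    environment:
      CAMUNDA_DATABASE_INDEX_NUMBER_OF_REPLICAS: "0"
      CAMUNDA_IDENTITY_BASEURL: http://identity:8084
      CAMUNDA_SECURITY_AUTHORIZATIONS_ENABLED: "true"
      CAMUNDA_SECURITY_AUTHENTICATION_METHOD: oidc
      # Keeps the REST/gRPC API behind authentication; connectors use the
      # client-credentials flow configured in their own service below.
      CAMUNDA_SECURITY_AUTHENTICATION_UNPROTECTEDAPI: "false"
      CAMUNDA_SECURITY_INITIALIZATION_DEFAULTROLES_ADMIN_USERS_0: ${ADMIN_USER}
      CAMUNDA_SECURITY_INITIALIZATION_DEFAULTROLES_ADMIN_GROUPS_0: ${ADMIN_GROUP}
      CAMUNDA_SECURITY_INITIALIZATION_DEFAULTROLES_ADMIN_CLIENTS_0: ${ZEEBE_API_CLIENT_ID}
      CAMUNDA_SECURITY_AUTHENTICATION_OIDC_CLIENTID: ${CAMUNDA_WEB_CLIENT_ID}
      CAMUNDA_SECURITY_AUTHENTICATION_OIDC_CLIENTSECRET: ${CAMUNDA_WEB_CLIENT_SECRET}
      CAMUNDA_SECURITY_AUTHENTICATION_OIDC_ISSUERURI: ${IDM_URL}
      # Plain http callback: tokens and session cookies travel in clear unless a
      # TLS terminator sits in front of ${HOST}.
      CAMUNDA_SECURITY_AUTHENTICATION_OIDC_REDIRECTURI: http://${HOST}/sso-callback
      CAMUNDA_SECURITY_AUTHENTICATION_OIDC_AUDIENCES: camunda-api-audience,zeebe-api-audience,${CAMUNDA_WEB_CLIENT_ID}
      # Comma-separated list (Spring list binding); the other services use
      # space-separated scope strings for their own properties.
      CAMUNDA_SECURITY_AUTHENTICATION_OIDC_SCOPE: openid,profile,offline_access,camunda-api-scope,web-modeler-api
      CAMUNDA_SECURITY_AUTHENTICATION_OIDC_USERNAMECLAIM: preferred_username
      CAMUNDA_SECURITY_AUTHENTICATION_OIDC_CLIENTIDCLAIM: client_id
      CAMUNDA_SECURITY_AUTHENTICATION_OIDC_GROUPSCLAIM: role
      # Trust store for the IdP's TLS certificate; the password is the JDK default
      # and the store is mounted read-only (public CA material only, presumably).
      JAVA_TOOL_OPTIONS: "-Xms512m -Xmx512m -Djavax.net.ssl.trustStore=/opt/certs/customTrustStore.jks -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.trustStoreType=JKS"
    env_file:
      - path: .env
        required: true
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "timeout 60s bash -c ':> /dev/tcp/127.0.0.1/9600' || exit 1"]
      interval: 30s
      timeout: 60s
      retries: 5
      start_period: 30s
    volumes:
      - orchestration:/usr/local/zeebe/data
      - "./.orchestration/application.yaml:/usr/local/camunda/config/application.yaml"
      - "/app/camunda/customTrustStore.jks:/opt/certs/customTrustStore.jks:ro"
    networks:
      - camunda-platform
    extra_hosts:
      - "host.docker.internal:host-gateway"
    depends_on:
      elasticsearch:
        condition: service_healthy

  # Connectors runtime; authenticates to the orchestration API with client credentials.
  connectors:
    image: camunda/connectors-bundle:${CAMUNDA_CONNECTORS_VERSION}
    container_name: connectors
    ports:
      - "8086:8080"
    environment:
      CAMUNDA_CLIENT_MODE: self-managed
      CAMUNDA_CLIENT_RESTADDRESS: http://orchestration:8080
      CAMUNDA_CLIENT_GRPCADDRESS: http://orchestration:26500
      CAMUNDA_CLIENT_AUTH_METHOD: oidc
      CAMUNDA_CLIENT_AUTH_TOKENURL: ${IDM_URL}/connect/token
      CAMUNDA_CLIENT_AUTH_CLIENTID: ${ZEEBE_API_CLIENT_ID}
      CAMUNDA_CLIENT_AUTH_CLIENTSECRET: ${ZEEBE_API_CLIENT_SECRET}
      JAVA_TOOL_OPTIONS: "-Djavax.net.ssl.trustStore=/opt/certs/customTrustStore.jks -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.trustStoreType=JKS"
    # Connector secrets live outside this file; keep that file out of VCS.
    env_file: connector-secrets.txt
    restart: unless-stopped
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:8080/actuator/health/readiness"]
      interval: 30s
      timeout: 60s
      retries: 5
      start_period: 30s
    volumes:
      - "/app/camunda/customTrustStore.jks:/opt/certs/customTrustStore.jks:ro"
    networks:
      - camunda-platform
    extra_hosts:
      - "host.docker.internal:host-gateway"
    depends_on:
      orchestration:
        condition: service_healthy

  # Optimize, served under /optimize, logging in through the same OIDC provider.
  optimize:
    image: camunda/optimize:${CAMUNDA_OPTIMIZE_VERSION}
    container_name: optimize
    ports:
      - "8083:8090"
    environment:
      # Debug logging switches, left off.
      # LOGGING_LEVEL_ROOT: DEBUG
      # LOGGING_LEVEL_IO_CAMUNDA: DEBUG
      # LOGGING_LEVEL_ORG_SPRINGFRAMEWORK_SECURITY: DEBUG
      # LOGGING_LEVEL_IO_CAMUNDA_IDENTITY_SDK: DEBUG
      # LOGGING_LEVEL_IO_CAMUNDA_IDENTITY_SDK_IMPL_REST: DEBUG
      # LOGGING_LEVEL_IO_CAMUNDA_IDENTITY_SDK_IMPL_REST_RESTCLIENT: DEBUG
      CAMUNDA_OPTIMIZE_CONTEXT_PATH: /optimize
      SERVER_FORWARD_HEADERS_STRATEGY: framework
      HOST: ${HOST}
      OPTIMIZE_ELASTICSEARCH_HOST: elasticsearch
      OPTIMIZE_ELASTICSEARCH_HTTP_PORT: "9200"
      CAMUNDA_IDENTITY_TYPE: GENERIC
      SPRING_PROFILES_ACTIVE: oidc
      CAMUNDA_IDENTITY_ISSUER: ${IDM_URL}
      CAMUNDA_IDENTITY_ISSUER_BACKEND_URL: ${IDM_URL}
      CAMUNDA_IDENTITY_CLIENT_ID: ${CAMUNDA_OPTIMIZE_CLIENT_ID}
      CAMUNDA_IDENTITY_CLIENT_SECRET: ${CAMUNDA_OPTIMIZE_CLIENT_SECRET}
      CAMUNDA_IDENTITY_AUDIENCE: optimize-api
      CAMUNDA_IDENTITY_AUTH_SCOPES: openid profile roles offline_access GovernmentDelegationSystemAPI optimize-api
      CAMUNDA_OPTIMIZE_IDENTITY_AUDIENCE: optimize-api
      CAMUNDA_OPTIMIZE_IDENTITY_BASE_URL: http://identity:8084
      CAMUNDA_IDENTITY_BASEURL: http://identity:8084
      # NOTE(review): exposing configprops with SHOW_VALUES=ALWAYS returns this
      # service's properties unredacted over the actuator endpoint, including the
      # client secret above; debugging aid, not something to leave on.
      management.endpoints.web.exposure.include: health,configprops
      MANAGEMENT_ENDPOINT_CONFIGPROPS_SHOW_VALUES: ALWAYS
      management.endpoint.health.probes.enabled: "true"
      JAVA_TOOL_OPTIONS: "-Djavax.net.ssl.trustStore=/opt/certs/customTrustStore.jks -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.trustStoreType=JKS"
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:8090/api/readyz"]
      interval: 30s
      timeout: 5s
      retries: 5
      start_period: 30s
    volumes:
      - "/app/camunda/customTrustStore.jks:/opt/certs/customTrustStore.jks:ro"
      - "./.optimize/environment-config.yaml:/optimize/config/environment-config.yaml"
    restart: on-failure
    networks:
      - camunda-platform
    extra_hosts:
      - "host.docker.internal:host-gateway"
    depends_on:
      identity:
        condition: service_healthy
      elasticsearch:
        condition: service_healthy

  # Camunda Identity (management), backed by postgres and the external IdP.
  identity:
    container_name: identity
    image: camunda/identity:${CAMUNDA_IDENTITY_VERSION}
    ports:
      - "8084:8084"
    environment:
      # Debug logging switches, left off.
      # LOGGING_LEVEL_ROOT: DEBUG
      # LOGGING_LEVEL_IO_CAMUNDA: DEBUG
      # LOGGING_LEVEL_IO_CAMUNDA_IDENTITY_SDK: DEBUG
      # LOGGING_LEVEL_ORG_SPRINGFRAMEWORK_SECURITY: DEBUG
      # LOGGING_LEVEL_ORG_SPRINGFRAMEWORK_WEB: DEBUG
      HOST: ${HOST}
      SERVER_FORWARD_HEADERS_STRATEGY: framework
      IDENTITY_URL: ${CAMUNDA_IDENTITY_URL}
      CAMUNDA_IDENTITY_BASE_URL: ${CAMUNDA_IDENTITY_URL}
      SERVER_PORT: "8084"
      # First admin is bootstrapped from this claim/value pair.
      IDENTITY_INITIAL_CLAIM_NAME: preferred_username
      IDENTITY_INITIAL_CLAIM_VALUE: ${ADMIN_USER}
      IDENTITY_DATABASE_HOST: postgres
      IDENTITY_DATABASE_PORT: "5432"
      IDENTITY_DATABASE_NAME: ${POSTGRES_DB}
      IDENTITY_DATABASE_USERNAME: ${POSTGRES_USER}
      IDENTITY_DATABASE_PASSWORD: ${POSTGRES_PASSWORD}
      # NOTE(review): configprops + SHOW_VALUES=ALWAYS exposes the DB password and
      # client secret set here, unredacted, to anything reaching the actuator port.
      management.endpoints.web.exposure.include: health,configprops
      management.endpoint.health.probes.enabled: "true"
      MANAGEMENT_ENDPOINT_CONFIGPROPS_SHOW_VALUES: ALWAYS
      SPRING_PROFILES_ACTIVE: oidc
      CAMUNDA_IDENTITY_TYPE: GENERIC
      CAMUNDA_IDENTITY_ISSUER: ${IDM_URL}
      CAMUNDA_IDENTITY_ISSUER_BACKEND_URL: ${IDM_URL}
      CAMUNDA_IDENTITY_CLIENT_ID: ${CAMUNDA_IDENTITY_CLIENT_ID}
      CAMUNDA_IDENTITY_CLIENT_SECRET: ${CAMUNDA_IDENTITY_CLIENT_SECRET}
      CAMUNDA_IDENTITY_AUDIENCE: camunda-api-audience
      CAMUNDA_IDENTITY_AUTH_SCOPES: openid profile offline_access camunda-api-scope
      JAVA_TOOL_OPTIONS: "-Djavax.net.ssl.trustStore=/opt/certs/customTrustStore.jks -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.trustStoreType=JKS"
    healthcheck:
      # Probes 8082, not SERVER_PORT — presumably the separate management port; confirm.
      test: ["CMD", "wget", "-q", "--tries=1", "--spider", "http://localhost:8082/actuator/health"]
      interval: 15s
      timeout: 60s
      retries: 30
      start_period: 60s
    restart: unless-stopped
    volumes:
      - "/app/camunda/customTrustStore.jks:/opt/certs/customTrustStore.jks:ro"
    networks:
      - camunda-platform
      - identity-network
    extra_hosts:
      - "host.docker.internal:host-gateway"

  # Postgres for Identity. Only identity needs it (identity-network), yet 5432 is
  # also published on the host; drop the ports block if host access is not needed.
  postgres:
    container_name: postgres
    image: postgres:${POSTGRES_VERSION}
    ports:
      - "5432:5432"
    environment:
      POSTGRES_DB: ${POSTGRES_DB}
      POSTGRES_USER: ${POSTGRES_USER}
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
    restart: unless-stopped
    healthcheck:
      # $$ defers expansion to the container's own environment.
      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
      interval: 10s
      timeout: 60s
      retries: 5
      start_period: 10s
    volumes:
      - postgres:/var/lib/postgresql/data
    networks:
      - identity-network
    extra_hosts:
      - "host.docker.internal:host-gateway"

  # Single-node Elasticsearch with security disabled. With 9200/9300 published,
  # the indices are reachable unauthenticated from anything that can reach this host.
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:${ELASTIC_VERSION}
    container_name: elasticsearch
    ports:
      - "9200:9200"
      - "9300:9300"
    environment:
      bootstrap.memory_lock: "true"
      discovery.type: single-node
      xpack.security.enabled: "false"
      cluster.routing.allocation.disk.threshold_enabled: "false"
      ES_JAVA_OPTS: "-Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    restart: unless-stopped
    healthcheck:
      test:
        [
          "CMD-SHELL",
          "curl -s http://localhost:9200/_cluster/health | grep -E '\"status\":\"(yellow|green)\"' || exit 1",
        ]
      interval: 30s
      timeout: 60s
      retries: 5
      start_period: 60s
    volumes:
      - elastic:/usr/share/elasticsearch/data
    networks:
      - camunda-platform
    extra_hosts:
      - "host.docker.internal:host-gateway"

  # Postgres for Web Modeler; not published on the host, reachable only on web-modeler.
  web-modeler-db:
    container_name: web-modeler-db
    image: postgres:${POSTGRES_VERSION}
    pull_policy: never
    restart: on-failure
    healthcheck:
      # Interpolated by Compose at parse time (contrast the $$ form used for postgres).
      test: ["CMD", "pg_isready", "-d", "${WEBMODELER_DB_NAME}", "-U", "${WEBMODELER_DB_USER}"]
      interval: 10s
      timeout: 5s
      retries: 5
      start_period: 10s
    environment:
      POSTGRES_DB: ${WEBMODELER_DB_NAME}
      POSTGRES_USER: ${WEBMODELER_DB_USER}
      POSTGRES_PASSWORD: ${WEBMODELER_DB_PASSWORD}
    networks:
      - web-modeler
    extra_hosts:
      - "host.docker.internal:host-gateway"
    volumes:
      - postgres-web:/var/lib/postgresql/data

  # Web Modeler REST API under /modeler-api; validates tokens issued by ${IDM_URL}.
  web-modeler-restapi:
    container_name: web-modeler-restapi
    image: camunda/web-modeler-restapi:${CAMUNDA_WEB_MODELER_VERSION}
    pull_policy: never
    restart: on-failure
    depends_on:
      web-modeler-db:
        condition: service_healthy
      identity:
        condition: service_healthy
    healthcheck:
      test: ["CMD", "wget", "-O-", "--no-verbose", "--tries=1", "http://localhost:8091/health/readiness"]
      interval: 30s
      timeout: 5s
      retries: 5
      start_period: 60s
    environment:
      SERVER_SERVLET_CONTEXT_PATH: /modeler-api
      RESTAPI_SERVER_URL: http://${HOST}/modeler
      LOGGING_LEVEL_IO_CAMUNDA_MODELER: DEBUG
      CAMUNDA_IDENTITY_BASEURL: http://identity:8084/
      CAMUNDA_IDENTITY_AUDIENCE: web-modeler
      CAMUNDA_IDENTITY_AUTH_SCOPES: openid profile roles offline_access GovernmentDelegationSystemAPI web-modeler
      SPRING_DATASOURCE_URL: jdbc:postgresql://web-modeler-db:5432/${WEBMODELER_DB_NAME}
      SPRING_DATASOURCE_USERNAME: ${WEBMODELER_DB_USER}
      SPRING_DATASOURCE_PASSWORD: ${WEBMODELER_DB_PASSWORD}
      SPRING_PROFILES_INCLUDE: default-logging
      RESTAPI_PUSHER_HOST: web-modeler-websockets
      RESTAPI_PUSHER_PORT: "8060"
      RESTAPI_PUSHER_APP_ID: ${WEBMODELER_PUSHER_APP_ID}
      RESTAPI_PUSHER_KEY: ${WEBMODELER_PUSHER_KEY}
      RESTAPI_PUSHER_SECRET: ${WEBMODELER_PUSHER_SECRET}
      RESTAPI_OAUTH2_TOKEN_ISSUER: ${IDM_URL}
      RESTAPI_OAUTH2_TOKEN_ISSUER_BACKEND_URL: ${IDM_URL}
      RESTAPI_OAUTH2_TOKEN_CLAIM_USERNAME: preferred_username
      CAMUNDA_MODELER_SECURITY_JWT_AUDIENCE_INTERNAL_API: web-modeler
      CAMUNDA_MODELER_SECURITY_JWT_AUDIENCE_PUBLIC_API: web-modeler-api
      RESTAPI_OAUTH2_TOKEN_AUDIENCE: web-modeler
      RESTAPI_OAUTH2_SCOPES: openid profile email offline_access web-modeler
      RESTAPI_MAIL_HOST: mailpit
      RESTAPI_MAIL_PORT: "1025"
      RESTAPI_MAIL_ENABLE_TLS: "false"
      RESTAPI_MAIL_FROM_ADDRESS: ${WEBMODELER_MAIL_FROM_ADDRESS}
      CAMUNDA_MODELER_CLUSTERS_0_ID: "local-orchestration"
      CAMUNDA_MODELER_CLUSTERS_0_NAME: "Local Orchestration instance"
      CAMUNDA_MODELER_CLUSTERS_0_VERSION: ${CAMUNDA_VERSION}
      CAMUNDA_MODELER_CLUSTERS_0_URL_GRPC: grpc://orchestration:26500
      CAMUNDA_MODELER_CLUSTERS_0_URL_REST: http://orchestration:8080
      CAMUNDA_MODELER_CLUSTERS_0_URL_WEBAPP: http://localhost:8088
      CAMUNDA_MODELER_CLUSTERS_0_AUTHENTICATION: BEARER_TOKEN
      CAMUNDA_MODELER_CLUSTERS_0_AUTHORIZATIONS_ENABLED: ${RESOURCE_AUTHORIZATIONS_ENABLED}
      # NOTE(review): configprops + SHOW_VALUES=ALWAYS exposes the datasource
      # password and pusher secret set here, unredacted, on the actuator endpoint.
      management.endpoints.web.exposure.include: health,configprops
      management.endpoint.health.probes.enabled: "true"
      MANAGEMENT_ENDPOINT_CONFIGPROPS_SHOW_VALUES: ALWAYS
      JAVA_TOOL_OPTIONS: "-Xms512m -Xmx512m -Djavax.net.ssl.trustStore=/opt/certs/customTrustStore.jks -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.trustStoreType=JKS"
    networks:
      - web-modeler
      - camunda-platform
    volumes:
      - "/app/camunda/customTrustStore.jks:/opt/certs/customTrustStore.jks:ro"
    extra_hosts:
      - "host.docker.internal:host-gateway"

  # Web Modeler web app under /modeler; this is the container that sends the
  # browser authorization request whose scopes the question is about.
  web-modeler-webapp:
    container_name: web-modeler-webapp
    image: camunda/web-modeler-webapp:${CAMUNDA_WEB_MODELER_VERSION}
    pull_policy: never
    ports:
      - "8070:8070"
    restart: on-failure
    depends_on:
      web-modeler-restapi:
        condition: service_healthy
    healthcheck:
      test: ["CMD", "wget", "-O-", "--no-verbose", "--tries=1", "http://localhost:8071/health/readiness"]
      interval: 30s
      timeout: 5s
      retries: 5
      start_period: 30s
    environment:
      # Node trust for the IdP certificate (the JKS below only covers the JVM side).
      NODE_EXTRA_CA_CERTS: /opt/certs/idmCertPem.pem
      SERVER_SERVLET_CONTEXT_PATH: /modeler
      RESTAPI_URL: http://${HOST}/modeler-api
      SERVER_URL: http://${HOST}/modeler
      RESTAPI_HOST: web-modeler-restapi
      # Plain http; session cookies will not be marked secure unless TLS is terminated upstream.
      SERVER_HTTPS_ONLY: "false"
      PUSHER_APP_ID: ${WEBMODELER_PUSHER_APP_ID}
      PUSHER_KEY: ${WEBMODELER_PUSHER_KEY}
      PUSHER_SECRET: ${WEBMODELER_PUSHER_SECRET}
      PUSHER_HOST: web-modeler-websockets
      PUSHER_PORT: "8060"
      CLIENT_PUSHER_HOST: localhost
      CLIENT_PUSHER_PORT: "8060"
      CLIENT_PUSHER_FORCE_TLS: "false"
      CLIENT_PUSHER_KEY: ${WEBMODELER_PUSHER_KEY}
      OAUTH2_CLIENT_ID: ${CAMUNDA_WEB_MODELER_CLIENT_ID}
      OAUTH2_CLIENT_SECRET: ${CAMUNDA_WEB_MODELER_CLIENT_SECRET}
      OAUTH2_JWKS_URL: ${IDM_URL}/.well-known/openid-configuration/jwks
      OAUTH2_TOKEN_AUDIENCE: web-modeler
      OAUTH2_TOKEN_ISSUER: ${IDM_URL}
      # Scope overrides tried so far; none of these names changed the request
      # (webapp still asks for "openid profile email"), so they stay disabled.
      # OAUTH2_SCOPE: openid profile email offline_access web-modeler
      # OAUTH2_SCOPES: openid profile email offline_access web-modeler
      # CAMUNDA_IDENTITY_AUTH_SCOPES: openid profile email offline_access web-modeler
      # OIDC_SCOPES: openid profile email offline_access web-modeler
      CAMUNDA_IDENTITY_USERNAMECLAIM: preferred_username
      IDENTITY_BASE_URL: http://identity:8084/
      PLAY_ENABLED: "true"
      JAVA_TOOL_OPTIONS: "-Xms512m -Xmx512m -Djavax.net.ssl.trustStore=/opt/certs/customTrustStore.jks -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.trustStoreType=JKS"
    networks:
      - web-modeler
      - camunda-platform
    volumes:
      - "/app/camunda/customTrustStore.jks:/opt/certs/customTrustStore.jks:ro"
      - "/app/camunda/idmCertPem.pem:/opt/certs/idmCertPem.pem:ro"
    extra_hosts:
      - "host.docker.internal:host-gateway"

  # WebSockets (pusher) backend for Web Modeler; APP_DEBUG is on.
  web-modeler-websockets:
    container_name: web-modeler-websockets
    image: camunda/web-modeler-websockets:${CAMUNDA_WEB_MODELER_VERSION}
    pull_policy: never
    ports:
      - "8060:8060"
    restart: on-failure
    healthcheck:
      test: ["CMD", "wget", "-q", "--tries=1", "--spider", "http://127.0.0.1:8060/up"]
      interval: 30s
      timeout: 5s
      retries: 5
      start_period: 30s
    environment:
      APP_NAME: "Web Modeler Self-Managed WebSockets"
      APP_DEBUG: "true"
      PUSHER_APP_ID: ${WEBMODELER_PUSHER_APP_ID}
      PUSHER_APP_KEY: ${WEBMODELER_PUSHER_KEY}
      PUSHER_APP_SECRET: ${WEBMODELER_PUSHER_SECRET}
    networks:
      - web-modeler
    extra_hosts:
      - "host.docker.internal:host-gateway"

volumes:
  orchestration:
  elastic:
  postgres:
  postgres-web:

networks:
  camunda-platform:
  identity-network:
  web-modeler: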