Camunda8 GraphQL API get active tasks list

valiu · July 16, 2022, 9:06am

Hi,
As in my projects in Camunda 7 I want to create my own Tasklist application.
In Camunda 7 there are an API to get the active tasks per process instances.
In Camunda 8 I think the corresponding API is the GrahpQL API.
As per documentation, any request to GraphQL must have a token sent as Bearer.
I tried to get one access token as here:

But I get 415 Unsupported Media Type even the ContentType is application/json in the request.
I searched everywhere but no solution.

My stack is a self-managed docker-compose Camunda8.

Does anyone has an idea?
Thanks,
Valentin

ralfpuchert · July 18, 2022, 8:29am

Hi @valiu ,

Do you use Identity for authorization? And which version of Camunda 8 are you using?
Can you provide the docker-compose file?

Thanks in advance,

Ralf

valiu · July 18, 2022, 8:38am

Hi @ralfpuchert

I use docker-compose.yaml from camunda-platform/docker-compose.yaml at main · camunda/camunda-platform · GitHub modified according Camunda 8 Self Managed docker compose keycloak not start - #7 by valiu

I am on MacOS 12.4 Intel CoreI7 with Docker Desktop 4.9.1

Thanks,
Valentin

ralfpuchert · July 18, 2022, 12:23pm

Hi @valiu,

I tried with the given docker-compose file. I needed to wait some time until all apps were available.
I get only a response if I give Tasklist at least read permissions:

These were my steps:

Start the application stack: docker-compose up
Checked if Tasklist (http://localhost:8082/) and Identity (http://localhost:8084/) are running by accessing the webpages (demo/demo)
Add read permission to “Tasklist” application ← my observation
Get a token for Tasklist from Identity with curl:

curl --location --request POST 'http://localhost:18080/auth/realms/camunda-platform/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=tasklist' \
--data-urlencode 'client_secret=XALaRPl5qwTEItdwCMiPS62nVpKs7dL7' \
--data-urlencode 'grant_type=client_credentials'

Result:

{"access_token":"eyJ...uIlkIkbVg","expires_in":300,"refresh_expires_in":0,"token_type":"Bearer","not-before-policy":0,"scope":"email profile"}

Use the access_token for getting all tasks:

curl --location --request POST 'http://localhost:8082/graphql' \
--header 'Authorization: Bearer eyJh.....IlkIkbVg' \
--header 'Content-Type: application/json' \
--data-raw '{"query":"{\n  tasks(query: {}) {\n    name\n    id\n  }\n}","variables":{}}'

Result:

{
  "data" : {
    "tasks" : [ ]
  }
}

Side note:
If you use Postman (my guess due to the screenshot), you can use the Authorization tab and select Bearer Token and then paste your token:

Maybe this helps you. If not please show me your procedure to use the Tasklist API.

Thanks.
Best regards,
Ralf

valiu · July 18, 2022, 4:30pm

Hi @ralfpuchert

the application stack is up
Tasklist and Identity are running
I cannot give “Tasklist application” read permission on “Tasklist API” because the button “Add permission” are not displayed

The “Tasklist API” has read and write permission declared:

ralfpuchert · July 19, 2022, 7:02am

Hi @valiu ,
The permission tab should be available from Identity version 8.0.4 on.
How do you get a token exactly? Do you use the URL http://localhost:18080/auth/realms/camunda-platform/protocol/openid-connect/token?

Regards

valiu · July 19, 2022, 7:26am

Hi @ralfpuchert

Yes, as you said above:
curl --location --request POST 'http://localhost:18080/auth/realms/camunda-platform/protocol/openid-connect/token' --header 'Content-Type: application/x-www-form-urlencoded' --data-urlencode 'client_id=tasklist' --data-urlencode 'client_secret=XALaRPl5qwTEItdwCMiPS62nVpKs7dL7' --data-urlencode 'grant_type=client_credentials'

The response is:
{"error":"unauthorized_client","error_description":"Client not enabled to retrieve service account"}

Thanks,

valiu · July 19, 2022, 9:42am

Hi @ralfpuchert

I give it a try with camunda 8.0.4 and it works
Thanks for the hint with the read permission on Tasklist API.

So,

I downloaded camunda 8.0.4 docker-compose from GitHub - camunda/camunda-platform: Camunda Platform 8
docker compose -f docker-compose.yaml up -d
add read permission to “Tasklist” application, as you said above:

image1551×391 25.3 KB
get tasklist access token:

image1982×1406 482 KB
run a graphql query:

image1974×1396 236 KB

Best regards,
Valentin

ralfpuchert · July 20, 2022, 8:09am

Hi @valiu

Thanks for letting me know. Good to hear.
Do you think there is something in the documentation which can be improved? Did you miss information?

Best regards,
Ralf

valiu · July 20, 2022, 10:21am

Hi @ralfpuchert

First, in the Identity component of (GitHub - camunda/camunda-platform: Camunda Platform 8) the Tasklist application I think it should be configured by default with read and write permission on the “Tasklist API”.

Then, here (Authentication | Camunda Platform 8) to the paragraph "2. Add permissions to an application for Tasklist API. " I think it should be added "Make sure that the GraphQL queries need read permission on "Tasklist API" and the mutations needs write permission"

Regards,
Valentin

ralfpuchert · July 20, 2022, 12:51pm

Thank you @valiu ! I’ll include your suggestions in an issue for documentation.

Regards,
Ralf