Camunda8 GraphQL API get active tasks list

Hi,
As in my projects in Camunda 7, I want to create my own Tasklist application.
In Camunda 7 there is an API to get the active tasks per process instance.
In Camunda 8 I think the corresponding API is the GraphQL API.
As per documentation, any request to GraphQL must have a token sent as Bearer.
I tried to get one access token as here:

But I get 415 Unsupported Media Type even though the Content-Type is application/json in the request.
I searched everywhere but found no solution.

My stack is a self-managed docker-compose Camunda8.

Does anyone have an idea?
Thanks,
Valentin

Hi @valiu ,

Do you use Identity for authorization? And which version of Camunda 8 are you using?
Can you provide the docker-compose file?

Thanks in advance,

Ralf

Hi @ralfpuchert

I use docker-compose.yaml from camunda-platform/docker-compose.yaml at main · camunda/camunda-platform · GitHub, modified according to Camunda 8 Self Managed docker compose keycloak not start - #7 by valiu

I am on MacOS 12.4 Intel CoreI7 with Docker Desktop 4.9.1

Thanks,
Valentin

Hi @valiu,

I tried with the given docker-compose file. I needed to wait some time until all apps were available.
I get only a response if I give Tasklist at least read permissions:

These were my steps:

  1. Start the application stack: docker-compose up
  2. Checked if Tasklist (http://localhost:8082/) and Identity (http://localhost:8084/) are running by accessing the webpages (demo/demo)
  3. Add read permission to “Tasklist” application ← my observation
  4. Get a token for Tasklist from Identity with curl:
curl --location --request POST 'http://localhost:18080/auth/realms/camunda-platform/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=tasklist' \
--data-urlencode 'client_secret=XALaRPl5qwTEItdwCMiPS62nVpKs7dL7' \
--data-urlencode 'grant_type=client_credentials'

Result:

{"access_token":"eyJ...uIlkIkbVg","expires_in":300,"refresh_expires_in":0,"token_type":"Bearer","not-before-policy":0,"scope":"email profile"}
  5. Use the access_token for getting all tasks:
curl --location --request POST 'http://localhost:8082/graphql' \
--header 'Authorization: Bearer eyJh.....IlkIkbVg' \
--header 'Content-Type: application/json' \
--data-raw '{"query":"{\n  tasks(query: {}) {\n    name\n    id\n  }\n}","variables":{}}'

Result:

{
  "data" : {
    "tasks" : [ ]
  }
}

Side note:
If you use Postman (my guess due to the screenshot), you can use the Authorization tab and select Bearer Token and then paste your token:

Maybe this helps you. If not please show me your procedure to use the Tasklist API.

Thanks.
Best regards,
Ralf

1 Like
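
The two requests from the answer above (form-encoded token request, then JSON GraphQL request with the Bearer token), as an added example that is not part of the original thread and not Camunda's own code. The environment variable name `TASKLIST_CLIENT_SECRET` and the 30-second refresh margin are assumptions; the URLs, client id and query are the ones shown in the curl commands.

```python
import json
import os
import time
import urllib.error
import urllib.parse
import urllib.request

# Endpoints as used in the thread's docker-compose setup.
TOKEN_URL = ("http://localhost:18080/auth/realms/camunda-platform"
             "/protocol/openid-connect/token")
GRAPHQL_URL = "http://localhost:8082/graphql"
TASKS_QUERY = "{ tasks(query: {}) { name id } }"

def build_token_request(client_id, client_secret):
    # The token endpoint is called with a form-encoded body, not JSON.
    form = urllib.parse.urlencode({"client_id": client_id,
                                   "client_secret": client_secret,
                                   "grant_type": "client_credentials"})
    return urllib.request.Request(
        TOKEN_URL, data=form.encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})

def parse_token_response(body, now=None):
    # Returns (access_token, refresh_at_epoch); raises on an OAuth error body
    # such as {"error": "unauthorized_client", ...}.
    doc = json.loads(body)
    if "error" in doc:
        raise PermissionError(f"{doc['error']}: {doc.get('error_description', '')}")
    now = time.time() if now is None else now
    return doc["access_token"], now + doc["expires_in"] - 30  # assumed margin

def build_tasks_request(access_token):
    # The GraphQL endpoint takes a JSON body plus the Bearer token.
    payload = json.dumps({"query": TASKS_QUERY, "variables": {}}).encode()
    return urllib.request.Request(
        GRAPHQL_URL, data=payload, method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"})

if __name__ == "__main__":
    # Assumed variable name; keeps the client secret out of scripts and history.
    secret = os.environ["TASKLIST_CLIENT_SECRET"]
    try:
        with urllib.request.urlopen(build_token_request("tasklist", secret)) as r:
            body = r.read()
    except urllib.error.HTTPError as e:
        body = e.read()  # OAuth errors arrive with a 4xx status and a JSON body
    token, _ = parse_token_response(body)
    with urllib.request.urlopen(build_tasks_request(token)) as r:
        print(json.load(r)["data"]["tasks"])
```

The token in the thread expires after 300 seconds, so a long-running Tasklist client should request a new one once the returned refresh time has passed.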

Hi @ralfpuchert

  1. the application stack is up
  2. Tasklist and Identity are running
  3. I cannot give “Tasklist application” read permission on “Tasklist API” because the button “Add permission” is not displayed

The “Tasklist API” has read and write permission declared:

Hi @valiu ,
The permission tab should be available from Identity version 8.0.4 on.
How do you get a token exactly? Do you use the URL http://localhost:18080/auth/realms/camunda-platform/protocol/openid-connect/token?

Regards

Hi @ralfpuchert

Yes, as you said above:
curl --location --request POST 'http://localhost:18080/auth/realms/camunda-platform/protocol/openid-connect/token' --header 'Content-Type: application/x-www-form-urlencoded' --data-urlencode 'client_id=tasklist' --data-urlencode 'client_secret=XALaRPl5qwTEItdwCMiPS62nVpKs7dL7' --data-urlencode 'grant_type=client_credentials'

The response is:
{"error":"unauthorized_client","error_description":"Client not enabled to retrieve service account"}

Thanks,

Hi @ralfpuchert

I gave it a try with Camunda 8.0.4 and it works 🙂
Thanks for the hint with the read permission on Tasklist API.

So,

Best regards,
Valentin

1 Like

Hi @valiu

Thanks for letting me know. Good to hear.
Do you think there is something in the documentation which can be improved? Did you miss information?

Best regards,
Ralf

Hi @ralfpuchert

First, in the Identity component of (GitHub - camunda/camunda-platform: Camunda Platform 8), I think the Tasklist application should be configured by default with read and write permission on the “Tasklist API”.

Then, here (Authentication | Camunda Platform 8), to the paragraph "2. Add permissions to an application for Tasklist API." I think it should be added: "Make sure that the GraphQL queries need read permission on "Tasklist API" and the mutations need write permission"

Regards,
Valentin

1 Like

Thank you @valiu ! I’ll include your suggestions in an issue for documentation.

Regards,
Ralf