Hi,
As in my projects in Camunda 7, I want to create my own Tasklist application.
In Camunda 7 there is an API to get the active tasks per process instance.
In Camunda 8 I think the corresponding API is the GraphQL API.
As per documentation, any request to GraphQL must have a token sent as Bearer.
I tried to get one access token as here: https://docs.camunda.io/docs/apis-clients/tasklist-api/overview/
I tried with the given docker-compose file. I needed to wait some time until all apps were available.
I get only a response if I give Tasklist at least read permissions:
Yes, as you said above:
curl --location --request POST 'http://localhost:18080/auth/realms/camunda-platform/protocol/openid-connect/token' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'client_id=tasklist' \
  --data-urlencode 'client_secret=XALaRPl5qwTEItdwCMiPS62nVpKs7dL7' \
  --data-urlencode 'grant_type=client_credentials'
The response is:
{"error":"unauthorized_client","error_description":"Client not enabled to retrieve service account"}
First, in the Identity component of (GitHub - camunda/camunda-platform: Camunda Platform 8), I think the Tasklist application should be configured by default with read and write permissions on the “Tasklist API”.
Then, here (Authentication | Camunda Platform 8), in the paragraph "2. Add permissions to an application for Tasklist API.", I think it should be added: "Make sure that the GraphQL queries need read permission on "Tasklist API" and the mutations need write permission".
Any plans to implement the suggestions above? I’m struggling to configure the read/write permissions in Identity for applications from the config file, but I’m not able to find anything about this.
More specifically, I’m trying to add read/write permissions for the Tasklist API to the Tasklist application from the config file, to make it persistent across container recreation, but I cannot find any way of doing it. Any suggestions?
Could you describe how you want to configure it? Maybe you could put a snippet from your config file here. Generally the permissions are given in the Identity application. Tasklist validates these in combination with the user info.
I’m actually trying to find a way to give the Tasklist client access to the Tasklist API without interacting with the Identity console - maybe through a config file or smth?
The reason behind it is that with every Identity container recreation I need to manually go into the console and assign permissions, which is messing with the automated API testing.
Unfortunately, assigning permissions to applications via configuration is not currently supported. We have a task on our board to move towards adding this support, but I am unable to say when this will be delivered.
Although I’m not aware of your testing setup, one thought would be that the Keycloak image in the docker compose file you shared relies on an in-memory database, which could explain why you experience having to assign the permissions repeatedly.
An alternative is to either use a database with the current image (which will provide persistence), or use an alternative image (such as the image used in the Camunda Platform Helm charts, which requires a database).
An example of the updated Keycloak service and accompanying Postgres: