Camunda8 GraphQL API get active tasks list

Hi,
As in my projects in Camunda 7, I want to create my own Tasklist application.
In Camunda 7 there is an API to get the active tasks per process instance.
In Camunda 8 I think the corresponding API is the GraphQL API.
As per documentation, any request to GraphQL must have a token sent as Bearer.
I tried to get one access token as here:
https://docs.camunda.io/docs/apis-clients/tasklist-api/overview/

But I get 415 Unsupported Media Type even though the Content-Type is application/json in the request.
I searched everywhere but no solution.

My stack is a self-managed docker-compose Camunda8.

Does anyone have an idea?
Thanks,
Valentin

Hi @valiu ,

Do you use Identity for authorization? And which version of Camunda 8 are you using?
Can you provide the docker-compose file?

Thanks in advance,

Ralf

Hi @ralfpuchert

I use docker-compose.yaml from camunda-platform/docker-compose.yaml at main · camunda/camunda-platform · GitHub, modified according to Camunda 8 Self Managed docker compose keycloak not start - #7 by valiu

I am on MacOS 12.4 Intel CoreI7 with Docker Desktop 4.9.1

Thanks,
Valentin

Hi @valiu,

I tried with the given docker-compose file. I needed to wait some time until all apps were available.
I get only a response if I give Tasklist at least read permissions:

These were my steps:

  1. Start the application stack: docker-compose up
  2. Checked if Tasklist (http://localhost:8082/) and Identity (http://localhost:8084/) are running by accessing the webpages (demo/demo)
  3. Add read permission to “Tasklist” application ← my observation
  4. Get a token for Tasklist from Identity with curl:
curl --location --request POST 'http://localhost:18080/auth/realms/camunda-platform/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=tasklist' \
--data-urlencode 'client_secret=XALaRPl5qwTEItdwCMiPS62nVpKs7dL7' \
--data-urlencode 'grant_type=client_credentials'

Result:

{"access_token":"eyJ...uIlkIkbVg","expires_in":300,"refresh_expires_in":0,"token_type":"Bearer","not-before-policy":0,"scope":"email profile"}

  5. Use the access_token for getting all tasks:
curl --location --request POST 'http://localhost:8082/graphql' \
--header 'Authorization: Bearer eyJh.....IlkIkbVg' \
--header 'Content-Type: application/json' \
--data-raw '{"query":"{\n  tasks(query: {}) {\n    name\n    id\n  }\n}","variables":{}}'

Result:

{
  "data" : {
    "tasks" : [ ]
  }
}

Side note:
If you use Postman (my guess due to the screenshot), you can use the Authorization tab and select Bearer Token and then paste your token:

Maybe this helps you. If not please show me your procedure to use the Tasklist API.

Thanks.
Best regards,
Ralf

1 Like
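
The two requests from the steps above as a small Python client, added here as an example and not part of the original post or of Camunda's code: the token request goes out form-encoded, the GraphQL query goes out as JSON with the Bearer token, and the token is reused until shortly before its `expires_in` runs out. `TasklistClient`, `http_post` and the 30-second margin are illustrative choices; the URLs and the query come from the curl commands.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

# Added example: TasklistClient and http_post are illustrative names.
TOKEN_URL = "http://localhost:18080/auth/realms/camunda-platform/protocol/openid-connect/token"
GRAPHQL_URL = "http://localhost:8082/graphql"

def http_post(url, headers, body):
    """Default transport: POST raw bytes, return (status, JSON object or {})."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            status, raw = resp.status, resp.read()
    except urllib.error.HTTPError as err:
        status, raw = err.code, err.read()
    # Error pages (for example a 415) are not always JSON.
    return status, (json.loads(raw) if raw.lstrip().startswith(b"{") else {})

class TasklistClient:
    def __init__(self, client_id, client_secret, post=http_post, clock=time.time):
        self.creds = {"client_id": client_id, "client_secret": client_secret,
                      "grant_type": "client_credentials"}
        self.post, self.clock, self.token, self.expires_at = post, clock, None, 0.0

    def access_token(self):
        # Reuse the cached token until 30 s before expires_in (300 s above) elapses.
        if self.token and self.clock() < self.expires_at - 30:
            return self.token
        # Token endpoint: form-encoded body, as in the curl command.
        status, body = self.post(TOKEN_URL, {"Content-Type": "application/x-www-form-urlencoded"},
                                 urllib.parse.urlencode(self.creds).encode())
        if status != 200 or "access_token" not in body:
            # Report only the OAuth error field, never the secret.
            raise RuntimeError(f"token request failed ({status}): {body.get('error')}")
        self.token, self.expires_at = body["access_token"], self.clock() + body.get("expires_in", 0)
        return self.token

    def tasks(self):
        # GraphQL endpoint: JSON body plus the Bearer token.
        headers = {"Authorization": f"Bearer {self.access_token()}", "Content-Type": "application/json"}
        payload = json.dumps({"query": "{ tasks(query: {}) { name id } }", "variables": {}})
        status, body = self.post(GRAPHQL_URL, headers, payload.encode())
        if status != 200 or body.get("errors"):
            raise RuntimeError(f"GraphQL request failed ({status}): {body.get('errors')}")
        return body["data"]["tasks"]
```

Read the client secret from the environment or a secret store when constructing `TasklistClient` instead of hard-coding it.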

Hi @ralfpuchert

  1. the application stack is up
  2. Tasklist and Identity are running
  3. I cannot give “Tasklist application” read permission on “Tasklist API” because the button “Add permission” is not displayed

The “Tasklist API” has read and write permission declared:

Hi @valiu ,
The permission tab should be available from Identity version 8.0.4 on.
How do you get a token exactly? Do you use the URL http://localhost:18080/auth/realms/camunda-platform/protocol/openid-connect/token?

Regards

Hi @ralfpuchert

Yes, as you said above:
curl --location --request POST 'http://localhost:18080/auth/realms/camunda-platform/protocol/openid-connect/token' --header 'Content-Type: application/x-www-form-urlencoded' --data-urlencode 'client_id=tasklist' --data-urlencode 'client_secret=XALaRPl5qwTEItdwCMiPS62nVpKs7dL7' --data-urlencode 'grant_type=client_credentials'

The response is:
{"error":"unauthorized_client","error_description":"Client not enabled to retrieve service account"}

Thanks,

Hi @ralfpuchert

I gave it a try with Camunda 8.0.4 and it works :)
Thanks for the hint with the read permission on Tasklist API.

So,

Best regards,
Valentin

1 Like

Hi @valiu

Thanks for letting me know. Good to hear.
Do you think there is something in the documentation which can be improved? Did you miss information?

Best regards,
Ralf

Hi @ralfpuchert

First, in the Identity component of (GitHub - camunda/camunda-platform: Camunda Platform 8) the Tasklist application I think it should be configured by default with read and write permission on the “Tasklist API”.

Then, here (Authentication | Camunda Platform 8) to the paragraph "2. Add permissions to an application for Tasklist API." I think it should be added: "Make sure that the GraphQL queries need read permission on "Tasklist API" and the mutations need write permission"

Regards,
Valentin

1 Like

Thank you @valiu ! I’ll include your suggestions in an issue for documentation.

Regards,
Ralf

Hey @ralfpuchert,

Any plans for implementing the suggestions above? I’m struggling to configure the read/write permissions in Identity for applications from the config file but I’m not able to find anything about this.
More specifically, I’m trying to add read/write permissions for Tasklist API in the Tasklist application from the config file to make it persistent across container recreation, but I cannot find any way of doing it. Any suggestions?

Regards,
Vlad

Hey @bulivlad,

Could you describe how you want to configure it? Maybe you could put a snippet from your config file here. Generally the permissions are given in the Identity application. Tasklist validates these in combination with the user info.

Regards,
Ralf

Hey @ralfpuchert ,

I’m using the docker file from GitHub and getting the following Identity configuration for Tasklist Application.

I’m actually trying to find a way to give Tasklist client access to Tasklist API without interacting with Identity console - maybe through a config file or smth?

The reason behind it is that with every Identity container recreation I need to manually go into the console and assign permissions - which is messing with the automated API testing :(

Thanks,
Vlad

Hi @bulivlad!

Unfortunately, assigning permissions to applications via configuration is not currently supported. We have a task on our board to move towards adding this support, but I am unable to say when this will be delivered.

Although I’m not aware of your testing setup, one thought would be that the Keycloak image in the docker compose file you shared relies on an in-memory database, which could explain why you experience having to assign the permissions repeatedly.

An alternative is to either use a database with the current image (which will provide persistence), or use an alternative image (such as the image used in the Camunda Platform Helm charts which requires a database).

An example of the updated Keycloak service and accompanying Postgres:

  postgres:
    container_name: keycloak-postgres
    image: postgres:14.5-alpine
    environment:
      POSTGRES_DB: bitnami_keycloak
      POSTGRES_USER: bn_keycloak
      POSTGRES_PASSWORD: <PASSWORD>
  keycloak:
    depends_on:
      - postgres
    container_name: keycloak
    image: bitnami/keycloak:16.1.1
    ports:
      - "18080:8080"
    environment:
      KEYCLOAK_DATABASE_HOST: keycloak-postgres
      KEYCLOAK_DATABASE_PASSWORD: <PASSWORD>
      KEYCLOAK_ADMIN_USER: admin
      KEYCLOAK_ADMIN_PASSWORD: admin
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:9990/health"]
      interval: 30s
      timeout: 15s
      retries: 5
      start_period: 30s

Hopefully this helps,

Ben