Connection with secured Camunda 8 fails

Hey,

we currently try to deploy a dummy model with the Modeler on a Camunda Platform 8.2.6, secured by Camunda Identity. The Zeebe Gateway is available on localhost:26500 with a Port Forward from Kubernetes (port 26500). Keycloak is available via an Ingress on https://camunda-keycloak-<redacted>. We can also receive the realm information on https://camunda-keycloak-<redacted>/realms/camunda-platform successfully.

Unfortunately, we keep getting “Unknown error. Please check Zeebe cluster status”.

In the logs of the Modeler we found the following:

ERROR app:zeebe-api Failed to connect with config (secrets omitted): {
  endpoint: {
    type: 'oauth',
    url: 'http://localhost:26500',
    clientId: 'localmodellerconnection',
    oauthURL: 'https://camunda-keycloak-<redacted>/realms/camunda-platform'
  }
} HTTPError: Response code 405 (Method Not Allowed)
    at Request.<anonymous> (<redacted>\camunda_modeler\resources\app.asar\node_modules\got\dist\source\as-promise\index.js:118:42)
    at process.processTicksAndRejections (node:internal/process/task_queues:96:5) {
  code: 'ERR_NON_2XX_3XX_RESPONSE',
  timings: {
    start: 1686302149447,
    socket: 1686302149448,
    lookup: 1686302149488,
    connect: 1686302149509,
    secureConnect: 1686302149557,
    upload: 1686302149557,
    response: 1686302149579,
    end: 1686302149579,
    error: undefined,
    abort: undefined,
    phases: {
      wait: 1,
      dns: 40,
      tcp: 21,
      tls: 48,
      request: 0,
      firstByte: 22,
      download: 0,
      total: 132
    }
  }
}

Error in Modeler UI:

Application API access:

Application:

It seems like the error 405 (Method not allowed) comes from Keycloak. Do you have any idea how to fix this?

Kind regards, Florian

I enabled the debugging flags in the latest Modeler version 5.12.0:

2023-06-14T14:42:31.900Z oauth Requesting token from token endpoint...
ERROR app:zeebe-api Failed to connect with config (secrets omitted): {
  endpoint: {
    type: 'oauth',
    url: 'http://localhost:26500',
    clientId: 'localmodellerconnection',
    oauthURL: '<redacted>/realms/camunda-platform'
  }
} HTTPError: Response code 405 (Method Not Allowed)
    at Request.<anonymous> (<redacted>\camunda_modeler\resources\app.asar\node_modules\got\dist\source\as-promise\index.js:118:42)
    at process.processTicksAndRejections (node:internal/process/task_queues:96:5) {
  code: 'ERR_NON_2XX_3XX_RESPONSE',
  timings: {
    start: 1686753751906,
    socket: 1686753751906,
    lookup: 1686753751907,
    connect: 1686753751918,
    secureConnect: 1686753751930,
    upload: 1686753751930,
    response: 1686753751944,
    end: 1686753751944,
    error: undefined,
    abort: undefined,
    phases: {
      wait: 0,
      dns: 1,
      tcp: 11,
      tls: 12,
      request: 0,
      firstByte: 14,
      download: 0,
      total: 38
    }
  }
}

It seems like a call to Keycloak is failing with the 405. The connection to Zeebe itself seems to be working:

D 2023-06-14T14:42:02.704Z | subchannel_refcount | (11) 127.0.0.1:26500 refcount 0 -> 1
D 2023-06-14T14:42:02.704Z | subchannel_refcount | (10) ::1:26500 refcount 1 -> 2
D 2023-06-14T14:42:02.704Z | subchannel_refcount | (11) 127.0.0.1:26500 refcount 1 -> 2
D 2023-06-14T14:42:02.704Z | pick_first | Start connecting to subchannel with address ::1:26500
D 2023-06-14T14:42:02.704Z | pick_first | IDLE -> CONNECTING
D 2023-06-14T14:42:02.704Z | resolving_load_balancer | dns:localhost:26500 CONNECTING -> CONNECTING
D 2023-06-14T14:42:02.704Z | connectivity_state | (9) dns:localhost:26500 CONNECTING -> CONNECTING
D 2023-06-14T14:42:02.705Z | subchannel | (10) ::1:26500 IDLE -> CONNECTING
D 2023-06-14T14:42:02.705Z | pick_first | CONNECTING -> CONNECTING
D 2023-06-14T14:42:02.705Z | resolving_load_balancer | dns:localhost:26500 CONNECTING -> CONNECTING
D 2023-06-14T14:42:02.705Z | connectivity_state | (9) dns:localhost:26500 CONNECTING -> CONNECTING
D 2023-06-14T14:42:02.706Z | subchannel | (10) ::1:26500 CONNECTING -> READY
D 2023-06-14T14:42:02.706Z | pick_first | Pick subchannel with address ::1:26500
D 2023-06-14T14:42:02.706Z | pick_first | CONNECTING -> READY
D 2023-06-14T14:42:02.706Z | resolving_load_balancer | dns:localhost:26500 CONNECTING -> READY
D 2023-06-14T14:42:02.706Z | connectivity_state | (9) dns:localhost:26500 CONNECTING -> READY
D 2023-06-14T14:42:02.706Z | subchannel_refcount | (10) ::1:26500 refcount 2 -> 3
D 2023-06-14T14:42:02.706Z | subchannel_refcount | (10) ::1:26500 refcount 3 -> 2
D 2023-06-14T14:42:02.706Z | subchannel_refcount | (11) 127.0.0.1:26500 refcount 2 -> 1

Hello @floricdev ,

please try appending the actual token endpoint to the oauthurl:

realms/camunda-platform/protocol/openid-connect/token

I hope this helps

Jonathan
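
The fix from the answer above, as an added example that is not part of the original posts or of the Modeler's code: a preflight check that recognizes a bare Keycloak realm URL (which serves realm info on GET but, as the log shows, rejects the token POST with 405) and proposes the token endpoint. The host `keycloak.example.test`, the function names and the sample secret are assumptions made for illustration.

```javascript
// Added example: preflight check for the OAuth URL entered in the Modeler.
// Hosts used with it are constructed placeholders, not values from the thread.
const TOKEN_SUFFIX = '/protocol/openid-connect/token';

// Classify a configured OAuth URL and, for a bare realm URL, propose the
// token endpoint named in the answer above.
function checkOauthUrl(oauthURL) {
  let url;
  try {
    url = new URL(oauthURL);
  } catch {
    return { ok: false, reason: 'not-a-url', suggestion: null };
  }
  const path = url.pathname.replace(/\/+$/, '');
  if (path.endsWith(TOKEN_SUFFIX)) {
    return { ok: true, reason: 'token-endpoint', suggestion: null };
  }
  // Bare realm URL: answers GET with realm info, rejects the token POST (405).
  if (/\/realms\/[^/]+$/.test(path)) {
    url.pathname = path + TOKEN_SUFFIX;
    return { ok: false, reason: 'realm-base-url', suggestion: url.toString() };
  }
  return { ok: false, reason: 'unrecognized-path', suggestion: null };
}

// Describe the client-credentials request a client sends to the token
// endpoint. Nothing is sent here; `audience` is optional.
function buildTokenRequest(tokenURL, clientId, clientSecret, audience) {
  const form = new URLSearchParams({
    grant_type: 'client_credentials',
    client_id: clientId,
    client_secret: clientSecret
  });
  if (audience) form.set('audience', audience);
  return {
    method: 'POST',
    url: tokenURL,
    headers: { 'content-type': 'application/x-www-form-urlencoded' },
    body: form.toString()
  };
}
```

Because the request body carries the client secret, the token URL should stay on HTTPS, as the Keycloak Ingress in this thread already is.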

Thanks a lot. This worked perfectly.

I think it would really help to add this to your documentation.

Thanks a lot.

Kind regards, Florian

Hi @floricdev ,

added this one here: Replace interceptor link with hint to add full oauth url by jonathanlukas · Pull Request #2265 · camunda/camunda-platform-docs · GitHub

Jonathan

Thanks Jonathan,

to be honest, I completely missed this part with the interceptor. But this value should help. :slight_smile:
