Hello,
I’m trying to set up a self-hosted environment of Camunda for development, but I ran into some issues/questions.
(I am using the camunda/camunda-platform GitHub docker-compose for it (version 8.5).)
I know that Keycloak can be excluded when I use my own OIDC provider. But is Identity needed?
I’ve found different statements about it, in forum topics:
"Identity 8.4.3 - Failing to connect to an OpenID Connect provider - Microsoft Entra ID". This one was written on Feb 22: “When using a custom OIDC provider, Identity isn’t needed at all. You don’t need to start that container/pod.”
"Identity: What is the purpose?" (May 28). Here it states: “I think the simplest way to think of Identity is that it acts as the glue between an OIDC provider (Keycloak by default, but supports others) and the rest of the Camunda stack.”
So is it needed or not?
If it is needed, how can I configure it in the docker-compose file so that it uses my own provider instead of Keycloak?
I’ve tried to paste and fill in these environment variables somewhere in the docker-compose file (Connect to an OpenID Connect provider | Camunda 8 Docs).
But it’s not clear. In which service(s) do I need to use them? If I copied them into the identity service, it still tried to connect to Keycloak; there seems to be no option to change that.
CAMUNDA_IDENTITY_TYPE=GENERIC
CAMUNDA_IDENTITY_BASE_URL=<IDENTITY_URL>
CAMUNDA_IDENTITY_ISSUER=<URL_OF_ISSUER>
CAMUNDA_IDENTITY_ISSUER_BACKEND_URL=<URL_OF_ISSUER> // this is used for container-to-container communication
CAMUNDA_IDENTITY_CLIENT_ID=<Client ID from Step 2>
CAMUNDA_IDENTITY_CLIENT_SECRET=<Client secret from Step 2>
CAMUNDA_IDENTITY_AUDIENCE=<Audience from Step 2>
IDENTITY_INITIAL_CLAIM_NAME=<Initial claim name if not using the default "oid">
IDENTITY_INITIAL_CLAIM_VALUE=<Initial claim value>
When I tried the Camunda stack without Identity and Keycloak, the closest I could get was this: when I tried to open the Operate page, my custom OIDC provider’s login page came up. I logged in, but after it called back the http://localhost:8081/identity-callback URL, Operate gave me a "no permission" page. In the log it throws a 404 error, without an error body. It’s unclear to me what caused this 404 error.
I feel that the docker-compose part of this custom OIDC provider is not documented well enough.
Please help me with some instruction or docs on how to connect it correctly.
Thanks in advance,
Bence