Entra as OID, identity startup issue

Camunda 8 Topics Discussion & Questions
1

Hello All,

I would like to get some help regarding to changing from Keycloak authentication to Entra authentication.
We started this journey by changing the related identity configuration based on the documentation: Connect to an OpenID Connect provider | Camunda 8 Docs
Stack: Self-managed Enterprise version
Deployed to Kubernetes via Helm chart (version: 10.2.0)
(Identity postgresql database does not freshly set up, this state used when keycloak auth used)

Filled out the new values.yaml as below:

auth:
  enabled: true

  issuer: "https://login.microsoftonline.com/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/v2.0"
  issuerBackendUrl: "https://login.microsoftonline.com/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/v2.0"
  tokenUrl: "https://login.microsoftonline.com/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/oauth2/v2.0/token"
  jwksUrl: "https://login.microsoftonline.com/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/discovery/v2.0/keys"
  type: "MICROSOFT"
  publicIssuerUrl: "https://login.microsoftonline.com/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/v2.0"

  connectors:
    clientId: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    existingSecret: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

  identity:
    clientId: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    audience: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    existingSecret: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    redirectUrl: "https://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/identity/auth/login-callback"
    initialClaimName: "oid"
    initialClaimValue: "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"

  operate:
    clientId: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    audience: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    existingSecret: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    redirectUrl: "https://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/operate/identity-callback"

  tasklist:
    clientId: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    audience: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    existingSecret: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    redirectUrl: "https://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/tasklist/identity-callback"

  optimize:
    clientId: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    audience: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    existingSecret: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    redirectUrl: "https://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/optimize/api/authentication/callback"

  webModeler:
    clientId: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    clientApiAudience: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    publicApiAudience: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    redirectUrl: "https://webmodeler.XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/login-callback"

  console:
    clientId: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    audience: console-api
    wellKnown: #https://well-known-uri
    existingSecret: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    redirectUrl: "https://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/console"
    audience: console-api

  zeebe:
    clientId: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    existingSecret: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    audience: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    tokenScope: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/.default

As point of identity, the error message looks like (miss some AuthorizationService related configuration):

Description:

Parameter 3 of constructor in io.camunda.identity.controller.AuthorizationController required a bean of type 'io.camunda.identity.service.AuthorizationService' that could not be found.

Action:
Consider defining a bean of type 'io.camunda.identity.service.AuthorizationService' in your configuration.