Hello All,
I would like to get some help regarding changing from Keycloak authentication to Entra authentication.
We started this journey by changing the related identity configuration based on the documentation: Connect to an OpenID Connect provider | Camunda 8 Docs
Stack: Self-managed Enterprise version
Deployed to Kubernetes via Helm chart (version: 10.2.0)
(The Identity PostgreSQL database was not freshly set up; it is in the state it was in when Keycloak auth was used.)
Filled out the new values.yaml as below:
auth:
  enabled: true
  issuer: "https://login.microsoftonline.com/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/v2.0"
  issuerBackendUrl: "https://login.microsoftonline.com/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/v2.0"
  tokenUrl: "https://login.microsoftonline.com/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/oauth2/v2.0/token"
  jwksUrl: "https://login.microsoftonline.com/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/discovery/v2.0/keys"
  type: "MICROSOFT"
  publicIssuerUrl: "https://login.microsoftonline.com/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/v2.0"
  connectors:
    clientId: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    existingSecret: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  identity:
    clientId: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    audience: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    existingSecret: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    redirectUrl: "https://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/identity/auth/login-callback"
    initialClaimName: "oid"
    initialClaimValue: "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
  operate:
    clientId: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    audience: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    existingSecret: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    redirectUrl: "https://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/operate/identity-callback"
  tasklist:
    clientId: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    audience: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    existingSecret: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    redirectUrl: "https://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/tasklist/identity-callback"
  optimize:
    clientId: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    audience: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    existingSecret: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    redirectUrl: "https://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/optimize/api/authentication/callback"
  webModeler:
    clientId: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    clientApiAudience: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    publicApiAudience: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    redirectUrl: "https://webmodeler.XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/login-callback"
  console:
    clientId: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    audience: console-api
    wellKnown: #https://well-known-uri
    existingSecret: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    redirectUrl: "https://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/console"
    audience: console-api
  zeebe:
    clientId: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    existingSecret: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    audience: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    tokenScope: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/.default
From Identity's side, the error message looks like this (some AuthorizationService-related configuration is missing):
Description:
Parameter 3 of constructor in io.camunda.identity.controller.AuthorizationController required a bean of type 'io.camunda.identity.service.AuthorizationService' that could not be found.
Action:
Consider defining a bean of type 'io.camunda.identity.service.AuthorizationService' in your configuration.