Expected valid client id but none was provided

Rabeb_Abid · May 12, 2025, 1:28pm

i.c.z.client.impl.ZeebeCallCredentials : The request’s security level does not guarantee that the credentials will be confidential.

i use self-managed without indentity et authentication . camunda 8.7
application.yml :

camunda:
  client:
    mode: self-managed
    auth:
      path: /api/login
      username: demo
      password: demo
    zeebe:
      enabled: true
      prefer-rest-over-grpc: false
      audience: zeebe-api
      execution-threads: 5
      defaults:
        stream-enabled: false
      grpc-address: http://localhost:26500
      rest-address: http://localhost:5088

## Image versions ##
# renovate: datasource=docker depName=camunda/connectors-bundle
CAMUNDA_CONNECTORS_VERSION=8.7.0
# renovate: datasource=docker depName=camunda/zeebe
CAMUNDA_ZEEBE_VERSION=8.7.1
# renovate: datasource=docker depName=camunda/identity
CAMUNDA_IDENTITY_VERSION=8.7.0
# renovate: datasource=docker depName=camunda/operate
CAMUNDA_OPERATE_VERSION=8.7.1
# renovate: datasource=docker depName=camunda/tasklist
CAMUNDA_TASKLIST_VERSION=8.7.1
# renovate: datasource=docker depName=camunda/optimize
CAMUNDA_OPTIMIZE_VERSION=8.7.0
# renovate: datasource=docker depName=camunda/web-modeler-restapi
CAMUNDA_WEB_MODELER_VERSION=8.7.0
# renovate: datasource=docker depName=elasticsearch
ELASTIC_VERSION=8.17.5
KEYCLOAK_SERVER_VERSION=24.0.5
# renovate: datasource=docker depName=axllent/mailpit
MAILPIT_VERSION=v1.21.8
POSTGRES_VERSION=14.5-alpine
HOST=localhost
KEYCLOAK_HOST=localhost

## Configuration ##
# By default the zeebe api is public, when setting this to `identity` a valid zeebe client token is required
ZEEBE_AUTHENTICATION_MODE=none
ZEEBE_CLIENT_ID=zeebe
ZEEBE_CLIENT_SECRET=zecret

# Set to 'true' to enable resource based authorizations for users and groups
# This can be used to limit access for users or groups to view/update specific
# processes and decisions in Operate and Tasklist
RESOURCE_AUTHORIZATIONS_ENABLED=false

# Set to 'true' to enable multi-tenancy across all components
# This requires use of identity for authentication
#
#  ZEEBE_AUTHENTICATION_MODE=identity
#
MULTI_TENANCY_ENABLED=false

# Document store credentials
# DOCUMENT_DEFAULT_STORE_ID=...
# AWS_ACCESS_KEY_ID=...
# AWS_SECRET_ACCESS_KEY=...
# AWS_REGION=..
# DOCUMENT_STORE_AWS_BUCKET=...
# DOCUMENT_STORE_AWS_BUCKET_PATH=...
# DOCUMENT_STORE_AWS_CLASS=...

2025-05-12T14:21:38.520+01:00 WARN 19804 — [core] [ task-3] i.c.z.client.impl.ZeebeCallCredentials : The request’s security level does not guarantee that the credentials will be confidential.
2025-05-12T14:21:38.521+01:00 WARN 19804 — [core] [ task-9] i.c.z.client.impl.ZeebeCallCredentials : The request’s security level does not guarantee that the credentials will be confidential.
2025-05-12T14:21:38.521+01:00 WARN 19804 — [core] [ task-6] i.c.z.client.impl.ZeebeCallCredentials : The request’s security level does not guarantee that the credentials will be confidential.
2025-05-12T14:21:38.522+01:00 WARN 19804 — [core] [ task-1] i.c.z.client.impl.ZeebeCallCredentials : The request’s security level does not guarantee that the credentials will be confidential.
2025-05-12T14:21:38.522+01:00 WARN 19804 — [core] [ task-9] i.c.z.client.impl.ZeebeCallCredentials : The request’s security level does not guarantee that the credentials will be confidential.

main] z.s.c.c.CredentialsProviderConfiguration : Failed to configure credential provider

java.lang.IllegalArgumentException: java.lang.NullPointerException: Expected valid client id but none was provided.
at io.camunda.zeebe.client.impl.oauth.OAuthCredentialsProviderBuilder.validate(OAuthCredentialsProviderBuilder.java:261) ~[zeebe-client-java-8.7.1.jar:8.7.1]
at io.camunda.zeebe.client.impl.oauth.OAuthCredentialsProviderBuilder.build(OAuthCredentialsProviderBuilder.java:175) ~[zeebe-client-java-8.7.1.jar:8.7.1]
at io.camunda.zeebe.spring.client.configuration.CredentialsProviderConfiguration.camundaClientCredentialsProvider(CredentialsProviderConfiguration.java:57) ~[spring-boot-starter-camunda-sdk-8.7.1.jar:8.7.1]
at io.camunda.zeebe.spring.client.configuration.CredentialsProviderConfiguration$$SpringCGLIB$$0.CGLIB$camundaClientCredentialsProvider$0() ~[spring-boot-starter-camunda-sdk-8.7.1.jar:8.7.1]
at io.camunda.zeebe.spring.client.configuration.CredentialsProviderConfiguration$$SpringCGLIB$$FastClass$$1.invoke() ~[spring-boot-starter-camunda-sdk-8.7.1.jar:8.7.1]

GotnOGuts · May 12, 2025, 7:59pm

I believe that this is just a warning, being very very clear that since you are using http:// rather than https:// the data cannot be promised to be kept secure while in transit (ie. someone else could obtain your username and password)

However, the underlying report “Expected valid client ID but none was provided” indicates that somewhere things are still expecting OAuth / Identity configuration.

Rabeb_Abid · May 13, 2025, 7:32am

thank you , but how to fix this warning
i dont want to use OAuth / Identity configuration.

jonathan.lukas · June 23, 2025, 11:48am

Hello @Rabeb_Abid ,

the warning appears as the spring sdk as well as the underlying java client do only know OAuth or noop authentication.

Starting with 8.8, there will be an explicit auth method and the warning message will not be displayed anymore.

But for 8.7, the logic is that it will always try to build the Oauth credentials provider and if it fails, it will fall back to use the the noop implementation. But: It will still warn you so that a misconfiguration by mistake would be detected:

github.com

camunda/camunda/blob/stable/8.7/clients/spring-boot-starter-camunda-sdk/src/main/java/io/camunda/zeebe/spring/client/configuration/CredentialsProviderConfiguration.java#L59-L61


      
          LOG.warn(
              "Failed to configure oidc credential provider, falling back to use no authentication, cause: {}",
              e.getMessage());

I hope this helps.

Jonathan