Hi all, I am Abdullah from Saudi Arabia.
We are developing a very big government project and we want to use Camunda in it, but there is a problem we are facing that we would kindly like to solve as soon as possible, as the project is launching soon.
We integrated with Keycloak successfully by following these instructions:
We created a simple process that just calls a Java delegate class:
and inside this class we tried to get the logged-in user's information, then we want to pass their info to Keycloak, but we always get anonymousUser when we do it like this code:
Hi Abdullah, it sounds like you are having the same issue regardless of whether you use the plugin or not, but did you ask on GitHub, where the Keycloak plugin is located? @VonDerBeck maintains it and may be able to assist.
When I look at the screenshots of your source code, it looks like you're using keycloak-spring-boot-starter for SSO or something similar? If yes, this is definitely not a problem of the "Camunda Platform 7 - Keycloak Identity Provider Plugin". Maybe it's a good thing to separate your aspects before you try to find your error.
The Keycloak Identity Provider itself has nothing to do with the SSO part - it's a replacement of the Camunda Identity Provider using Keycloak with ReadOnly access. This even works without SSO, just like the original LDAP Identity Provider of Camunda.
Of course the Keycloak Identity Provider repository includes an example for SSO in order to give an idea of how to wire the whole stuff. But this example is based on bare Spring Boot OAuth2 only, without using Keycloak's keycloak-spring-boot-starter(!)
Please be aware that the Spring Boot SecurityContextHolder is Spring Boot stuff and does not know anything about Camunda's IdentityProvider, independent of the rest of your setup.
Some other general hints:
In your process, please be aware that any former session information from the process start will not be available in case the service task is asynchronous.
Camunda's Identity Provider has a method identityService.getCurrentAuthentication() which gives you the current authenticated user (again: only in a synchronous scenario!) in case your authentication setup is correct.
Here are some steps to follow:
Check whether your SessionUtil delivers the correct authenticated user when starting the process.
If not, check your general SSO setup (which is a different and additional aspect to the Identity Provider Plugin).
Think about asynchronous continuations and a concept for dealing with asynchronous jobs.
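As an added example (not code from this thread or from the plugin), here is how the hints above could be combined in a Camunda 7 Spring Boot application: the starting side hands the Spring Security user to the engine explicitly, and the delegate prefers identityService.getCurrentAuthentication() but falls back to a process variable when it runs asynchronously. The class name, helper method and variable name are hypothetical; it assumes Spring Security and the Camunda 7 Java API are on the classpath.

```java
import org.camunda.bpm.engine.IdentityService;
import org.camunda.bpm.engine.RuntimeService;
import org.camunda.bpm.engine.delegate.DelegateExecution;
import org.camunda.bpm.engine.delegate.JavaDelegate;
import org.camunda.bpm.engine.variable.Variables;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

public class ResolveStarterDelegate implements JavaDelegate {
    // Hypothetical process variable carrying the starter's id into asynchronous jobs.
    static final String STARTER_VAR = "startedByUserId";

    // Starting side (hypothetical helper): Spring's SecurityContextHolder is unknown to
    // Camunda, so the SSO user id must be handed to the engine explicitly.
    static String startAuthenticated(RuntimeService runtimeService,
                                     IdentityService identityService, String processKey) {
        Authentication spring = SecurityContextHolder.getContext().getAuthentication();
        if (spring == null || spring instanceof AnonymousAuthenticationToken) {
            // "anonymousUser" here means the SSO setup never authenticated the request
            throw new IllegalStateException("request is not authenticated; check SSO setup");
        }
        String userId = spring.getName();
        identityService.setAuthenticatedUserId(userId); // thread-bound engine authentication
        try {
            return runtimeService.startProcessInstanceByKey(processKey,
                    Variables.createVariables().putValue(STARTER_VAR, userId)).getId();
        } finally {
            identityService.clearAuthentication();
        }
    }

    @Override
    public void execute(DelegateExecution execution) {
        IdentityService identityService = execution.getProcessEngineServices().getIdentityService();
        org.camunda.bpm.engine.impl.identity.Authentication engineAuth =
                identityService.getCurrentAuthentication();
        // Synchronous continuation: the engine authentication set at start is still on this thread.
        String userId = engineAuth != null ? engineAuth.getUserId() : null;
        if (userId == null) {
            // Asynchronous continuation (asyncBefore/asyncAfter, timers): the job executor thread
            // carries no session or authentication, so fall back to the explicitly stored variable.
            userId = (String) execution.getVariable(STARTER_VAR);
        }
        if (userId == null) {
            throw new IllegalStateException("no starter known for " + execution.getProcessInstanceId());
        }
        execution.setVariable("resolvedUserId", userId);
    }
}
```

Because the fallback value is a plain process variable, treat it as the starter's claim captured at start time rather than as a fresh authentication, and do not let later user input overwrite it.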
@VonDerBeck, we will review our project's structure and try to follow the steps you mentioned.
We have one more question that will affect our decision on whether we will depend on Camunda in all our projects or not: if the Camunda team stops supporting Camunda 7 Community after 3 or 5 years (as they told us), and we want to upgrade our Keycloak to a new version, how will we be able to keep the Camunda 7 - Keycloak alignment with the same Keycloak version, where we use the "Camunda Platform 7 - Keycloak Identity Provider Plugin"?
Now it's working properly locally, but on the dev env it works fine only when using email as the ID; we want to make userId the ID in Camunda, so when we change these attributes like this
Camunda 8 does not require the Keycloak Identity Provider Plugin anymore - Camunda applications like Operate, Tasklist, Optimize and, last but not least, Identity are already designed to work with Keycloak out of the box.
For a real cloud setup the Helm charts of Camunda are recommended - and, by the way, they are absolutely well maintained and documented.
Key for you would be to first understand the general architecture differences between Camunda 7 and Camunda 8. Keycloak is supported out of the box in Camunda 8; in Camunda 7 you have community projects at hand.