We are trying to consume operate API using token authorization in Self-Managed cluster but getting unauthorized error
Steps to get token
- rolled up Identity and keycloak images in docker
- added application in identity
- enabled service account for application in keycloak
- Hit token api and get the token from keycloak
- Save token in postman and call process instance api from postman
- getting unauthorized error
Can you please guide us what I am missing here?
I have followed below link and re-verified all the settings and found below observation on Camunda Identity platform
- Created Application
- Created API and assign permission to it
- In Application details not found “Access to APIs” tab in local docker image.
Do you have any suggestions how we can enable this tab? Or any reason why this tab is not available with docker image?
docker image -
identity: # Docker | Camunda Platform 8
environment: # Configuration variables | Camunda Platform 8
Can you please help us for above queries or redirect us to a contact who can help on this?
Hi @Vipul ,
I was told that the tab/ui is available at
8.0.4. Can you please set the environment variable
CAMUNDA_PLATFORM_VERSION=8.0.4. Otherwise version
8.0.2 is used in docker-compose file.
Thank you for the response…
I have loaded new docker image and tried to access the API but still I am getting the same issue as Unauthorized. Can you please help me to resolve this issue?
Hi @Vipul ,
Can you please check if Operate has at least
read:* permission? You can find the permissions tab in Identity under API → your application → Permissions. See also Adding a permission | Camunda Platform 8.
Permissions are already given…
Any suggestion would really help us to proceed.
Hi @Vipul ,
I tried this official docker-compose file camunda-platform/docker-compose.yaml at main · camunda/camunda-platform · GitHub and it worked for me.
I think it is useful to test the default access first. Maybe you can try my steps and see what happens:
- Start operate with dependencies:
docker-compose up operate
- Make sure every application works, it can take some time until all dependencies (elasticsearch, zeebe, keycloak, Identity, Operate) are ready to use. For that you can take a look at the log files and check the webapps in the browser.
- Zeebe should work: The last log message should be:
io.camunda.zeebe.broker.exporter.elasticsearch - Exporter opened
- Identity should work: Check the webapp at http://localhost:8084
- Operate should work: Check the webapp at http://localhost:8081
- Test the default API access for Operate.
- Take the
client_secret from Operate configuration in
- Compare with Operate application configuration in Identity webapp. Should be the same.
- Get a token from Identity for Operate application at http://localhost:18080/auth/realms/camunda-platform/protocol/openid-connect/token.
client_secret from step 1.
- Use this token to access Operate at http://localhost:8081/v1/process-instances/search
- Without permissions a html content with an error message will be returned, with permissions it should return something like:
- Test with a new created application
- Create a application
- Use the created
client_secret by Identity in the Operate configuration part of your
docker-compose file. Operate needs to know the
- Restart Operate from docker-compose file
- Get a token now with new
- Try to access Operate with new token.
- if you create an application you need to tell Operate the new
client_secret. For that update the Operate configuration, in this case in the
- if you change permissions you need to get a new token.
I hope this helps.
You can also take a look at this forum question Camunda8 GraphQL API get active tasks list - #8 by valiu which had similar issues.
Please try to add also read permission on “Camunda Identity Resource Server” on to “Operate application”
After that here are the steps:
Thank you @ralfpuchert, @valiu for the the help
Now I am able to access the apis after this settings…
Hi @Vipul ,
Good to hear! Thanks for letting me know.
I am facing the same issue. I am using Helm Charts camunda-platform-8.0.12.
I am facing the same issue where, In Application, “Access to APIs” tab is not present.
@krishnadey I answered that in slack Slack
The image tag is set to 8.0.0 camunda-platform-helm/values.yaml at main · camunda/camunda-platform-helm · GitHub If you haven’t changed that then I guess it is the issue, as @Ralf mentioned here Getting unauthorized error for operate api even if we get the token using keycloak and identity - #4 by ralfpuchert it is supported with 8.0.4. Please try again with an higher version.
E.g. --set global.image.tag=8.0.4