Getting unauthorized error for operate api even if we get the token using keycloak and identity

Hello Team,

We are trying to consume operate API using token authorization in Self-Managed cluster but getting unauthorized error

Steps to get token

  1. rolled up Identity and keycloak images in docker
  2. added application in identity
  3. enabled service account for application in keycloak
  4. Hit token api and get the token from keycloak
  5. Save token in postman and call process instance api from postman
  6. getting unauthorized error

Can you please guide us what I am missing here?

Hello Team,

I have followed below link and re-verified all the settings and found below observation on Camunda Identity platform

Steps

  1. Created Application
  2. Created API and assign permission to it
  3. In Application details not found “Access to APIs” tab in local docker image.

screenshot

Do you have any suggestions how we can enable this tab? Or any reason why this tab is not available with docker image?

docker image -

identity: # Docker | Camunda Platform 8
  container_name: identity
  image: camunda/identity:${CAMUNDA_PLATFORM_VERSION:-8.0.2}
  ports:
    - "8084:8084"
  environment: # Configuration variables | Camunda Platform 8
    SERVER_PORT: 8084
    KEYCLOAK_URL: http://keycloak:8080/auth
    IDENTITY_AUTH_PROVIDER_BACKEND_URL: http://keycloak:8080/auth/realms/camunda-platform
    KEYCLOAK_INIT_OPERATE_SECRET: XALaRPl5qwTEItdwCMiPS62nVpKs7dL7
    KEYCLOAK_INIT_OPERATE_ROOT_URL: http://localhost:8081
    KEYCLOAK_INIT_TASKLIST_SECRET: XALaRPl5qwTEItdwCMiPS62nVpKs7dL7
    KEYCLOAK_INIT_TASKLIST_ROOT_URL: http://localhost:8082
    KEYCLOAK_INIT_OPTIMIZE_SECRET: XALaRPl5qwTEItdwCMiPS62nVpKs7dL7
    KEYCLOAK_INIT_OPTIMIZE_ROOT_URL: http://localhost:8083
    KEYCLOAK_USERS_0_USERNAME: "demo"
    KEYCLOAK_USERS_0_PASSWORD: "demo"
    KEYCLOAK_USERS_0_FIRST_NAME: "demo"
    KEYCLOAK_USERS_0_ROLES_0: "Identity"
    KEYCLOAK_USERS_0_ROLES_1: "Optimize"
    KEYCLOAK_USERS_0_ROLES_2: "Operate"
    KEYCLOAK_USERS_0_ROLES_3: "Tasklist"
  restart: on-failure
  networks:
    - identity-network
  depends_on:
    - keycloak

Hello @davidgs,

Can you please help us for above queries or redirect us to a contact who can help on this?

Thank you!

Best Regards,
Vipul Keskar

Hi @Vipul ,

I was told that the tab/ui is available at 8.0.4. Can you please set the environment variable CAMUNDA_PLATFORM_VERSION=8.0.4. Otherwise version 8.0.2 is used in docker-compose file.

Best regards,
Ralf

Hello @ralfpuchert,
Thank you for the response…

I have loaded new docker image and tried to access the API but still I am getting the same issue as Unauthorized. Can you please help me to resolve this issue?

Hi @Vipul ,

Can you please check if Operate has at least read:* permission? You can find the permissions tab in Identity under API → your application → Permissions. See also Adding a permission | Camunda Platform 8.

Regards

Hello @ralfpuchert,

Permissions are already given…


Thank you!

Best Regards,
Vipul

Hello @ralfpuchert,

Any suggestion would really help us to proceed.

Thank you!

Best Regards,
Vipul

Hi @Vipul ,

I tried this official docker-compose file camunda-platform/docker-compose.yaml at main · camunda/camunda-platform · GitHub and it worked for me.

I think it is useful to test the default access first. Maybe you can try my steps and see what happens:

  1. Start operate with dependencies: docker-compose up operate
  2. Make sure every application works, it can take some time until all dependencies (elasticsearch, zeebe, keycloak, Identity, Operate) are ready to use. For that you can take a look at the log files and check the webapps in the browser.
    • Zeebe should work: The last log message should be: io.camunda.zeebe.broker.exporter.elasticsearch - Exporter opened
    • Identity should work: Check the webapp at http://localhost:8084
    • Operate should work: Check the webapp at http://localhost:8081
  3. Test the default API access for Operate.
    1. Take the client_id, client_secret from Operate configuration in docker-compose file:
     - CAMUNDA_OPERATE_IDENTITY_CLIENTID=operate
     - CAMUNDA_OPERATE_IDENTITY_CLIENTSECRET=XALaRPl5qwTEItdwCMiPS62nVpKs7dL7
    2. Compare with Operate application configuration in Identity webapp. Should be the same.
    3. Get a token from Identity for Operate application at http://localhost:18080/auth/realms/camunda-platform/protocol/openid-connect/token.
      Use the client_id and client_secret from step 1.
    4. Use this token to access Operate at http://localhost:8081/v1/process-instances/search
    5. Without permissions a html content with an error message will be returned, with permissions it should return something like:
      {
       "items": [],
       "sortValues": [],
       "total": 0
      }
  4. Test with a newly created application
    1. Create an application
    2. Use the created client_id and client_secret by Identity in the Operate configuration part of your docker-compose file. Operate needs to know the client_id and client_secret.
    3. Restart Operate from docker-compose file
    4. Get a token now with new client_id and client_secret.
    5. Try to access Operate with new token.

Important:

  • if you create an application you need to tell Operate the new client_id and client_secret. For that update the Operate configuration, in this case in the docker-compose file.
  • if you change permissions you need to get a new token.

I hope this helps.
You can also take a look at this forum question Camunda8 GraphQL API get active tasks list - #8 by valiu which had similar issues.

Best regards,
Ralf
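
Steps 3 and 4 of the procedure above as a Python sketch, added here as an example and not taken from any post in this thread or from Camunda's code: it requests a token with the client-credentials grant, calls the Operate search endpoint, and decodes the token's claims to list likely reasons for a rejection. The `operate-api` audience name and the `permissions` claim layout are assumptions; compare them with what your own decoded token contains.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = "http://localhost:18080/auth/realms/camunda-platform/protocol/openid-connect/token"
SEARCH_URL = "http://localhost:8081/v1/process-instances/search"

def fetch_token(client_id, client_secret, url=TOKEN_URL):
    """OAuth2 client-credentials request to Keycloak (needs the running stack)."""
    form = urllib.parse.urlencode({"grant_type": "client_credentials",
                                   "client_id": client_id, "client_secret": client_secret})
    with urllib.request.urlopen(urllib.request.Request(url, data=form.encode())) as resp:
        return json.load(resp)["access_token"]

def search_process_instances(token, url=SEARCH_URL):
    """POST an empty search query to Operate with the bearer token."""
    headers = {"Authorization": "Bearer " + token, "Content-Type": "application/json"}
    with urllib.request.urlopen(urllib.request.Request(url, data=b"{}", headers=headers)) as resp:
        return json.load(resp)

def decode_claims(token):
    """Decode the JWT payload without verifying the signature (diagnostics only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def diagnose(token, audience="operate-api", now=None):
    """List reasons the token would likely be rejected; an empty list means none found."""
    claims, problems = decode_claims(token), []
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        problems.append("expired: request a new token")
    aud = claims.get("aud", [])
    if audience not in ([aud] if isinstance(aud, str) else aud):
        problems.append("audience missing: give the application access to the API")
    # ASSUMPTION: granted permissions appear in a 'permissions' claim keyed by audience.
    granted = claims.get("permissions", {}).get(audience, [])
    if not any(p.startswith("read:") for p in granted):
        problems.append("no read permission in token: add it, then request a new token")
    return problems

def make_sample_token(claims):
    """Constructed, unsigned sample token for offline runs (not a real credential)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), ""])

if __name__ == "__main__":
    print(diagnose(make_sample_token({"exp": 0, "aud": "account"})))  # constructed input
```

Against a running stack, `diagnose(fetch_token(client_id, client_secret))` shows what the issued token actually carries before it is sent to `search_process_instances`.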

Hi @Vipul

Please try to add also read permission on “Camunda Identity Resource Server” on to “Operate application”

After that here are the steps:

Regards,
Valentin

Thank you @ralfpuchert, @valiu for the help.
Now I am able to access the APIs after these settings…

Thank you!

Best Regards,
Vipul Keskar

Hi @Vipul ,

Good to hear! Thanks for letting me know.

Best regards,
Ralf

Hello Team,

I am facing the same issue. I am using Helm Charts camunda-platform-8.0.12.

I am facing the same issue where, in Application, the “Access to APIs” tab is not present.

@krishnadey I answered that in slack Workspace Deleted | Slack

For reference:

The image tag is set to 8.0.0 (camunda-platform-helm/charts/camunda-platform/values.yaml at main · camunda/camunda-platform-helm · GitHub). If you haven’t changed that, then I guess it is the issue; as @Ralf mentioned here (Getting unauthorized error for operate api even if we get the token using keycloak and identity - #4 by ralfpuchert), it is supported with 8.0.4. Please try again with a higher version.

E.g. --set global.image.tag=8.0.4
