Getting unauthorized error for operate api even if we get the token using keycloak and identity

Hi @Vipul ,

I tried this official docker-compose file camunda-platform/docker-compose.yaml at main · camunda/camunda-platform · GitHub and it worked for me.

I think it is useful to test the default access first. Maybe you can try my steps and see what happens:

  1. Start Operate with dependencies: docker-compose up operate
  2. Make sure every application works. It can take some time until all dependencies (Elasticsearch, Zeebe, Keycloak, Identity, Operate) are ready to use. For that you can take a look at the log files and check the webapps in the browser.
    • Zeebe should work: The last log message should be: io.camunda.zeebe.broker.exporter.elasticsearch - Exporter opened
    • Identity should work: Check the webapp at http://localhost:8084
    • Operate should work: Check the webapp at http://localhost:8081
  3. Test the default API access for Operate.
    1. Take the client_id and client_secret from the Operate configuration in the docker-compose file:
     - CAMUNDA_OPERATE_IDENTITY_CLIENTID=operate
     - CAMUNDA_OPERATE_IDENTITY_CLIENTSECRET=XALaRPl5qwTEItdwCMiPS62nVpKs7dL7
    
    2. Compare with the Operate application configuration in the Identity webapp. They should be the same.
    3. Get a token from Identity for the Operate application at http://localhost:18080/auth/realms/camunda-platform/protocol/openid-connect/token.
      Use the client_id and client_secret from step 1.
    4. Use this token to access Operate at http://localhost:8081/v1/process-instances/search
    5. Without permissions, HTML content with an error message will be returned; with permissions, it should return something like:
      {
       "items": [],
       "sortValues": [],
       "total": 0
      }
      
  4. Test with a newly created application
    1. Create an application
    2. Use the client_id and client_secret created by Identity in the Operate configuration part of your docker-compose file. Operate needs to know the client_id and client_secret.
    3. Restart Operate from docker-compose file
    4. Get a token now with the new client_id and client_secret.
    5. Try to access Operate with the new token.

Important:

  • If you create an application, you need to tell Operate the new client_id and client_secret. To do that, update the Operate configuration, in this case in the docker-compose file.
  • If you change permissions, you need to get a new token.

I hope this helps.
You can also take a look at this forum question Camunda8 GraphQL API get active tasks list - #8 by valiu which had similar issues.

Best regards,
Ralf
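
The token check from step 3 of the post above, as an added example that is not part of the original post or of Camunda's code. It assumes the OAuth2 client_credentials grant and a POST with an empty JSON filter to the search endpoint; the function names and the OPERATE_CLIENT_ID / OPERATE_CLIENT_SECRET environment variables are hypothetical.

```python
import base64, json, urllib.error, urllib.parse, urllib.request

# Both URLs are the ones given in the post.
TOKEN_URL = ("http://localhost:18080/auth/realms/camunda-platform"
             "/protocol/openid-connect/token")
SEARCH_URL = "http://localhost:8081/v1/process-instances/search"

def token_request(client_id, client_secret):
    """Build the token POST; the client_credentials grant is an assumption."""
    form = urllib.parse.urlencode({"grant_type": "client_credentials",
                                   "client_id": client_id,
                                   "client_secret": client_secret}).encode()
    return urllib.request.Request(TOKEN_URL, data=form, method="POST")

def jwt_claims(token):
    """Decode the JWT payload for inspection only; no signature check is done."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def search_request(token):
    """Build the Operate search call that carries the bearer token."""
    headers = {"Authorization": "Bearer " + token,
               "Content-Type": "application/json"}
    return urllib.request.Request(SEARCH_URL, data=b"{}", method="POST",
                                  headers=headers)

def classify(status, content_type, body):
    """Map an Operate reply to the two outcomes the post describes."""
    ctype = content_type.lower()
    if status == 200 and "json" in ctype:
        doc = json.loads(body)
        if isinstance(doc, dict) and "items" in doc and "total" in doc:
            return "authorized"
    if "html" in ctype or body.lstrip().lower().startswith((b"<!doctype", b"<html")):
        return "rejected"  # HTML error page: missing permission or stale token
    return "unexpected"

if __name__ == "__main__":
    import os
    cid, secret = os.environ["OPERATE_CLIENT_ID"], os.environ["OPERATE_CLIENT_SECRET"]
    with urllib.request.urlopen(token_request(cid, secret)) as r:
        token = json.load(r)["access_token"]
    claims = jwt_claims(token)
    # A token issued before a permission change has to be replaced.
    print("iat:", claims.get("iat"), "exp:", claims.get("exp"))
    try:
        with urllib.request.urlopen(search_request(token)) as r:
            print(classify(r.status, r.headers.get("Content-Type", ""), r.read()))
    except urllib.error.HTTPError as e:
        print(classify(e.code, e.headers.get("Content-Type", ""), e.read()))
```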