Group based authorization for rest api calls against roles set in the jwt token

Hello,

I’m thinking of a custom plugin development and wondering if it’s the right approach or perhaps there’s a better/easier solution. Just to mention, it is Camunda 8.x and it is a self-hosted deployment using Docker images for each component.

I would like to be able to authorize REST API access, for example to the Operate API, using a list of roles found in a request object [ custom header or JWT body ], against Camunda’s Identity and group permission configuration.

A couple of constraints:

  • No user creation in Camunda Identity. There should be only groups, the ones that are expected to come from the request object.
  • The authN is already done at the point when the REST API call is triggered towards the Operate API endpoint.
  • The authZ should rely on the list of roles received in the request object.

Having Spring Boot in mind, it sounds like a custom filter implementation with an authZ override and validation against Camunda’s Identity configuration, loaded into each component separately using an official Docker image release [ operate, tasklist … ]? Which API would one use/extend in this case?

Might there be any way to ‘globally configure Camunda’ to look for roles in the JWT and validate without the userId?

A penny for your thoughts :).
Thanks in advance

Hi @djura, welcome to the forums! I don’t think such a plugin is currently possible - you’d be building a custom version of each component (Operate, Tasklist, etc.), and that comes with some obvious support implications.

You can build custom roles in Identity, but you still need to authenticate a user (or a machine-to-machine token). It sounds like you are trying to avoid that need for authentication, which I would recommend against. (Or have I misunderstood your goal?)

There are a couple of workarounds I can think of, if the combination of groups and user/machine tokens doesn’t fit your requirements:

  • Identity supports using external OIDC providers, and you can create custom role mappings to match your existing groups.
  • Build an API that forwards requests to Camunda. Your application would query your API, rather than calling the Camunda APIs directly. Your API would handle the custom authorizations, make the corresponding request to Camunda, then return the data.
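The authorization step of the second workaround, as an added illustration that is not code from this thread or from Camunda: a deny-by-default check that re-verifies the JWT signature, reads the roles claim from the token body, and maps each group to the Operate calls it may make. The HS256 secret, the group names and the API paths are constructed assumptions; a real deployment would validate against the issuer's keys and mirror the groups configured in Identity.

```python
import base64, hashlib, hmac, json

# Constructed group-to-permission policy: each group maps to the (method, path)
# pairs it may call on Operate; it would mirror the group permissions in Identity.
POLICY = {
    "operate-readers": {("GET", "/v1/process-instances")},
    "operate-admins": {("GET", "/v1/process-instances"),
                       ("POST", "/v1/process-instances/delete")},
}

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_token(claims, secret):
    """Mint an HS256 JWT; used here only to build a sample token offline."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_and_decode(token, secret):
    """Return the claims if the HS256 signature verifies, otherwise None. Re-verifying
    here means the roles claim cannot be altered between authN and this check."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # wrong part count, bad base64 or bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":  # no alg=none
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return payload

def is_authorized(claims, method, path):
    """Deny by default; allow only if a role in the token grants (method, path)."""
    roles = claims.get("roles", []) if isinstance(claims, dict) else []
    for role in roles if isinstance(roles, list) else []:
        for allowed_method, allowed_path in (POLICY.get(role, ()) if isinstance(role, str) else ()):
            # exact path or a sub-path, so "/v1/process-instances-x" is not matched
            if method == allowed_method and (
                    path == allowed_path or path.startswith(allowed_path + "/")):
                return True
    return False
```

The same check could sit in a Spring Security filter inside each component, which is the approach asked about, or in the forwarding API the reply suggests.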
