How to access Keycloak-secured Camunda Tasklist API from Postman etc.

Hello everybody,
I hope someone can help me with this problem. We use the following Camunda platform 8 in a Docker environment: GitHub - camunda/camunda-platform: Camunda Platform 8. We are currently building our own tasklist client. However, there are currently difficulties in accessing the tasks via GraphQL, since the Camunda task list and other Camunda components are protected by Keycloak. Unfortunately I don’t know how to proceed to authenticate myself correctly with Keycloak and to be able to make requests to the underlying API.
Through the Keycloak token endpoint (/auth/realms/camunda-platform/protocol/openid-connect/token) I can already get a bearer token from Keycloak. However, I still can’t make queries to the GraphQL endpoint of the tasklist with this token in the authorization header. Whenever this is attempted, a login HTML page is returned to me by Keycloak, regardless of which bearer token is used, or if a bearer token is used at all. On the contrary, the original camunda task list client works after manual authentication in the browser. However, we cannot reproduce this with any other client like Postman for example.
Feel free to ask additional questions.

This is the default response of my queries to the graphql endpoint.

I use these keys with their corresponding values for obtaining the token.
```javascript
// Form fields sent to the Keycloak token endpoint (password grant)
var urlencoded = new URLSearchParams();
urlencoded.append("client_id", "tasklist-api");
urlencoded.append("grant_type", "password");
urlencoded.append("client_secret", "myClientSecret…");
urlencoded.append("scope", "openid");
urlencoded.append("username", "myUsername");
urlencoded.append("password", "myPassword");
```

Thanks in advance!

Hello everybody,
unfortunately the "/" character was missing at the end of the GraphQL tasklist Endpoint. We used something like localhost:8080/graphql and now we’re using something like localhost:8080/graphql/ and it’s now working as it should :wink:
To figure out how to properly authenticate with Keycloak, we used Postman. There, under Authorization, it is possible to authenticate using the OAuth 2.0 protocol and to analyze the generated requests in the console.
I hope that whenever someone else runs into the same problem, they read this post.
Best wishes
Alwin Siemens

1 Like
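The flow this thread arrives at, as an added example that is not part of the original posts: request a token with the form fields shown above, call the GraphQL endpoint with the trailing slash, and fail loudly when an HTML login page comes back instead of JSON. The Keycloak host and port and all function names are assumptions; the token path, client id and `localhost:8080/graphql/` come from the posts.

```javascript
// Added example. Keycloak host/port is an assumption; the path is the one from the post.
const KEYCLOAK_TOKEN_URL =
  "http://localhost:18080/auth/realms/camunda-platform/protocol/openid-connect/token";
const TASKLIST_GRAPHQL_URL = "http://localhost:8080/graphql"; // slash added below

// The fix from the thread: the Tasklist GraphQL path must end in "/".
function normalizeGraphqlUrl(url) {
  const u = new URL(url);
  if (!u.pathname.endsWith("/")) u.pathname += "/";
  return u.toString();
}

// Same form fields as the post; URLSearchParams percent-encodes the values.
// Pass credentials in from the environment or a secret store, not from source.
function buildTokenRequest(creds) {
  const body = new URLSearchParams({
    client_id: "tasklist-api", grant_type: "password", scope: "openid",
    client_secret: creds.clientSecret, username: creds.username, password: creds.password,
  });
  return { method: "POST", body: body.toString(),
    headers: { "Content-Type": "application/x-www-form-urlencoded" } };
}

// redirect: "manual" (Node fetch) keeps a redirect to the login page visible as 3xx.
function buildGraphqlRequest(accessToken, query) {
  return { method: "POST", redirect: "manual", body: JSON.stringify({ query }),
    headers: { "Content-Type": "application/json", Authorization: `Bearer ${accessToken}` } };
}

// Tell a GraphQL answer apart from the symptom in the question (HTML login page).
function classifyResponse(status, contentType, bodyText) {
  const type = contentType || "";
  if (status >= 300 && status < 400) return "redirected-to-login";
  if (type.includes("text/html") || /^\s*<(!doctype|html)/i.test(bodyText)) return "login-page";
  if (status === 401 || status === 403) return "token-rejected";
  return type.includes("json") ? "graphql-json" : "unexpected";
}

async function queryTasklist(creds, query, fetchImpl = fetch) {
  const tokenRes = await fetchImpl(KEYCLOAK_TOKEN_URL, buildTokenRequest(creds));
  if (!tokenRes.ok) throw new Error(`token request failed: HTTP ${tokenRes.status}`);
  const { access_token } = await tokenRes.json();
  const res = await fetchImpl(normalizeGraphqlUrl(TASKLIST_GRAPHQL_URL),
    buildGraphqlRequest(access_token, query));
  const text = await res.text();
  const kind = classifyResponse(res.status, res.headers.get("content-type"), text);
  if (kind !== "graphql-json") throw new Error(`expected GraphQL JSON, got ${kind}`);
  return JSON.parse(text);
}
```

Calling `queryTasklist(creds, "{ __typename }")` is a minimal smoke test, since `__typename` is valid against any GraphQL schema.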