Hey @hari_kiran!
Maybe it is worth trying to run the Camunda 8 docker-compose.yaml and see if it is going to work with that one. It includes Zeebe, Tasklist, Operate and ElasticSearch without any IAM and security.
I am also wondering how you obtained the source code for Tasklist? As far as I am concerned the code is not available to the public.
Let me know if you make any progress with this approach!
Best,
Thomas
Just a little addition: if you use Camunda Identity and Keycloak, this authentication is not possible. So make sure to only use the core components when doing so.
From my understanding, if you don’t have keycloak installed, what you have done in postman is the right way to call Tasklist API.
Once you have Keycloak installed you can use the Keycloak token endpoint to get the access token and add the token to your request header in the following format:
And basically you can have 2 ways to get the access token:
grant_type: client_credentials

content-type: x-www-form-urlencoded
client_id: <client_id>
client_secret: <client_secret>
grant_type: client_credentials
audience: <client audience> # tasklist in this case

grant_type: password

content-type: x-www-form-urlencoded
client_id: <client_id>
client_secret: <client_secret>
grant_type: password
username: demo # users in keycloak or identity
password: demo
I’m not sure if this is the recommended way to directly interact with Keycloak for the access token, but it does work for me. So far I couldn’t find any API exposed by Identity to get the access token.
Hey,
This seems the way to go for now, but I’m wondering how you are handling the TASKLIST_SESSION cookie? Right now I’m able to obtain the bearer token from the Keycloak instance, but when I’m trying to call the GraphQL API I’m seeing a redirect, and as far as I can tell that’s because of the missing cookie on the request.
Hey, I know it sounds silly, but there is no need to get the cookie to call the GraphQL endpoint. All you need is to make sure there is a trailing slash at the end of the URL.
When calling http://[host]/graphql I always get a 400 response saying that I need to authenticate; however, when calling http://[host]/graphql/ - note the trailing slash - I get a 200 response without using any cookie.
I’m trying to validate with the community if the token-based authentication works as expected in the Self-managed environment. Have you tried to authenticate to Tasklist with JWT? Authentication | Camunda Platform 8 Docs
Do you have maybe any suggestions to improve documentation or everything worked well?
Hi @aleksander-dytko,
Yes, I did the authentication to Tasklist with JWT.
So to start, you have to add an application in Identity as per the Camunda docs and add permissions for the Tasklist API to that application.
In the Camunda docs, the JWT token is an ‘App token’; to get a user token you have to make a POST call to Keycloak (check @GgJinFWu’s response above)
and use the JWT token in your GraphQL call header (the token is the “access_token” field in the Keycloak POST response).
I had a small issue when claiming a task, for example, as per the GraphQL schema:
claimTask(taskId: String!, assignee: String): Task!
Claim a task with taskId to currently logged in user. Returns the task.
I was forced to pass the assignee parameter; the system was not able to detect the assignee from the JWT token (I think it’s a Tasklist exception).
Thanks for the validation, I appreciate your answer!
Regarding:
The JWT token is mainly meant for m2m communication - so when you have some client application that uses GraphQL, the token is issued for that application, not for the user. This allows having one token rather than one per user using it.
@aleksander-dytko how do you find the current user using the JWT token of an m2m communication? I think we need to have a token per user to claim and complete a task.
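As an added example (not code from this thread or from Camunda), the script below puts the two Keycloak flows described by @GgJinFWu and the m2m-vs-user question raised at the end into working Python: it builds the form bodies for the client_credentials and password grants, builds the Tasklist GraphQL request that carries the token as a bearer header (with the trailing slash the thread recommends, and no TASKLIST_SESSION cookie), and inspects the returned JWT's claims so the caller can tell an application (m2m) token from one that carries a user identity, and can reject a token whose audience does not cover Tasklist. The Keycloak URL, realm name, client id, secret and task id are assumptions, and the three tokens are constructed, unsigned samples so the script runs offline; a real token is verified by the Tasklist server, the client only reads the claims.

```python
import base64
import json
import urllib.parse
import urllib.request

# Assumptions for a local Camunda 8 self-managed setup; adjust to your deployment.
KEYCLOAK_TOKEN_URL = "http://localhost:18080/auth/realms/camunda-platform/protocol/openid-connect/token"
TASKLIST_GRAPHQL_URL = "http://localhost:8082/graphql/"  # keep the trailing slash (see thread)
CLIENT_ID = "tasklist-api"      # assumption: application registered in Identity
CLIENT_SECRET = "replace-me"    # assumption: secret shown by Identity for that app


def client_credentials_body(client_id, client_secret, audience="tasklist"):
    """Form body for the m2m flow (grant_type=client_credentials)."""
    return urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "audience": audience,
    })


def password_grant_body(client_id, client_secret, username, password):
    """Form body for the user flow (grant_type=password) with a Keycloak/Identity user."""
    return urllib.parse.urlencode({
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        "password": password,
    })


def token_request(body):
    """POST to the Keycloak token endpoint; the body must be form-encoded."""
    return urllib.request.Request(
        KEYCLOAK_TOKEN_URL, data=body.encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def jwt_claims(token):
    """Decode the JWT payload without verifying the signature (Tasklist verifies it)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def check_token(token, audience="tasklist"):
    """Return (ok, kind, problems): ok is False when the audience does not include
    Tasklist; kind is "user" if the token carries preferred_username, else "m2m"."""
    claims = jwt_claims(token)
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    problems = []
    if audience not in aud:
        problems.append(f"audience {aud} does not include {audience!r}")
    kind = "user" if claims.get("preferred_username") else "m2m"
    return (not problems, kind, problems)


def graphql_request(token, query, variables=None):
    """GraphQL POST with the bearer token; no TASKLIST_SESSION cookie is needed."""
    body = json.dumps({"query": query, "variables": variables or {}}).encode()
    return urllib.request.Request(
        TASKLIST_GRAPHQL_URL, data=body, method="POST",
        headers={"Content-Type": "application/json", "Authorization": f"Bearer {token}"},
    )


def _fake_jwt(claims):
    """Constructed, unsigned sample token for offline demonstration only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


# Constructed samples: an m2m token, a user token from the password grant, a wrong audience.
M2M_TOKEN = _fake_jwt({"aud": ["tasklist"], "azp": CLIENT_ID})
USER_TOKEN = _fake_jwt({"aud": "tasklist", "azp": CLIENT_ID, "preferred_username": "demo"})
WRONG_AUD_TOKEN = _fake_jwt({"aud": ["operate-api"], "azp": CLIENT_ID})

# claimTask needs an explicit assignee with an m2m token, as reported in the thread.
CLAIM_TASK = """mutation($id: String!, $assignee: String) {
  claimTask(taskId: $id, assignee: $assignee) { id assignee }
}"""

if __name__ == "__main__":
    print(token_request(client_credentials_body(CLIENT_ID, CLIENT_SECRET)).data)
    for name, tok in [("m2m", M2M_TOKEN), ("user", USER_TOKEN), ("wrong-aud", WRONG_AUD_TOKEN)]:
        print(name, check_token(tok))
    req = graphql_request(M2M_TOKEN, CLAIM_TASK, {"id": "2251799813685249", "assignee": "demo"})
    print(req.full_url, req.get_header("Authorization")[:24] + "...")
```

To run it against a real deployment, send `token_request(...)` with `urllib.request.urlopen`, read `access_token` from the JSON response, pass it through `check_token` and then to `graphql_request`; with an m2m token `check_token` reports kind "m2m", which is exactly the case where claimTask has no user to fall back on and the assignee must be passed explicitly.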