I’m integrating Camunda Identity with an external Keycloak instance, where I already have a custom realm (qportal) configured with all necessary resources. My environment includes:
IDENTITY_KEYCLOAK_REALM=qportal
IDENTITY_KEYCLOAK_CREATE_REALM=false
CAMUNDA_IDENTITY_TYPE=KEYCLOAK
IDENTITY_AUTH_PROVIDER_ISSUER_URL=https://keycloak-dev.att/keycloak/realms/qportal
IDENTITY_AUTH_PROVIDER_BACKEND_URL=https://keycloak-dev.att/keycloak/realms/qportal
IDENTITY_AUTH_PROVIDER_CLIENT_ID=camunda-identity
IDENTITY_AUTH_PROVIDER_CLIENT_SECRET=client-secret
Despite these settings, Identity still attempts to use the default realm camunda-platform. If I pre-create the camunda-identity client in qportal, Identity throws a 409 Conflict. If I remove the client, I get a 401 Unauthorized, indicating it may not actually be pointing to qportal as expected.
Reviewing the container setup, it seems the realm creation logic is hard-coded into the identity.jar. Is there any official way to prevent Identity from auto-creating the default realm and resources, and ensure it strictly uses the external realm I provide?
Hi @Nayuovga, welcome to the forums! What version of Camunda are you using? And how have you deployed it? (Helm, Docker, C8 Run, etc.)
Hi, thanks for your reply.
I’m using Camunda 8, version 8.8.0-alpha6, deployed via Docker Compose, along with an external Keycloak.
@Nayuovga - can you share your docker-compose.yaml file? (with any secrets redacted, of course!)
identity:
  container_name: identity
  image: camunda/identity:${CAMUNDA_IDENTITY_VERSION}
  ports:
    - "8084:8084"
  environment:
    - SERVER_PORT=8084
    - IDENTITY_URL=https://my-host/identity
    - IDENTITY_RETRY_DELAY_SECONDS=30
    - KEYCLOAK_URL=https://my-keycloak/keycloak
    - IDENTITY_AUTH_PROVIDER_ISSUER_URL=https://my-keycloak/keycloak/realms/qportal
    - IDENTITY_AUTH_PROVIDER_BACKEND_URL=https://my-keycloak/keycloak/realms/qportal
    - IDENTITY_AUTH_PROVIDER_CLIENT_ID=camunda-identity
    - IDENTITY_AUTH_PROVIDER_CLIENT_SECRET=my-secret
    - IDENTITY_KEYCLOAK_REALM=qportal
    - CAMUNDA_IDENTITY_TYPE=KEYCLOAK
    - LOGGING_LEVEL_ROOT=DEBUG
    - LOGGING_LEVEL_IO_CAMUNDA_IDENTITY=DEBUG
    - SPRING_LOGGING_LEVEL_ORG_APACHE_HTTP=TRACE
    - SPRING_LOGGING_LEVEL_ORG_SPRINGFRAMEWORK_WEB_CLIENT=TRACE
    - SPRING_LOGGING_LEVEL_ORG_SPRINGFRAMEWORK_WEB_CLIENT_REACTIVE=DEBUG
    - SPRING_LOGGING_LEVEL_ORG_SPRINGFRAMEWORK_SECURITY_OAUTH2=DEBUG
    - SERVER_LOGGING_LEVEL=TRACE
    - logging.level.org.springframework.web.client.RestTemplate=DEBUG
    - logging.level.org.apache.http=DEBUG
    - "JAVA_TOOL_OPTIONS=-Djavax.net.ssl.trustStore=/opt/truststore.jks -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.debug=ssl -Dlogging.level.io.camunda=DEBUG"
    - SPRING_WEB_FORWARD-HEADERS-STRATEGY=native
    - CAMUNDA_IDENTITY_SSO_SINGLE_SIGN_OUT_ENABLED="true"
    - MULTITENANCY_ENABLED=${MULTI_TENANCY_ENABLED}
    - RESOURCE_PERMISSIONS_ENABLED=${RESOURCE_AUTHORIZATIONS_ENABLED}
  restart: on-failure
  volumes:
    - ./truststore.jks:/opt/truststore.jks
  labels:
    - "traefik.enable=true"
    - "traefik.http.routers.identity.tls=true"
    - "traefik.http.routers.identity.service=identity"
    - "traefik.http.services.identity.loadbalancer.server.port=8084"
    - "traefik.http.routers.identity.rule=PathPrefix(`/identity`)"
    - "traefik.http.middlewares.identity-midl.stripprefix.prefixes=/identity"
    - "traefik.http.middlewares.identity-midl.stripprefix.forceSlash=False"
    - "traefik.http.routers.identity.middlewares=identity-midl"
  networks:
    - peering-dev
    - camunda-platform
Hi @Nayuovga - thanks for sharing the config. We noticed a couple things:
- the IDENTITY_KEYCLOAK_REALM variable is incorrectly named; it should be KEYCLOAK_REALM (see step #12 here)
- the IDENTITY_KEYCLOAK_CREATE_REALM variable is not supported
I suspect that if you rename that variable, it should work.
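A small check, added here as an example and not code from the thread or from Camunda, that scans the `- KEY=VALUE` entries of an identity service's `environment:` block for the two problems named in the reply: the misnamed realm variable and the unsupported create-realm variable. It also reports when no KEYCLOAK_REALM is set (which, per the thread, leaves Identity on the default realm) and when the realm named in IDENTITY_AUTH_PROVIDER_ISSUER_URL disagrees with KEYCLOAK_REALM; the sample input is constructed from the compose file above.

```python
import re
from typing import Dict, List

# Constructed sample: the realm-related entries from the compose file posted above.
SAMPLE_ENV = """
- IDENTITY_AUTH_PROVIDER_ISSUER_URL=https://my-keycloak/keycloak/realms/qportal
- IDENTITY_AUTH_PROVIDER_BACKEND_URL=https://my-keycloak/keycloak/realms/qportal
- IDENTITY_AUTH_PROVIDER_CLIENT_ID=camunda-identity
- IDENTITY_KEYCLOAK_REALM=qportal
- IDENTITY_KEYCLOAK_CREATE_REALM=false
- CAMUNDA_IDENTITY_TYPE=KEYCLOAK
"""

# Realm Identity falls back to when no realm is configured (as reported in the thread).
DEFAULT_REALM = "camunda-platform"


def parse_env(text: str) -> Dict[str, str]:
    """Parse docker-compose style `- KEY=VALUE` list items (optionally quoted) into a dict."""
    env: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r'\s*-\s*"?([A-Za-z0-9_.-]+)=(.*?)"?\s*$', line)
        if m:
            env[m.group(1)] = m.group(2)
    return env


def check_realm_config(env: Dict[str, str]) -> List[str]:
    """Return findings about the realm settings; an empty list means they look consistent."""
    findings: List[str] = []
    if "IDENTITY_KEYCLOAK_REALM" in env:
        findings.append("IDENTITY_KEYCLOAK_REALM is not a recognised variable; use KEYCLOAK_REALM")
    if "IDENTITY_KEYCLOAK_CREATE_REALM" in env:
        findings.append("IDENTITY_KEYCLOAK_CREATE_REALM is not supported and has no effect")
    realm = env.get("KEYCLOAK_REALM")
    if realm is None:
        findings.append(f"KEYCLOAK_REALM is unset, so Identity targets the default realm '{DEFAULT_REALM}'")
    # The issuer URL ends in /realms/<realm>; that segment must name the same realm.
    issuer = env.get("IDENTITY_AUTH_PROVIDER_ISSUER_URL", "")
    m = re.search(r"/realms/([^/]+)/?$", issuer)
    if m and realm is not None and m.group(1) != realm:
        findings.append(f"KEYCLOAK_REALM '{realm}' does not match issuer realm '{m.group(1)}'")
    return findings


if __name__ == "__main__":
    for finding in check_realm_config(parse_env(SAMPLE_ENV)):
        print("finding:", finding)
```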