IAM discovery on Camunda Cloud Self Managed

IAM version: 1.2.2

Hello @dlavrenuek, according to your configuration, the service runs normally for the first time, but when I start the service for the second time, the following error occurs:

java.lang.IllegalStateException: Failed to execute ApplicationRunner
	at org.springframework.boot.SpringApplication.callRunner(SpringApplication.java:800)
	at org.springframework.boot.SpringApplication.callRunners(SpringApplication.java:787)
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:333)
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:1313)
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:1302)
	at io.camunda.iam.IamApplicationKt.main(IamApplication.kt:39)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:566)
	at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:49)
	at org.springframework.boot.loader.Launcher.launch(Launcher.java:107)
	at org.springframework.boot.loader.Launcher.launch(Launcher.java:58)
	at org.springframework.boot.loader.JarLauncher.main(JarLauncher.java:88)
Caused by: java.lang.reflect.UndeclaredThrowableException: null
	at com.sun.proxy.$Proxy168.findByClientId(Unknown Source)
	at io.camunda.iam.client.ClientService.findByClientId(ClientService.kt:28)
	at io.camunda.iam.client.ClientService$$FastClassBySpringCGLIB$$26e7d5d1.invoke(<generated>)
	at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218)
	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:779)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163)
	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:750)
	at org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:123)
	at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:388)
	at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:119)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:750)
	at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:692)
	at io.camunda.iam.client.ClientService$$EnhancerBySpringCGLIB$$c0f8e6e2.findByClientId(<generated>)
	at io.camunda.iam.init.client.ClientsInitializer.initClient(ClientsInitializer.kt:145)
	at io.camunda.iam.init.client.ClientsInitializer.checkAndInitClientConfigurations(ClientsInitializer.kt:83)
	at io.camunda.iam.init.client.ClientsInitializer.run(ClientsInitializer.kt:75)
	at org.springframework.boot.SpringApplication.callRunner(SpringApplication.java:797)
	... 13 common frames omitted
Caused by: com.nimbusds.jose.JOSEException: AES/GCM/NoPadding decryption failed: Tag mismatch!
	at com.nimbusds.jose.crypto.impl.AESGCM.decrypt(AESGCM.java:301)
	at com.nimbusds.jose.crypto.impl.ContentCryptoProvider.decrypt(ContentCryptoProvider.java:289)
	at com.nimbusds.jose.crypto.DirectDecrypter.decrypt(DirectDecrypter.java:272)
	at com.nimbusds.jose.JWEObject.decrypt(JWEObject.java:415)
	at io.camunda.iam.client.crypto.ClientSecretAttributeConverter.convertToEntityAttribute(ClientSecretAttributeConverter.kt:42)
	at io.camunda.iam.client.crypto.ClientSecretAttributeConverter.convertToEntityAttribute(ClientSecretAttributeConverter.kt:21)
	at org.hibernate.metamodel.model.convert.internal.JpaAttributeConverterImpl.toDomainValue(JpaAttributeConverterImpl.java:45)
	at org.hibernate.type.descriptor.converter.AttributeConverterSqlTypeDescriptorAdapter$2.doConversion(AttributeConverterSqlTypeDescriptorAdapter.java:140)
	at org.hibernate.type.descriptor.converter.AttributeConverterSqlTypeDescriptorAdapter$2.extract(AttributeConverterSqlTypeDescriptorAdapter.java:121)
	at org.hibernate.type.AbstractStandardBasicType.nullSafeGet(AbstractStandardBasicType.java:257)
	at org.hibernate.type.AbstractStandardBasicType.nullSafeGet(AbstractStandardBasicType.java:253)
	at org.hibernate.type.AbstractStandardBasicType.nullSafeGet(AbstractStandardBasicType.java:243)
	at org.hibernate.type.AbstractStandardBasicType.hydrate(AbstractStandardBasicType.java:329)
	at org.hibernate.persister.entity.AbstractEntityPersister.hydrate(AbstractEntityPersister.java:3130)
	at org.hibernate.loader.Loader.loadFromResultSet(Loader.java:1869)
	at org.hibernate.loader.Loader.hydrateEntityState(Loader.java:1797)
	at org.hibernate.loader.Loader.instanceNotYetLoaded(Loader.java:1770)
	at org.hibernate.loader.Loader.getRow(Loader.java:1622)
	at org.hibernate.loader.Loader.getRowFromResultSet(Loader.java:740)
	at org.hibernate.loader.Loader.getRowsFromResultSet(Loader.java:1039)
	at org.hibernate.loader.Loader.processResultSet(Loader.java:990)
	at org.hibernate.loader.Loader.doQuery(Loader.java:959)
	at org.hibernate.loader.Loader.doQueryAndInitializeNonLazyCollections(Loader.java:349)
	at org.hibernate.loader.Loader.doList(Loader.java:2849)
	at org.hibernate.loader.Loader.doList(Loader.java:2831)
	at org.hibernate.loader.Loader.listIgnoreQueryCache(Loader.java:2663)
	at org.hibernate.loader.Loader.list(Loader.java:2658)
	at org.hibernate.loader.hql.QueryLoader.list(QueryLoader.java:506)
	at org.hibernate.hql.internal.ast.QueryTranslatorImpl.list(QueryTranslatorImpl.java:400)
	at org.hibernate.engine.query.spi.HQLQueryPlan.performList(HQLQueryPlan.java:219)
	at org.hibernate.internal.SessionImpl.list(SessionImpl.java:1414)
	at org.hibernate.query.internal.AbstractProducedQuery.doList(AbstractProducedQuery.java:1625)
	at org.hibernate.query.internal.AbstractProducedQuery.list(AbstractProducedQuery.java:1593)
	at org.hibernate.query.internal.AbstractProducedQuery.getSingleResult(AbstractProducedQuery.java:1641)
	at org.springframework.data.jpa.repository.query.JpaQueryExecution$SingleEntityExecution.doExecute(JpaQueryExecution.java:196)
	at org.springframework.data.jpa.repository.query.JpaQueryExecution.execute(JpaQueryExecution.java:88)
	at org.springframework.data.jpa.repository.query.AbstractJpaQuery.doExecute(AbstractJpaQuery.java:155)
	at org.springframework.data.jpa.repository.query.AbstractJpaQuery.execute(AbstractJpaQuery.java:143)
	at org.springframework.data.repository.core.support.RepositoryMethodInvoker.doInvoke(RepositoryMethodInvoker.java:137)
	at org.springframework.data.repository.core.support.RepositoryMethodInvoker.invoke(RepositoryMethodInvoker.java:121)
	at org.springframework.data.repository.core.support.QueryExecutorMethodInterceptor.doInvoke(QueryExecutorMethodInterceptor.java:152)
	at org.springframework.data.repository.core.support.QueryExecutorMethodInterceptor.invoke(QueryExecutorMethodInterceptor.java:131)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
	at org.springframework.data.projection.DefaultMethodInvokingMethodInterceptor.invoke(DefaultMethodInvokingMethodInterceptor.java:80)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
	at org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:123)
	at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:388)
	at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:119)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
	at org.springframework.dao.support.PersistenceExceptionTranslationInterceptor.invoke(PersistenceExceptionTranslationInterceptor.java:137)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
	at org.springframework.data.jpa.repository.support.CrudMethodMetadataPostProcessor$CrudMethodMetadataPopulatingMethodInterceptor.invoke(CrudMethodMetadataPostProcessor.java:145)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
	at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:97)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
	at org.springframework.data.repository.core.support.MethodInvocationValidator.invoke(MethodInvocationValidator.java:98)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
	at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:215)
	... 31 common frames omitted
Caused by: javax.crypto.AEADBadTagException: Tag mismatch!
	at java.base/com.sun.crypto.provider.GaloisCounterMode.decryptFinal(GaloisCounterMode.java:580)
	at java.base/com.sun.crypto.provider.CipherCore.finalNoPadding(CipherCore.java:1049)
	at java.base/com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:985)
	at java.base/com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:847)
	at java.base/com.sun.crypto.provider.AESCipher.engineDoFinal(AESCipher.java:446)
	at java.base/javax.crypto.Cipher.doFinal(Cipher.java:2202)
	at com.nimbusds.jose.crypto.impl.AESGCM.decrypt(AESGCM.java:297)
	... 88 common frames omitted

When I truncate the tables of the iam database and restart the service, the service returns to normal.

Looks like we are getting close.

@ajeans:

There is another setting I have missed for iam in docker-compose:

FRONTEND_URL: http://iam.localhost:8080

@MaximMonin

You have enabled ENFORCE_HTTPS=true but the return url is pointing to http://xxx/. Did you configure Operate and Tasklist to also use https?

@lzgabel

To make IAM production ready, you need to provide a database encryption key and depending on the setup a token encryption key. Otherwise they will be randomly generated on startup.

You can set the database encryption key with following env variable in the docker-compose (or k8s setup):

  DATABASE_ENCRYPTION_KEY: add_a_32_characters_secret_here_

For the token signing key generate and add a JWKS with the algorithm “RS256” and preferably a length of 4096 as follows. There are multiple ways to generate a JWKS and some online tools.

  TOKEN_SIGNING_KEY: your JWKS

@dlavrenuek thanks for your response!

@dlavrenuek

There is another setting I have missed for iam in docker-compose:

FRONTEND_URL: http://iam.localhost:8080

Thanks, just added that.

That still fails with the lack of permission message with user demo/demo.

But permissions should be correctly set up

Here is the diff on top of my previous configuration.

--- a/config/operate/application.yml
+++ b/config/operate/application.yml
@@ -28,7 +28,7 @@ camunda.operate:
   iam:
     issuer: http://iam.localhost:8080
     issuerUrl: http://iam.localhost:8080
-    clientId: operate-iam-client
+    clientId: operate
     clientSecret: d66eb844-0e14-4da0-939c-8794cc105e16
 logging:
   level:
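Review bot: clientSecret is committed in plain text in config/operate/application.yml; since the same value also sits in docker-compose.yml as CLIENTS_0_CLIENT_SECRET, the two copies will drift, and a secret in a tracked config file is easy to leak. Prefer supplying it through the CAMUNDA_OPERATE_IAM_CLIENT_SECRET environment variable from an env file or secret store and dropping the `clientSecret:` line here. The clientId change to `operate` is consistent with CLIENTS_0_CLIENT_ID in the compose hunk.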
diff --git a/docker-compose.yml b/docker-compose.yml
index 96987208..0a6dbde9 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -175,17 +175,21 @@ services:
       - postgres_data:/var/lib/postgresql/data/
 
   iam:
-    image: camunda/iam:latest
+    image: camunda/iam:1.2.2
     environment:
-      IAM_CLIENT_BASE_URL: http://iam.localhost:8080
-      BACKEND_URL: http://iam.localhost:8080/api
-      IAM_CLIENT_SECRET: 43cc9055-e396-4274-b2ed-c8154fc3be4e
+      # Operate
       CLIENTS_0_BASE_URL: http://localhost:9080/
-      CLIENTS_0_CLIENT_ID: operate-iam-client
+      CLIENTS_0_CLIENT_ID: operate
       CLIENTS_0_LOGOUT_URL: http://localhost:9080/api/logout
       CLIENTS_0_NAME: Operate
       CLIENTS_0_CLIENT_SECRET: d66eb844-0e14-4da0-939c-8794cc105e16
-      # For localhost usage
+      # IAM UI
+      IAM_CLIENT_BASE_URL: http://iam.localhost:8080
+      IAM_CLIENT_SECRET: 43cc9055-e396-4274-b2ed-c8154fc3be4e
+      # IAM
+      FRONTEND_URL: http://iam.localhost:8080
+      BACKEND_URL: http://iam.localhost:8080/api
+      # For localhost usage (NOT FOR PRODUCTION)
       ENFORCE_HTTPS: "false"
       FEATURE_USER_MANAGEMENT: "true"
       DB_URL: jdbc:postgresql://postgres-iam:5432/pgiamdb
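Review bot: DATABASE_ENCRYPTION_KEY and TOKEN_SIGNING_KEY are still missing from the iam environment; without them IAM generates both keys at startup, so stored client secrets cannot be decrypted after a restart (the AES/GCM "Tag mismatch" reported earlier in the thread). Add `DATABASE_ENCRYPTION_KEY` (32 characters) and `TOKEN_SIGNING_KEY` (RS256 JWKS), and move CLIENTS_0_CLIENT_SECRET and IAM_CLIENT_SECRET out of the committed file into an env file. Also note that BACKEND_URL and FRONTEND_URL now point at iam.localhost, which the Operate container must be able to resolve, not only the browser.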
@@ -209,3 +213,4 @@ services:
       interval: 30s
       timeout: 15s
       retries: 10
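Review bot: the hunk header `@@ -209,3 +213,4 @@` announces one added line, but only the three unchanged context lines (interval, timeout, retries) are shown, so the added line was lost in the paste and this part of the change cannot be reviewed. Please re-paste the hunk with the `+` line included.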

Yes, I use nginx with https2 SSL + etoken auth for all endpoints.
I do not understand what the values of FRONTEND_URL and BACKEND_URL should be, because with ENFORCE_HTTPS=true they are required.
https://myserver:2700/zeebe/operate/ - entry point to Operate
https://myserver:2700/zeebe/tasklist/ - entry point to Tasklist
I tried https://myserver:2700/zeebe/admin/ for IAM but it failed; I was returned to https:/myserver:2729

Hello,

I created a new user test in IAM:

added permissions for operate and added to role FULL ACCESS:

and gave user test the role FULL ACCESS:

After access operate I was redirected to IAM to login:

and after login as test redirected back from IAM to operate:

Can you try to create a new user as described? Maybe we can find other issues during this procedure.

Hello @ralfpuchert

I did exactly the steps above, with a new test user and the appropriate role.

When I navigate to http://localhost:9080 to access Operate, I get the error message as explained above.

I have the docker-compose logs after startup and the HAR file ready, would you like them by email? I cannot find how to share them easily here…

Possibly silly / offtopic question

Is IAM a convenient way to do an Oauth2 Authorization Flow for Operate and Tasklist?

And are the permissions equivalent to Oauth2 scopes?

If that is the case, I am thinking I could try to hook Operate to the Keycloak I already have in my architecture.

Thanks

Yes, you can send to the email address as seen in the screenshot.


No, unfortunately not yet.


hey @ajeans,

Sorry for the delay on this, I had a busy day yesterday.
So I found the issue here. Mostly it is because of the network isolation of the docker containers.

I am sharing with you my docker-compose.yml file to have as reference.

version: "2.4"
services:
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:7.13.4
    container_name: elasticsearch
    environment:
      - discovery.type=single-node
      - cluster.name=docker-cluster
      - bootstrap.memory_lock=true
      - xpack.security.enabled=false
      - "ES_JAVA_OPTS=-Xms1024m -Xmx1024m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    ports:
      - 9200:9200
      - 9300:9300
    restart: always

  kibana:
    image: docker.elastic.co/kibana/kibana:7.13.0
    ports:
      - 5601:5601
    links:
      - elasticsearch

  zeebe:
    container_name: zeebe
    image: camunda/zeebe:1.2.1
    environment:
      - "JAVA_TOOL_OPTIONS=-Xms512m -Xmx512m"
      - ZEEBE_HOST=${ZEEBE_HOST:-}
      - ZEEBE_BROKER_CLUSTER_PARTITIONS_COUNT=4
      - ZEEBE_BROKER_EXPORTERS_ELASTICSEARCH_ARGS_INDEX_DEPLOYMENT=false
      #- "JAVA_OPTS=-agentlib:jdwp=transport=dt_socket,address=8000,server=y,suspend=n"
    ports:
      - 26500:26500
      - 8000:8000
    restart: always
    volumes:
      - ./config/zeebe.cfg.yaml:/usr/local/zeebe/config/application.yaml

  iam-backend:
    image: docker.io/camunda/iam:1.2.1
    container_name: iam-backend
    depends_on:
      - database
      - mailserver
    environment:
      SMTP_HOST: localhost
      SMTP_PORT: 11025
      SMTP_USER: mailhog
      SMTP_PASSWORD: mailhog
      SMTP_WITH_TLS: "false"
      DB_URL: jdbc:postgresql://database:5432/iam
      DB_USER: camunda
      DB_PASSWORD: mydatabasepassword
      DATABASE_ENCRYPTION_KEY: XALaRPl5qwTEItdwCMiPS62nVpKs7dL7
      FRONTEND_URL: http://iam-backend:8080
      BACKEND_URL: http://iam-backend:8080/api
      EMAIL_SENDER: support@camunda.com
      EMAIL_NOREPLY_SENDER: noreply@camunda.com
      EMAIL_SENDER_NAME: Camunda Team
      TOKEN_ISSUER: http://localhost:8080
      TOKEN_SIGNING_KEY: "{ \"kty\": \"RSA\", \"n\": \"on67R4CfHONIwOSEXYbZ2uzm92gRta4WZxnaVpdpoh3oK_Y7Re6eKFFMZF7XbHT1lEyIkul4irTYrSduCEEL3IpQrF-eH9GCJoCQiTaQq3eO3oPthmQB0GZZOoT1A6EalhsQY1cACcrkr-ZJ58wOAAEdCTGjCCJlch7-yMLUzB97iQWMWceEc90h1Bh9cThhEvPVVMyrVe53L9Lsn72y7K8M-ZkFiVtd8c3Wou0n3aettD-G6WNkg8dJZILTBS3zcF4RIVRX7uR1ZFmqRZK_taul0aACZpGXXM1GxXMocFQbOshnDo_D3LEMAwHnVHGZhB-dY0L8hPQIVm7IMPAjIIP-zOfnYtgt9CKuGv_rUk5ZNebpXGkvfvo39-_lZI-TWEViuuBNJcMHYIBAPABWFuenInRHNGcExWd6kNWTKKQnJK55zBlZ6JB1MDCBi96ZNEOnkgIlYLC1N2dYB05RuemLD5Lnu-UlOAqkq8luv5-5kG0CymorTWbUTkjMWpIllBR1YHjVGSoP38vXVbofjULJ-hV4OWXxFgfmV1t0eKsR74U_FQ6JRdC7b9uKPQ30Bw-gUJaQlR9qrb51UpgTL_TMvDYVZlzbx733Iso4c3TJspmWGQaOR8TeNh_0x9WLGvYFWg5-gJVU_1vHHnrzHNlcr-9a8wly1-pD5RihV78\", \"e\": \"AQAB\", \"d\": \"T_jLNu-IX3FElxpgQp9hjKtXKKAhRyb8g5VnrYIrTMwnPaublFlRoUoRrLw4jXoqeugHtzYMS0eh8-YZ8xoAOnQgLBWK_uHfig9wEve1z42x1LVdKu0BL42PkItrAnRBX2rGb_2bWTZvwlo2OUxl_36Myb-SGyjCgJ3civXIQQWliNQgNPdKqrNEONwssJIsxGUYsvlfwZTxN6o5Joz4CCBG5Hh5DxbWb3D8l4bcPeyOQs2ZGjf-ehSUfFEehcgNrVm-WIboF_x8Af1XHZKRo1ls7HQxekVhFx04HWkFl_Lsy8thXPtIS88euEQxk4-tHCdrEDUhjlWD3PX8tIka39cTt-PpGGTY-gtekI_qO6LOnW2YPDZq3Pg_KATnHRlOUGDvOdiyN0r00l64nCFPrDyW0vGQ7RyAJe7UtvurljfBQEWHl5G2dMjmO6ENC8PKM3AfQ9dD9V-rTHlOLpYio60TvYSGZM2G_lqDkG9f4O3b77Mt0dmDH0zp1EqsaQP9ABfIfpygahmH00kIskgeb6iGsUU36drJnqYE9tcVv_BINwSD6MKFfx9AV9wY66_g7yNg4Ir38MVr26pq1i8HWjvZhtZ_634G8TVlxoJOQzlohrnMyzo4gUqA9t_5nDWQbHJiQKyH9iHWFt9ZEEFU4tvkpsWl8tQglcEebY2LyzE\", \"p\": \"zQEu0awXy11qfiMWRg1jsGFbp68DrlAiVTFeqee3BDsggBDRTZn_tg5pHTVxWe0vHFQBPmn19HfLb--ZxQoWpaAzdOqAhQG4NXVkGpLLBS8q9nGO7ImZnrc2GBiaE83jC6loOFx1-BIBpShANp6A6ymB7Pg2Y8XPrL6Jg7dsBrIfTlQZgfHWchzOUHs3N_8uZlWWXjdjNRJQvONB4-QHur8r_xHJVtjW2jFIkpyVPuHs-71sm-IKCh0SLD3cQr-M3hpGOUpdyUoRLEzmvgi8KUFYeDKpSeMy5Ptq2zyhZgj8S3OyBKLOugg2ZCwOFijiVesynUOstsxTGc40r9yydQ\", \"q\": 
\"yuqDb_WiuP0vJG9d0rADHjZUqmVd3jMSAxwnTDBM0hmEn26PC1NpogM57y-YviiqvaIG97PjBIy8IUU7ajwhQR9tfwaEINA1UDJiKgYU5T2YYyStjRPsQAmPbLh3fxzZrb2A___bbZOiU-HlKS90bM4s05cKAX_iFQCZWbhnnNEo49dpj5JURo_lnX00vcZ2RIWVKf88nskzz4gBg1aKYnC1KxGV5LCgc8Yd2itT5H7k6cW_GusGehUKPhSZIVPBCIoWfUFfzfNH5I0bRGPdpjT3ArUx_rTM4MHH8Xz0XBLPq7zzyHPHPZL5ZztxNMMVcQR6PR2aya2pvVSB0bty4w\", \"dp\": \"ZYpZc1cnLf6mObYNWUNWhk2ixUqlqxhb-RCMD-IKv5i9v1EVKrfFdZprrCEFdQJLHF_rgcugHKedZ2MpKfSWRRE1i4p_f-HbKPdtTtA4qOe1Av46SaTaJ0geDg9Zece31tXhHlGFyQq6L-Dg9WzK9C_J_-Ltpbub4rc5i7k1U5e0c-qp-7gafMkR08FEF4NYqy1nXmFWzTm2LejugP84aOI524wmytJ6kPZqONw__DaRWBt6CTgLuvitQKafS5xvHK-s6sGP9JywJt4sSCIxeMm6FUcanNNhKRPy2IaOduiqdoDmwu8VMAXTUwiTLZywhtgJaOXVTXGlE5oUdKr-5Q\", \"dq\": \"mG3ohJ9COLLAyh76nP1pqjVoDoSNKhC1NC7e-mXCH4XZ0aZMwFZNoM3JpHrdw-Nqt39SupqgK9fIrzmBs4Et_eys5WIwuTGPCwp-IVFmOvq1UazIzpSrwUMtQZ-k7JDwmIolsKkz3bGsnFSyP-kNDXsnw17Pvmahn-NOT06uTuf0TouQGbDzq_oGo_LdPr4qM7khX2YD1MgSKpDhihblZ6OBBLR2JE_miHHIFQ69O4VzUoUg1Qi-WdEaW54_lgCDnnWVBUypul1JoU-6rvpSE7vv3lHdF5gb267WEvsp2UysQjdz7h3DCucwgTLvDJKLtdWGOgjWMTBKtRYZW0Lzvw\", \"qi\": \"H5ZJVUO913d3ycntfj5HG0fb4lkicnv2aTQwoX1mrwp0z-JshnXCwy-sEQgB_ZKqxCsOt1gwd_uVd5t11IcF7uepwMYkdQdnGHOqTj2j-Fj5h2NEy858rvOngb4luY5QOJUV7bY_K7fvN-rt888M2oub9jJpGuE4VNvzcXmMdPTu2rHKTwYr5Q1MasEEzALt9pzp2oS-EI04jLiZy9TjsbRV-qkBLdusyhCVIYwTrFFCkoS4qO7x77yuHpHGzOvn8GgCvcCrHy3DTu371Xg_1RvqRaT99KNbiaKNG7sn8UpqvHSzcDkToOVLj9cfyYiW4ar4sjern2iIoVuq_KS4Ug\" }"
      ENFORCE_HTTPS: "false"
      DEFAULT_USER_EMAIL: test_user@camunda.com
      DEFAULT_USER_PASSWORD: 123
      DEFAULT_USER_CREATE: "true"
      CLIENTS_0_NAME: operate
      CLIENTS_0_CLIENT_ID: operate
      CLIENTS_0_CLIENT_SECRET: XALaRPl5qwTEItdwCMiPS62nVpKs7dL7
      CLIENTS_0_LOGOUT_URL: http://localhost:8080/iam-logout-callback
      CLIENTS_0_BASE_URL: http://localhost:8080
      IAM_CLIENT_SECRET: XALaRPl5qwTEItdwCMiPS62nVpKs7dL7
      IAM_CLIENT_BASE_URL: http://localhost:8080
      IAM_CLIENT_LOGOUT_URL: http://localhost:8080/logout
      FEATURE_USER_MANAGEMENT: "true"
      FEATURE_SELF_SIGN_UP: "true"
    ports:
      - 8080:8080
    healthcheck:
      test: wget http://localhost:8081/actuator/health -q -O - > /dev/null 2>&1
      interval: 30s
      timeout: 15s
      retries: 5
  database:
    image: postgres:12.7-alpine
    environment:
      POSTGRES_DB: iam
      POSTGRES_USER: camunda
      POSTGRES_PASSWORD: mydatabasepassword
    ports:
      - 15432:5432
    healthcheck:
      test: pg_isready -d iam -U camunda
      interval: 30s
      timeout: 15s
      retries: 5

  mailserver:
    image: mailhog/mailhog:v1.0.1
    ports:
      - 18025:8025
      - 11025:1025



  operate:
    image: camunda/operate:1.2.1
    environment:
      - SPRING_PROFILES_ACTIVE=iam-auth
      - CAMUNDA_OPERATE_IAM_ISSUER_URL=http://iam-backend:8080
      - CAMUNDA_OPERATE_IAM_CLIENT_ID=operate
      - CAMUNDA_OPERATE_IAM_CLIENT_SECRET=XALaRPl5qwTEItdwCMiPS62nVpKs7dL7
    ports:
      - 8088:8080
    volumes:
      - ./config/application.yml:/usr/local/operate/config/application.yml
    depends_on:
      - zeebe
      - elasticsearch
      - iam-backend

also, I added this to my hosts file:

127.0.0.1 iam-backend

Now let me explain the reasoning.
Docker isolates the networks, and with those parameters we had some issues while accessing each service. There are different ways we can try to solve this (e.g. creating a bridge network), but here is what I did:

  1. Pointed IAM to iam-backend (which is the docker container name)
  2. Changed the port of Operate to 8088 (the exposed one on my machine)
  3. All my requests between Operate and IAM now go via localhost:8088 <-> iam-backend:8080, which does the trick for requests both inside the container and in my browser.

Other than that, it is the previous permissions we had already set inside IAM, and it all works.

Let me know if you have any extra questions.


Ok, almost done, with a few issues:

  operate:
    image: camunda/operate:1.2.2
    container_name: zeebe-cluster-operate-$ENVIRONMENT
    restart: always
    depends_on:
      - node0
      - es01
      - iam
    ports:
      - "$OPERATE_PORT:8080"
    expose:
      - 8080
    networks:
      zeebe_network:
        ipv4_address: $CLUSTER_NETWORK.10
    volumes:
      - ./cfg/operate.yml:/usr/local/operate/config/application.yml:ro
      - /etc/localtime:/etc/localtime:ro
    environment:
      - SPRING_PROFILES_ACTIVE=iam-auth
      - CAMUNDA_OPERATE_IAM_ISSUER_URL=$IAM_URL
      - CAMUNDA_OPERATE_IAM_CLIENT_ID=operate
      - CAMUNDA_OPERATE_IAM_CLIENT_SECRET=$IAM_CLIENT_SECRET

  tasklist:
    image: camunda/tasklist:1.2.2
    container_name: zeebe-cluster-tasklist-$ENVIRONMENT
    restart: always
    depends_on:
      - node0
      - es01
      - iam
    ports:
      - "$TASKLIST_PORT:8080"
    expose:
      - 8080
    networks:
      zeebe_network:
        ipv4_address: $CLUSTER_NETWORK.11
    volumes:
      - ./cfg/tasklist.yml:/config/application.yml:ro
      - /etc/localtime:/etc/localtime:ro
    environment:
      - SPRING_PROFILES_ACTIVE=iam-auth
      - CAMUNDA_TASKLIST_IAM_ISSUER_URL=$IAM_URL
      - CAMUNDA_TASKLIST_IAM_CLIENT_ID=tasklist
      - CAMUNDA_TASKLIST_IAM_CLIENT_SECRET=$IAM_CLIENT_SECRET

  iam:
    image: camunda/iam:1.2.2
    container_name: zeebe-cluster-iam-$ENVIRONMENT
    restart: always
    depends_on:
      - iam-db
    ports:
      - "$IAM_PORT:8080"
    networks:
      zeebe_network:
        ipv4_address: $CLUSTER_NETWORK.12
    volumes:
      - ./cfg/iam.yml:/app/application.yml:ro
      - /etc/localtime:/etc/localtime:ro
    environment:
      # Operate
      - CLIENTS_0_CLIENT_ID=operate
      - CLIENTS_0_NAME=Operate
      - CLIENTS_0_BASE_URL=https://my-operate-browser-path
      - CLIENTS_0_LOGOUT_URL=https://my-operate-browser-path/iam-logout-callback
      - CLIENTS_0_CLIENT_SECRET=$IAM_CLIENT_SECRET
      # TaskList
      - CLIENTS_1_CLIENT_ID=tasklist
      - CLIENTS_1_NAME=Tasklist
      - CLIENTS_1_BASE_URL=https://my-task-list-browser-path
      - CLIENTS_1_LOGOUT_URL=https://my-task-list-browser-path/iam-logout-callback
      - CLIENTS_1_CLIENT_SECRET=$IAM_CLIENT_SECRET
      # IAM UI
      - IAM_CLIENT_BASE_URL=$IAM_URL
      - IAM_CLIENT_LOGOUT_URL=$IAM_URL/logout
      - IAM_CLIENT_SECRET=$IAM_CLIENT_SECRET
      # Default User
      - DEFAULT_USER_EMAIL=demo@zeebe
      - DEFAULT_USER_PASSWORD=demo
      - DEFAULT_USER_CREATE=true
      # IAM
      - ENFORCE_HTTPS=false
      - FRONTEND_URL=$IAM_URL
      - BACKEND_URL=$IAM_URL/api
      - FEATURE_USER_MANAGEMENT=true
      - FEATURE_SELF_SIGN_UP=true
      - TOKEN_ISSUER=http://localhost:8080
      - TOKEN_SIGNING_KEY=$IAM_TOKEN
      - DATABASE_ENCRYPTION_KEY=$IAM_CLIENT_SECRET
      - DB_URL=jdbc:postgresql://iam-db:5432/iam
      - DB_USER=zeebe
      - DB_PASSWORD=zeebe
    healthcheck:
      test: wget http://localhost:8081/actuator/health -q -O - > /dev/null 2>&1
      interval: 30s
      timeout: 15s
      retries: 5

  iam-db:
    image: postgres:14.0
    restart: always
    container_name: zeebe-cluster-iamdb-$ENVIRONMENT
    expose:
      - 5432
    networks:
      zeebe_network:
        ipv4_address: $CLUSTER_NETWORK.13
    volumes:
      - ./db/iam:/var/lib/postgresql/data
      - /etc/localtime:/etc/localtime:ro
    environment:
      - POSTGRES_DB=iam
      - POSTGRES_USER=zeebe
      - POSTGRES_PASSWORD=zeebe
    healthcheck:
        test: pg_isready -d iam -U zeebe
        interval: 30s
        timeout: 15s
        retries: 5

1st issue:

I am getting this screen if I change the callback redirect from http to https; otherwise I get a wrong redirect error.

2nd issue: I still can't log in to Operate… with noPermission, but… I see that actually I am logged in.

  1. I can sign up in Operate and it successfully creates a new user in IAM, but then I still get no permission. There is a strange thing about registration: after it I have full rights in IAM and can do anything there with full access.

  2. When adding a permission to Operate or Tasklist, sometimes I cannot enter the description field… it gives an error… permission already exists… but with an empty permission description I can successfully commit it.

Hey Max,

Maybe the client is configured to have a FRONTEND_URL with http and not https?

About the signup:
There is a flag that controls whether the permissions are enforced within IAM, ENFORCE_ACCESS_CONTROL. If that flag is either set to false or left as default (false), then a new user on sign-up will be able to perform any action. It's not so much that during signup FULL ACCESS is granted, more that the flag is off.

And we are verifying the description problem. Most likely we are creating a bug here and fixing it.
Thanks for all the info

I do not have http endpoints; all endpoints are https.
I use https://my-server:2729 as IAM_URL.
The flag enforce_https, true or false, has no effect on it.

@MaximMonin

The no permissions page is also displayed if there was an error communicating to IAM backend. Could you look up the last entries in the Operate logs when you try to log in?

IAM log:

2021-11-01 17:06:12.597  INFO 1 --- [io-8080-exec-10] io.camunda.iam.utils.MDCLogger           : user.login

Operate log (many entries), 2 seconds later:

2021-11-01 17:06:14.164  WARN 8 --- [nio-8080-exec-3] i.c.o.u.RetryOperation                   : request to IAM API failed with status code '401' and body '<html>
<head><title>401 Authorization Required</title></head>
<body>
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx</center>
</body>
</html>

and when I get no permission:

	at io.camunda.iam.sdk.RestClient.send(RestClient.java:112) ~[camunda-cloud-iam-sdk-1.2.2.jar!/:?]
	at io.camunda.iam.sdk.RestClient.request(RestClient.java:92) ~[camunda-cloud-iam-sdk-1.2.2.jar!/:?]
	at io.camunda.iam.sdk.Authentication.exchangeAuthCode(Authentication.java:110) ~[camunda-cloud-iam-sdk-1.2.2.jar!/:?]
	at io.camunda.operate.webapp.security.iam.IAMAuthentication.lambda$retrieveTokens$0(IAMAuthentication.java:141) ~[classes!/:?]
	at io.camunda.operate.util.RetryOperation.retry(RetryOperation.java:117) ~[operate-common-1.2.2.jar!/:?]
	at io.camunda.operate.webapp.security.iam.IAMAuthentication.requestWithRetry(IAMAuthentication.java:157) ~[classes!/:?]
	at io.camunda.operate.webapp.security.iam.IAMAuthentication.retrieveTokens(IAMAuthentication.java:140) ~[classes!/:?]
	at io.camunda.operate.webapp.security.iam.IAMAuthentication.authenticate(IAMAuthentication.java:129) ~[classes!/:?]
	at io.camunda.operate.webapp.security.iam.IAMController.loggedInCallback(IAMController.java:84) [classes!/:?]
	at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
	at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) ~[?:?]
	at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) ~[?:?]
	at java.lang.reflect.Method.invoke(Unknown Source) ~[?:?]
	at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:205) [spring-web-5.3.10.jar!/:5.3.10]
	at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:150) [spring-web-5.3.10.jar!/:5.3.10]
	at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:117) [spring-webmvc-5.3.10.jar!/:5.3.10]
	at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:895) [spring-webmvc-5.3.10.jar!/:5.3.10]
	at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:808) [spring-webmvc-5.3.10.jar!/:5.3.10]
	at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:87) [spring-webmvc-5.3.10.jar!/:5.3.10]
	at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1067) [spring-webmvc-5.3.10.jar!/:5.3.10]
	at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:963) [spring-webmvc-5.3.10.jar!/:5.3.10]
	at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1006) [spring-webmvc-5.3.10.jar!/:5.3.10]
	at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:898) [spring-webmvc-5.3.10.jar!/:5.3.10]
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:655) [tomcat-embed-core-9.0.53.jar!/:4.0.1]
	at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:883) [spring-webmvc-5.3.10.jar!/:5.3.10]
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:764) [tomcat-embed-core-9.0.53.jar!/:4.0.1]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:227) [tomcat-embed-core-9.0.53.jar!/:?]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) [tomcat-embed-core-9.0.53.jar!/:?]
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53) [tomcat-embed-websocket-9.0.53.jar!/:?]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) [tomcat-embed-core-9.0.53.jar!/:?]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) [tomcat-embed-core-9.0.53.jar!/:?]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:327) [spring-security-web-5.5.2.jar!/:5.5.2]
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:115) [spring-security-web-5.5.2.jar!/:5.5.2]
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:81) [spring-security-web-5.5.2.jar!/:5.5.2]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) [spring-security-web-5.5.2.jar!/:5.5.2]
	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:121) [spring-security-web-5.5.2.jar!/:5.5.2]
	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:115) [spring-security-web-5.5.2.jar!/:5.5.2]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) [spring-security-web-5.5.2.jar!/:5.5.2]
	at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:126) [spring-security-web-5.5.2.jar!/:5.5.2]
	at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:81) [spring-security-web-5.5.2.jar!/:5.5.2]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) [spring-security-web-5.5.2.jar!/:5.5.2]
	at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:105) [spring-security-web-5.5.2.jar!/:5.5.2]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) [spring-security-web-5.5.2.jar!/:5.5.2]
	at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:149) [spring-security-web-5.5.2.jar!/:5.5.2]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) [spring-security-web-5.5.2.jar!/:5.5.2]
	at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63) [spring-security-web-5.5.2.jar!/:5.5.2]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) [spring-security-web-5.5.2.jar!/:5.5.2]
	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:103) [spring-security-web-5.5.2.jar!/:5.5.2]
	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:89) [spring-security-web-5.5.2.jar!/:5.5.2]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) [spring-security-web-5.5.2.jar!/:5.5.2]
	at io.camunda.operate.webapp.security.BaseWebConfigurer$1.doFilterInternal(BaseWebConfigurer.java:154) [classes!/:?]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.3.10.jar!/:5.3.10]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) [spring-security-web-5.5.2.jar!/:5.5.2]
	at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:117) [spring-security-web-5.5.2.jar!/:5.5.2]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.3.10.jar!/:5.3.10]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) [spring-security-web-5.5.2.jar!/:5.5.2]
	at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:90) [spring-security-web-5.5.2.jar!/:5.5.2]
	at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:75) [spring-security-web-5.5.2.jar!/:5.5.2]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.3.10.jar!/:5.3.10]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) [spring-security-web-5.5.2.jar!/:5.5.2]
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:110) [spring-security-web-5.5.2.jar!/:5.5.2]
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:80) [spring-security-web-5.5.2.jar!/:5.5.2]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) [spring-security-web-5.5.2.jar!/:5.5.2]
	at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:55) [spring-security-web-5.5.2.jar!/:5.5.2]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.3.10.jar!/:5.3.10]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) [spring-security-web-5.5.2.jar!/:5.5.2]
	at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:211) [spring-security-web-5.5.2.jar!/:5.5.2]
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:183) [spring-security-web-5.5.2.jar!/:5.5.2]
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358) [spring-web-5.3.10.jar!/:5.3.10]
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271) [spring-web-5.3.10.jar!/:5.3.10]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) [tomcat-embed-core-9.0.53.jar!/:?]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) [tomcat-embed-core-9.0.53.jar!/:?]
	at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100) [spring-web-5.3.10.jar!/:5.3.10]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.3.10.jar!/:5.3.10]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) [tomcat-embed-core-9.0.53.jar!/:?]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) [tomcat-embed-core-9.0.53.jar!/:?]
	at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93) [spring-web-5.3.10.jar!/:5.3.10]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.3.10.jar!/:5.3.10]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) [tomcat-embed-core-9.0.53.jar!/:?]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) [tomcat-embed-core-9.0.53.jar!/:?]
	at org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter.doFilterInternal(WebMvcMetricsFilter.java:96) [spring-boot-actuator-2.5.5.jar!/:2.5.5]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.3.10.jar!/:5.3.10]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) [tomcat-embed-core-9.0.53.jar!/:?]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) [tomcat-embed-core-9.0.53.jar!/:?]
	at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201) [spring-web-5.3.10.jar!/:5.3.10]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.3.10.jar!/:5.3.10]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) [tomcat-embed-core-9.0.53.jar!/:?]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) [tomcat-embed-core-9.0.53.jar!/:?]
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:197) [tomcat-embed-core-9.0.53.jar!/:?]
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97) [tomcat-embed-core-9.0.53.jar!/:?]
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:540) [tomcat-embed-core-9.0.53.jar!/:?]
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:135) [tomcat-embed-core-9.0.53.jar!/:?]
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) [tomcat-embed-core-9.0.53.jar!/:?]
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78) [tomcat-embed-core-9.0.53.jar!/:?]
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:357) [tomcat-embed-core-9.0.53.jar!/:?]
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:382) [tomcat-embed-core-9.0.53.jar!/:?]
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) [tomcat-embed-core-9.0.53.jar!/:?]
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:893) [tomcat-embed-core-9.0.53.jar!/:?]
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1726) [tomcat-embed-core-9.0.53.jar!/:?]
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-embed-core-9.0.53.jar!/:?]
	at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191) [tomcat-embed-core-9.0.53.jar!/:?]
	at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) [tomcat-embed-core-9.0.53.jar!/:?]
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-embed-core-9.0.53.jar!/:?]
	at java.lang.Thread.run(Unknown Source) [?:?]

@MaximMonin

The error comes from an nginx and, afaik, neither IAM nor Operate or Tasklist uses one. I assume that you have configured one for routing and it might be misconfigured?

The issue was with nginx: firewall + nginx etoken check.
While authorizing there is an interconnect between Operate and IAM, and this query does not have etoken info.

But I still can't connect:

request to IAM API failed with status code '400' and body'{"error":"invalid_grant","error_description":"Redirect url does not match auth code"}'

I looked at the IAM nginx log and saw:

my.ip - - [02/Nov/2021:14:40:29 +0000] emailAddress=maximmonin@mydomain,CN=maximmonin,OU=noc,O=My company DBA.,L=Kyiv,ST=Kyiv,C=UA SUCCESS "GET /api/authorize?client_id=operate&redirect_uri=http%3A%2F%2Fmyhost%3A2700%2Fzeebe%2Foperate%2Fiam-callback&response_type=code&scope= HTTP/2.0" 400 34 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36"rt=0.015 uct="0.000" uht="0.012" urt="0.016"
my.ip - - [02/Nov/2021:14:40:35 +0000] emailAddress=maximmonin@mydomain,CN=maximmonin,OU=noc,O=mycompany DBA.,L=Kyiv,ST=Kyiv,C=UA SUCCESS "GET /api/authorize?client_id=operate&redirect_uri=https%3A%2F%2Fmyhost%3A2700%2Fzeebe%2Foperate%2Fiam-callback&response_type=code&scope= HTTP/2.0" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36"rt=0.020 uct="0.000" uht="0.020" urt="0.020"

I don't know why Operate generates an http query instead of https.
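
The redirect_uri behaviour behind the invalid_grant response above, as an added example that is not code from the thread or from Camunda IAM/Operate: a small Python model of the two RFC 6749 checks (exact match of redirect_uri against the client registration at the authorization endpoint, and equality with the URI bound to the code at the token endpoint), replayed over constructed log lines modelled on the nginx lines above. The registered redirect URI, the in-memory code store, the error bodies and the sample log lines are assumptions for the example; the real values live in IAM's configuration.

```python
"""Added example; not code from Camunda IAM or the thread. It models the two
redirect_uri checks of RFC 6749 (sec. 4.1.1 / 4.1.3) that lead to an
invalid_grant response, and runs them over constructed nginx log lines."""
import re
import secrets
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines modelled on the nginx access log in the thread
# (client DN, hostnames and user agent are placeholders, not real values).
SAMPLE_LOG = """\
my.ip - - [02/Nov/2021:14:40:29 +0000] CN=user SUCCESS "GET /api/authorize?client_id=operate&redirect_uri=http%3A%2F%2Fmyhost%3A2700%2Fzeebe%2Foperate%2Fiam-callback&response_type=code&scope= HTTP/2.0" 400 34 "-" "Mozilla/5.0"
my.ip - - [02/Nov/2021:14:40:35 +0000] CN=user SUCCESS "GET /api/authorize?client_id=operate&redirect_uri=https%3A%2F%2Fmyhost%3A2700%2Fzeebe%2Foperate%2Fiam-callback&response_type=code&scope= HTTP/2.0" 302 0 "-" "Mozilla/5.0"
"""

# Hypothetical client registration (assumed value; in reality this is IAM config).
REGISTERED_REDIRECT_URIS = {
    "operate": {"https://myhost:2700/zeebe/operate/iam-callback"},
}
# Issued authorization codes, each bound to the client and redirect_uri it was issued for.
_ISSUED_CODES = {}

REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def parse_authorize_requests(log_text):
    """Yield (client_id, redirect_uri, logged status) for each /api/authorize line."""
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = urlsplit(m.group("target"))
        if target.path != "/api/authorize":
            continue
        q = parse_qs(target.query, keep_blank_values=True)
        yield q.get("client_id", [""])[0], q.get("redirect_uri", [""])[0], int(m.group("status"))


def explain_mismatch(client_id, redirect_uri):
    """Which URI components differ from the registered values (for triage only)."""
    offered = urlsplit(redirect_uri)
    diffs = set()
    for registered in REGISTERED_REDIRECT_URIS.get(client_id, ()):
        reg = urlsplit(registered)
        diffs.update(p for p in ("scheme", "hostname", "port", "path")
                     if getattr(offered, p) != getattr(reg, p))
    return sorted(diffs)


def authorize(client_id, redirect_uri):
    """Authorization endpoint: exact string match against the registration
    (no scheme or host normalisation), then bind the issued code to that URI."""
    if redirect_uri not in REGISTERED_REDIRECT_URIS.get(client_id, ()):
        return 400, {"error": "invalid_request"}
    code = secrets.token_urlsafe(16)
    _ISSUED_CODES[code] = (client_id, redirect_uri)
    return 302, {"code": code}


def token(client_id, code, redirect_uri):
    """Token endpoint: the redirect_uri presented with the code must equal the
    one the code was issued for; a mismatch is invalid_grant and consumes the code."""
    bound = _ISSUED_CODES.pop(code, None)
    if bound is None or bound != (client_id, redirect_uri):
        return 400, {"error": "invalid_grant"}
    return 200, {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}


def triage(log_text):
    """Replay each logged authorize request through the check and report
    (redirect_uri, replayed status, differing components, status seen in the log)."""
    return [(uri, authorize(cid, uri)[0], explain_mismatch(cid, uri), logged)
            for cid, uri, logged in parse_authorize_requests(log_text)]


if __name__ == "__main__":
    for uri, status, diffs, logged in triage(SAMPLE_LOG):
        print(f"logged={logged} replayed={status} {uri} differs_in={diffs}")
```

Replaying the two logged requests reproduces the 400 for the http URI (it differs from the registered value only in scheme) and the 302 for the https one. The token-endpoint check is the second place a scheme mismatch bites: a code issued for the https callback and then exchanged with an http redirect_uri is rejected as invalid_grant, which is the shape of the error Operate reported above.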

Hi @MaximMonin

It is really hard to reproduce here. Currently, the Operate implementation basically gets the ISSUER_URL value and creates a request to that. So I don't know if that's an nginx issue.
I tried to reproduce, but I don't know your exact setup here.

Thanks