I’m trying to run the Identity service following the “Connect to an OpenID Connect provider” guide, but Identity is not starting correctly in our environment.
The only error messages I can see in the identity log are:
I’m wondering also if there isn’t another spring profile to activate?
In the startup log I can see:
2024-02-20 07:12:19.005  INFO 1 --- [           main] i.c.i.Application : Starting Application using Java 17.0.10 with PID 1 (/app/identity.jar started by camunda in /app)
2024-02-20 07:12:19.035 DEBUG 1 --- [           main] i.c.i.Application : Running with Spring Boot v3.1.6, Spring v6.0.14
2024-02-20 07:12:19.043  INFO 1 --- [           main] i.c.i.Application : The following 1 profile is active: "keycloak"
Our Camunda 8 SM infrastructure is deployed using Terraform to AWS ECS Fargate and I’ve set all the documented environment variables at the AWS task definition level:
CAMUNDA_IDENTITY_TYPE=MICROSOFT
CAMUNDA_IDENTITY_ISSUER=https://login.microsoftonline.com//v2.0
CAMUNDA_IDENTITY_ISSUER_BACKEND_URL=https://login.microsoftonline.com//v2.0
CAMUNDA_IDENTITY_CLIENT_ID=<Client ID from step 1>
CAMUNDA_IDENTITY_CLIENT_SECRET=<Client secret from step 3>
CAMUNDA_IDENTITY_AUDIENCE=<Client ID from step 1>
I have the impression that, despite the Keycloak reference in the error message, it may simply be related to the TLS connection not being correctly defined for my AWS ECS service.
Prior to this functionality, it was necessary to use Keycloak and configure a third-party Identity Provider within Keycloak. Now a Camunda administrator can easily configure their own OpenID Connect (OIDC) Identity Provider directly in the HELM Charts for all Camunda components at one time, removing the need for Keycloak. To speed up configuration for Microsoft Entra (formerly known as Microsoft Azure AD), a detailed guide has been published in the documentation.
You might have missed updating the Helm chart values, where the type is not changed to MICROSOFT.
zeebe:
  clientId: <Client ID from step 1>
  audience: <Client ID from step 1>
  existingSecret: <Client secret from step 3>
  tokenScope: "<Client ID from step 1>/.default"
I’m not using the Helm chart but environment variables in my Terraform script (AWS ECS Fargate):
container_definitions = jsonencode([
  {
    name  = "identity-image"
    image = "camunda/identity:${var.CAMUNDA_PLATFORM_VERSION}"
    portMappings = [
      …
    ]
    environment = [
      {
        name  = "CAMUNDA_IDENTITY_TYPE"
        value = "MICROSOFT"
      },
      {
        name  = "CAMUNDA_IDENTITY_ISSUER"
        value = "https://login.microsoftonline.com/XXXXXXXXXXXXXXXXXX/v2.0"
      },
      {
        name  = "CAMUNDA_IDENTITY_ISSUER_BACKEND_URL"
        value = "https://login.microsoftonline.com/XXXXXXXXXXXXXXXXXX/v2.0"
      },
      {
        name  = "CAMUNDA_IDENTITY_CLIENT_ID"
        value = "XXXXXXXXXXXXXXXXXX"
      },
      {
        name  = "CAMUNDA_IDENTITY_CLIENT_SECRET"
        value = "XXXXXXXXXXXXXXXXXX"
      },
      {
        name  = "CAMUNDA_IDENTITY_AUDIENCE"
        value = "XXXXXXXXXXXXXXXXXX"
      },
      {
        name  = "IDENTITY_LOG_LEVEL"
        value = "DEBUG"
      }
    ]
  }
])
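An added example for the configuration discussed in the posts above (it is not part of this thread and not Camunda's code): a small preflight script that checks the CAMUNDA_IDENTITY_* values for the mistakes that are easy to make before the containers are deployed, such as an empty tenant segment in the issuer URL (as in the first post's `https://login.microsoftonline.com//v2.0`), an audience that differs from the client ID, a wrong type, or a Helm `tokenScope` that is not `<client ID>/.default`, and compares the configured issuer against the `issuer` field of an OIDC discovery document. The tenant ID, client ID, secret and discovery document are constructed placeholders; the script does no live HTTP fetch.

```python
"""Preflight checks for a Camunda 8 custom OIDC (Microsoft Entra ID) configuration.

Added example for this thread, not Camunda's own code. All sample values are
constructed placeholders; the discovery document is an inline sample in the
shape Entra returns for a tenant-specific v2.0 endpoint, not a live fetch.
"""
import json
from urllib.parse import urlparse

REQUIRED = (
    "CAMUNDA_IDENTITY_TYPE",
    "CAMUNDA_IDENTITY_ISSUER",
    "CAMUNDA_IDENTITY_ISSUER_BACKEND_URL",
    "CAMUNDA_IDENTITY_CLIENT_ID",
    "CAMUNDA_IDENTITY_CLIENT_SECRET",
    "CAMUNDA_IDENTITY_AUDIENCE",
)


def check_issuer_url(name: str, url: str) -> list[str]:
    """Validate one issuer URL. Entra v2.0 issuers have the exact form
    https://login.microsoftonline.com/<tenant-id>/v2.0 (no trailing slash)."""
    problems = []
    parsed = urlparse(url)
    if parsed.scheme != "https":
        problems.append(f"{name}: must use https, got {parsed.scheme!r}")
    if parsed.hostname == "login.microsoftonline.com":
        segments = parsed.path.split("/")  # "/<tenant>/v2.0" -> ["", "<tenant>", "v2.0"]
        if len(segments) != 3 or not segments[1] or segments[2] != "v2.0":
            problems.append(
                f"{name}: expected https://login.microsoftonline.com/<tenant-id>/v2.0, "
                f"got {url!r} (tenant segment empty or path malformed)"
            )
    return problems


def check_env(env: dict[str, str]) -> list[str]:
    """Return the problems found in an environment mapping; an empty list means it looks sane."""
    problems = [f"{name} is missing or empty" for name in REQUIRED if not env.get(name)]
    if problems:
        return problems  # the remaining checks need every variable present
    if env["CAMUNDA_IDENTITY_TYPE"] != "MICROSOFT":
        problems.append("CAMUNDA_IDENTITY_TYPE must be MICROSOFT for Entra ID")
    for name in ("CAMUNDA_IDENTITY_ISSUER", "CAMUNDA_IDENTITY_ISSUER_BACKEND_URL"):
        problems.extend(check_issuer_url(name, env[name]))
    # The documented setup uses the client ID as the audience the components verify,
    # so the two variables must carry the same value.
    if env["CAMUNDA_IDENTITY_AUDIENCE"] != env["CAMUNDA_IDENTITY_CLIENT_ID"]:
        problems.append("CAMUNDA_IDENTITY_AUDIENCE must equal CAMUNDA_IDENTITY_CLIENT_ID")
    return problems


def check_token_scope(client_id: str, token_scope: str) -> list[str]:
    """The Helm value tokenScope must be '<client ID>/.default', as in the snippet above."""
    expected = f"{client_id}/.default"
    return [] if token_scope == expected else [f"tokenScope should be {expected!r}, got {token_scope!r}"]


def check_discovery(configured_issuer: str, discovery_json: str) -> list[str]:
    """Compare the configured issuer with a discovery document; OIDC issuer matching is exact."""
    doc = json.loads(discovery_json)
    problems = []
    if doc.get("issuer") != configured_issuer:
        problems.append(f"discovery issuer {doc.get('issuer')!r} != configured {configured_issuer!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not str(doc.get(key, "")).startswith("https://"):
            problems.append(f"discovery document: {key} missing or not https")
    return problems


# Constructed placeholders; not real tenant, client or secret values.
TENANT = "11111111-2222-3333-4444-555555555555"
CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"

ENV_OK = {
    "CAMUNDA_IDENTITY_TYPE": "MICROSOFT",
    "CAMUNDA_IDENTITY_ISSUER": f"https://login.microsoftonline.com/{TENANT}/v2.0",
    "CAMUNDA_IDENTITY_ISSUER_BACKEND_URL": f"https://login.microsoftonline.com/{TENANT}/v2.0",
    "CAMUNDA_IDENTITY_CLIENT_ID": CLIENT_ID,
    "CAMUNDA_IDENTITY_CLIENT_SECRET": "placeholder-secret",
    "CAMUNDA_IDENTITY_AUDIENCE": CLIENT_ID,
}
# Same configuration with the empty tenant segment seen in the first post's issuer URL.
ENV_EMPTY_TENANT = {
    **ENV_OK,
    "CAMUNDA_IDENTITY_ISSUER": "https://login.microsoftonline.com//v2.0",
    "CAMUNDA_IDENTITY_ISSUER_BACKEND_URL": "https://login.microsoftonline.com//v2.0",
}
# Constructed discovery document (what the issuer's /.well-known/openid-configuration would return).
DISCOVERY_OK = json.dumps({
    "issuer": f"https://login.microsoftonline.com/{TENANT}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT}/discovery/v2.0/keys",
})

if __name__ == "__main__":
    for label, env in (("ok", ENV_OK), ("empty tenant", ENV_EMPTY_TENANT)):
        print(label, check_env(env) or "no problems")
    print(check_discovery(ENV_OK["CAMUNDA_IDENTITY_ISSUER"], DISCOVERY_OK) or "discovery matches")
```

Run it against the values you are about to put into the task definition (or the Helm values) before deploying; on a live system, the discovery document to pass to `check_discovery` is the one served at `<issuer>/.well-known/openid-configuration`, fetched from inside the ECS task so that the check also exercises the TLS path the components will use.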
Hi @lugon - does the Identity container not start, or are you unable to access the UI? Identity with a custom OIDC provider currently does not provide a UI (I believe roadmap is to reintroduce the UI in the 8.5 release).
@lugon - I just had a chat with the Identity engineers, and I misunderstood how this feature works! We are going to work on some updates to the documentation to make this clearer …
When using a custom OIDC provider, Identity isn’t needed at all. You don’t need to start that container/pod. Each component (Operate, Optimize, etc.) communicates with the OIDC provider directly. In other words, it is expected for that container/pod to fail to start in this configuration!
In the upcoming 8.5 release, the Identity service will have new features that further enable custom integrations, and the image may be needed then. But not for 8.4!