Identity Migration Failure: ClientMigrationHandler with invalid_client_credentials Error (Camunda 8.7 → 8.8)

Environment

• Camunda Version: Migrating from 8.7 to 8.8

• Deployment: Self-Managed Kubernetes

• Identity Provider: Keycloak

Problem

• During the migration from Camunda 8.7 to 8.8, the Identity migration is failing with client authentication errors. The migration stops at the ClientMigrationHandler step.

  Error Messages

  Migration Error:

  Code

  [2026-02-12 11:40:32.555] [main] ERROR io.camunda.application.commons.migration.BlockingMigrationsRunner 
  - IdentityMigrator failed with: Execution of ClientMigrationHandler failed
  
  o.camunda.migration.identity.handler.IdentityMigrator - Starting ClientMigrationHandler
  
  

  Keycloak Logs (repeated errors):

  Code

  2026-02-12 11:35:49,681 WARN [org.keycloak.events] (executor-thread-3) 
  type="CLIENT_LOGIN_ERROR", realmId="camunda-platform", realmName="camunda-platform", 
  clientId="zeebe", userId="null", ipAddress="10.190.138.103", 
  error="invalid_client_credentials", grant_type="client_credentials"
  
  2026-02-12 11:38:04,635 WARN [org.keycloak.events] (executor-thread-4) 
  type="CLIENT_LOGIN_ERROR", realmId="camunda-platform", realmName="camunda-platform", 
  clientId="connectors", userId="null", ipAddress="10.190.138.126", 
  error="invalid_client_credentials", grant_type="client_credentials"
  
  

  The errors show repeated authentication failures for both zeebe and connectors clients.

What I’ve Tried

• Verified client credentials in Keycloak admin console

• Confirmed both zeebe and connectors clients are enabled

• Checked that service accounts are enabled for both clients

• checked Standard flow for zeebe (unable to access the UI’s)

This looks like a client authentication configuration issue during the Identity migration from 8.7 to 8.8. I found the following relevant resources:

• Camunda 8.7 to 8.8 Helm chart upgrade - Identity migration
• Components update 8.7 to 8.8 - Configuration of the Identity Migration application
• Camunda 8.7 to 8.8 Helm chart upgrade - Authentication
• Set up the Helm chart with an external Keycloak instance - Full configuration example
• Camunda 8.7 to 8.8 Helm chart upgrade - Troubleshooting

Does this help? If not, can anyone from the community jump in?

Hints: Use the Ask AI feature in Camunda’s documentation to chat with AI and get fast help. Report bugs and features in Camuda’s GitHub issue tracker. Trust the process.

migration values are below :

 migration:
    data:
      enabled: true
    identity:
      enabled: true
      secret:
        existingSecret: identity-migration-secret
        existingSecretKey: password
      resourceAuthorizationsEnabled: true

created the secret in identity-migration-secret.yaml

getting error in identity logs: 2026-02-12 13:40:29.803 ERROR 1 — [nio-8084-exec-4] i.s.e.RestResponseEntityExceptionHandler : Unexpected error

jakarta.ws.rs.BadRequestException: HTTP 400 Bad Request
at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.handleErrorStatus(ClientInvocation.java:236) ~[resteasy-client-6.2.9.Final.jar!/:6.2.9.Final]
at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.extractResult(ClientInvocation.java:216) ~[resteasy-client-6.2.9.Final.jar!/:6.2.9.Final]
at org.jboss.resteasy.client.jaxrs.internal.proxy.extractors.BodyEntityExtractor.extractEntity(BodyEntityExtractor.java:59) ~[resteasy-client-6.2.9.Final.jar!/:6.2.9.Final]

migration job error:

[2026-02-12 13:39:01.459] [main] ERROR
io.camunda.application.commons.migration.BlockingMigrationsRunner - The cause of the failed migration was: 500 on GET request for “http://camunda-identity:80/identity/api/clients/27827d22-fc6f-4720-b7d8-38ca0b59cc96/permissions”: [no body]
org.springframework.web.client.HttpServerErrorException$InternalServerError: 500 on GET request for “http://camunda-identity:80/identity/api/clients/27827d22-fc6f-4720-b7d8-38ca0b59cc96/permissions”: [no body]

still issue is not resolved

Issue is resolved now after removing the client from keycloack DB and helm upgrade