Integrate Camunda Platform Run Docker with Okta

Is it possible to integrate Okta to Camunda Platform 7 Docker Image? I saw a few examples for embedded Spring Boot but none for Docker deployment. What options are recommended?

Hello @khoanguyen123 ,

Out of the box, the distribution images support LDAP.

For Okta, you could configure something using the Okta Spring Boot Starter and extend the Run distro with it, as Run is built using Spring Boot.

I hope this helps

Jonathan

Thanks, @jonathan.lukas for the guidance. I will look further into this option. Is there a document and/or sample that I can learn from?

Best,
Khoa

Hello @khoanguyen123 ,

this is an example of an extension using spring.factories:

I would do this for the Spring Web Security that you need to configure.

Then, you can add the required dependencies to the configuration/userlib folder of Camunda Run (the one you create and all dependencies the Okta Spring Boot Starter needs).

I hope this helps

Jonathan

@jonathan.lukas I tried this approach by

  1. Creating a project in spring security. I also added spring factory so that Camunda run can scan it.
  2. Packaging the jar (mvn clean package) and adding it to the Camunda Run folder.

Issue: Camunda Run does not contain Spring Security. How do I add Spring Security dependencies into Camunda Run?

Update: I am able to make it run with a dirty solution for the Spring dependency jars.
Copy all Spring Security related jars manually into the folder configuration/userlib

I am looking at a clean solution, will share on GitHub once done.

Hello @ad_sahota ,

this sounds like some progress. If you plan to make it one jar to drop in, you could also use an assembly.

If you plan to create a docker image anyway, this is already a very good solution. You could copy dependencies to target using a maven plugin. From there, you can move *.jar to the userlib folder of camunda run.

I hope this helps

Jonathan

It was a fun weekend project and I finally solved it. It was a fun project to do, but I will not recommend it as it required lots of engineering. The amount of effort you will spend on it is not worth it, because with the same effort you can create a Spring Boot project for yourself; here you have to create 3 projects.

  1. Changes in Okta Plugin : Added spring.factories in META-INF of my okta plugin project with this content so that Camunda run can scan Spring bean containing Security config.

org.springframework.boot.autoconfigure.EnableAutoConfiguration=com.example.workflow.config.WebAppSecurityConfig

  2. Created a separate project to produce a single jar containing only the Spring Security and Okta SDK jars. I had to exclude lots of dependencies because almost 80% of them are already present in Camunda Run and were causing clashes/crashes in Camunda Run.
    Here is the pom file for the dependency project
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://maven.apache.org/POM/4.0.0"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.6.11</version>

        <relativePath/> <!-- lookup parent from repository -->
    </parent>
    <groupId>com.example</groupId>
    <artifactId>demo</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>demo</name>
    <description>Demo project for Spring Boot</description>
    <properties>
        <java.version>17</java.version>
        <okta.sdk.version>2.1.6</okta.sdk.version>
        <maven.compiler.source>17</maven.compiler.source>
        <maven.compiler.target>17</maven.compiler.target>
    </properties>
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
            <exclusions>
                <!-- need selective dependencies -->
                <exclusion>
                    <groupId>org.springframework.boot</groupId>
                    <artifactId>spring-boot</artifactId>
                </exclusion>
                <exclusion>
                    <groupId>org.springframework.boot</groupId>
                    <artifactId>spring-boot-autoconfigure</artifactId>
                </exclusion>
                <exclusion>
                    <groupId>org.springframework.boot</groupId>
                    <artifactId>spring-boot-starter</artifactId>
                </exclusion>
                <exclusion>
                    <groupId>org.springframework.boot</groupId>
                    <artifactId>spring-boot-starter-logging</artifactId>
                </exclusion>
                <exclusion>
                    <groupId>org.springframework</groupId>
                    <artifactId>*</artifactId>
                </exclusion>
                <exclusion>
                    <groupId>ch.qos.logback</groupId>
                    <artifactId>*</artifactId>
                </exclusion>
                <exclusion>
                    <groupId>org.slf4j</groupId>
                    <artifactId>*</artifactId>
                </exclusion>
                <exclusion>
                    <groupId>org.yaml</groupId>
                    <artifactId>*</artifactId>
                </exclusion>
                <exclusion>
                    <groupId>org.apache.logging.log4j</groupId>
                    <artifactId>*</artifactId>
                </exclusion>
                <exclusion>
                    <groupId>jakarta.annotation</groupId>
                    <artifactId>*</artifactId>
                </exclusion>
            </exclusions>
        </dependency>
        <dependency>
            <groupId>com.okta.spring</groupId>
            <artifactId>okta-spring-boot-starter</artifactId>
            <version>${okta.sdk.version}</version>
            <exclusions>
                <exclusion>
                    <groupId>org.springframework.boot</groupId>
                    <artifactId>*</artifactId>
                </exclusion>
                <exclusion>
                    <groupId>org.springframework</groupId>
                    <artifactId>*</artifactId>
                </exclusion>
                <exclusion>
                    <groupId>org.ow2.asm</groupId>
                    <artifactId>*</artifactId>
                </exclusion>
                <exclusion>
                    <groupId>javax.validation</groupId>
                    <artifactId>*</artifactId>
                </exclusion>
                <exclusion>
                    <groupId>org.slf4j</groupId>
                    <artifactId>*</artifactId>
                </exclusion>
                <exclusion>
                    <groupId>com.github.stephenc.jcip</groupId>
                    <artifactId>*</artifactId>
                </exclusion>
            </exclusions>

        </dependency>

    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
            <plugin>
                <artifactId>maven-assembly-plugin</artifactId>
                <configuration>
                    <descriptorRefs>
                        <descriptorRef>jar-with-dependencies</descriptorRef>
                    </descriptorRefs>
                </configuration>
            </plugin>
        </plugins>
    </build>

</project>

I could have copied these jars manually as well, but to make it future proof I am letting Maven do the dependency management for the security and Okta jars. Here is the delta of jars if you are interested :

  3. Created one more Maven project to explode the original webjars that come with Camunda 7.17.0 and add a custom logout button to perform logout via Spring Security. Default login takes to basic auth form.
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
	<modelVersion>4.0.0</modelVersion>

	<parent>
                <groupId>org.camunda.bpm</groupId>
                <artifactId>camunda-parent</artifactId>
                <version>7.17.0</version>
	</parent>

	<groupId>com.camunda.consulting</groupId>
	<artifactId>springboot-customized-webapp-webjar</artifactId>
	<packaging>jar</packaging>

	<properties>
		<skipTests>true</skipTests>
	</properties>

	<dependencies>
		<dependency>
			<groupId>org.camunda.bpm.webapp</groupId>
			<artifactId>camunda-webapp</artifactId>
			<type>jar</type>
			<classifier>classes</classifier>
		</dependency>
		<dependency>
			<groupId>org.camunda.bpm.webapp</groupId>
			<artifactId>camunda-webapp-webjar</artifactId>
			<type>jar</type>
			<optional>true</optional>
		</dependency>
	</dependencies>

	<build>
		<finalName>${project.artifactId}</finalName>

		<resources>
			<resource>
				<directory>src/main/resources</directory>
				<filtering>true</filtering>
				<includes>
					<include>**/*.css</include>
					<include>**/*.js</include>
				</includes>
			</resource>
			<resource>
				<directory>src/main/resources</directory>
				<filtering>false</filtering>
				<excludes>
					<exclude>**/*.css</exclude>
					<exclude>**/*.js</exclude>
				</excludes>
			</resource>
		</resources>

		<plugins>
			<!-- first fetch and unpack the war -->
			<plugin>
				<artifactId>maven-dependency-plugin</artifactId>
				<executions>
<!-- We are exploding the default camunda web jar for webapps here-->
					<execution>
						<id>unpack</id>
						<phase>process-sources</phase>
						<goals>
							<goal>unpack</goal>
						</goals>
						<configuration>
							<artifactItems>
								<artifactItem>
									<groupId>org.camunda.bpm.webapp</groupId>
									<artifactId>camunda-webapp-webjar</artifactId>
									<version>${project.version}</version>
									<type>jar</type>
									<overWrite>true</overWrite>
									<outputDirectory>${project.build.outputDirectory}</outputDirectory>
									<includes>META-INF/resources/**</includes>
								</artifactItem>
							</artifactItems>
						</configuration>
					</execution>
				</executions>
			</plugin>
		</plugins>
	</build>

</project>

  4. Added the 3 jars created and the following configuration to the camunda-run properties file default.yml
okta:
  oauth2:
    # Make sure to change the below as per your okta tenant
    issuer: https://dev-9999999.okta.com/oauth2/default
    client-id: **********
    client-secret: ****************
    scopes: openid,profile,email
    # Make sure you have created camunda-groups claim on okta authorization server
    groupsClaim: camunda-groups
    # Make sure to change the below as per your okta tenant
    orgUrl: https://dev-9999999.okta.com
    postLogoutRedirectUri: http://localhost:8080/

This is good for learning purposes only, please don’t try this at home :rofl:

This has given me an idea for my next fun project:

  • Clone Camunda run source code
  • Add Spring boot dependencies
  • Rebuild and repackage it
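The post above registers `com.example.workflow.config.WebAppSecurityConfig` through spring.factories but does not show the class. The following is an added example (not the poster's code) of what such a class can look like, assuming Spring Security 5.6 as pulled in by the Boot 2.6.11 parent, the Camunda 7.17 webapp and REST classes already on Camunda Run's classpath, and the `camunda-groups` claim being present in the ID token; `OidcAuthenticationProvider` and `camundaSsoFilter` are hypothetical names.

```java
package com.example.workflow.config;

import java.util.List;
import javax.servlet.http.HttpServletRequest;
import org.camunda.bpm.engine.ProcessEngine;
import org.camunda.bpm.engine.rest.security.auth.AuthenticationResult;
import org.camunda.bpm.engine.rest.security.auth.impl.ContainerBasedAuthenticationProvider;
import org.camunda.bpm.webapp.impl.security.auth.ContainerBasedAuthenticationFilter;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;

@Configuration
public class WebAppSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Everything, including /engine-rest/**, needs an OIDC session; API clients
        // would need their own bearer-token chain (not shown).
        http.authorizeRequests(a -> a.anyRequest().authenticated())
            // The Camunda web apps apply their own CSRF filter to /camunda/api/**.
            .csrf(c -> c.ignoringAntMatchers("/camunda/api/**"))
            .oauth2Login();
    }
    @Bean
    public FilterRegistrationBean<ContainerBasedAuthenticationFilter> camundaSsoFilter() {
        var reg = new FilterRegistrationBean<>(new ContainerBasedAuthenticationFilter());
        reg.addInitParameter("authentication-provider", OidcAuthenticationProvider.class.getName());
        reg.setOrder(101); // must run after the Spring Security filter chain
        reg.addUrlPatterns("/camunda/app/*", "/camunda/api/*");
        return reg;
    }
    // Hands the identity Spring Security already verified to the Camunda web apps.
    public static class OidcAuthenticationProvider extends ContainerBasedAuthenticationProvider {
        @Override
        public AuthenticationResult extractAuthenticatedUser(HttpServletRequest req, ProcessEngine engine) {
            Authentication auth = SecurityContextHolder.getContext().getAuthentication();
            if (auth == null || !(auth.getPrincipal() instanceof OidcUser user))
                return AuthenticationResult.unsuccessful(); // fail closed: no OIDC login
            // Assumption: the groups claim configured as okta.oauth2.groupsClaim is in the ID token.
            List<String> groups = user.getClaimAsStringList("camunda-groups");
            AuthenticationResult result = AuthenticationResult.successful(user.getName());
            result.setGroups(groups == null ? List.of() : groups);
            return result;
        }
    }
}
```

With this mapping the Camunda user id is the OIDC subject and group membership comes only from the token, so access inside Cockpit and Tasklist still depends on Camunda authorizations existing for those group ids.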

Hello @ad_sahota ,

this is pure gold! Thank you for sharing this with us :slight_smile:

Jonathan

I agree. This is pure gold! Can’t wait to hear about your next project

This has given me an idea for my next fun project:

  • Clone Camunda run source code
  • Add Spring boot dependencies
  • Rebuild and repackage it

https://jira.camunda.com/browse/CAM-11308 requests adding Spring Security and oauth to RUN ootb. Anyone with specific thoughts of requirements to consider, please comment on this ticket.
