Integrating identity with existing keycloak instance

Rafael_Oliveira · July 23, 2025, 6:10pm

I am trying to integrate my existing keycloak instance with the identity container following the documentation on : Connect to an existing Keycloak instance | Camunda 8 Docs however when i restart the container it says that cant find the keycloak…

nathan.loding · July 23, 2025, 9:33pm

Hi @Rafael_Oliveira, welcome to the forums! Unfortunately there isn’t enough information here to help. Typically when we see this issue, it’s due to the networking between the containers rather than a configuration issue or bug with Camunda.

how did you deploy Camunda?
can you share your configs (docker-compose.yaml, values.yaml, etc.)?
is it in the same network as Keycloak?
what do the logs show?
what troubleshooting have you tried?
are you able to connect to Keycloak manually using curl or Postman?
are you able to ping or connect to Keycloak from inside the Identity container?

Rafael_Oliveira · July 23, 2025, 11:05pm

Hi @nathan.loding, first of all thanks for your time! I deployed camunda using the docker-compose file heres the one:
docker-compose.yaml (24.1 KB)
the main changes were on the identity container where i set my custom realm and the client secret created following the tutorial mentioned : IDENTITY_CLIENT_SECRET : xx
KEYCLOAK_REALM : core-gateway-realm

Both are on the same docker network, at least i didn’t find any evidence saying that they aren’t
the logs on the identity container are quite simple: 2025-07-23 23:58:49

2025-07-23 22:58:49.005 ERROR 1 — [ main] i.c.i.i.k.c.KeycloakConfiguration : Failure #4. Unable to connect to Keycloak.
2025-07-23 23:59:19

2025-07-23 22:59:19.006 WARN 1 — [ main] i.c.i.i.k.c.KeycloakConfiguration : Retrying…
2025-07-23 23:59:19

2025-07-23 22:59:19.018 ERROR 1 — [ main] i.c.i.i.k.c.KeycloakConfiguration : Failure #5. Unable to connect to Keycloak.

I am able to connect to keycloak manually due to the fact that im also using for other applications

Rafael_Oliveira · July 23, 2025, 11:12pm

Answering your last question, yes im able to ping successfully my keycloak container

nathan.loding · July 24, 2025, 2:30pm

@Rafael_Oliveira - based on that information, I’m still leaning toward a networking issue. Is the external Keycloak instance hosted on your machine or another one?

Rafael_Oliveira · July 24, 2025, 3:06pm

is on my machine you can check here the logs from my networks on docker:
networklogs.form (13.3 KB)

nathan.loding · July 24, 2025, 3:14pm

@Rafael_Oliveira - when you said you could connect to Keycloak manually, did you test from inside the Identity container? Something like:

docker exec --it camunda-identity ping keycloak

(Substituting “camunda-identity” with the name of the container on your system, and “keycloak” with the hostname you provided in the Camunda configs in the docker-compose file.)

Alternately, you could attach to the shell in the container and run the commands from there.

Rafael_Oliveira · July 24, 2025, 3:29pm

Exactly! i entered on the identity container and i pinged it (my keycloak container name is upbeat_lovelace)urafaeloliveira@MacBook-Pro-de-Rafael v % docker exec -it identity sh
~ $ ping upbeat_lovelace
PING upbeat_lovelace (172.19.0.3): 56 data bytes
64 bytes from 172.19.0.3: seq=0 ttl=42 time=1.406 ms
64 bytes from 172.19.0.3: seq=1 ttl=42 time=0.251 ms
64 bytes from 172.19.0.3: seq=2 ttl=42 time=0.130 ms
64 bytes from 172.19.0.3: seq=3 ttl=42 time=0.222 ms
64 bytes from 172.19.0.3: seq=4 ttl=42 time=0.059 ms

nathan.loding · July 24, 2025, 3:48pm

@Rafael_Oliveira - can you share the docker-compose configuration you are running, not the defaults?

Rafael_Oliveira · July 24, 2025, 3:50pm

i edited the default ones changing only what was requested on the documentation: IDENTITY_CLIENT_SECRET : yLX4f0zz9FwaP3KERj1eu4uJwPi5XhVR
KEYCLOAK_REALM : core-gateway-realm

nathan.loding · July 24, 2025, 3:53pm

@Rafael_Oliveira - did you update the Keycloak URL also?

Rafael_Oliveira · July 24, 2025, 4:00pm

no… i just changed the 2 environment variables mentioned on the documentation

nathan.loding · July 24, 2025, 9:49pm

@Rafael_Oliveira - I haven’t reviewed the documentation yet, perhaps there is a bullet point missing. But you must update those URLs otherwise Identity doesn’t know where Keycloak is hosted.

Rafael_Oliveira · July 24, 2025, 9:58pm

Are you able to test it locally? This topic is really important due to the fact that I’m doing a master class thesis using camunda and i can’t go further without it…

nathan.loding · July 24, 2025, 10:06pm

@Rafael_Oliveira - I have Docker connecting to an external Keycloak in a test environment; it is functional, but isn’t a 1:1 test of your environment because I don’t have your Keycloak instance or configuration. You need to update the URLs I highlighted above. It looks like the docs have this information for Helm charts but not for Docker (environment variables), so I’ll raise an issue with the docs team.

Rafael_Oliveira · July 24, 2025, 10:12pm

Can you give the docker-compose.yaml that you are using for?

Rafael_Oliveira · July 25, 2025, 6:40pm

This is the docker-compose.yaml that im using for the identity container:

identity:
    container_name: identity
    image: camunda/identity:${CAMUNDA_IDENTITY_VERSION}
    ports:
      - "8084:8084"
    environment:
      SERVER_PORT: 8084
      IDENTITY_RETRY_DELAY_SECONDS: 30
      IDENTITY_URL: http://${HOST}:8084

      # ✅ FIXED: use container name instead of localhost
      KEYCLOAK_URL: http://upbeat_lovelace:8080/auth
      IDENTITY_CLIENT_SECRET: tPWGVYLBNCcH8icFtIgWbBViyTIX0bwj
      SPRING_PROFILES_ACTIVE: keycloak
      IDENTITY_CLIENT_ID: camunda-platform
      KEYCLOAK_REALM: camunda-platform
      IDENTITY_AUTH_PROVIDER_ISSUER_URL: http://upbeat_lovelace:8080/auth/realms/camunda-platform
      IDENTITY_AUTH_PROVIDER_BACKEND_URL: http://upbeat_lovelace:8080/auth/realms/camunda-platform

      IDENTITY_DATABASE_HOST: postgres
      IDENTITY_DATABASE_PORT: 5432
      IDENTITY_DATABASE_NAME: bitnami_keycloak
      IDENTITY_DATABASE_USERNAME: bn_keycloak
      IDENTITY_DATABASE_PASSWORD: "#3]O?4RGj)DE7Z!9SA5"

      KEYCLOAK_INIT_OPERATE_SECRET: XALaRPl5qwTEItdwCMiPS62nVpKs7dL7
      KEYCLOAK_INIT_OPERATE_ROOT_URL: http://${HOST}:8081
      KEYCLOAK_INIT_TASKLIST_SECRET: XALaRPl5qwTEItdwCMiPS62nVpKs7dL7
      KEYCLOAK_INIT_TASKLIST_ROOT_URL: http://${HOST}:8082
      KEYCLOAK_INIT_OPTIMIZE_SECRET: XALaRPl5qwTEItdwCMiPS62nVpKs7dL7
      KEYCLOAK_INIT_OPTIMIZE_ROOT_URL: http://${HOST}:8083
      KEYCLOAK_INIT_WEBMODELER_ROOT_URL: http://${HOST}:8070
      KEYCLOAK_INIT_CONNECTORS_SECRET: XALaRPl5qwTEItdwCMiPS62nVpKs7dL7
      KEYCLOAK_INIT_CONNECTORS_ROOT_URL: http://${HOST}:8085

      KEYCLOAK_INIT_ZEEBE_NAME: zeebe
      KEYCLOAK_USERS_0_USERNAME: "demo"
      KEYCLOAK_USERS_0_PASSWORD: "demo"
      KEYCLOAK_USERS_0_FIRST_NAME: "demo"
      KEYCLOAK_USERS_0_EMAIL: "demo@acme.com"
      KEYCLOAK_USERS_0_ROLES_0: "Identity"
      KEYCLOAK_USERS_0_ROLES_1: "Optimize"
      KEYCLOAK_USERS_0_ROLES_2: "Operate"
      KEYCLOAK_USERS_0_ROLES_3: "Tasklist"
      KEYCLOAK_USERS_0_ROLES_4: "Web Modeler"
      KEYCLOAK_USERS_0_ROLES_5: "Web Modeler Admin"
      KEYCLOAK_USERS_0_ROLES_6: "Zeebe"
      KEYCLOAK_CLIENTS_0_NAME: zeebe
      KEYCLOAK_CLIENTS_0_ID: ${ZEEBE_CLIENT_ID}
      KEYCLOAK_CLIENTS_0_SECRET: ${ZEEBE_CLIENT_SECRET}
      KEYCLOAK_CLIENTS_0_TYPE: M2M
      KEYCLOAK_CLIENTS_0_PERMISSIONS_0_RESOURCE_SERVER_ID: zeebe-api
      KEYCLOAK_CLIENTS_0_PERMISSIONS_0_DEFINITION: write:*
      KEYCLOAK_CLIENTS_0_PERMISSIONS_1_RESOURCE_SERVER_ID: operate-api
      KEYCLOAK_CLIENTS_0_PERMISSIONS_1_DEFINITION: write:*
      KEYCLOAK_CLIENTS_0_PERMISSIONS_2_RESOURCE_SERVER_ID: tasklist-api
      KEYCLOAK_CLIENTS_0_PERMISSIONS_2_DEFINITION: write:*
      KEYCLOAK_CLIENTS_0_PERMISSIONS_3_RESOURCE_SERVER_ID: optimize-api
      KEYCLOAK_CLIENTS_0_PERMISSIONS_3_DEFINITION: write:*
      KEYCLOAK_CLIENTS_0_PERMISSIONS_4_RESOURCE_SERVER_ID: tasklist-api
      KEYCLOAK_CLIENTS_0_PERMISSIONS_4_DEFINITION: read:*
      KEYCLOAK_CLIENTS_0_PERMISSIONS_5_RESOURCE_SERVER_ID: operate-api
      KEYCLOAK_CLIENTS_0_PERMISSIONS_5_DEFINITION: read:*

      MULTITENANCY_ENABLED: ${MULTI_TENANCY_ENABLED}
      RESOURCE_PERMISSIONS_ENABLED: ${RESOURCE_AUTHORIZATIONS_ENABLED}

    healthcheck:
      test: ["CMD", "wget", "-q", "--tries=1", "--spider", "http://localhost:8082/actuator/health"]
      interval: 5s
      timeout: 15s
      retries: 30
      start_period: 60s
    restart: on-failure
    volumes:
      - keycloak-theme:/app/keycloak-theme
    networks:
      - camunda-platform
      - identity-network

upbeat_lovelace is my keycloak container (docker named it)

nathan.loding · July 28, 2025, 3:45pm

@Rafael_Oliveira - based on the information provided, that docker config appears to be good. Obviously something still isn’t working correctly, so let’s try to change the logging. There are two things to try:

First, you can try to increase the overall log level:

- IDENTITY_LOG_LEVEL=DEBUG # OR HIGHER

Or, you can try this:

- name: JAVA_TOOL_OPTIONS
  value: >-
    -Dlogging.level.org.apache.http.impl.execchain.MainClientExec=DEBUG
    -Dlogging.level.org.apache.http.headers=DEBUG 
    -Dlogging.level.org.apache.http.wire=DEBUG

This will give a lot more information in the log. If you don’t see any obvious issues, then please attach the log file to the reply - you probably have to do it as an attachment instead of pasting the text.

Gerald · August 4, 2025, 5:47am

Hello, I see that the IDENTITY_CLIENT_ID you use has the same name that your realm. Is it normal ? (or wrong copy/paste)
by default the client that is mandatory to pre-create is named camunda-identity
On my side, changing this name was problematic, even by trying to provide the env variable to inform Identity of the new name. (but it was on earlier version, never tried again since new updated Camuda releases)

Rafael_Oliveira · August 4, 2025, 5:08pm

@Gerald You’re right Im going to correct it