Integrating identity with existing keycloak instance

However, the error persists:

2025-08-04 17:26:33.509 ERROR 1 --- [           main] i.c.i.i.k.c.KeycloakConfiguration        : Failure #1. Unable to connect to Keycloak.
2025-08-04 17:27:03.512  WARN 1 --- [           main] i.c.i.i.k.c.KeycloakConfiguration        : Retrying...
2025-08-04 17:27:03.547 ERROR 1 --- [           main] i.c.i.i.k.c.KeycloakConfiguration        : Failure #2. Unable to connect to Keycloak.

Update: I renamed the Keycloak container to keycloak and pinged it successfully from the identity container; however, the error persists…

I guess that I solved the identity problem; at least the error is not showing up anymore:

2025-08-04 18:08:05.785 INFO 1 --- [ main] i.c.i.Application : Starting Application using Java 17.0.15 with PID 1 (/app/identity.jar started by camunda in /app)
2025-08-04 18:08:05.794 DEBUG 1 --- [ main] i.c.i.Application : Running with Spring Boot v3.3.13, Spring v6.1.21
2025-08-04 18:08:05.795 INFO 1 --- [ main] i.c.i.Application : The following 1 profile is active: "keycloak"
2025-08-04 18:08:07.621 TRACE 1 --- [ main] i.c.i.a.DatabaseRequired : Condition DatabaseRequired on io.camunda.identity.config.JpaConfig did not match due to AnyNestedCondition 0 matched 5 did not; NestedCondition on DatabaseRequired.Groups; NestedCondition on DatabaseRequired.Roles; NestedCondition on DatabaseRequired.Migration @ConditionalOnProperty (identity.flags.migration=true) found different value in property 'migration'; NestedCondition on DatabaseRequired.MultiTenancy @ConditionalOnProperty (identity.flags.multi-tenancy=true) found different value in property 'multi-tenancy'; NestedCondition on DatabaseRequired.ResourcePermissions @ConditionalOnProperty (identity.flags.resource-permissions=true) found different value in property 'resource-permissions'
2025-08-04 18:08:09.364 WARN 1 --- [ main] trationDelegate$BeanPostProcessorChecker : Bean 'globalMethodSecurityConfig' of type [io.camunda.identity.security.config.GlobalMethodSecurityConfig$$SpringCGLIB$$0] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying). Is this bean getting eagerly injected/applied to a currently created BeanPostProcessor [healthEndpointGroupsBeanPostProcessor]? Check the corresponding BeanPostProcessor declaration and its dependencies/advisors. If this bean does not have to be post-processed, declare it with ROLE_INFRASTRUCTURE.
2025-08-04 18:08:10.806 DEBUG 1 --- [ main] i.c.i.i.s.s.s.f.SmJwtFilter : Filter 'smJwtFilter' configured for use
2025-08-04 18:08:10.810 DEBUG 1 --- [ main] i.c.i.s.s.f.FilterExceptionHandler : Filter 'filterExceptionHandler' configured for use
2025-08-04 18:08:11.005 WARN 1 --- [ main] i.c.i.c.AppConfig : Expected a valid license but encountered an invalid one instead. Please check the license key and try again.
2025-08-04 18:08:12.744 INFO 1 --- [ main] i.c.i.Application : Started Application in 8.46 seconds (process running for 10.717)
2025-08-04 18:08:14.752 DEBUG 1 --- [ main] .c.i.i.k.i.s.ClientInitializationService : Client Web Modeler is a public client, not validating secret

However, I created a user named test in Keycloak, and I cannot use its credentials on my Tasklist. Am I doing something wrong?

I found the problem! Basically, the URLs were wrong.
Wrong: http://keycloak:8080/auth/realms/camunda-platform/protocol/openid-connect/token
Correct: http://keycloak:8080/realms/camunda-platform/protocol/openid-connect/token

I can successfully log in to my Operate container with the user test that I created in the realm; however, on Tasklist, I'm not able to. What am I missing?


Any update on this?

Have you given your user access rights to the different applications (and APIs) in the Camunda Identity web app?

On my side, I created some groups and put people in those groups (you can also add those APIs/applications directly to your user from Keycloak, if you cannot access the Identity UI right now).

Can you give me your docker-compose file? I can't even open my Identity now… only my Operate container is redirecting me to my Keycloak…
docker-compose.yaml (17.7 KB)

Unfortunately, my deployment is using Kubernetes (so I use the Helm chart).
The Keycloak URL is only defined at the Identity level (using the external URL, except for the backend URL, where I use the internal cluster URL).

(Note: in my case, with Keycloak Quarkus, the Keycloak URL contains the /auth.)
Try to look at the logs of your different containers using "docker logs container-id"; with luck you will see an exception that can help you.

So the external URL should be used nearly everywhere, as it is what will be used for redirection in your client browser (that is why you should mainly use http://$HOST:port, the exposed port of your Keycloak container).

Here is the identity part of the Helm values:
identity:
  keycloak:
    realm: "/realms/fti-mobile-after"
    url:
      protocol: "http"
      host: "keycloak-http.keycloak.svc.cluster.local"
      port: "80"
  auth:
    enabled: true
    issuer: "https://keycloak2.after-val.myorg.corp/auth/realms/fti-mobile-after"
    issuerBackendUrl: "http://keycloak-http.keycloak.svc.cluster.local/auth/realms/fti-mobile-after"
    publicIssuerUrl: "https://keycloak2.after-val.myorg.corp/auth/realms/fti-mobile-after"

So, for me, in your case, you need to use the external URL for:
IDENTITY_AUTH_PROVIDER_ISSUER_URL: http://keycloak:8080/realms/camunda-platform
KEYCLOAK_URL: http://keycloak:8080

You should use http://$HOST:exposed-port instead.

And of course, update the corresponding issuer wherever it is relevant (the token generated via your browser will have the external URL, and the token generated using your internal URL will have the internal issuer).

If misconfigured, you will see in some logs something telling you that the issuer is incorrect, or something like that.

If correctly configured for the web-browser part, you should see the Keycloak login screen when accessing the Identity UI, Operate UI, etc.
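Two things in this thread are easy to get wrong and cheap to check mechanically: the /auth prefix in the Keycloak path (present on the old Wildfly distribution and on a Quarkus instance started with --http-relative-path=/auth, absent on a default Quarkus instance), and the iss claim of a token, which must equal the issuer Identity is configured with whether the token was minted through the browser-facing URL or the container-internal one. The following Python is an added illustration written for this thread; it is not code from Camunda, Keycloak or any poster. It builds the realm, token and discovery URLs for both layouts, decodes a JWT payload without verifying it (diagnostics only) and reports an issuer mismatch the way the reply above describes; the browser-facing host port 18080 and the constructed alg=none sample token are assumptions for the offline run, and advertised_issuer() needs network access to a real Keycloak.

```python
"""Offline checks for the Keycloak URL layout and the token issuer.

Added example for this thread; not Camunda's, Keycloak's or any poster's code.
"""
import base64
import json
import urllib.request


def keycloak_realm_url(base_url: str, realm: str, legacy_auth_path: bool = False) -> str:
    """Build the realm URL, which is also the OIDC issuer Keycloak advertises.

    The Wildfly distribution served Keycloak under /auth; the Quarkus
    distribution drops that prefix unless started with --http-relative-path=/auth.
    Using the wrong layout is what produced the wrong token URL in this thread.
    """
    prefix = "/auth" if legacy_auth_path else ""
    return f"{base_url.rstrip('/')}{prefix}/realms/{realm}"


def token_endpoint(realm_url: str) -> str:
    return f"{realm_url.rstrip('/')}/protocol/openid-connect/token"


def discovery_url(realm_url: str) -> str:
    return f"{realm_url.rstrip('/')}/.well-known/openid-configuration"


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_claims(token: str) -> dict:
    """Read the payload of a compact JWT WITHOUT checking the signature.

    Diagnostic use only: the goal is to see which iss the token carries,
    not to decide whether the token can be trusted.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated parts")
    return json.loads(_b64url_decode(parts[1]))


def issuer_mismatch(token: str, configured_issuer: str):
    """Return None when the token's iss equals the configured issuer, else a message.

    Keycloak never puts a trailing slash in iss, so one in the configuration is
    normalised away; scheme, host, port, /auth prefix and realm must match exactly.
    """
    iss = jwt_claims(token).get("iss")
    if iss == configured_issuer.rstrip("/"):
        return None
    return f"token iss {iss!r} does not match configured issuer {configured_issuer!r}"


def advertised_issuer(realm_url: str, timeout: float = 5.0) -> str:
    """Fetch the realm's discovery document and return the issuer it advertises.

    Run it once with the URL Identity uses internally and once with the URL the
    browser uses; both must return the issuer Identity is configured with.
    Requires network access; not used by the offline run below.
    """
    with urllib.request.urlopen(discovery_url(realm_url), timeout=timeout) as resp:
        return json.load(resp)["issuer"]


def make_unsigned_token(claims: dict) -> str:
    """Constructed sample token (alg=none, empty signature) for the offline demo."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


if __name__ == "__main__":
    realm = "camunda-platform"
    internal = keycloak_realm_url("http://keycloak:8080", realm)     # container-to-container
    external = keycloak_realm_url("http://localhost:18080", realm)   # assumed published host port

    print("token endpoint (Quarkus):", token_endpoint(internal))
    print("token endpoint (legacy) :", token_endpoint(keycloak_realm_url("http://keycloak:8080", realm, True)))

    # A token obtained through the browser carries the external issuer; an
    # Identity configured with the internal one rejects it, and vice versa.
    browser_token = make_unsigned_token({"iss": external, "sub": "test"})  # constructed
    print(issuer_mismatch(browser_token, internal))
    print(issuer_mismatch(browser_token, external + "/"))
```

To use it against a live stack, call advertised_issuer() from inside the identity container with the internal URL and from your workstation with the browser-facing URL; if the two strings differ, the token's iss will differ too, and only one of them can match IDENTITY_AUTH_PROVIDER_ISSUER_URL.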

I guess that I solved the problem; however, I cannot log out from Operate/Tasklist… basically, when I click on logout, it just refreshes the page.