Integration with keycloak

hi @Niall hope u doing just fine
i wanna integrate Keycloak with camunda but im facing this exception
org.camunda.bpm.engine.impl.identity.IdentityProviderException: Unable to read data of configured administratorGroupName camunda-admin
i followed the steps of this github repo

1 Like

Hi @mohamed! Thank you so much for your post! @VonDerBeck is the maintainer of Keycloak. :slight_smile: If you would be so kind as to open an issue in the repository describing the problem you are facing and your current configuration, I’m sure he would be happy to help!

1 Like

Hi @kiran.oliver really appreciated yr response but we figured it out . it was an issue with the configuration file
thx a lot

1 Like

Hi @mohamed! Could you tell us how did you fix error?

We got same error after upgrade on Keycloak 12.04 and Camunda 7.15 and using newer plugin version (GitHub - camunda-community-hub/camunda-bpm-identity-keycloak: Camunda Keycloak Identity Provider Plugin):

‘processEngineFactoryBean’: FactoryBean threw exception on object creation; nested exception is org.camunda.bpm.engine.impl.identity.IdentityProviderException: Unable to read data of configured administratorGroupName camunda-admin

With new plugin there is property: plugin.identity.keycloak.administratorGroupName=camunda-admin
If I remove property Camunda will start, but another error will occur later.

It is interesting if we use Keycloak with Docker error does not happen. But in production we have Keycloak without Docker. Both Keycloaks have same version and camunda-client settings are same.

There is also one more identical question on Camunda forum: Camunda and keaycloak users integration . It is also not answered.

Hi Igor! If you would be so kind as to open an issue in the Keycloak repository, I’m sure @VonDerBeck will be happy to take a look at it! :slight_smile:

@Igor: just send me your configuration file / application.yaml and the complete exception stack strace.
And one hint (just to make sure the basics are ok): this is a read only identity provider. Have you already configured a group named “camunda-admin” in your Keycloak realm? Is the client secret correct?
Furthermore: are you sure, that the configured connection to Keycloak is configured correctly? Any proxy setting? SSL? ??

Hi @VonDerBeck! Thanks for answer. We have 2 configuration files, as we have 2 profiles: one with Basic authentication which currently works in production and another using Keycloak. Older Camunda-Keycloak plugin was working without issues using Keycloak 9 and Camunda 7.11. We use properties instead yaml. We use HTTPS and and we have configured Proxy with Apache. We got addtitonal issues with CORS and Preflight/MixedContent as in production we have now Keycloak on diferrent domain. For this reason I made some additional changes in properties and httpd file to fix CORS and MixedContent errors. Fix was done when using basic authentication or Keycloak with docker. As with Keycloak without docker (downloaded on Ubuntu) Camunda does not even start if administratorGroupName=camunda-admin is set.

Identity provider classes and properties are copied from github - /camunda-community-hub/camunda-bpm-identity-keycloak.

Current error (“Unable to read data of configured administratorGroupName camunda-admin”) did not appear when we tested with Keycloak 12.04 installed with Docker. Problem occurs with Keycloak 12.04 installed without Docker on Ubuntu. Keycloak database I have exported from Keycloak 9 using script:

sudo docker exec keycloak-ecl /opt/jboss/keycloak/bin/standalone.sh -Djboss.socket.binding.port-offset=100 -Dkeycloak.migration.action=export -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.realmName=my-realm -Dkeycloak.migration.usersExportStrategy=REALM_FILE -Dkeycloak.migration.file=/opt/jboss/keycloak/imports/my-realm.json

I do not know if it could cause some kind of an issue. In Keycloak UI it looks all identical.

camunda-admin group is configured in Keycloak and same setting was working with older version of plugin.

Client secret is correct. One can see in logs when it fails.

stack_trace_camunda_error.txt (34.6 KB)

config_files.txt (7.3 KB)

You clearly get a HTTP 403 Forbidden:

Caused by: org.springframework.web.client.HttpClientErrorException$Forbidden: 403 Forbidden: [{"error":"unknown_error"}]

Are you sure that within your client camunda-ecl you have service accounts enabled and you have added client roles for realm-management as described ( query-groups, query-users, view-users)??

Hi @VonDerBeck! Roles are assigned. Before we used realm roles. Recently we changed on client roles. So both are there. Service account is enabled.

Hi @VonDerBeck! Once again to be sure I changed Camunda to point Keycloak 12.04 installed with Docker and it works OK as before. I did not notice relevant difference in keycloak configuration for camunda client.

Using Keycloak 12.04 installed with Docker:

[INFO ] 2021-08-03 17:03:11,295 org.camunda.bpm.container - ENGINE-08050 Process application eclCamundaApplication successfully deployed
[INFO ] 2021-08-03 17:03:11,310 de.karb.camunda.EclCamundaApplication - Started EclCamundaApplication in 77.999 seconds (JVM running for 88.003)

Unfortunately in production Keycloak 12.04 does not run with Docker, so we need same environment for test and development.

After I switched again Camunda to point Keycloak 12.04 installed on Ubuntu and error is same: Unable to read data of configured administratorGroupName camunda-admin.

In Keycloak UI / Server info, there are some differences. I do not know if they could have some impact.

Keycloak 12.04 installed with Docker:

System
Current Working Directory /
Java Version 11.0.11
Java Vendor Red Hat, Inc.
Java Runtime OpenJDK Runtime Environment
Java VM OpenJDK 64-Bit Server VM
Java VM Version 11.0.11+9-LTS
Java Home /usr/lib/jvm/java-11-openjdk-11.0.11.0.9-0.el8_3.x86_64
User Name jboss
User Timezone Europe/Berlin
User Locale us_EN
System Encoding UTF-8
Operating System Linux 5.4.0-77-generic
OS Architecture amd64

Keycloak 12.04 installed on Ubuntu

System
Current Working Directory /
Java Version 11.0.11
Java Vendor Ubuntu
Java Runtime OpenJDK Runtime Environment
Java VM OpenJDK 64-Bit Server VM
Java VM Version 11.0.11+9-Ubuntu-0ubuntu2.18.04
Java Home /usr/lib/jvm/java-11-openjdk-amd64
User Name keycloak
User Timezone Europe/Berlin
User Locale us_EN
System Encoding ANSI_X3.4-1968
Operating System Linux 4.15.18-21-pve
OS Architecture amd64

My another concern is using export/import from another version of Keycloak - 9.0. Could it make something corrupt? Maybe some difference in json file which contains realm’s information.

Solution was described at Integration with Keycloak / Unable to read data of configured administratorGroupName camunda-admin · Issue #71 · camunda-community-hub/camunda-bpm-identity-keycloak · GitHub

I found that problem was with missing roles in the realm_management. It looks like it is not enough to add roles to Realm roles or Client roles to camunda client.
They have to be added also at realm-management. Actually it works if roles are only added to “Client Roles” under realm-management.

It looks that those roles under realm-management were not exported with export/import tools.

In Documentation:
4 Add the roles query-groups, query-users, view-users to the service account client roles of your realm (master-realm or realm-management, depending on whether you are using master or a separate realm):

It would be helpful to add an extra screenshot in documentation.

1 Like