I am currently facing an issue while attempting to use the Optimize API on my local self-managed Camunda cluster, and I would appreciate any guidance or assistance from the community.
I have confirmed the use of the correct client_secret and client_id in my token request.
I have experimented both with and without specifying the audience: optimize-api parameter in the token request.
Write permissions for the Optimize API have been granted in the Identity settings.
Surprisingly, attempts to authorize any request to the Optimize API using the acquired token result in a status 401 error.
Additional Information:
All other APIs within the local Camunda cluster are functioning as expected.
I have only experienced this issue when running a local cluster on my Windows 11 machine. Our Camunda SaaS or AKS clusters, on the other hand, do not exhibit this problem.
If anyone has encountered a similar problem or has insights into potential solutions, I would greatly appreciate your assistance. Thank you in advance for your time and support.
Hi @kristofferph, welcome to the forums! Can you share how you’ve configured your client in Identity, with all the associated permissions? Did you deploy Camunda to AKS with a different configuration than locally?
To clarify, I am using a different configuration on the local self-managed cluster (I’m using the standard full docker compose) which is only intended for testing purposes, however I do need to access the Optimize api on the local cluster.
Below are screenshots of how I configured my token request in Postman (which works as expected with the Operate, Zeebe, and tasklist APIs) and the relevant permissions in Identity.
I have noticed that the client_secret seems to be hard-coded, since it is the same across all the APIs; that might be the root of this issue, since the the other apis are working?
I reached out to the Camunda support team, and I’m pleased to share that I’ve received a solution that successfully addresses the issue.
I will paste their response below:
"I have checked the Optimize config, and the reason for the 401 response is that the API token is not set.
For Optimize, you don’t request the token from keycloak, but instead you need to explicitly set a static token with the environment variable OPTIMIZE_API_ACCESS_TOKEN. Then you need to use that token for every REST API request.
Hi @kristofferph - I don’t think you should need a static access token. I am waiting on some information from the engineering team, but I believe there’s a solution to make it work with Identity.
@kristofferph - you should be able to use the jwtSetUri and audience environment variables/configuration options to configure Optimize to work with Identity. I’m not sure if the URL comes from Identity or Keycloak, but the audience value should match whatever you configured for the application inside Identity. I am going to continue to work on getting more details and updating our docs. If you experiment with it and find a configuration that works, please let me know!
