Keycloak Camunda Identity Provider Plugin

Hello, I am new to Camunda and recently I’ve been trying to secure my Camunda Spring Boot application using Keycloak, and I was following this article: GitHub - camunda-community-hub/camunda-bpm-identity-keycloak: Camunda Keycloak Identity Provider Plugin
So I basically cloned the repo, pulled the configured Docker image for Keycloak as provided in the article, and ran the Spring Boot CamundaApplication in the directory camunda-bpm-identity-keycloak/examples/sso-kubernetes/src/main/java/org/camunda/bpm/extension/keycloak/showcase/ with IntelliJ Ultimate.

On going to http://localhost:8080/camunda I was successfully redirected to the Keycloak sign-in page, as expected:

But the issue is, after logging in from the Keycloak login page I also got redirected to the Camunda login page, and there was a server error notification and no credentials are working, so I’m not sure what could be causing this.

Hi @Mako88 and welcome!

Keycloak can be very finicky about what it wants in terms of configuration, etc. Can you post some more details about how you’ve configured your Realm in Keycloak? Sometimes just a simple missed / in an allowed URL can cause problems.

I’ve had some experience with Keycloak, so hopefully I can help. (Now that you mention it, I should really go secure my Camunda-BPM-Run instance with Keycloak too.)

dg

2 Likes

Hi @davidgs. So I was using an already configured realm named camunda, and I start that Keycloak server by running a separate docker compose file with the following:

```yaml
version: "3.3"

services:
  jboss.keycloak:
    build: .
    #image: jboss/keycloak:14.0.0
    image: gunnaraccso/keycloak.server:14.0.0
    restart: always
    environment:
      TZ: Europe/Berlin
      KEYCLOAK_USER: keycloak
      KEYCLOAK_PASSWORD: keycloak1!
    ports:
      - "9001:8443"
      - "9000:8080"
```

After starting Keycloak, that’s when I run my Spring Boot application with the sso-kubernetes directory as my project in IntelliJ.
This one: camunda-bpm-identity-keycloak/examples/sso-kubernetes at master · camunda-community-hub/camunda-bpm-identity-keycloak · GitHub
So basically I run the separate Keycloak image and the Spring Boot application inside the sso-kubernetes directory.

What are the realm settings for the camunda realm? Specifically the Root URL, Valid Redirect URL, etc., as these are very specific and can prevent Keycloak from functioning.

I also notice that your Keycloak version is very out of date, as they are up to v15.0.2 at this point (that’s the version I run).

I am working on spinning up a Keycloak server to do authentication for my Camunda instance so I’ll be able to give you more information in a bit, I hope.

dg

So I’ve set up a Keycloak Server (v15.0.2) fronting the authentication for Camunda BPM Run (v7.15.4-ee), and I’ve gotten it working after a bit of tinkering.

The Keycloak Realm and Client settings are very important to get right, as is the configuration file for Camunda. But once those are squared away, things seem to work just fine.

Here are the settings I have for my Realm:

[screenshot of the Realm settings: Screen Shot 2021-11-05 at 4.43.21 PM]

Once that was all set up, I added the following configuration to my production.yml file for Camunda Platform Run:

```yaml
# Camunda Keycloak Identity Provider Plugin
plugin.identity.keycloak:
  keycloakIssuerUrl: https://<KeycloakServer>:9443/auth/realms/camunda
  keycloakAdminUrl: https://<KeycloakServer>:9443/auth/admin/realms/camunda
  clientId: camunda-id-client
  clientSecret: <copy from your client secret on Keycloak Server>
  useUsernameAsCamundaUserId: true
  useGroupPathAsCamundaGroupId: true
  administratorGroupName: camunda-admin
  disableSSLCertificateValidation: true
```

Note: The user you want to sign in to the Camunda interface with must already exist in Keycloak. I have not, so far, found a way to have the Camunda Login Page redirect to the Keycloak ‘Login/Register’ page, but I’ll keep digging. The users must also be in the camunda-admin group.

Hope this helps.
dg

1 Like
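As an added example from a hardening angle (this is my configuration, not dg's or the plugin project's own): the same plugin block with the two settings a production deployment should change. `disableSSLCertificateValidation: true` makes the plugin accept any certificate on the Keycloak token and admin endpoints, which leaves the client secret and the tokens it fetches open to interception on the network; once the Keycloak server presents a certificate the JVM trusts, set it to `false`. Reading `clientSecret` through a standard Spring Boot `${...}` placeholder keeps the secret out of a checked-in `production.yml`; the environment variable name `CAMUNDA_KEYCLOAK_CLIENT_SECRET` is my assumption, not a name the plugin defines. All other keys are the ones from the post above.

```yaml
# Camunda Keycloak Identity Provider Plugin (hardened variant of the block above)
plugin.identity.keycloak:
  keycloakIssuerUrl: https://<KeycloakServer>:9443/auth/realms/camunda
  keycloakAdminUrl: https://<KeycloakServer>:9443/auth/admin/realms/camunda
  clientId: camunda-id-client
  # assumed variable name; export it in the service environment, do not commit the value
  clientSecret: ${CAMUNDA_KEYCLOAK_CLIENT_SECRET}
  useUsernameAsCamundaUserId: true
  useGroupPathAsCamundaGroupId: true
  administratorGroupName: camunda-admin
  # keep certificate validation on; fix the trust store instead of disabling the check
  disableSSLCertificateValidation: false
```

With validation enabled, a self-signed Keycloak certificate shows up as a TLS handshake failure at Camunda startup rather than as a silent downgrade, which is the behaviour you want to see in a non-dev environment.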

Hi @davidgs, will it be the same if I am running Spring Boot Camunda, and is SSO configuration mandatory?

Hello @davidgs . These were the realm settings I’ve been using:

Thank you. Let me create a new project and try with the versions you used and see if I can work it out.

It looks like it’s your “Redirect URIs” that are the problem. Try using just http://localhost:8080/* and see if that clears it up for you.

Best Regards,
dg
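To make dg's two remarks concrete, that a single missed `/` in an allowed URL can break the flow and that `http://localhost:8080/*` is the entry that fixes it, here is an added Python model of how a Keycloak "Valid Redirect URIs" entry is matched. It is my example, not code from Keycloak, Camunda or the identity plugin, and it reduces the matching to the documented rule (an entry ending in `*` is a prefix match with the request's query string ignored, anything else is an exact match); Keycloak's handling of relative URIs and `+` placeholders is left out. The callback URL and the `localhost.other.example` host are constructed sample values.

```python
"""Simplified model of Keycloak's "Valid Redirect URIs" matching.

Added example for this thread; not code from Keycloak, Camunda or the
identity plugin. Matching is reduced to the documented rule: an entry
ending in '*' is a prefix match, anything else is an exact match.
"""
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample: the callback a Spring Boot client might send after the
# Keycloak login; the real path depends on the Spring Security adapter in use.
SAMPLE_REDIRECT = "http://localhost:8080/login/oauth2/code/keycloak?state=xyz"


def redirect_allowed(redirect_uri: str, valid_redirects) -> Optional[str]:
    """Return the registered entry that accepts redirect_uri, or None.

    Wildcard entry ('...*' without '?'): the request's query string is
    ignored and everything before the '*' must be a prefix of the request;
    'http://host/*' also accepts the bare 'http://host'.
    Any other entry must equal the requested URI exactly, query included.
    """
    for entry in valid_redirects:
        if entry.endswith("*") and "?" not in entry:
            prefix = entry[:-1]
            target = redirect_uri.split("?", 1)[0]
            if target.startswith(prefix):
                return entry
            if prefix.endswith("/") and target == prefix[:-1]:
                return entry
        elif entry == redirect_uri:
            return entry
    return None


def overly_broad(entry: str) -> bool:
    """True for wildcard entries that do not pin the callback to one host path.

    '*' or 'http://*' accept any host, and 'http://localhost*' (the missed '/')
    also accepts http://localhost.other.example/..., because the prefix test
    is plain string matching. Such an entry lets the authorization code be
    sent to a host the deployer never intended, so it should be rejected in
    review; 'http://localhost:8080/*' is the narrowest usable dev entry.
    """
    if not entry.endswith("*"):
        return False
    parts = urlsplit(entry[:-1])
    return parts.netloc == "" or parts.path == ""


def check_client(valid_redirects, redirect_uri: str = SAMPLE_REDIRECT) -> dict:
    """Report which entry (if any) admits the callback and which entries are risky."""
    return {
        "matched_by": redirect_allowed(redirect_uri, valid_redirects),
        "risky_entries": [e for e in valid_redirects if overly_broad(e)],
    }


if __name__ == "__main__":
    # An exact entry from a first attempt rejects the callback; the thread's fix accepts it.
    print(check_client(["http://localhost:8080/camunda"]))  # matched_by: None
    print(check_client(["http://localhost:8080/*"]))        # matched_by: 'http://localhost:8080/*'
    print(check_client(["http://localhost*"]))              # accepted, but flagged as risky
```

Run it as a script to see the three cases side by side: the exact `/camunda` entry rejects the client's callback (the "server error" symptom), the `/*` entry accepts it, and the entry with the slash missing before `*` accepts it too but is flagged because it no longer pins the host.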

Since this was a popular topic, I wrote a blog post about it. Let me know if it’s helpful!

dg