KeyCloak+Zeebe Gateway Failed to parse bearer token from DesktopModeler

Hi,

I have Zeebe Gateway readdy in K8s and setup port forwarding from 26500 port to 26501, then I have a Keycloak with identity Client “zeebe-api” with secret (the client was created automatically by charts).

I can succesffully retrieve acces-token using Postman:

But when I am trying to connect through grpc using either grpcCurl or deploy diagram from DesktopModelere, I am getting an error that Token cannot be parsed.

Here is the settings in DesktopModeler:

Here is the output from verbose debug mode:

D 2024-08-16T19:04:20.824Z | v1.9.7 21084 | retrying_call | [93] Received status from child [94]
D 2024-08-16T19:04:20.824Z | v1.9.7 21084 | retrying_call | [93] state=TRANSPARENT_ONLY handling status with progress PROCESSED from child [94] in state ACTIVE
D 2024-08-16T19:04:20.824Z | v1.9.7 21084 | retrying_call | [93] ended with status: code=16 details="Failed to parse bearer token, see cause for details"
D 2024-08-16T19:04:20.824Z | v1.9.7 21084 | resolving_call | [92] Received status
D 2024-08-16T19:04:20.824Z | v1.9.7 21084 | resolving_call | [92] ended with status: code=16 details="Failed to parse bearer token, see cause for details"
2024-08-16T19:04:20.824Z grpc topologySync error: 16
21:04:20.825 | zeebe |  INFO: Set Grpc channel ready timer for 3000ms
ERROR app:zeebe-api connection check failed {
  parameters: {
    endpoint: {
      type: 'selfHosted',
      authType: 'oauth',
      url: 'http://localhost:26501',
      oauthURL: 'http://localhost:18080/auth/realms/camunda-platform/protocol/openid-connect/token',
      audience: 'zeebe-api',
      scope: 'openid',
      clientId: '******',
      clientSecret: '******'
    }
  }
} Error: 16 UNAUTHENTICATED: Failed to parse bearer token, see cause for details
    at callErrorFromStatus (C:\Users\mrazv\Downloads\camunda-modeler-5.23.0-win-x64\resources\app.asar\node_modules\@grpc\grpc-js\build\src\call.js:31:19)
    at Object.onReceiveStatus (C:\Users\mrazv\Downloads\camunda-modeler-5.23.0-win-x64\resources\app.asar\node_modules\@grpc\grpc-js\build\src\client.js:192:76)
    at C:\Users\mrazv\Downloads\camunda-modeler-5.23.0-win-x64\resources\app.asar\node_modules\@grpc\grpc-js\build\src\call-interface.js:78:35
    at Object.onReceiveStatus (C:\Users\mrazv\Downloads\camunda-modeler-5.23.0-win-x64\resources\app.asar\node_modules\zeebe-node\dist\lib\GrpcClient.js:97:36)
    at InterceptingListenerImpl.onReceiveStatus (C:\Users\mrazv\Downloads\camunda-modeler-5.23.0-win-x64\resources\app.asar\node_modules\@grpc\grpc-js\build\src\call-interface.js:73:23)
    at Object.onReceiveStatus (C:\Users\mrazv\Downloads\camunda-modeler-5.23.0-win-x64\resources\app.asar\node_modules\@grpc\grpc-js\build\src\client-interceptors.js:360:141)
    at Object.onReceiveStatus (C:\Users\mrazv\Downloads\camunda-modeler-5.23.0-win-x64\resources\app.asar\node_modules\@grpc\grpc-js\build\src\client-interceptors.js:323:181)
    at C:\Users\mrazv\Downloads\camunda-modeler-5.23.0-win-x64\resources\app.asar\node_modules\@grpc\grpc-js\build\src\resolving-call.js:99:78
    at process.processTicksAndRejections (node:internal/process/task_queues:77:11)
for call at
    at ServiceClientImpl.makeUnaryRequest (C:\Users\mrazv\Downloads\camunda-modeler-5.23.0-win-x64\resources\app.asar\node_modules\@grpc\grpc-js\build\src\client.js:160:32)
    at ServiceClientImpl.<anonymous> (C:\Users\mrazv\Downloads\camunda-modeler-5.23.0-win-x64\resources\app.asar\node_modules\@grpc\grpc-js\build\src\make-client.js:105:19)
    at C:\Users\mrazv\Downloads\camunda-modeler-5.23.0-win-x64\resources\app.asar\node_modules\zeebe-node\dist\lib\GrpcClient.js:272:47
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5) {
  code: 16,
  details: 'Failed to parse bearer token, see cause for details',
  metadata: Metadata {
    internalRepr: Map(1) { 'content-type' => [Array] },
    options: {}
  }
}
D 2024-08-16T19:04:20.826Z | v1.9.7 21084 | subchannel_call | [95] HTTP/2 stream closed with code 8
D 2024-08-16T19:04:21.746Z | v1.9.7 21084 | transport | (148) ::1:26501 session closed

Here is the automaticcaly created KeyCloak clients:

Disclaimer: Before posting this, I tested that zeebe-gateway is up and running, port-forwarding is correct, I can reach out to all of the other components. I also tested that it is working without KeyCloak only with Basic auth when identity is disabled in the charts. Also, the token is new, refreshed, it did not expired. I also ran the DesktopModeler in DEBUG mode to have more verbose info about it, but in the console I can see the same output as in the grpcurl.

Any help would be highly appreciated. Last note is, that I am using the default helm charts installations.

Thank you very much :slight_smile:

So I fixed the issue, apparently, you have to use client zeebe and not zeebe-api, which is different from the official documentation. The value its in ther helm charts values.yaml

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.