@camundaman12345 - disclaimer up front: I haven’t tested this, and I’m waiting on confirmation from the engineers … but this is my understanding:
If you do not set those values, an audience is not required on the backend for the Orchestration Cluster. However, Desktop Modeler requires that field on the frontend, so I believe you can put any value in there and, because it isn’t validated on the API, it should be ignored.
However, the Keycloak token mapper is still required. Our understanding is that without the token mapper, deployment from Modeler is not possible. We would prefer to avoid making changes in Keycloak as much as possible.
When an audience set is present, Keycloak should use a token mapper to provide the audience claim.
If the above is the official recommendation, then no further discussion is necessary.
@camundaman12345 - we do not have official recommendations for these parts of your Keycloak configuration. You are free to configure that however you need to achieve the results you are looking for. If that means your Keycloak configuration requires the token mapper to set the audience claim, then it sounds like that is what is needed, but it is not a requirement from Camunda. Keycloak is not a requirement of Camunda’s, it is one option for an identity provider but not the only one.
The official OIDC spec requires the audience claim (ref 1, ref 2), so an OIDC provider not setting the audience claim in a token is a bit strange. I don’t know enough about Keycloak and how you have it configured to say why it’s not doing that without a token mapper. I’ve never seen a bearer token without an audience before either, this is new to me! (And this thread has raised the question internally with our product team about why we allow bypassing the audience validation considering it is part of the OIDC spec, so this may become a requirement in a future release.)
Because it is a requirement from the OIDC spec, the best practice and recommendation from Camunda is to use the audience claims for their intended purpose. But the application allows you to disable the audience for the Orchestration Cluster API.
You previously said that any value inside the Modeler audience form field allows the deployment to work, which says to me that the backend isn’t validating the audience claim. Are you saying that it is now failing when you put an audience value in Modeler after unsetting the CAMUNDA_SECURITY_AUTHENTICATION_OIDC_AUDIENCES_* values? If so, it sounds like there is still an audience configuration in Camunda and it is expecting that value.
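To make the audience discussion above concrete, here is an added example (not code from Camunda, Keycloak or anyone in this thread) of the check a resource server performs on a bearer token: verify the signature and expiry, then compare the `aud` claim (a string or an array of strings per RFC 7519) against a configured set of accepted audiences. The `accepted_audiences` set stands in for the `CAMUNDA_SECURITY_AUTHENTICATION_OIDC_AUDIENCES_*` values, and `require_audience=False` is an assumed model of leaving those values unset, as described earlier in the thread; the HS256 signing key, issuer, subject and audience names are constructed test data, not values from any real deployment.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, key: bytes) -> str:
    """Build a compact HS256 JWT for the demo. Constructed test data only; a real
    IdP such as Keycloak would sign with an RSA/EC key published via its JWKS."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def validate_token(token: str, key: bytes, accepted_audiences: set[str],
                   require_audience: bool = True) -> dict:
    """Verify signature and expiry, then enforce the audience rule.

    accepted_audiences models the configured OIDC audiences on the resource server;
    require_audience=False is an assumed model of running with no audience configured,
    which lets a token with no aud claim through (the bypass discussed in the thread).
    """
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # only accept the algorithm we expect; never trust alg blindly
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("exp", 0) <= time.time():
        raise ValueError("expired")
    aud = claims.get("aud")
    if aud is None:
        if require_audience:
            raise ValueError("aud claim missing")
        return claims  # audience validation disabled: accepted without an aud claim
    # RFC 7519: aud is either a single string or an array of strings
    auds = {aud} if isinstance(aud, str) else set(aud)
    if not auds & accepted_audiences:
        raise ValueError(f"aud {sorted(auds)} not in accepted {sorted(accepted_audiences)}")
    return claims


def demo() -> dict:
    """Run the four cases that matter in the thread and report accept/reject per case."""
    key = b"demo-secret"  # constructed key for the example
    base = {"iss": "https://keycloak.example/realms/camunda", "sub": "modeler-user",
            "exp": int(time.time()) + 300}
    accepted = {"orchestration-cluster"}  # constructed audience name
    cases = [
        ("with_aud/required", mint_token({**base, "aud": ["orchestration-cluster", "account"]}, key), True),
        ("wrong_aud/required", mint_token({**base, "aud": "some-other-api"}, key), True),
        ("without_aud/required", mint_token(base, key), True),
        ("without_aud/bypass", mint_token(base, key), False),
    ]
    results = {}
    for name, tok, require in cases:
        try:
            validate_token(tok, key, accepted, require_audience=require)
            results[name] = "accepted"
        except ValueError as e:
            results[name] = f"rejected: {e}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:24s} {outcome}")
```

The "without_aud/bypass" case is the one the thread is about: a token Keycloak issued without a token mapper carries no `aud`, and it is only accepted because audience checking is switched off, not because the backend validated anything. The "wrong_aud/required" case shows what an audience check buys you: a token minted for a different API in the same realm is refused even though its signature and expiry are valid.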