Optimize in 8.8-alpha7 with separately set up Keycloak and identity from core component

Thanks for providing those debug logs! The error “No pre-authenticated principal found in request” from CCSMAuthenticationCookieFilter indicates that Optimize is not receiving or recognizing the authentication cookie after the Keycloak login process.

Since you’ve confirmed the redirect URLs are correctly configured, this is likely a cookie handling issue. Here are the specific solutions to try:

Cookie Configuration Fix

The most common cause of this specific error is the SameSite cookie setting. You need to disable SameSite cookies for Optimize:

Add this to your Optimize configuration:

environment:
  - CAMUNDA_OPTIMIZE_SECURITY_AUTH_COOKIE_SAME_SITE_ENABLED=false

Or in Helm values:

optimize:
  env:
    - name: CAMUNDA_OPTIMIZE_SECURITY_AUTH_COOKIE_SAME_SITE_ENABLED
      value: "false"

This is especially important when using ingress controllers or reverse proxies, as they can interfere with cookie handling in cross-site scenarios.

Additional Checks

1. Issuer URL Consistency

Verify that the issuer URL in your Optimize configuration exactly matches what Keycloak provides:

# Should match your Keycloak realm issuer URL
CAMUNDA_OPTIMIZE_IDENTITY_ISSUER_URL: "https://your-keycloak-domain/auth/realms/your-realm"

2. Client Secret Configuration

Ensure your Optimize client in Keycloak is:

  • Enabled
  • Access Type: confidential
  • Valid client secret provided to Optimize

3. Protocol Consistency

Make sure all URLs (Keycloak, Optimize, Identity) use the same protocol (HTTPS recommended).

Debugging Steps

  1. Check browser network tab during login to see if cookies are being set
  2. Verify cookie domain/path settings in browser dev tools
  3. Enable more detailed logging for authentication:
    logging:
      level:
        com.camunda.optimize.service.security: DEBUG
        org.springframework.security: DEBUG
    

Most Likely Solution

Based on the specific error you’re seeing, setting CAMUNDA_OPTIMIZE_SECURITY_AUTH_COOKIE_SAME_SITE_ENABLED=false should resolve the issue. This is a common requirement for Optimize when using external OIDC providers like Keycloak.

Try this configuration change first and let me know if the redirect loop persists!

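For the debugging steps above (checking whether the cookie is set and what its domain, path and SameSite attributes are), the following is an added example, not part of the original reply and not Camunda code. It audits a `Set-Cookie` header copied from the browser network tab and lists reasons the browser may not return it after the redirect back from the identity provider. The cookie name, hosts and sample headers are constructed placeholders, and `arrived_cross_site` is an assumption the caller supplies (true when Keycloak and Optimize are on different registrable domains).

```python
from http.cookies import SimpleCookie

def audit_set_cookie(header, scheme, host, path, arrived_cross_site):
    """List reasons a browser may not return this cookie to scheme://host/path.

    arrived_cross_site: True when the navigation began on another site, e.g.
    the redirect back from an identity provider on a different registrable domain.
    """
    jar = SimpleCookie()
    jar.load(header)
    if not jar:
        return ["unparseable: no cookie found in header"]
    morsel = next(iter(jar.values()))
    findings = []

    # Chromium-based browsers treat a missing SameSite attribute as Lax.
    same_site = (morsel["samesite"] or "lax").lower()
    if same_site == "strict" and arrived_cross_site:
        findings.append("samesite-strict: may be withheld after a cross-site redirect")
    if same_site == "none" and not morsel["secure"]:
        findings.append("samesite-none-insecure: SameSite=None requires Secure")
    if morsel["secure"] and scheme != "https":
        findings.append("secure-over-http: Secure cookie is not sent over plain http")

    domain = morsel["domain"].lstrip(".").lower()
    if domain and host != domain and not host.endswith("." + domain):
        findings.append(f"domain-mismatch: Domain={domain} does not cover {host}")

    cookie_path = (morsel["path"] or "/").rstrip("/")
    if cookie_path and path != cookie_path and not path.startswith(cookie_path + "/"):
        findings.append(f"path-mismatch: Path={cookie_path} does not cover {path}")
    return findings

# Constructed sample headers; the cookie name and hosts are placeholders.
SAMPLES = {
    "strict": "example-auth=token123; Path=/; Secure; HttpOnly; SameSite=Strict",
    "lax": "example-auth=token123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "none_insecure": "example-auth=token123; Path=/; SameSite=None",
    "wrong_scope": "example-auth=token123; Domain=identity.example.test; Path=/identity; Secure",
}

def audit_samples():
    return {label: audit_set_cookie(hdr, "https", "optimize.example.test", "/", True)
            for label, hdr in SAMPLES.items()}

if __name__ == "__main__":
    for label, findings in audit_samples().items():
        print(label, findings or ["ok: cookie should be returned"])
```

An empty result for the real header means the loop is probably not caused by cookie attributes, which is worth knowing before relaxing SameSite, since that attribute also limits cross-site request forgery.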