ProcessDefinitionImporter Failed to import process elements Failed with code 401: 'Unauthorized'

Hi @devmsaleh,

I can see you’re experiencing a 401 Unauthorized error with the ProcessDefinitionImporter when trying to configure c8run 8.8.0-alpha8 with Keycloak as an external identity provider. This is a problem that typically indicates an authentication configuration issue.

Looking at your configuration, I notice a few potential issues:

Main Issues Identified:

1. Profile Configuration

Your current profile configuration includes consolidated-auth, but for OIDC authentication with external identity providers like Keycloak, you should use the oidc profile instead:

spring:
  profiles:
    active: "identity,operate,tasklist,broker,oidc"  # Use 'oidc' instead of 'consolidated-auth'

2. Configuration Structure

Your configuration uses a security section, but c8run 8.8.0 expects the OIDC configuration under camunda.identity. Here’s the correct structure:

camunda:
  identity:
    type: KEYCLOAK
    baseUrl: http://localhost:8080
    issuer: http://localhost:9999/realms/camunda-realm
    issuerBackendUrl: http://localhost:9999/realms/camunda-realm
    clientId: camundaClient
    clientSecret: zWORlgc8c63xVokfHjU0BXV5t693NaJD
    audience: camundaClient
    initialClaimName: preferred_username
    initialClaimValue: demo  # or your admin user

3. Common Causes of 401 Errors:

  • Incorrect client credentials: Ensure the clientId and clientSecret in your configuration exactly match those in your Keycloak realm
  • Wrong issuer URL: Verify that http://localhost:9999/realms/camunda-realm is accessible and correct
  • Missing client configuration in Keycloak: Ensure your Keycloak client is properly configured with the correct redirect URIs and grant types
  • Keycloak service not ready: Make sure Keycloak is fully started before starting c8run

Recommended Configuration:

Replace your current application.yaml with:

spring:
  profiles:
    active: "identity,operate,tasklist,broker,oidc"

management:
  server:
    port: 9600

server:
  forward-headers-strategy: none
  address: 0.0.0.0

zeebe:
  host: 0.0.0.0
  log:
    level: "info"

broker:
  gateway:
    enable: true
    network:
      host: 0.0.0.0
      port: 26500
  network:
    host: 0.0.0.0
    commandApi:
      port: 26501
    internalApi:
      port: 26502
  data:
    snapshotPeriod: 5m
    freeSpace:
      processing: 2GB
      replication: 3GB
  threads:
    cpuThreadCount: "3"
    ioThreadCount: "3"
  exporters:
    elasticsearch:
      className: "io.camunda.zeebe.exporter.ElasticsearchExporter"
      args:
        url: "http://elasticsearch:9200"
        index:
          prefix: "zeebe-record"
    CamundaExporter:
      className: "io.camunda.exporter.CamundaExporter"
      args:
        connect:
          type: elasticsearch
          url: "http://elasticsearch:9200"
        createSchema: true

camunda:
  persistent:
    sessions:
      enabled: true
  identity:
    type: KEYCLOAK
    baseUrl: http://localhost:8080
    issuer: http://localhost:9999/realms/camunda-realm
    issuerBackendUrl: http://localhost:9999/realms/camunda-realm
    clientId: camundaClient
    clientSecret: zWORlgc8c63xVokfHjU0BXV5t693NaJD
    audience: camundaClient
    initialClaimName: preferred_username
    initialClaimValue: demo

rest:
  query:
    enabled: true

Next Steps:

  1. Update your configuration as shown above
  2. Verify your Keycloak client configuration matches the clientId and clientSecret
  3. Ensure Keycloak is running and accessible at http://localhost:9999
  4. Check both c8run and Keycloak logs for more detailed error messages

If you continue to see 401 errors after making these changes, please share:

  • Your Keycloak client configuration
  • Any relevant log entries from both c8run and Keycloak
  • Confirmation that you can access the Keycloak issuer URL directly

Let me know how this works for you!
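
An added example, not part of the original reply and not Camunda code: a small diagnostic that decodes an access token issued by Keycloak and compares its `iss`, `aud` and `preferred_username` claims with the `issuer`, `audience`, `initialClaimName` and `initialClaimValue` values from the configuration above. It assumes standard OIDC claim validation; the function names and the sample tokens are constructed for illustration, and the signature is deliberately not verified, so this is for troubleshooting only.

```python
import base64
import json

# Values copied from the camunda.identity block in the reply above.
EXPECTED = {
    "issuer": "http://localhost:9999/realms/camunda-realm",
    "audience": "camundaClient",
    "claim_name": "preferred_username",
    "claim_value": "demo",
}

def _b64url(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned sample token so the example runs offline."""
    return f"{_b64url({'alg': 'none'})}.{_b64url(claims)}.constructed-signature"

def decode_claims(jwt: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected 3 dot-separated segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def diagnose(claims: dict, expected: dict = EXPECTED) -> list:
    """Return the mismatches between token claims and the configured values."""
    problems = []
    if claims.get("iss") != expected["issuer"]:
        problems.append(f"iss {claims.get('iss')!r} != issuer {expected['issuer']!r}")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud  # aud may be a string or a list
    if expected["audience"] not in aud:
        problems.append(f"aud {aud!r} does not contain {expected['audience']!r}")
    name, value = expected["claim_name"], expected["claim_value"]
    if claims.get(name) != value:
        problems.append(f"{name} is {claims.get(name)!r}, expected {value!r}")
    return problems

# Constructed samples: one token matching the config, and one with a different
# hostname in iss, a default audience and a non-matching username.
GOOD = make_sample_token({"iss": EXPECTED["issuer"], "aud": ["camundaClient", "account"],
                          "preferred_username": "demo"})
BAD = make_sample_token({"iss": "http://keycloak:9999/realms/camunda-realm",
                         "aud": "account", "preferred_username": "service-account-x"})

if __name__ == "__main__":
    for label, token in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, diagnose(decode_claims(token)) or "claims match configuration")
```

To use it on a real token, pass the access token string obtained from your Keycloak realm to `decode_claims` and feed the result to `diagnose`.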