I am trying to add OAuth 2 to my application (Camunda 7.17 with the Spring Boot starter). In order to do so, I followed the setup mentioned in https://github.com/camunda-community-hub/camunda-platform-7-keycloak#activating-single-sign-on, but I believe I missed something.
Steps taken:
- configured the application as in the example (config is below)
- created group camunda-admin
- created user demo and added it to camunda-admin group
- go to Camunda app url and get redirected to Keycloak
- login with username and password
- login works in Keycloak (if I return to the Keycloak page I see that I am logged in) and redirects me to the Camunda Welcome page, where it asks me to log in again
- try to log in again with the same username and password, but receive the error "status":403,"error":"Forbidden","path":"/camunda/api/admin/auth/user/default/login/welcome"
Is there any additional role or configuration I should add to the user in order to be able to connect to Cockpit?
Here is my config:
plugin.identity.keycloak:
  keycloakIssuerUrl: <keycloak>/auth/realms/<dev-realm>
  keycloakAdminUrl: <keycloak>/auth/admin/realms/<dev-realm>
  clientId: camunda-identity-service
  clientSecret: <client-secret>
  useUsernameAsCamundaUserId: true
  administratorGroupName: camunda-admin
  administratorUserId: demo
  useGroupPathAsCamundaGroupId: true
  disableSSLCertificateValidation: true

# Spring Boot Security OAuth2 SSO
spring.security.oauth2:
  client:
    registration:
      keycloak:
        provider: keycloak
        client-id: camunda-identity-service
        client-secret: <client-secret>
        authorization-grant-type: authorization_code
        redirect-uri: "{baseUrl}/{action}/oauth2/code/{registrationId}"
        scope: openid, profile, email
    provider:
      keycloak:
        issuer-uri: <keycloak>/auth/realms/<dev-realm>
        authorization-uri: <keycloak>/auth/realms/<dev-realm>/protocol/openid-connect/auth
        user-info-uri: <keycloak>/auth/realms/<dev-realm>/protocol/openid-connect/userinfo
        token-uri: <keycloak>/auth/realms/<dev-realm>/protocol/openid-connect/token
        jwk-set-uri: <keycloak>/auth/realms/<dev-realm>/protocol/openid-connect/certs
        # set user-name-attribute to one of:
        # - sub -> default; uses the Keycloak ID as the Camunda user ID
        # - email -> useEmailAsCamundaUserId=true
        # - preferred_username -> useUsernameAsCamundaUserId=true
        user-name-attribute: preferred_username
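The SSO setup in the linked README does not stop at the YAML above: the Spring Security OAuth2 login has to be handed to the Camunda web app through a container-based authentication provider registered via the web app's ContainerBasedAuthenticationFilter, otherwise the web app keeps using its own form login and its own `/api/admin/auth/...` endpoint. The following is an added illustration of that bridge, not the poster's code and not copied from the project; the class, package and filter order are assumptions to be adapted to your application.

```java
// Added illustration of the Spring Security -> Camunda web app bridge used by
// the camunda-platform-7-keycloak SSO setup. Package/class names are assumptions.
import java.util.Collections;
import java.util.List;
import java.util.stream.Collectors;
import javax.servlet.http.HttpServletRequest;
import org.camunda.bpm.engine.ProcessEngine;
import org.camunda.bpm.engine.identity.Group;
import org.camunda.bpm.engine.rest.security.auth.AuthenticationResult;
import org.camunda.bpm.engine.rest.security.auth.impl.ContainerBasedAuthenticationProvider;
import org.camunda.bpm.webapp.impl.security.auth.ContainerBasedAuthenticationFilter;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;

public class KeycloakAuthenticationProvider extends ContainerBasedAuthenticationProvider {

    @Override
    public AuthenticationResult extractAuthenticatedUser(HttpServletRequest request, ProcessEngine engine) {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        // No OIDC login in the Spring Security context: let the web app treat the request as anonymous.
        if (authentication == null || !(authentication.getPrincipal() instanceof OidcUser)) {
            return AuthenticationResult.unsuccessful();
        }
        // Must agree with user-name-attribute=preferred_username and useUsernameAsCamundaUserId=true,
        // otherwise the web app looks up a user ID the identity plugin does not know.
        String userId = ((OidcUser) authentication.getPrincipal()).getPreferredUsername();
        if (userId == null || userId.isEmpty()) {
            return AuthenticationResult.unsuccessful();
        }
        AuthenticationResult result = new AuthenticationResult(userId, true);
        // Groups come from the Keycloak identity plugin; camunda-admin grants the admin authorizations.
        List<String> groupIds = engine.getIdentityService().createGroupQuery()
                .groupMember(userId).list().stream().map(Group::getId).collect(Collectors.toList());
        result.setGroups(groupIds);
        return result;
    }
}

@Configuration
class CamundaSsoFilterConfig {
    @Bean
    public FilterRegistrationBean<ContainerBasedAuthenticationFilter> containerBasedAuthenticationFilter() {
        FilterRegistrationBean<ContainerBasedAuthenticationFilter> reg = new FilterRegistrationBean<>();
        reg.setFilter(new ContainerBasedAuthenticationFilter());
        reg.setInitParameters(Collections.singletonMap("authentication-provider",
                KeycloakAuthenticationProvider.class.getName()));
        reg.setOrder(101); // assumption: after Spring Security's filter chain, so the OIDC user is set
        reg.addUrlPatterns("/app/*", "/api/*");
        return reg;
    }
}
```

Spring Security must still require authentication (and trigger `oauth2Login()`) for `/app/**` and `/api/**` before this filter runs; a quick check that the bridge is active is that Cockpit opens directly after the Keycloak redirect without showing the Camunda login form.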