Spring Security OAuth 2 with Keycloak 403 error

I am trying to add OAuth 2 to my application (Camunda 7.17 with the Spring Boot starter). In order to do so, I followed the setup mentioned in https://github.com/camunda-community-hub/camunda-platform-7-keycloak#activating-single-sign-on, but I believe I missed something.

Steps taken:

  1. configured the application as in the example (config is below)
  2. created group camunda-admin
  3. created user demo and added it to camunda-admin group
  4. go to Camunda app url and get redirected to Keycloak
  5. login with username and password
  6. login works in keycloak (if I return to the keycloak page I see that I am logged in) and redirects me to Camunda Welcome page where it asks me to login again
  7. try to login again with same username and password, but receive error "status":403,"error":"Forbidden","path":"/camunda/api/admin/auth/user/default/login/welcome"

Is there any additional role or configuration I should add to the user in order to be able to connect to Cockpit?
Here is my config:

plugin.identity.keycloak:
  keycloakIssuerUrl: <keycloak>/auth/realms/<dev-realm>
  keycloakAdminUrl: <keycloak>/auth/admin/realms/<dev-realm>
  clientId: camunda-identity-service
  clientSecret: <client-secret>
  useUsernameAsCamundaUserId: true
  administratorGroupName: camunda-admin
  administratorUserId: demo
  useGroupPathAsCamundaGroupId: true
  # accepts any certificate presented by the Keycloak host: acceptable for a local dev realm, not for production
  disableSSLCertificateValidation: true

#Spring Boot Security OAuth2 SSO
spring.security.oauth2:
  client:
    registration:
      keycloak:
        provider: keycloak
        client-id: camunda-identity-service
        client-secret: <client-secret>
        authorization-grant-type: authorization_code
        redirect-uri: "{baseUrl}/{action}/oauth2/code/{registrationId}"
        scope: openid, profile, email
    provider:
      keycloak:
        issuer-uri: <keycloak>/auth/realms/<dev-realm>
        authorization-uri: <keycloak>/auth/realms/<dev-realm>/protocol/openid-connect/auth
        user-info-uri: <keycloak>/auth/realms/<dev-realm>/protocol/openid-connect/userinfo
        token-uri: <keycloak>/auth/realms/<dev-realm>/protocol/openid-connect/token
        jwk-set-uri: <keycloak>/auth/realms/<dev-realm>/protocol/openid-connect/certs
        # set user-name-attribute one of:
        # - sub                -> default; using keycloak ID as camunda user ID
        # - email              -> useEmailAsCamundaUserId=true
        # - preferred_username -> useUsernameAsCamundaUserId=true
        user-name-attribute: preferred_username

Hello @Cody_Newman ,

did you register the ContainerBasedAuthenticationFilter with a ContainerBasedAuthenticationProvider?

This filter takes care that the authentication from Spring Security is set on the process engine.

When it is not set, the webapp will redirect you to the login page.

The implementation is mentioned on the readme of the plugin.

I hope this helps

Jonathan

Hello @jonathan.lukas ,

Thank you for your suggestion!
I placed a breakpoint to see if the ContainerBasedAuthenticationProvider was working and noticed that it was never called. On further investigation, the issue was with my filter config. Even though the provider was registered, the pattern was wrong. I had changed it from the example's "/app/*" to "/**", which meant it did not match when requests were sent. After changing it to "/*", I was able to log in.

For others with similar issues to mine, I will provide the code below:

import java.util.Collections;

import org.camunda.bpm.webapp.impl.security.auth.ContainerBasedAuthenticationFilter;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;

@SuppressWarnings({"rawtypes", "unchecked"})
@Bean
public FilterRegistrationBean containerBasedAuthenticationFilter() {

    FilterRegistrationBean filterRegistration = new FilterRegistrationBean();
    filterRegistration.setFilter(new ContainerBasedAuthenticationFilter());
    // fully qualified name of the AuthenticationProvider that maps the Spring Security principal to a Camunda user
    filterRegistration.setInitParameters(Collections.singletonMap("authentication-provider", "nl.vodafoneziggo.mdwr.config.security.KeycloakAuthenticationProvider"));
    filterRegistration.setOrder(101); // make sure the filter is registered after the Spring Security Filter Chain
    // servlet URL pattern: "/*" matches every request; "/**" is Ant syntax, which the servlet container treats as a literal path
    filterRegistration.addUrlPatterns("/*");
    return filterRegistration;
}
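The thread registers the filter but never shows the provider class named in its "authentication-provider" init parameter, which is the piece Jonathan's reply says has to exist for the Spring Security login to reach the process engine. Below is an added example of such a provider, written for this page rather than taken from the thread or from the camunda-platform-7-keycloak plugin. It assumes Camunda 7.17 on Spring Boot 2.x (javax.servlet), the engine-rest base class org.camunda.bpm.engine.rest.security.auth.impl.ContainerBasedAuthenticationProvider and AuthenticationResult, and it uses the package name from the filter registration above so the init parameter resolves; the class body itself is an assumption, not project code.

```java
package nl.vodafoneziggo.mdwr.config.security;

import java.util.List;
import java.util.stream.Collectors;

import javax.servlet.http.HttpServletRequest;

import org.camunda.bpm.engine.ProcessEngine;
import org.camunda.bpm.engine.rest.security.auth.AuthenticationResult;
import org.camunda.bpm.engine.rest.security.auth.impl.ContainerBasedAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;

/**
 * Added example (not the plugin's own class): bridges the Spring Security OAuth2/OIDC
 * login to the Camunda web apps. ContainerBasedAuthenticationFilter calls
 * extractAuthenticatedUser() on every request under its URL pattern. The engine user
 * is derived only from the already authenticated Spring Security context, never from
 * anything the client sends in the request.
 */
public class KeycloakAuthenticationProvider extends ContainerBasedAuthenticationProvider {

    @Override
    public AuthenticationResult extractAuthenticatedUser(HttpServletRequest request, ProcessEngine engine) {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();

        // Accept only a principal that completed the OAuth2 login. A missing or anonymous
        // authentication returns "unsuccessful", and the web app sends the user to the login flow.
        if (!(authentication instanceof OAuth2AuthenticationToken) || !authentication.isAuthenticated()) {
            return AuthenticationResult.unsuccessful();
        }
        Object principal = authentication.getPrincipal();
        if (!(principal instanceof OidcUser)) {
            return AuthenticationResult.unsuccessful();
        }

        // getName() returns the claim chosen by
        // spring.security.oauth2.client.provider.keycloak.user-name-attribute
        // (preferred_username in the config above). It must agree with
        // useUsernameAsCamundaUserId: true, otherwise the ID here never matches the
        // user IDs the Keycloak identity provider plugin reports and authorization fails.
        String userId = ((OidcUser) principal).getName();
        if (userId == null || userId.trim().isEmpty()) {
            return AuthenticationResult.unsuccessful();
        }

        AuthenticationResult result = new AuthenticationResult(userId, true);
        // Groups come from the engine's identity service, which the Keycloak plugin backs,
        // so membership in camunda-admin is what grants Cockpit/Admin access.
        result.setGroups(resolveGroupIds(userId, engine));
        return result;
    }

    private static List<String> resolveGroupIds(String userId, ProcessEngine engine) {
        return engine.getIdentityService()
                .createGroupQuery()
                .groupMember(userId)
                .list()
                .stream()
                .map(group -> group.getId())
                .collect(Collectors.toList());
    }
}
```

Two things to check when wiring this in: the FilterRegistrationBean order must be greater than Spring Security's own filter chain (Spring Boot registers it at order -100 by default), so that the OAuth2 login filter has populated SecurityContextHolder before this provider runs; and the Spring Security configuration must require authentication for the Camunda paths, since the provider only reads the context and never starts a login itself.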