Tasklist REST API PATCH Requests Access Denied

Hello folks,

I have an issue when trying to assign/complete a task using the Tasklist REST API. I am using the Self-Managed version of Camunda 8.
When using the PATCH requests described in the documentation for assigning/completing a task, I keep getting an Access Denied log in my Tasklist container:
LOG org.springframework.security.access.AccessDeniedException: Access is denied
    at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:77) ~[spring-security-core-6.1.6.jar!/:6.1.6]
    at org.springframework.security.access.intercept.AbstractSecurityInterceptor.attemptAuthorization(AbstractSecurityInterceptor.java:253) ~[spring-security-core-6.1.6.jar!/:6.1.6]
    at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:222) ~[spring-security-core-6.1.6.jar!/:6.1.6]
    at org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:64) ~[spring-security-core-6.1.6.jar!/:6.1.6]

When using the same Bearer token in the Authorization header for GET and POST requests (i.e. the POST request for searching all tasks), it works just fine. I have this issue only for PATCH requests.

I am using Camunda Identity with Keycloak. I have set up my client for my application in Keycloak with full access to Tasklist and also given it every permission possible in Identity.
Another behaviour that I can’t explain is that if I log in to the Tasklist GUI client and claim the task for myself, it works and I can see the PATCH method responding with 200 Success in my Tasklist container. The same happens if I log in to the Tasklist GUI client, then access the live Swagger file and run the PATCH request for assigning the task to a user with an empty body (which basically assigns the task to the current user, basically claiming the task).

But when I try to run the PATCH requests using my Bearer token from my Keycloak instance (which is the same used by my Identity service) in the authorisation header, I get Access Denied.
Does anyone know what I might have set up wrong? Or does the Tasklist REST API not support requests with a Bearer token as a form of authorization? I’ve noticed that the login session when I log in to Tasklist via the GUI client uses cookies for authorization.

Hello @smesca, welcome to the community!

Can you please provide more details like:

  • which Tasklist version are you using?
  • a snippet of the PATCH request you are using

Best regards,
Houssain

I also have this error.

My Camunda version is 8.5.7, and my Tasklist version is also 8.5.7.

2025-04-17 13:05:05.684  INFO 8 --- [nio-8080-exec-5] i.c.t.w.c.f.LoggingFilter                : Request Processed: Method=PATCH, URI=/v1/tasks/2251800986555237/assign, Response Code=500, Time Taken=7 ms
2025-04-17 13:05:08.697 ERROR 8 --- [io-8080-exec-12] i.c.t.w.a.r.v.c.TaskController           : Unexpected exception happened: Access is denied
org.springframework.security.access.AccessDeniedException: Access is denied


I added all roles to my user

@IxtiyorXaitov Most likely it’s a permission issue.

Camunda Tasklist has fine-grained permissions. Even if a user is authenticated, they may not have the right role or permission to assign a task.

Checklist:

  • Does the user making the request have the task:assign permission?
  • Are you using Camunda Identity (SSO, LDAP, etc.)? If so, the user’s group might be missing the required permission.
  • Try with a user that has admin privileges and see if the request succeeds.
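
To check the symptom described in this thread (the same Bearer token is accepted for GET/POST but rejected for PATCH), inspect what the access token actually carries. The script below is an added example, not part of any post and not Camunda code. The `permissions` claim layout, the `tasklist-api` audience name and the `read:*`/`write:*` values are assumptions, so compare them with your own decoded token.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload of a compact JWT WITHOUT verifying the signature.

    For local diagnostics only; never use unverified claims for authorization.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def diagnose(token: str, audience: str = "tasklist-api") -> dict:
    """Summarise whether the token targets `audience` and which permissions it holds."""
    claims = jwt_claims(token)
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    # Assumed claim layout: {"permissions": {"<audience>": ["read:*", "write:*"]}}
    perms = set((claims.get("permissions") or {}).get(audience, []))
    return {
        "audience_ok": audience in aud,
        "can_read": "read:*" in perms,    # enough for GET and search-style POST
        "can_write": "write:*" in perms,  # state-changing calls such as assign/complete
        "permissions": sorted(perms),
    }


def make_sample_token(claims: dict) -> str:
    # Constructed, unsigned token used only to exercise diagnose() offline.
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.constructed"


if __name__ == "__main__":
    sample = make_sample_token(
        {"aud": ["tasklist-api"], "permissions": {"tasklist-api": ["read:*"]}}
    )
    print(diagnose(sample))
```

A result with `can_read` true and `can_write` false matches the behaviour reported here. In that case, the fix belongs in the client's permission assignment in Identity, not in the request itself.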