Unable to configure Camunda C8run 8.8.0-alpha8 with External Identity Provider

Hi @devmsaleh,

Looking at your configuration and the error logs, I can see you’re encountering a connection refused error on port 26500, which is the Zeebe gateway port. This suggests that the Connectors service cannot establish a connection to the Zeebe gateway. Let me help you troubleshoot this issue.

Issues I’ve Identified

1. Environment Variable Naming

I notice some inconsistencies in your environment variable names. Based on the documentation, you should use:

    # Correct variable names
    CAMUNDA_IDENTITY_BASEURL=http://localhost:8080          # ✅ This looks correct
    CAMUNDA_IDENTITY_ISSUER=http://localhost:9999/realms/camunda-realm  # ✅ This looks correct
    CAMUNDA_IDENTITY_ISSUERBACKENDURL=http://localhost:9999/realms/camunda-realm  # ✅ This looks correct
    CAMUNDA_IDENTITY_CLIENTID=camundaClient                 # ✅ This looks correct
    CAMUNDA_IDENTITY_CLIENTSECRET=zWORlgc8c63xVokfHjU0BXV5t693NaJD  # ✅ This looks correct
    CAMUNDA_IDENTITY_AUDIENCE=account                       # ✅ This looks correct

2. Zeebe Gateway Connectivity Issue

The main problem appears to be that the Connectors service cannot reach the Zeebe gateway on port 26500. Here’s how to troubleshoot:

Step 1: Verify Zeebe Gateway is Running

    # Test if port 26500 is accessible
    netstat -an | findstr :26500
    # Or use PowerShell
    Test-NetConnection -ComputerName localhost -Port 26500

Step 2: Check Service Startup Order
Make sure all services are starting in the correct order:

  1. Keycloak should be fully started first
  2. Then Zeebe gateway
  3. Finally, other services like Connectors

3. Keycloak Configuration Verification

Ensure your Keycloak client configuration includes:

  • Client ID: camundaClient
  • Client Secret: zWORlgc8c63xVokfHjU0BXV5t693NaJD
  • Valid Redirect URIs: Your list looks comprehensive
  • Access Type: Should be set to “confidential”
  • Service Accounts Enabled: Should be enabled

4. Network Configuration

Since you’re using localhost in your configuration, ensure:

  • All services are running on the same machine
  • No firewall is blocking port 26500
  • If using Docker, all containers are on the same network

Recommended Troubleshooting Steps

  1. Check if Zeebe is accessible:

    c8run status
    
  2. Verify Keycloak connectivity:
    Test if your Keycloak endpoint is accessible:

    curl http://localhost:9999/realms/camunda-realm/.well-known/openid-configuration
    
  3. Review all service logs:

    • Check camunda.log for Zeebe gateway startup messages
    • Check if Identity service is connecting to Keycloak successfully
    • Look for authentication-related errors
  4. Try starting services individually:
    Sometimes starting services step by step can help identify where the issue occurs.

Additional Configuration Notes

For C8run with external OIDC, you might also want to verify these settings:

  • Ensure your Keycloak realm has the correct issuer URL
  • Verify that the account audience is properly configured in Keycloak
  • Check that the preferred_username claim is available in your tokens

Could you please:

  1. Run the connectivity tests above and share the results?
  2. Check if Zeebe gateway is actually running and listening on port 26500?
  3. Share any relevant logs from camunda.log around the startup time?

This will help us pinpoint whether the issue is with the Zeebe gateway not starting, network connectivity, or authentication configuration.
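
Added example, not part of the original post and not Camunda or Keycloak code: a local check of the three token properties listed under "Additional Configuration Notes" (issuer, the `account` audience, `preferred_username`). The issuer and audience come from the configuration quoted above; the sample claims, the `keycloak` hostname and all function names are constructed for illustration.

```python
import base64
import json

# Values taken from the configuration quoted in the post.
ISSUER = "http://localhost:9999/realms/camunda-realm"
AUDIENCE = "account"


def decode_claims(token):
    """Return the JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (header.payload.signature expected)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_claims(claims, issuer=ISSUER, audience=AUDIENCE):
    """Return a list of mismatches between the token and the configured values."""
    problems = []
    if claims.get("iss") != issuer:  # must match exactly, including host and path
        problems.append("iss %r != configured issuer %r" % (claims.get("iss"), issuer))
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)  # string or array form
    if audience not in aud:
        problems.append("audience %r not in aud %r" % (audience, aud))
    if not claims.get("preferred_username"):
        problems.append("preferred_username claim is missing")
    return problems


def make_sample_token(claims):
    """Build a constructed token with a placeholder signature, for the demo only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "placeholder"])


# Constructed sample claims (not from the thread).
GOOD = {"iss": ISSUER, "aud": ["account"], "preferred_username": "demo-user"}
BAD = {"iss": "http://keycloak:9999/realms/camunda-realm", "aud": "camundaClient"}

if __name__ == "__main__":
    for name, claims in (("GOOD", GOOD), ("BAD", BAD)):
        found = check_claims(decode_claims(make_sample_token(claims)))
        print(name, "->", found or "ok")
```

Access tokens are bearer credentials, so decode a real one locally with `decode_claims` rather than pasting it into an online decoder.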
