Unauthorized You don’t have access to this resource

  • I have been trying to run the Camunda 8 development setup on a centralized development server using a Keycloak instance.

  • When I try to assign the application permission for Operate, it shows "Unauthorized. You don’t have access to this resource."

  • The underlying response to the POST call shows "Invalid CORS request".

  • But on the local development server it works perfectly without any issues.

Hi @Zoltan_Karolyi - depending on how you have it deployed, you may need a reverse proxy in front of the resources. We typically recommend using an API between your front-end client and Camunda to prevent accidentally allowing external users to call the Camunda APIs directly.

Hi Nathan,

Thank you for your answer.
I upgraded from Camunda 7 to Camunda 8. I use the Identity, Tasklist, Operate, Optimize, Connectors and Zeebe components with Keycloak.
Everything runs in Docker. I installed Camunda 8 version 8.5.0.
When I enter Identity (camunda-platform) I cannot modify or delete anything because I get this error message,
for example:
https://domain/api/clients
Request Method: POST
Status Code: 403 Forbidden (from service worker)
Invalid CORS request

But it seems that all GET requests work and get a 200 OK answer.
On the local development server it works perfectly without any issues.
I use the default demo user. If I add or remove a permission in Keycloak on the camunda-platform client, then I see the changes on the Identity admin page.

Please help me. Thank you!

services:

  zeebe:
    image: camunda/zeebe:8.5.0
    container_name: zeebe
    ports:
      - "26500:26500"
      - "9600:9600"
    expose:
      - "26500:26500"
      - "9600:9600"
    environment:
      - ZEEBE_BROKER_GATEWAY_SECURITY_AUTHENTICATION_MODE=identity
      - ZEEBE_BROKER_GATEWAY_SECURITY_AUTHENTICATION_IDENTITY_ISSUERBACKENDURL=http://keycloak:8080/auth/realms/camunda-platform
      - ZEEBE_BROKER_GATEWAY_SECURITY_AUTHENTICATION_IDENTITY_AUDIENCE=zeebe-api
      - ZEEBE_BROKER_GATEWAY_SECURITY_AUTHENTICATION_IDENTITY_BASEURL=http://identity:8084
      - ZEEBE_BROKER_GATEWAY_MULTITENANCY_ENABLED=false
      - ZEEBE_BROKER_EXPORTERS_ELASTICSEARCH_CLASSNAME=io.camunda.zeebe.exporter.ElasticsearchExporter
      - ZEEBE_BROKER_EXPORTERS_ELASTICSEARCH_ARGS_URL=http://elasticsearch:9200
      - ZEEBE_BROKER_EXPORTERS_ELASTICSEARCH_ARGS_BULK_SIZE=1
      - ZEEBE_BROKER_DATA_DISKUSAGECOMMANDWATERMARK=0.998
      - ZEEBE_BROKER_DATA_DISKUSAGEREPLICATIONWATERMARK=0.999
      - ZEEBE_LOG_LEVEL=debug
      - "JAVA_TOOL_OPTIONS=-Xms512m -Xmx512m"
    restart: always
    healthcheck:
      test: [ "CMD-SHELL", "timeout 10s bash -c ':> /dev/tcp/127.0.0.1/9600' || exit 1" ]
      interval: 30s
      timeout: 5s
      retries: 5
      start_period: 30s
    volumes:
      - zeebe:/usr/local/zeebe/data
    networks:
      - interswarm
    depends_on:
      - elasticsearch
      - identity

  operate:
    image: camunda/operate:8.5.0
    container_name: operate
    ports:
      - "8081:8080"
    environment:
      - CAMUNDA_OPERATE_ZEEBE_GATEWAYADDRESS=zeebe:26500
      - ZEEBE_CLIENT_ID=zeebe
      - ZEEBE_CLIENT_SECRET=zeebe
      - ZEEBE_TOKEN_AUDIENCE=zeebe-api
      - ZEEBE_AUTHORIZATION_SERVER_URL=http://keycloak:8080/auth/realms/camunda-platform/protocol/openid-connect/token
      - CAMUNDA_OPERATE_ELASTICSEARCH_URL=http://elasticsearch:9200
      - CAMUNDA_OPERATE_ZEEBEELASTICSEARCH_URL=http://elasticsearch:9200
      - SPRING_PROFILES_ACTIVE=identity-auth
      - CAMUNDA_OPERATE_IDENTITY_BASEURL=http://identity:8084
      - CAMUNDA_OPERATE_IDENTITY_ISSUER_URL=http://readylocal:8080/auth/realms/camunda-platform
      - CAMUNDA_OPERATE_IDENTITY_ISSUER_BACKEND_URL=http://keycloak:8080/auth/realms/camunda-platform
      - CAMUNDA_OPERATE_IDENTITY_CLIENTID=operate
      - CAMUNDA_OPERATE_IDENTITY_CLIENTSECRET=fETczEXF7Uuk3QMkt4y36KLEcvIkngV8
      - CAMUNDA_OPERATE_IDENTITY_AUDIENCE=operate-api
      - CAMUNDA_OPERATE_MULTITENANCY_ENABLED=false
      - SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUER_URI=http://keycloak:8080/auth/realms/camunda-platform
      - SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_JWK_SET_URI=http://keycloak:8080/auth/realms/camunda-platform/protocol/openid-connect/certs
      - CAMUNDA_OPERATE_IDENTITY_RESOURCEPERMISSIONSENABLED=false
      - management.endpoints.web.exposure.include=health
      - management.endpoint.health.probes.enabled=true
      - ZEEBE_CLIENT_CONFIG_PATH=/tmp/zeebe_auth_cache
    healthcheck:
      test: [ "CMD-SHELL", "wget -O - -q 'http://localhost:8080/actuator/health/readiness'" ]
      interval: 30s
      timeout: 1s
      retries: 5
      start_period: 30s
    volumes:
      - operate_tmp:/tmp
    networks:
      - interswarm
    depends_on:
      - zeebe
      - identity
      - elasticsearch

  tasklist:
    image: camunda/tasklist:8.5.0
    container_name: tasklist
    ports:
      - "8082:8080"
    environment:
      - CAMUNDA_TASKLIST_ZEEBE_GATEWAYADDRESS=zeebe:26500
      - ZEEBE_CLIENT_ID=zeebe
      - ZEEBE_CLIENT_SECRET=zeebe
      - ZEEBE_CLIENT_CONFIG_PATH=/tmp/zeebe_auth_cache
      - ZEEBE_TOKEN_AUDIENCE=zeebe-api
      - ZEEBE_AUTHORIZATION_SERVER_URL=http://keycloak:8080/auth/realms/camunda-platform/protocol/openid-connect/token
      - CAMUNDA_TASKLIST_ELASTICSEARCH_URL=http://elasticsearch:9200
      - CAMUNDA_TASKLIST_ZEEBEELASTICSEARCH_URL=http://elasticsearch:9200
      - SPRING_PROFILES_ACTIVE=identity-auth
      - CAMUNDA_TASKLIST_IDENTITY_BASEURL=http://identity:8084
      - CAMUNDA_TASKLIST_IDENTITY_ISSUER_URL=http://readylocal:8080/auth/realms/camunda-platform
      - CAMUNDA_TASKLIST_IDENTITY_ISSUER_BACKEND_URL=http://keycloak:8080/auth/realms/camunda-platform
      - CAMUNDA_TASKLIST_IDENTITY_CLIENTID=tasklist
      - CAMUNDA_TASKLIST_IDENTITY_CLIENTSECRET=fETczEXF7Uuk3QMkt4y36KLEcvIkngV8
      - CAMUNDA_TASKLIST_IDENTITY_AUDIENCE=tasklist-api
      - CAMUNDA_TASKLIST_MULTITENANCY_ENABLED=false
      - SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUER_URI=http://readylocal:8080/auth/realms/camunda-platform
      - SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_JWK_SET_URI=http://readylocal:8080/auth/realms/camunda-platform/protocol/openid-connect/certs
      - CAMUNDA_TASKLIST_IDENTITY_RESOURCE_PERMISSIONS_ENABLED=false
      - management.endpoints.web.exposure.include=health
      - management.endpoint.health.probes.enabled=true
    healthcheck:
      test: [ "CMD-SHELL", "wget -O - -q 'http://localhost:8080/actuator/health/readiness'" ]
      interval: 30s
      timeout: 1s
      retries: 5
      start_period: 30s
    volumes:
      - tasklist_tmp:/tmp
    networks:
      - interswarm
    depends_on:
      zeebe:
        condition: service_started
      elasticsearch:
        condition: service_healthy
      identity:
        condition: service_healthy

  connectors:
    image: camunda/connectors-bundle:8.5.0
    container_name: connectors
    ports:
      - "8085:8080"
    environment:
      - ZEEBE_CLIENT_BROKER_GATEWAY-ADDRESS=zeebe:26500
      - ZEEBE_CLIENT_SECURITY_PLAINTEXT=true
      - ZEEBE_CLIENT_ID=zeebe
      - ZEEBE_CLIENT_SECRET=zeebe
      - ZEEBE_CLIENT_CONFIG_PATH=/tmp/zeebe_auth_cache
      - ZEEBE_TOKEN_AUDIENCE=zeebe-api
      - ZEEBE_AUTHORIZATION_SERVER_URL=http://keycloak:8080/auth/realms/camunda-platform/protocol/openid-connect/token
      - CAMUNDA_OPERATE_CLIENT_URL=http://operate:8080
      - CAMUNDA_OPERATE_CLIENT_CLIENT-ID=operate
      - CAMUNDA_OPERATE_CLIENT_CLIENT-SECRET=fETczEXF7Uuk3QMkt4y36KLEcvIkngV8
      - CAMUNDA_IDENTITY_BASE_URL=http://identity:8084
      - CAMUNDA_IDENTITY_ISSUER=http://readylocal:8080/auth/realms/camunda-platform
      - CAMUNDA_IDENTITY_ISSUER_BACKEND_URL=http://keycloak:8080/auth/realms/camunda-platform
      - CAMUNDA_IDENTITY_CLIENT_ID=connectors
      - CAMUNDA_IDENTITY_CLIENT_SECRET=fETczEXF7Uuk3QMkt4y36KLEcvIkngV8
      - CAMUNDA_IDENTITY_TYPE=KEYCLOAK
      - CAMUNDA_IDENTITY_AUDIENCE=connectors
      - management.endpoints.web.exposure.include=health
      - management.endpoint.health.probes.enabled=true
      - "JAVA_TOOL_OPTIONS=-Dlogging.level.io.camunda.zeebe.client.impl.ZeebeCallCredentials=ERROR"
    env_file: connector-secrets.txt
    healthcheck:
      test: [ "CMD-SHELL", "curl -f http://localhost:8080/actuator/health/readiness" ]
      interval: 30s
      timeout: 1s
      retries: 5
      start_period: 30s
    networks:
      - interswarm
    depends_on:
      - zeebe
      - operate
      - identity

  optimize:
    image: camunda/optimize:8.5.0
    container_name: optimize
    ports:
      - "8086:8090"
    environment:
      - OPTIMIZE_ELASTICSEARCH_HOST=elasticsearch
      - OPTIMIZE_ELASTICSEARCH_HTTP_PORT=9200
      - SPRING_PROFILES_ACTIVE=ccsm
      - CAMUNDA_OPTIMIZE_ZEEBE_ENABLED=true
      - CAMUNDA_OPTIMIZE_ENTERPRISE=false
      - CAMUNDA_OPTIMIZE_IDENTITY_ISSUER_URL=http://readylocal:8080/auth/realms/camunda-platform
      - CAMUNDA_OPTIMIZE_IDENTITY_ISSUER_BACKEND_URL=http://keycloak:8080/auth/realms/camunda-platform
      - CAMUNDA_OPTIMIZE_IDENTITY_CLIENTID=optimize
      - CAMUNDA_OPTIMIZE_IDENTITY_CLIENTSECRET=fETczEXF7Uuk3QMkt4y36KLEcvIkngV8
      - CAMUNDA_OPTIMIZE_IDENTITY_AUDIENCE=optimize-api
      - CAMUNDA_OPTIMIZE_IDENTITY_BASE_URL=http://identity:8084
      - CAMUNDA_OPTIMIZE_MULTITENANCY_ENABLED=false
      - CAMUNDA_OPTIMIZE_SECURITY_AUTH_COOKIE_SAME_SITE_ENABLED=false
      - CAMUNDA_OPTIMIZE_UI_LOGOUT_HIDDEN=true
      - management.endpoints.web.exposure.include=health
      - management.endpoint.health.probes.enabled=true
    healthcheck:
      test: [ "CMD-SHELL", "curl -f http://localhost:8090/api/readyz" ]
      interval: 30s
      timeout: 1s
      retries: 5
      start_period: 30s
    volumes:
      - "./.optimize/environment-config.yaml:/optimize/config/environment-config.yaml"
    restart: on-failure
    networks:
      - interswarm
    depends_on:
      - identity
      - elasticsearch

  identity:
    container_name: identity
    image: camunda/identity:8.5.0
    ports:
      - "8084:8084"
    expose:
      - "8084:8084"
    environment:
      SERVER_PORT: 8084
      IDENTITY_RETRY_DELAY_SECONDS: 30
      KEYCLOAK_URL: http://readylocal:8080/auth
      IDENTITY_AUTH_PROVIDER_BACKEND_URL: http://keycloak:8080/auth/realms/camunda-platform
      IDENTITY_AUTH_PROVIDER_ISSUER_URL: http://readylocal:8080/auth/realms/camunda-platform
      KEYCLOAK_INIT_OPERATE_SECRET: fETczEXF7Uuk3QMkt4y36KLEcvIkngV8
      KEYCLOAK_INIT_OPERATE_ROOT_URL: http://localhost:8081
      KEYCLOAK_INIT_TASKLIST_SECRET: fETczEXF7Uuk3QMkt4y36KLEcvIkngV8
      KEYCLOAK_INIT_TASKLIST_ROOT_URL: http://localhost:8082
      KEYCLOAK_INIT_OPTIMIZE_SECRET: fETczEXF7Uuk3QMkt4y36KLEcvIkngV8
      KEYCLOAK_INIT_OPTIMIZE_ROOT_URL: http://localhost:8083
      KEYCLOAK_INIT_CONNECTORS_SECRET: fETczEXF7Uuk3QMkt4y36KLEcvIkngV8
      KEYCLOAK_INIT_CONNECTORS_ROOT_URL: http://localhost:8085
      KEYCLOAK_INIT_ZEEBE_NAME: zeebe
      KEYCLOAK_USERS_0_USERNAME: demo
      KEYCLOAK_USERS_0_PASSWORD: demo
      KEYCLOAK_USERS_0_FIRST_NAME: demo
      KEYCLOAK_USERS_0_EMAIL: demo@demo.hu
      KEYCLOAK_USERS_0_ROLES_0: Identity
      KEYCLOAK_USERS_0_ROLES_1: Optimize
      KEYCLOAK_USERS_0_ROLES_2: Operate
      KEYCLOAK_USERS_0_ROLES_3: Tasklist
      KEYCLOAK_SETUP_USER: voszportadmin
      KEYCLOAK_SETUP_PASSWORD: reparetekmogyoro
      IDENTITY_URL: http://localhost:8084
      IDENTITY_LOG_LEVEL: TRACE
      # IDENTITY_CLIENT_ID: camunda-identity
      # IDENTITY_CLIENT_SECRET: y0uVq8FKYj3HKVs24mfDRy014d7JUWOE
      # KEYCLOAK_REALM: camunda-platform
      KEYCLOAK_CLIENTS_0_NAME: zeebe
      KEYCLOAK_CLIENTS_0_ID: zeebe
      KEYCLOAK_CLIENTS_0_SECRET: zeebe
      KEYCLOAK_CLIENTS_0_TYPE: M2M
      KEYCLOAK_CLIENTS_0_PERMISSIONS_0_RESOURCE_SERVER_ID: zeebe-api
      KEYCLOAK_CLIENTS_0_PERMISSIONS_0_DEFINITION: write:*
      MULTITENANCY_ENABLED: false
      RESOURCE_PERMISSIONS_ENABLED: false
    healthcheck:
      test: [ "CMD", "wget", "-q", "--tries=1", "--spider", "http://localhost:8082/actuator/health" ]
      interval: 5s
      timeout: 15s
      retries: 30
      start_period: 60s
    restart: on-failure
    networks:
      - interswarm

  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:8.12.1
    container_name: elasticsearch
    ports:
      - "9200:9200"
      - "9300:9300"
    environment:
      - bootstrap.memory_lock=true
      - discovery.type=single-node
      - xpack.security.enabled=false
      # allow running with low disk space
      - cluster.routing.allocation.disk.threshold_enabled=false
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    restart: always
    healthcheck:
      test: [ "CMD-SHELL", "curl -f http://localhost:9200/_cat/health | grep -q green" ]
      interval: 30s
      timeout: 5s
      retries: 3
    volumes:
      - elastic:/usr/share/elasticsearch/data
    networks:
      - interswarm

volumes:
  zeebe:
  elastic:
  operate_tmp:
  tasklist_tmp:

networks:
  interswarm:
    name: interswarm
    external: true

Keycloak:

Hi @Zoltan_Karolyi - apologies for a late reply, I was on holiday for a short time. I am not a Docker networking expert, but I’m confused why you have both readylocal and keycloak used as hosts for Identity and/or Keycloak. That would be the first thing I would investigate. A domain name mismatch could lead to CORS errors.

      IDENTITY_AUTH_PROVIDER_BACKEND_URL: http://keycloak:8080/auth/realms/camunda-platform
      IDENTITY_AUTH_PROVIDER_ISSUER_URL: http://readylocal:8080/auth/realms/camunda-platform
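A small consistency check for the host mismatch Nathan points at, as an added example that is not part of the thread or of Camunda's own tooling. It parses compose-style KEY=value environment lines (a constructed excerpt of the file above), separates browser-facing issuer URLs from container-internal *_BACKEND_URL / JWK_SET_URI ones, and reports every service whose browser-facing host differs from the one the browser actually reaches Keycloak at (assumed here to be readylocal:8080) or whose *_ROOT_URL only resolves on the Docker host itself.

```python
from urllib.parse import urlparse

# Constructed excerpt of the compose file from the thread: service -> "KEY=value" lines.
COMPOSE_ENV = {
    "operate": [
        "CAMUNDA_OPERATE_IDENTITY_ISSUER_URL=http://readylocal:8080/auth/realms/camunda-platform",
        "CAMUNDA_OPERATE_IDENTITY_ISSUER_BACKEND_URL=http://keycloak:8080/auth/realms/camunda-platform",
        "SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUER_URI=http://keycloak:8080/auth/realms/camunda-platform",
    ],
    "tasklist": [
        "CAMUNDA_TASKLIST_IDENTITY_ISSUER_URL=http://readylocal:8080/auth/realms/camunda-platform",
        "SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUER_URI=http://readylocal:8080/auth/realms/camunda-platform",
    ],
    "identity": [
        "KEYCLOAK_URL=http://readylocal:8080/auth",
        "IDENTITY_AUTH_PROVIDER_ISSUER_URL=http://readylocal:8080/auth/realms/camunda-platform",
        "KEYCLOAK_INIT_OPERATE_ROOT_URL=http://localhost:8081",
    ],
}

# Variable suffixes whose URL the browser must reach or that must equal the token's
# "iss" claim. *_BACKEND_URL and JWK_SET_URI are container-internal and are left
# alone on purpose: they may legitimately use the Docker service name.
BROWSER_FACING = ("ISSUER_URL", "JWT_ISSUER_URI", "KEYCLOAK_URL", "CAMUNDA_IDENTITY_ISSUER")

def browser_facing_hosts(env_lines):
    """Map each browser-facing or *_ROOT_URL variable to the host[:port] of its URL."""
    hosts = {}
    for line in env_lines:
        key, _, value = line.partition("=")
        if key.endswith(BROWSER_FACING) or key.endswith("_ROOT_URL"):
            hosts[key] = urlparse(value).netloc
    return hosts

def find_mismatches(compose_env, keycloak_public_host):
    """Return human-readable findings; an empty list means the hosts are consistent."""
    findings = []
    for service, env_lines in compose_env.items():
        issuer_hosts = set()
        for key, host in browser_facing_hosts(env_lines).items():
            if key.endswith("_ROOT_URL"):
                # Root URLs feed the Keycloak client's redirect URIs / web origins.
                if host.split(":")[0] in ("localhost", "127.0.0.1"):
                    findings.append(f"{service}: {key}={host} only reachable from the docker host itself")
            else:
                issuer_hosts.add(host)
                if host != keycloak_public_host:
                    findings.append(f"{service}: {key} uses {host}, expected {keycloak_public_host}")
        if len(issuer_hosts) > 1:
            findings.append(f"{service}: mixed issuer hosts {sorted(issuer_hosts)}")
    return findings
```

Run against the excerpt it flags Operate's JWT issuer URI, Operate's mixed hosts and the localhost root URL in Identity, while Tasklist passes.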