Why does Identity redirect to the wrong URL?

Hi, I deployed Camunda 8 on self-managed k8s with values like below:

global:
   ingress:
      enabled: false
   identity:
      keycloak:
         internal: true
         url:
            protocol: "http"
            host: "keycloak.security.svc.cluster.local"
            port: "80"
            # defines the endpoint of Keycloak which varies between Keycloak versions.
            ## @param global.identity.keycloak.contextPath In Keycloak v16.x.x it's hard-coded as '/auth', but in v19.x.x it's '/'.
         contextPath: "/"
         ## @param global.identity.keycloak.realm defines Keycloak realm path used for Camunda.
         realm: "/realms/itps"
            ## @param global.identity.keycloak.auth same as "identity.keycloak.auth" but it's used for existing Keycloak.
         auth:
            adminUser: user
            existingSecret: "keycloak" # Can this be supported if it is not in the same namespace?
            existingSecretKey: "admin-password"
      auth:
         publicIssuerUrl: "https://keycloak.itps.xxx.com/realms/itps"
         operate:
            redirectUrl: "https://camunda.itps.xxx.com/operate"
         tasklist:
            redirectUrl: "https://camunda.itps.xxx.com/tasklist"
         optimize:
            redirectUrl: "https://camunda.itps.xxx.com/optimize"

identity:
   contextPath: "/identity"
   keycloak:
      enabled: false
   env:
   -  name: IDENTITY_LOG_LEVEL
      value: "DEBUG"
   -  name: KEYCLOAK_REALM
      value: "itps"
   -  name: IDENTITY_CLIENT_SECRET
      value: "nqQjKlcp4d9Z0igQStsdoLwDOCQO9AuL"
   -  name: IDENTITY_URL
      value: "https://camunda.itps.xxx.com"
   -  name: IDENTITY_BASE_PATH
      value: "/identity"
      
operate:
   contextPath: "/operate"
   
tasklist:
   contextPath: "/tasklist"
   
optimize:
   contextPath: "/optimize"

The service was exposed using Istio's VirtualService instead of ingress.

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: zeebe-vs
spec:
  hosts:
  - "camunda.itps.xxx.com"
  gateways:
  - istio-system/default-gateway
  http:
  - match:
    - uri:
        exact: "/"
    route:
    - destination:
        port:
          number: 26500
        host: camunda-platform-zeebe-gateway
  - match:
    - uri:
        prefix: "/identity"
    route:
    - destination:
        port:
          number: 80
        host: camunda-platform-identity
  - match:
    - uri:
        prefix: "/operate"
    route:
    - destination:
        port:
          number: 80
        host: camunda-platform-operate
  - match:
    - uri:
        prefix: "/optimize"
    route:
    - destination:
        port:
          number: 80
        host: camunda-platform-optimize
  - match:
    - uri:
        prefix: "/tasklist"
    route:
    - destination:
        port:
          number: 80
        host: camunda-platform-tasklist

I can access Operate, but when trying to access Identity, it redirects me to

https://camunda.itps.xxx.com/auth/login

Why is this happening?

effective identity pod ENV:

IDENTITY_AUTH_PROVIDER_BACKEND_URL : http://keycloak.security.svc.cluster.local:80//realms/itps
IDENTITY_AUTH_PROVIDER_ISSUER_URL : https://keycloak.itps.xxx.com/realms/itps
IDENTITY_BASE_PATH : /identity
IDENTITY_BASE_PATH : /identity
IDENTITY_CLIENT_SECRET : nqQjKlcp4d9Z0igQStsdoLwDOCQO9AuL
IDENTITY_LOG_LEVEL : DEBUG
IDENTITY_URL : https://camunda.itps.xxx.com
KEYCLOAK_CLIENTS_0_ID : connectors
KEYCLOAK_CLIENTS_0_NAME : Connectors
KEYCLOAK_CLIENTS_0_PERMISSIONS_0_DEFINITION : read:*
KEYCLOAK_CLIENTS_0_PERMISSIONS_0_RESOURCE_SERVER_ID : operate-api
KEYCLOAK_CLIENTS_0_REDIRECT_URIS_0 : /
KEYCLOAK_CLIENTS_0_ROOT_URL : http://placeholder
KEYCLOAK_CLIENTS_0_SECRET : secret(camunda-platform-connectors-identity-secret)[connectors-secret] 
KEYCLOAK_CLIENTS_1_ID : zeebe
KEYCLOAK_CLIENTS_1_NAME : Zeebe
KEYCLOAK_CLIENTS_1_PERMISSIONS_0_DEFINITION : write:*
KEYCLOAK_CLIENTS_1_PERMISSIONS_0_RESOURCE_SERVER_ID : zeebe-api
KEYCLOAK_CLIENTS_1_SECRET : secret(camunda-platform-zeebe-identity-secret)[zeebe-secret] 
KEYCLOAK_CLIENTS_1_TYPE : M2M
KEYCLOAK_INIT_CONSOLE_ROOT_URL : http://localhost:8080
KEYCLOAK_INIT_CONSOLE_SECRET : secret(camunda-platform-console-identity-secret)[console-secret] 
KEYCLOAK_INIT_OPERATE_ROOT_URL : https://camunda.itps.xxx.com/operate
KEYCLOAK_INIT_OPERATE_SECRET : secret(camunda-platform-operate-identity-secret)[operate-secret] 
KEYCLOAK_INIT_OPTIMIZE_ROOT_URL : https://camunda.itps.xxx.com/optimize
KEYCLOAK_INIT_OPTIMIZE_SECRET : secret(camunda-platform-optimize-identity-secret)[optimize-secret] 
KEYCLOAK_INIT_TASKLIST_ROOT_URL : https://camunda.itps.xxx.com/tasklist
KEYCLOAK_INIT_TASKLIST_SECRET : secret(camunda-platform-tasklist-identity-secret)[tasklist-secret] 
KEYCLOAK_INIT_WEBMODELER_ROOT_URL : http://localhost:8084
KEYCLOAK_INIT_ZEEBE_NAME : Zeebe
KEYCLOAK_REALM : itps
KEYCLOAK_SETUP_PASSWORD : secret(keycloak)[admin-password] 
KEYCLOAK_SETUP_USER : user
KEYCLOAK_URL : http://keycloak.security.svc.cluster.local:80/
KEYCLOAK_USERS_0_EMAIL : demo@example.org
KEYCLOAK_USERS_0_FIRST_NAME : Demo
KEYCLOAK_USERS_0_LAST_NAME : User
KEYCLOAK_USERS_0_PASSWORD : demo
KEYCLOAK_USERS_0_ROLES_0 : Identity
KEYCLOAK_USERS_0_ROLES_1 : Operate
KEYCLOAK_USERS_0_ROLES_2 : Tasklist
KEYCLOAK_USERS_0_ROLES_3 : Optimize
KEYCLOAK_USERS_0_ROLES_4 : Web Modeler
KEYCLOAK_USERS_0_USERNAME : demo
SERVER_PORT : 8080

The fullURL in chart values becomes IDENTITY_URL.
The contextPath in chart values becomes IDENTITY_BASE_PATH.

And fullURL should contain contextPath if Identity is exposed under a subpath.

For example:

If Identity is at https://camunda.xxx.com/identity
fullURL should be https://camunda.xxx.com/identity
contextPath should be /identity
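
A check for the rule stated above, added here as an example (not part of the original posts and not Camunda's code): it reads an env listing in the `NAME : value` layout shown earlier and reports when the path of IDENTITY_URL differs from IDENTITY_BASE_PATH. The function names and the sample input are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample in the "NAME : value" layout of the env listing above.
SAMPLE_ENV = """\
IDENTITY_BASE_PATH : /identity
IDENTITY_URL : https://camunda.itps.xxx.com
"""


def parse_env_dump(text):
    """Parse 'NAME : value' lines into a dict; a later duplicate wins."""
    env = {}
    for line in text.splitlines():
        name, sep, value = line.partition(" : ")
        if sep and name.strip():
            env[name.strip()] = value.strip()
    return env


def _norm(path):
    """Normalise a URL path: one leading slash, no trailing slash, root -> ''."""
    path = "/" + path.strip("/")
    return "" if path == "/" else path


def check_identity_url(env):
    """Return a list of findings; an empty list means URL and base path agree."""
    url = env.get("IDENTITY_URL", "")
    base = _norm(env.get("IDENTITY_BASE_PATH", ""))
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return [f"IDENTITY_URL is not an absolute http(s) URL: {url!r}"]
    actual = _norm(parts.path)
    if actual != base:
        expected = f"{parts.scheme}://{parts.netloc}{base}"
        return [
            f"IDENTITY_URL path {actual or '/'!r} does not match "
            f"IDENTITY_BASE_PATH {base or '/'!r}; expected {expected}"
        ]
    return []


if __name__ == "__main__":
    for finding in check_identity_url(parse_env_dump(SAMPLE_ENV)):
        print("MISMATCH:", finding)
```
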
