camunda-community-hub / camunda-platform-7-keycloak

Camunda Keycloak Identity Provider Plugin
Apache License 2.0

TomCat configuration engine-rest api #108

Closed JosephVasc closed 1 year ago

JosephVasc commented 2 years ago

My team and I have been developing a front end to run Camunda rest api tasks through. I have setup the keycloak plugin and know I need to modify the authentication filter to accept a token from the front end (in the api call header) to process the request. I have added the following to /camunda/webapps/engine-rest/WEB-INF/web.xml

<!-- KeyCloak OpenID Connect Filter
  <filter>
    <filter-name>KeyCloak OpenID Connect Filter</filter-name>
    <filter-class>org.keycloak.adapters.servlet.KeycloakOIDCFilter</filter-class>
    <async-supported>true</async-supported>
    <init-param>
      <param-name>keycloak.config.file</param-name>
      <param-value>/camunda/config/keycloak.json</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>KeyCloak OpenID Connect Filter</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
  </filter-mapping> -->

<!-- Camunda Keycloak Authentication Filter
  <filter>
    <filter-name>camunda-auth</filter-name>
    <filter-class>org.camunda.community.auth.keycloak.filter.KeycloakAuthenticationFilter</filter-class>
    <async-supported>true</async-supported>
  </filter>
  <filter-mapping>
    <filter-name>camunda-auth</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
  </filter-mapping> -->

keycloak.json

{
  "realm": "camunda-id",
  "auth-server-url": "project-flow_jboss.keycloak_1:8080/auth/",
  "ssl-required": "none",
  "resource": "camunda-identity-service",
  "credentials": {
    "secret": "**********"
  },
  "confidential-port": 0
}

I have also installed the camunda-bpm-auth-keycloak-sso-1.3.jar into the lib folder.

Also note I am using two different clients here (same realm). The engine is connected (and properly sharing an identity server) with one client (camunda-identity-service) and the front end is authenticating through another client (camunda-web-app).

I was wondering if I am missing something in config that will allow us to pass a keycloak token from the react app to authorize requests.

VonDerBeck commented 2 years ago

Hi @JosephVasc, as far as I can see, your question addresses a different project: camunda-bpm-auth-keycloak-sso. This project here provides the underlying Camunda Readonly Identity Provider, but not SSO for standalone Tomcat. So your question belongs to the Tomcat integration project. Sorry.

Personally I understand what you are trying to achieve. But honestly: why do you make it so difficult for yourselves? Setting up your own Camunda Spring Boot instance is quite easy and would give you the flexibility to use just everything out of the well prepared Spring Boot world and adapt that to your own needs. And then you only need to add a small piece of code playing the bridge between Spring Boot Security and Camunda. See e.g. https://github.com/camunda-community-hub/camunda-platform-7-keycloak/tree/master/examples/sso-kubernetes/src/main/java/org/camunda/bpm/extension/keycloak/showcase/rest. Especially the KeycloakAuthenticationFilter is of interest.

Hope that helps.
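The "small piece of code playing the bridge between Spring Boot Security and Camunda" that the previous comment refers to, as an added illustration: this is not the project's own showcase filter and not code from the thread. It assumes a Spring Boot 3 application (Jakarta servlet namespace; on Spring Boot 2 the imports are `javax.servlet.*`) in which Spring Security has already validated the caller's Keycloak token before this filter runs. The package name, class names and the `/engine-rest/*` URL pattern are assumptions chosen for the example.

```java
package org.example.camunda.security; // hypothetical package, not the project's

import java.io.IOException;
import java.util.List;
import java.util.stream.Collectors;

import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;

import org.camunda.bpm.engine.IdentityService;
import org.camunda.bpm.engine.identity.Group;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

/**
 * Bridge between Spring Security and the Camunda engine. Spring Security decides
 * whether the bearer token is valid; this filter only tells the engine who the
 * validated caller is, so Camunda's own authorization checks apply to the REST call.
 */
public class SpringSecurityCamundaBridgeFilter implements Filter {

    private final IdentityService identityService;

    public SpringSecurityCamundaBridgeFilter(IdentityService identityService) {
        this.identityService = identityService;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()) {
            // No validated principal: leave the engine unauthenticated. Whether the
            // request reaches the REST API at all is Spring Security's decision.
            chain.doFilter(request, response);
            return;
        }
        // Must be the same identifier the Keycloak identity provider plugin exposes
        // to the engine as the Camunda user id (see usage note below).
        String userId = auth.getName();
        // Resolve group membership through the engine's identity provider so that
        // group-based Camunda authorizations take effect for this caller.
        List<String> groupIds = identityService.createGroupQuery()
                .groupMember(userId)
                .list()
                .stream()
                .map(Group::getId)
                .collect(Collectors.toList());
        try {
            identityService.setAuthentication(userId, groupIds);
            chain.doFilter(request, response);
        } finally {
            // The engine keeps the authentication in a thread-local and servlet
            // threads are reused, so always clear it, even when the call throws.
            identityService.clearAuthentication();
        }
    }
}

/** Registers the bridge behind Spring Security's filter chain for the REST API only. */
@Configuration
class CamundaBridgeFilterConfig {

    @Bean
    public FilterRegistrationBean<SpringSecurityCamundaBridgeFilter> camundaBridgeFilter(
            IdentityService identityService) {
        FilterRegistrationBean<SpringSecurityCamundaBridgeFilter> registration =
                new FilterRegistrationBean<>(new SpringSecurityCamundaBridgeFilter(identityService));
        registration.addUrlPatterns("/engine-rest/*"); // assumed REST context path
        // Lowest precedence: run after Spring Security has populated the SecurityContext.
        registration.setOrder(Ordered.LOWEST_PRECEDENCE);
        return registration;
    }
}
```

Two points decide whether this works in practice. First, `auth.getName()` returns whichever claim the Spring Security resource-server configuration maps to the principal name (for a JWT this is the `sub` claim unless configured otherwise), and that value has to agree with the user id the identity provider plugin reports to the engine, otherwise the group query returns nothing and every authorization check fails closed. Second, the filter never inspects the token itself; token validation (signature, issuer, audience, expiry) stays in Spring Security, which is the reason to run the bridge strictly after the security filter chain.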

JosephVasc commented 2 years ago

Thank you for the reply @VonDerBeck

With the SSO issues I'm having with Tomcat I'm going to give the Spring Boot version a shot. Is the Dockerfile in sso-kubernetes the container I need? Or is there an image on Docker Hub?

Thanks.

VonDerBeck commented 1 year ago

Hi @JosephVasc,

sorry for coming back to you so late. When talking about Spring Boot with Camunda 7 - in case you have special environment requirements and integrations, the best way in most cases is to set up your own Spring Boot project and build it for yourself. The sso-kubernetes example is such a basic example showcasing the integration.

VonDerBeck commented 1 year ago

No further info; since the question concerns another project, I am closing this issue now.