camunda-community-hub / camunda-platform-7-keycloak

Camunda Keycloak Identity Provider Plugin
Apache License 2.0

Always got 403 at Camunda startup #22

Closed FlowsenAusMonotown closed 4 years ago

FlowsenAusMonotown commented 4 years ago

Hi,

I'm not able to use your plugin. At startup of my application I get the following exception:

Caused by: org.springframework.web.client.HttpClientErrorException$Forbidden: 403 Forbidden
    at org.springframework.web.client.HttpClientErrorException.create(HttpClientErrorException.java:83) ~[spring-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
    at org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:123) ~[spring-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
    at org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:102) ~[spring-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
    at org.springframework.web.client.ResponseErrorHandler.handleError(ResponseErrorHandler.java:63) ~[spring-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
    at org.springframework.web.client.RestTemplate.handleResponse(RestTemplate.java:785) ~[spring-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
    at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:743) ~[spring-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
    at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:677) ~[spring-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
    at org.springframework.web.client.RestTemplate.exchange(RestTemplate.java:586) ~[spring-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
    at org.camunda.bpm.extension.keycloak.KeycloakIdentityProviderSession.getKeycloakAdminGroupId(KeycloakIdentityProviderSession.java:1043) ~[camunda-bpm-identity-keycloak-1.5.0.jar:1.5.0]
    ... 38 common frames omitted

I have an existing Keycloak server and added a new client and the admin group in my realm with all the settings from the documentation. It seems that the login succeeds but the request for the admin group fails.

Is there something to change in Keycloak that is missing from the documentation?

Best regards

rfelgent commented 4 years ago

Same here. I don't see what I am missing. Is the documentation up-to-date?

rfelgent commented 4 years ago

Sorry, my mistake. I created new roles like 'query-groups', 'query-users' and 'view-users' within client 'camunda-identity-service' rather than re-using them from client 'master-realm'.

Re-use the mentioned roles and configure them in the box 'assigned client roles' inside the tab 'Service Account Roles' of client 'camunda-identity-service' as described in the docs.

VonDerBeck commented 4 years ago

Hi @FlowsenAusMonotown, this is very likely a setup error where you made a small mistake you don't see yourself. Do you have a) the application.yaml config on the Camunda side and b) the setup of your identity service?

FlowsenAusMonotown commented 4 years ago

Hi @VonDerBeck, this issue is solved by the comment of @rfelgent. I had also created the roles in the client instead of using "realm-management". Now it is working.

VonDerBeck commented 4 years ago

Hi @FlowsenAusMonotown, great to hear that you were successful :-)

FlowsenAusMonotown commented 4 years ago

@VonDerBeck The next issue I have is that I now can't login. Which user do I have to use? I thought I could use any Keycloak user to sign in, can't I?

VonDerBeck commented 4 years ago

First of all I recommend creating an admin user in Keycloak and configuring a corresponding admin group. This admin group then goes into your Keycloak Identity Provider Configuration. Afterwards you can log in with this admin. Then go to Camunda Admin -> Authorizations and create access rights for Cockpit, Tasklist etc. for other groups and users. Don't forget authorizations for processes etc. This has nothing to do with Keycloak, it would be the same if you used the LDAP Identity Provider.

FlowsenAusMonotown commented 4 years ago

So I have to start without the Keycloak plugin -> create the admin user, start with the Keycloak plugin -> login with the admin -> give access rights via the admin web UI?

VonDerBeck commented 4 years ago

  1. Just set up your Keycloak server. Prepare at least a single admin user belonging to an admin group.
  2. Configure the Keycloak Identity Provider accordingly (with the admin group).
  3. Start up Camunda - upon first startup it will automatically create all required authorizations for your admin group.
  4. Login with the admin user.
  5. Create other authorizations for non admin groups in case they are required, e.g. authorizations for a ReadOnly group, ...

FlowsenAusMonotown commented 4 years ago

I already have a Keycloak instance running (also for other apps). There is an existing admin user. I use this user to manage Keycloak. The user belongs to no groups but has the assigned role "admin". This user is in the user list of the master realm, not in the created realm. Do I have to put this user into the "camunda-admin" group? What do you mean with no. 2? My IdentityProvider looks as follows:

@Component
@ConfigurationProperties(prefix="plugin.identity.keycloak")
public class KeycloakIdentityProvider extends KeycloakIdentityProviderPlugin {
}

My application.yaml:

server:
  servlet:
    context-path: /camunda
spring:
  datasource:
    url: jdbc:postgresql://localhost:5432/camunda
    username: camunda
    password: camunda
    driverClassName: org.postgresql.Driver

camunda.bpm:
  database:
    type: postgres
    schema-update: drop-create
  authorization:
    enabled: true

plugin.identity.keycloak:
  keycloakIssuerUrl: https://myserver.com/auth/realms/MyRealm
  keycloakAdminUrl: https://myserver.com/auth/admin/realms/MyRealm
  clientId: camunda-identity-service
  clientSecret: a43b7e2c-d7e7-4914-8cc7-e0a95bbbc8ac
  useUsernameAsCamundaUserId: true
  administratorGroupName: camunda-admin

VonDerBeck commented 4 years ago

You need a user or group in the Keycloak realm Camunda is connected to. According to your config you'll need a group "camunda-admin" in this realm. Alternatively you can configure a user (and not a group) using the 'administratorUserId' property (instead of 'administratorGroupName').

FlowsenAusMonotown commented 4 years ago

OK, I changed it to:

plugin.identity.keycloak:
  keycloakIssuerUrl: https://myserver.com/auth/realms/MyRealm
  keycloakAdminUrl: https://myserver.com/auth/admin/realms/MyRealm
  clientId: camunda-identity-service
  clientSecret: a43b7e2c-d7e7-4914-8cc7-e0a95bbbc8ac
  useUsernameAsCamundaUserId: true
  administratorUserId: a26de9f9-ae21-4243-b45c-f95b45d80ba4

And on startup I see multiple lines like this:

KEYCLOAK-01003 GRANT user admin@myserver.com ALL permissions on resource Application. ...

But I still can't login to Camunda with this user. It always shows the message "Invalid credentials" but I used the right ones. I double-checked by logging in with this user in another application and it works.

VonDerBeck commented 4 years ago

You have set 'useUsernameAsCamundaUserId' to true. Are you aware of that? In case you try to login using Camunda's login screen (and not SSO with Keycloak login) the Camunda UserId is now the Keycloak username attribute. You'll find other options within the properties description of the Identity Provider.

FlowsenAusMonotown commented 4 years ago

@VonDerBeck Yes. Because I also configured Keycloak to use the e-mail address as user id.

VonDerBeck commented 4 years ago

Why don't you configure that in Camunda as well, e.g. by using 'useEmailAsCamundaUserId'? That would be consistent...

FlowsenAusMonotown commented 4 years ago

@VonDerBeck I changed it but got the same result "Invalid credentials". I checked the database and the 'act_id_user' table is empty. I don't know if this is important.

VonDerBeck commented 4 years ago

Camunda database tables for users and groups are of no interest in case you use any foreign Identity Provider.

  1. The user you configured - it does exist within the Camunda realm, right?
  2. What exactly do you mean by "Because I also configured Keycloak to use the e-mail address as user id" - I only know an option which allows you to login using your email as well, which is on the per realm level.
  3. A working example can be found in the sub directory examples of this realm
  4. In case you want to play around a bit with a working default Keycloak instance setup, you can use the docker image "gunnaraccso/keycloak.server:7.0.0". It's old (based on Keycloak 7.x), but should be sufficient to show the basics. Start it and login with keycloak/keycloak1! - you'll find a test setup inside.

FlowsenAusMonotown commented 4 years ago

  1. The user is in the "MyRealm".
  2. In the "MyRealm" Realm Settings tab "Login" you can choose "E-mail as username". So the registration page no longer displays the username input field.
  3. Can I set another logging level to check the request/response while authenticating?

FlowsenAusMonotown commented 4 years ago

@VonDerBeck I tried the docker image you recommended. I reconfigured my application using:

plugin.identity.keycloak:
  keycloakIssuerUrl: http://localhost:8090/auth/realms/camunda
  keycloakAdminUrl: http://localhost:8090/auth/admin/realms/camunda
  clientId: camunda-identity-service
  clientSecret: 0ca35c49-c721-44dd-a6c2-a5e825e13c84
  useEmailAsCamundaUserId: true
  administratorUserId: a0513f01-c509-4bef-a59e-3c5f528a742b

Tried to login with the "camunda" user and get the same error "Invalid credentials". (I changed the password of the user in the Keycloak admin UI first and used the new password for login.)

I will create a new ticket for this or do you have any suggestions?

VonDerBeck commented 4 years ago

In case you set useEmailAsCamundaUserId to true you have to login using your email address. In Camunda you always login with the userId - which in this case is configured to be the email address of Keycloak. I don't think that this is an issue. Please see the documentation of the plugin - it has been described in the "Usage with Camunda Spring Boot" section.

FlowsenAusMonotown commented 4 years ago

@VonDerBeck I used the e-mail address (camunda@accso.de) as login username and the new password. But I can't login. I tried everything from the documentation "Camunda Spring Boot" section. If you think it is not an issue, what should I do for getting it running?

VonDerBeck commented 4 years ago

I will try to reproduce what you are doing. Can you list the exact changes you made to the test Keycloak instance? As this afternoon I have different work to do - I will try to have a look at this tomorrow.

FlowsenAusMonotown commented 4 years ago

Reproduce:

pom:

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.flowsen</groupId>
  <artifactId>flowsen-process</artifactId>
  <version>1.0.0</version>

  <properties>
    <java.version>11</java.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-dependencies</artifactId>
        <version>2.2.1.RELEASE</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>org.camunda.bpm.springboot</groupId>
      <artifactId>camunda-bpm-spring-boot-starter</artifactId>
      <version>3.4.0</version>
    </dependency>
    <dependency>
      <groupId>org.camunda.bpm.springboot</groupId>
      <artifactId>camunda-bpm-spring-boot-starter-webapp</artifactId>
      <version>3.4.0</version>
    </dependency>
    <dependency>
      <groupId>org.camunda.bpm.springboot</groupId>
      <artifactId>camunda-bpm-spring-boot-starter-rest</artifactId>
      <version>3.4.0</version>
    </dependency>
    <dependency>
      <groupId>org.camunda.bpm.extension</groupId>
      <artifactId>camunda-bpm-identity-keycloak</artifactId>
      <version>1.5.0</version>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
    <dependency>
      <groupId>org.springframework.security.oauth.boot</groupId>
      <artifactId>spring-security-oauth2-autoconfigure</artifactId>
      <version>2.1.5.RELEASE</version>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-jdbc</artifactId>
    </dependency>
    <dependency>
      <groupId>org.postgresql</groupId>
      <artifactId>postgresql</artifactId>
      <version>42.2.4</version>
    </dependency>
    <dependency>
      <groupId>com.h2database</groupId>
      <artifactId>h2</artifactId>
      <scope>test</scope>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <plugin>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-maven-plugin</artifactId>
        <configuration>
          <layout>ZIP</layout>
        </configuration>
        <executions>
          <execution>
            <goals>
              <goal>repackage</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-compiler-plugin</artifactId>
        <configuration>
          <source>${java.version}</source>
          <target>${java.version}</target>
        </configuration>
      </plugin>
    </plugins>
  </build>

</project>

application.yml

server:
  servlet:
    context-path: /camunda
spring:
  datasource:
    url: jdbc:postgresql://localhost:5432/camunda
    username: camunda
    password: camunda
    driverClassName: org.postgresql.Driver

camunda.bpm:
  database:
    type: postgres
    #schema-update: drop-create
  authorization:
    enabled: true

plugin.identity.keycloak:
  keycloakIssuerUrl: http://localhost:8090/auth/realms/camunda
  keycloakAdminUrl: http://localhost:8090/auth/admin/realms/camunda
  clientId: camunda-identity-service
  clientSecret: 0ca35c49-c721-44dd-a6c2-a5e825e13c84
  useEmailAsCamundaUserId: true
  administratorUserId: a0513f01-c509-4bef-a59e-3c5f528a742b

KeycloakIdentityProvider

package org.flowsen.keycloak;

import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.stereotype.Component;
import org.camunda.bpm.extension.keycloak.plugin.KeycloakIdentityProviderPlugin;

@Component
@ConfigurationProperties(prefix="plugin.identity.keycloak")
public class KeycloakIdentityProvider extends KeycloakIdentityProviderPlugin {
}

Application

package org.flowsen;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

@SpringBootApplication
public class Application {

    public static void main(String... args) {
        SpringApplication.run(Application.class, args);
    }

}

Docker: docker run -it -p 8090:8080 gunnaraccso/keycloak.server:7.0.0

Postgres: 12.1 with user and database camunda

Keycloak:

VonDerBeck commented 4 years ago

Hi @FlowsenAusMonotown,

I have just created a simple Maven project consisting of the artifacts you mentioned above - and nothing more. And of course you can't login with that...

Please study carefully the dependencies in your pom.xml. You have added Spring Security and Spring Security OAuth2. Which means you have secured your overall application with OAuth2. Unless you have configured it otherwise in your WebSecurity configuration, you will get the login mask from Spring itself at any URL you type. This will never work in the configuration above.

What you should see instead as login at localhost:8080/camunda is the Camunda login screen. And with that you can of course login successfully. You can achieve this in your above example by just commenting out the 2 spring-security artifacts in your pom.xml. This will show you that the Keycloak Identity Provider itself is working perfectly.

In case you want your Application to use SSO and Spring Security OAuth2 - meaning that your login will be redirected to Keycloak - please study the "Activating Single Sign On" section in the README. You'll need a lot more stuff. A complete example can be found at https://github.com/camunda/camunda-bpm-identity-keycloak/tree/master/examples/sso-kubernetes. In case you want to leave Camunda Cockpit as is and keep using the Camunda login, you'll have to configure your WebSecurity accordingly and allow all requests to /camunda/app/*

The difference between the 2 scenarios (without SSO and with SSO) is described in https://blog.camunda.com/post/2019/08/keycloak-identity-provider-extension/

Hope this helps?

Gunnar
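One way to do what Gunnar describes for the "keep the Camunda login" case, added here as an example and not taken from the project or from anyone in this thread. It assumes Spring Boot 2.2 / Spring Security 5.2 as in the posted pom and the context-path /camunda from the posted application.yml; the class and package names are made up.

```java
package org.flowsen.keycloak; // hypothetical package, mirroring the reporter's project layout

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * Added example: keeps Camunda's own login screen (backed by the Keycloak
 * Identity Provider) while Spring Security remains on the classpath.
 *
 * Spring Security matchers are evaluated against the path inside the servlet
 * context. With "server.servlet.context-path: /camunda" the browser URL
 * /camunda/app/... is therefore matched by "/app/**", not by "/camunda/app/**".
 */
@Configuration
@EnableWebSecurity
public class CamundaLoginSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Cockpit, Tasklist and Admin (/app), their backend (/api) and the
                // shared static assets (/lib) authenticate users themselves through
                // the configured identity provider, so Spring Security must not put
                // its own form login in front of them. permitAll only steps Spring
                // Security aside; Camunda's own authentication filter still requires
                // a Camunda session for everything under /api except the login call.
                .antMatchers("/app/**", "/api/**", "/lib/**").permitAll()
                // Everything else, including the engine REST API added by
                // camunda-bpm-spring-boot-starter-rest, stays behind Spring Security.
                .anyRequest().authenticated()
                .and()
            // The Camunda web app ships its own CSRF protection for /api and its
            // JavaScript client does not send Spring Security's CSRF token, so
            // Spring's check must be skipped there or every POST is rejected.
            .csrf().ignoringAntMatchers("/api/**")
                .and()
            .formLogin();
    }
}
```

Remove the class again (or replace it with the README's SSO setup) once the login should be redirected to Keycloak instead of using the Camunda screen.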

FlowsenAusMonotown commented 4 years ago

@VonDerBeck Thx a lot. Now it is working perfect.