Closed cogniware closed 2 months ago
Hi @cogniware,
thanks for your input and your PR which is very much appreciated. I will have a look at your PR in the next weeks.
Can you give me a hint on your general settings of the Keycloak Identity Provider (e.g. have you set one of the parameters useEmailAsCamundaUserId or useUsernameAsCamundaUserId etc.)? That would help a lot.
Thanks
Gunnar
Hi Gunnar,
thanks for taking a look.
Yes, we are using useUsernameAsCamundaUserId. More specifically, here is the entire part of the configuration, with some values intentionally replaced with placeholders:
<plugin>
  <class>org.camunda.bpm.extension.keycloak.plugin.KeycloakIdentityProviderPlugin</class>
  <properties>
    <property name="keycloakIssuerUrl">https://HOSTorIP:28443/realms/master</property>
    <property name="keycloakAdminUrl">https://HOSTorIP:8443/admin/realms/master</property>
    <property name="clientId">clientId</property>
    <property name="clientSecret">clientSecret</property>
    <property name="useUsernameAsCamundaUserId">true</property>
    <property name="useGroupPathAsCamundaGroupId">true</property>
    <property name="disableSSLCertificateValidation">true</property>
    <property name="administratorGroupName">admin</property>
  </properties>
</plugin>
If there is anything more that might help, please let me know.
Thanks for your input 👍
See Version 7.21.2
Is there something else that needs to be done to publish the 7.21.2 version also to maven repository?
@dbenesj: You're right, it hasn't shown up. Thanks for the info. There have been some changes in the community hub parent especially in the area of publishing releases to nexus... I will try to dig into it - and if necessary get help from Camunda.
As a quick workaround for you, 7.21.2 is available in Camunda's Artifactory.
The release has clearly been uploaded to Nexus - and within the deploy action I have set maven-auto-release-after-close: true, which is responsible for automatically moving the artifacts from the staging area to prod without manual interaction.
So I have to ask Camunda if there are any problems.
You can now use 7.21.5 which is available on Maven Central, see https://central.sonatype.com/search?q=%2Fcamunda-platform-7-keycloak
Thank you very much, we have successfully used the artifact from Maven Central.
Camunda Keycloak Identity Provider Pull Request
When retrieving a user by ID, request just an exact match; otherwise the user might not be able to log in when many similar usernames exist.
Description
Otherwise, when there are over 100 results that do not match exactly, login to the web UI fails with an NPE. For example, you are trying to log in as a user with username tester. But in Keycloak, there are users such as tester1, tester2, stester1 and so on. Once the number of those users is large enough, you would not be able to log in. This is because when retrieving the list of users from Keycloak it is doing a "fulltext search" on usernames, and the user you are logging in with might not be in the results. Keycloak returns the first 100 results, but those are not sorted by the best match. The configuration value maxResultSize is not used for such calls. Since we need to retrieve just one exact user, we should use a parameter of the Keycloak REST API that requests only the user with an exactly matching username.
Testing your changes
Having a deployment with many users with just a number suffix, we were not able to log in to the Camunda web UI. Once we deployed a local build of the proposed change, users were able to log in and list the groups that the user is a member of.
Types of changes
Checklist:
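The lookup failure this pull request describes, modelled as an added example (not code from the PR, the plugin or Keycloak). The function names and the sample directory are hypothetical and constructed; the search model (substring match, first 100 results in storage order, versus the `exact` query parameter of Keycloak's users endpoint) follows the description above.

```python
# Simulation only: models the behaviour described in the PR, not Keycloak internals.
DEFAULT_MAX = 100  # the PR states that Keycloak returns the first 100 results


def keycloak_user_search(directory, username, exact=False, max_results=DEFAULT_MAX):
    """Assumed model of GET /admin/realms/{realm}/users?username=...&exact=...

    Without exact, the username is matched as a substring and the list is
    cut at max_results in storage order, not ordered by best match.
    With exact, only an identical username is returned.
    """
    if exact:
        hits = [u for u in directory if u["username"] == username]
    else:
        hits = [u for u in directory if username in u["username"]]
    return hits[:max_results]


def resolve_user(directory, username, exact):
    """Client-side step: keep only the entry whose username equals the login ID."""
    for user in keycloak_user_search(directory, username, exact=exact):
        if user["username"] == username:
            return user
    # A caller that dereferences this result without a null check hits the
    # equivalent of the NPE reported in the PR.
    return None


def build_directory(similar_count):
    """Constructed sample data: look-alike accounts stored ahead of 'tester'."""
    users = [{"id": f"id-{i}", "username": f"tester{i}"}
             for i in range(1, similar_count + 1)]
    users.append({"id": "id-s1", "username": "stester1"})
    users.append({"id": "id-target", "username": "tester"})
    return users


if __name__ == "__main__":
    for count in (50, 150):
        directory = build_directory(count)
        fuzzy = resolve_user(directory, "tester", exact=False)
        strict = resolve_user(directory, "tester", exact=True)
        print(f"{count} look-alikes -> fuzzy: {fuzzy and fuzzy['id']}, "
              f"exact: {strict and strict['id']}")
```

With 50 look-alike accounts both lookups find the user; with 150 the substring search fills its 100 slots before reaching `tester`, and only the exact lookup still resolves it.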