camunda-community-hub / camunda-platform-7-keycloak

Camunda Keycloak Identity Provider Plugin
Apache License 2.0

Help with configuration #265

Open Ba-lu opened 6 days ago

Ba-lu commented 6 days ago

Hi,

I am working on a project to authenticate a camunda user over Keycloak with an Identity Provider that uses OpenID Connect (Entra-ID).

I used the shown sso-example to recreate the scenario on my local machine. And indeed, it was working as expected.

When deploying the configuration and source files to the dev server it didn't work. I can log in over the identity provider, but when returning to camunda I get redirected to an error page instead of the camunda welcome screen.

The reason for that is an exception that is thrown. Here are the important lines:

2024-10-29 09:48:17.472 [http-nio-8080-exec-7] TRACE o.s.security.web.FilterChainProxy - [X-Request-Trace-Id=bd55409d-1c8d-4c22-b625-eb90c83b4bea] - Invoking OAuth2LoginAuthenticationFilter (8/16)
2024-10-29 09:48:17.473 [http-nio-8080-exec-7] TRACE o.s.s.authentication.ProviderManager - [X-Request-Trace-Id=bd55409d-1c8d-4c22-b625-eb90c83b4bea] - Authenticating request with OAuth2LoginAuthenticationProvider (1/3)
2024-10-29 09:48:17.473 [http-nio-8080-exec-7] TRACE o.s.s.authentication.ProviderManager - [X-Request-Trace-Id=bd55409d-1c8d-4c22-b625-eb90c83b4bea] - Authenticating request with OidcAuthenticationRequestChecker (2/3)
2024-10-29 09:48:17.473 [http-nio-8080-exec-7] DEBUG o.s.s.a.DefaultAuthenticationEventPublisher - [X-Request-Trace-Id=bd55409d-1c8d-4c22-b625-eb90c83b4bea] - No event was found for the exception org.springframework.security.oauth2.core.OAuth2AuthenticationException
2024-10-29 09:48:17.473 [http-nio-8080-exec-7] TRACE o.s.s.o.c.w.OAuth2LoginAuthenticationFilter - [X-Request-Trace-Id=bd55409d-1c8d-4c22-b625-eb90c83b4bea] - Failed to process authentication request org.springframework.security.oauth2.core.OAuth2AuthenticationException: [oidc_provider_not_configured] An OpenID Connect Authentication Provider has not been configured. Check to ensure you include the dependency 'spring-security-oauth2-jose'.

When comparing this to the output that is working:

2024-10-29T11:48:32.324+01:00 TRACE 70912 --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : Invoking OAuth2LoginAuthenticationFilter (8/15)
2024-10-29T11:48:32.329+01:00 TRACE 70912 --- [nio-8080-exec-4] o.s.s.authentication.ProviderManager : Authenticating request with OAuth2LoginAuthenticationProvider (1/3)
2024-10-29T11:48:32.330+01:00 TRACE 70912 --- [nio-8080-exec-4] o.s.s.authentication.ProviderManager : Authenticating request with OidcAuthorizationCodeAuthenticationProvider (2/3)
2024-10-29T11:48:32.471+01:00 TRACE 70912 --- [nio-8080-exec-4] s.CompositeSessionAuthenticationStrategy : Preparing session with ChangeSessionIdAuthenticationStrategy (1/2)
2024-10-29T11:48:32.473+01:00 DEBUG 70912 --- [nio-8080-exec-4] .s.ChangeSessionIdAuthenticationStrategy : Changed session id from BB47D423E9A745C7272B9BB3E11275C4
2024-10-29T11:48:32.473+01:00 TRACE 70912 --- [nio-8080-exec-4] s.CompositeSessionAuthenticationStrategy : Preparing session with CsrfAuthenticationStrategy (2/2)
2024-10-29T11:48:32.474+01:00 DEBUG 70912 --- [nio-8080-exec-4] w.c.HttpSessionSecurityContextRepository : Stored SecurityContextImpl [Authentication=OAuth2AuthenticationToken ......

As we can see the AuthenticationProvider (2/3) is different (OidcAuthenticationRequestChecker vs OidcAuthorizationCodeAuthenticationProvider).

OidcAuthenticationRequestChecker throws an error if "openid" is in the scope.

Where does the OidcAuthenticationRequestChecker come from? And why is the OidcAuthenticationRequestChecker not registered?

The config on the dev server contains an additional entry (spring.security.oauth2.client.registration.oidc, spring.security.oauth2.client.provider.oidc). Is this interfering with our config?

Thanks for looking into this, Lukas
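Added example, not part of the thread: a small log triage script that extracts the AuthenticationProvider chain and the OAuth2 error code from the two traces quoted above and flags the dev-server symptom. Spring Security registers OidcAuthorizationCodeAuthenticationProvider only when spring-security-oauth2-jose is on the classpath and otherwise falls back to OidcAuthenticationRequestChecker, which rejects any registration whose scope contains "openid" with oidc_provider_not_configured; the log excerpts below are constructed from the quoted lines, with the trace IDs dropped.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed excerpts modelled on the two log captures quoted in the issue
# (failing dev server vs. working local run); not the complete logs.
FAILING_LOG = """\
2024-10-29 09:48:17.472 [http-nio-8080-exec-7] TRACE o.s.security.web.FilterChainProxy - Invoking OAuth2LoginAuthenticationFilter (8/16)
2024-10-29 09:48:17.473 [http-nio-8080-exec-7] TRACE o.s.s.authentication.ProviderManager - Authenticating request with OAuth2LoginAuthenticationProvider (1/3)
2024-10-29 09:48:17.473 [http-nio-8080-exec-7] TRACE o.s.s.authentication.ProviderManager - Authenticating request with OidcAuthenticationRequestChecker (2/3)
2024-10-29 09:48:17.473 [http-nio-8080-exec-7] TRACE o.s.s.o.c.w.OAuth2LoginAuthenticationFilter - Failed to process authentication request org.springframework.security.oauth2.core.OAuth2AuthenticationException: [oidc_provider_not_configured] An OpenID Connect Authentication Provider has not been configured. Check to ensure you include the dependency 'spring-security-oauth2-jose'.
"""
WORKING_LOG = """\
2024-10-29T11:48:32.324+01:00 TRACE 70912 --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : Invoking OAuth2LoginAuthenticationFilter (8/15)
2024-10-29T11:48:32.329+01:00 TRACE 70912 --- [nio-8080-exec-4] o.s.s.authentication.ProviderManager : Authenticating request with OAuth2LoginAuthenticationProvider (1/3)
2024-10-29T11:48:32.330+01:00 TRACE 70912 --- [nio-8080-exec-4] o.s.s.authentication.ProviderManager : Authenticating request with OidcAuthorizationCodeAuthenticationProvider (2/3)
2024-10-29T11:48:32.474+01:00 DEBUG 70912 --- [nio-8080-exec-4] w.c.HttpSessionSecurityContextRepository : Stored SecurityContextImpl [Authentication=OAuth2AuthenticationToken]
"""

# ProviderManager logs each provider it tries; the OAuth2 login filter logs
# the failure with the error code in square brackets.
PROVIDER_RE = re.compile(r"Authenticating request with (\w+) \((\d+)/(\d+)\)")
ERROR_RE = re.compile(r"OAuth2AuthenticationException: \[(\w+)\]")

@dataclass
class LoginTrace:
    providers: List[str] = field(default_factory=list)
    error_code: Optional[str] = None

    @property
    def oidc_capable(self) -> bool:
        # Present only when spring-security-oauth2-jose is on the classpath.
        return "OidcAuthorizationCodeAuthenticationProvider" in self.providers

def parse_login_trace(log: str) -> LoginTrace:
    """Collect the provider chain and the first OAuth2 error code from one login attempt."""
    trace = LoginTrace()
    for line in log.splitlines():
        if m := PROVIDER_RE.search(line):
            trace.providers.append(m.group(1))
        if trace.error_code is None and (m := ERROR_RE.search(line)):
            trace.error_code = m.group(1)
    return trace

def diagnose(log: str) -> str:
    """Name the dependency gap when the placeholder checker ran instead of the OIDC provider."""
    t = parse_login_trace(log)
    fallback = "OidcAuthenticationRequestChecker" in t.providers
    if t.error_code == "oidc_provider_not_configured" or (fallback and not t.oidc_capable):
        return "missing-oidc-provider: chain was %s; spring-security-oauth2-jose is not on the classpath" % " -> ".join(t.providers)
    return "ok: chain was %s" % " -> ".join(t.providers)
```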

VonDerBeck commented 6 days ago

Hi @Ba-lu ,

The showcase is just what it is: a showcase, so that you get an idea of how SSO works together with the Identity Provider Plugin. For the SSO part itself I would recommend reading some articles (e.g. baeldung.com) on how to configure SSO with Spring Security. When it comes to the showcase, please be aware that it used "/camunda" as base URL, because that made it quite easy for the Kubernetes setup. Once you change that, you have to adapt Keycloak and eventually the Security Filter as well.

Gunnar