Closed MarvinKern closed 4 years ago
Hi @MarvinKern,
take a look at the SSO sample and the following snippets:
In short, you'll have to redirect the logout to logging out from Keycloak and in case of success redirecting this back to the Camunda application.
Hope this helps.
Gunnar
Hi @VonDerBeck, Thank you for the quick answer. I had a look at the resources under https://github.com/camunda/camunda-bpm-identity-keycloak/tree/master/examples/sso-kubernetes/src/main/resources/META-INF/resources/webjars/camunda/app, but I am not fully understanding what to do. Should I copy the folder webjars/camunda/app in my META-INF folder and configure the custom JavaScript code in it?
@MarvinKern
this should be part of your project. If you have a look e.g. in folder cockpit (the Camunda Cockpit Application), you'll find a subfolder scripts containing a file config.js - which is standard for adding custom scripts. Under subfolder custom you'll find the configured custom script logout.js overriding the default Camunda web application part of the logout functionality. This has to be done for all four applications of the Camunda Webapp - Cockpit, Tasklist, Admin, Welcome.
@VonDerBeck Ah okay, I got it. So I copied the META-INF folder into my project, but the logout is still not redirecting to the Keycloak login page :/
@VonDerBeck I forgot to mention that I am using Spring Boot..
@VonDerBeck Do you have any ideas why this would not work for me? I am using Spring Boot and a hexagonal software architecture, so I have my project split into the folders bootstrap, infrastructure, workflow and domain.
Hi @MarvinKern,
/auth replaced with /logout. When sending a request to Keycloak's logout URL you have to add a redirect parameter back to your application, which is calculated in the logout handler as well. And guess what: by calling this URL in your application you'll be redirected to Keycloak's login page again because you're not authenticated... Now, in short: change the behaviour of Camunda's logout action with your own action. Capture this URL and make it redirect to Keycloak's logout URL, which in turn redirects to Camunda once the logout has been successful.
To identify your problem you should:
Hope this helps to identify the problem in your special setup.
Gunnar
Hi @VonDerBeck ,
Thanks for the detailed description, I will go for it :)
Thanks for your help, I could make it run with the help of your comments :)
Hello @MarvinKern. I'm running a Camunda Spring Boot application and trying to log in to the Camunda platform using Keycloak, but I'm having an almost similar issue. Could you help me? Mine is a logging-in issue.
@MK88-art,
which version of Camunda / Spring Boot are you using? And what exactly is your problem? What does your application.yaml look like?
Gunnar
Hello @VonDerBeck. Thank you for your feedback. So I'm running a Spring Boot app from IntelliJ using Camunda Platform Version 7.16.0 and Spring Boot Version 2.5.4 and this is the application.yaml:
spring.datasource:
  url: ${JDBC_URL:jdbc:h2:./camunda-db;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE}
  username: ${JDBC_USER:sa}
  password: ${JDBC_PASSWORD:sa}

#spring.h2.console.enabled: true

spring:
  jersey:
    application-path: /engine-rest

camunda.bpm:
  authorization:
    enabled: true
  filter:
    create: All tasks
  webapp.application-path:

server:
  port: 8080
  servlet.context-path: /camunda

# Metrics & Health
management:
  health.probes.enabled: true
  endpoints:
    web.exposure.include: env,health,info,metrics

# Externalized Keycloak configuration
keycloak:
  # SSO Authentication requests. Sent by the application as a redirect to the browser
  url.auth: ${KEYCLOAK_URL_AUTH:http://localhost:9000}
  # SSO Token requests. Sent from the application to Keycloak
  url.token: ${KEYCLOAK_URL_TOKEN:http://localhost:9000}
  # Keycloak access for the Identity Provider plugin.
  url.plugin: ${KEYCLOAK_URL_PLUGIN:https://localhost:9001}
  # Keycloak Camunda Identity Client
  client.id: ${KEYCLOAK_CLIENT_ID:camunda-identity-service}
  client.secret: ${KEYCLOAK_CLIENT_SECRET:cbee1434-7e4d-4d85-bab6-5944b427a3c0}

# Spring Boot Security OAuth2 SSO
spring.security:
  oauth2:
    client:
      registration:
        keycloak:
          provider: keycloak
          client-id: ${keycloak.client.id}
          client-secret: ${keycloak.client.secret}
          authorization-grant-type: authorization_code
          redirect-uri: "{baseUrl}/{action}/oauth2/code/{registrationId}"
          scope: openid, profile, email
      provider:
        keycloak:
          issuer-uri: ${keycloak.url.auth}/auth/realms/camunda
          authorization-uri: ${keycloak.url.auth}/auth/realms/camunda/protocol/openid-connect/auth
          user-info-uri: ${keycloak.url.auth}/auth/realms/camunda/protocol/openid-connect/userinfo
          token-uri: ${keycloak.url.token}/auth/realms/camunda/protocol/openid-connect/token
          jwk-set-uri: ${keycloak.url.token}/auth/realms/camunda/protocol/openid-connect/certs
          # set user-name-attribute to one of:
          # - sub                -> default; using the Keycloak ID as Camunda user ID
          # - email              -> useEmailAsCamundaUserId=true
          # - preferred_username -> useUsernameAsCamundaUserId=true
          user-name-attribute: preferred_username

logging.level.org.springframework.security: DEBUG

# Camunda Rest API
rest.security:
  enabled: true
  provider: keycloak
  required-audience: camunda-rest-api

# Camunda Keycloak Identity Provider Plugin
plugin.identity.keycloak:
  keycloakIssuerUrl: ${keycloak.url.plugin}/auth/realms/camunda
  keycloakAdminUrl: ${keycloak.url.plugin}/auth/admin/realms/camunda
  clientId: ${keycloak.client.id}
  clientSecret: ${keycloak.client.secret}
  useEmailAsCamundaUserId: false
  useUsernameAsCamundaUserId: true
  useGroupPathAsCamundaGroupId: true
  administratorGroupName: camunda-admin
  # Disables TLS certificate checks for the plugin's calls to Keycloak; only acceptable for local testing
  disableSSLCertificateValidation: true
So the problem is on logging out. I can successfully log in via the Camunda login page and I can see all my users and processes, but on logging out I'm getting this error:
I had also commented out the WebAppSecurityConfig.java because I would get this error which says authentication provider not found:
Hi. I think you may have tagged the wrong person. I’m not affiliated with nor interested the project you’re referencing.
Yes sincere apologies for that. edited the message but it was already sent
No problem. It’s a fairly common occurrence with my name. I just like to make sure the message gets where it’s supposed to go, so I usually let the person know they’ve made a mistake.
Hi @MK88-art
you wrote:
So the problem is on logging out. I can successfully log in via the Camunda login page and I can see all my users and processes, but on logging out I'm getting this error: I had also commented out the WebAppSecurityConfig.java because I would get this error which says authentication provider not found:
Hmm...
Especially in your WebAppSecurityConfig.java check the following:
import java.util.Collections;

import org.camunda.bpm.webapp.impl.security.auth.ContainerBasedAuthenticationFilter;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;

@SuppressWarnings({ "rawtypes", "unchecked" })
@Bean
public FilterRegistrationBean containerBasedAuthenticationFilter() {
    FilterRegistrationBean filterRegistration = new FilterRegistrationBean();
    filterRegistration.setFilter(new ContainerBasedAuthenticationFilter());
    // fully qualified name of your own AuthenticationProvider implementation
    filterRegistration.setInitParameters(Collections.singletonMap("authentication-provider",
            "org.camunda.bpm.extension.keycloak.showcase.sso.KeycloakAuthenticationProvider"));
    filterRegistration.setOrder(101); // make sure the filter is registered after the Spring Security Filter Chain
    filterRegistration.addUrlPatterns("/app/*");
    return filterRegistration;
}
Does the referenced "authentication-provider" class name exactly match your "KeycloakAuthenticationProvider" class? Including the package? Your stacktrace says that it does not and cannot be found.
Regards Gunnar
Hi @VonDerBeck,
first of all many thanks to you. I was searching a long time for the proper configuration / implementation of Camunda logout in combination with the OAuth2 authorisation code flow. I am actually using Azure AD in order to authenticate users in Camunda, but I was not able to implement the logout functionality because of a CORS error (logout request to Azure AD).
After I integrated the custom scripts you mentioned (additionally I updated the logout link within the custom scripts -> newLogout.setAttribute('href', '/camunda/api/admin/auth/user/default/logout'); and added the logoutUrl within the security config: http.logout().logoutUrl("/camunda/api/admin/auth/user/default/logout");), it's working like a charm :-) The logoutSuccessHandler is already set by AADWebSecurityConfigurerAdapter from the Azure AD lib.
Note that the steps described in the comment above use a GET request to trigger the logout, whereas it is normally recommended to use a POST request with a valid CSRF token, see Spring Security Reference - CSRF Logout.
To make a POST request work, some extra work is needed:
Update the logout.js scripts to make a POST /logout request with a valid CSRF token, e.g. by rendering and submitting a virtual <form> element:
//... Somehow capture clicking on the logout link and do the following:
const form = document.createElement('form');
form.action = "logout"; // or "/logout" if using the default logoutRequestMatcher
form.method = "POST";
const input = document.createElement("input");
input.type = "hidden";
input.name = "_csrf";
input.value = ...; // Read the CSRF value, e.g. from the cookie
form.appendChild(input);
form.submit();
Configure Spring Security to accept the (raw) CSRF token request attribute (while keeping CSRF BREACH protection) as described here. This is only required for Spring Security >= 5.8.
Configure the Content Security Policy (CSP) to allow cross-origin redirects to the OAuth2 server by adding its URL in the 'form-action' directive, see Camunda 7 Docs - Content Security Policy. E.g. in your application.properties:
camunda.bpm.webapp.header-security.content-security-policy-value=\
base-uri 'self';\
script-src $NONCE 'strict-dynamic' 'unsafe-eval' https: 'self' 'unsafe-inline';\
style-src 'unsafe-inline' 'self';\
default-src 'self';\
img-src 'self' data:;\
block-all-mixed-content;\
form-action 'self' ${your-auth-server-url};\
frame-ancestors 'none';\
object-src 'none';\
sandbox allow-forms allow-scripts allow-same-origin allow-popups allow-downloads;
(Note that this step is not strictly required for Firefox due to inconsistent interpretation of the CSP form-action directive between browsers, see MDN Web Docs - CSP form-action.)
There's also some ongoing effort to natively add support for SSO logout in Camunda.
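A complete custom logout.js that follows Gunnar's advice earlier in this thread (replace Camunda's own logout action with a call to the application's logout endpoint, which the server then turns into a redirect to Keycloak's logout URL carrying a redirect parameter back to Camunda) and the POST-with-CSRF-token variant described in the comment above. This is an added example, not the project's logout.js and not code from any commenter. Assumptions not taken from the thread: Spring Security uses CookieCsrfTokenRepository.withHttpOnlyFalse(), so the token is readable from the XSRF-TOKEN cookie; the logout endpoint is /camunda/logout; the Camunda logout control matches the CSS selector 'a.logout'; and keycloakLogoutUrl only mirrors, for illustration, the URL computation that belongs in the server-side LogoutSuccessHandler.

```javascript
'use strict';

// Added example: a custom logout.js for the Camunda webapps (Cockpit, Tasklist,
// Admin, Welcome). It is not the project's own script. It replaces Camunda's
// logout action with a CSRF-protected POST to the application's Spring
// Security logout endpoint; the server-side LogoutSuccessHandler (not shown)
// then redirects to Keycloak's logout URL and back to Camunda.
//
// Assumptions not taken from the thread:
//  - Spring Security uses CookieCsrfTokenRepository.withHttpOnlyFalse(), so the
//    token can be read from the XSRF-TOKEN cookie.
//  - The logout endpoint is /camunda/logout (context path /camunda).
//  - The selector for Camunda's logout control is 'a.logout' (adjust to your
//    Camunda version).

const LOGOUT_URL = '/camunda/logout';   // assumed
const LOGOUT_SELECTOR = 'a.logout';     // assumed
const CSRF_COOKIE = 'XSRF-TOKEN';       // Spring Security's default cookie name

// Return one cookie's decoded value from a document.cookie string, or null.
function readCookie(cookieString, name) {
  const prefix = name + '=';
  for (const part of (cookieString || '').split(';')) {
    const trimmed = part.trim();
    if (trimmed.startsWith(prefix)) {
      return decodeURIComponent(trimmed.slice(prefix.length));
    }
  }
  return null;
}

// For illustration only: the URL computation Gunnar describes for the
// server-side logout handler. Keycloak's end-session endpoint is the
// authorization URI with its trailing "/auth" replaced by "/logout", plus the
// URL Keycloak should send the browser back to afterwards. Keycloak 18+
// expects post_logout_redirect_uri together with id_token_hint instead.
function keycloakLogoutUrl(authorizationUri, redirectBackTo) {
  if (!authorizationUri.endsWith('/auth')) {
    throw new Error('unexpected authorization URI: ' + authorizationUri);
  }
  const endSession = authorizationUri.slice(0, -'/auth'.length) + '/logout';
  return endSession + '?redirect_uri=' + encodeURIComponent(redirectBackTo);
}

// Build (not submit) a hidden POST form carrying the CSRF token as "_csrf".
// `doc` is passed in so the function can be exercised without a browser.
function buildLogoutForm(doc, logoutUrl, csrfToken) {
  if (!csrfToken) {
    // Without the token Spring Security answers 403; fail loudly instead.
    throw new Error('CSRF token not found in cookie ' + CSRF_COOKIE);
  }
  const form = doc.createElement('form');
  form.action = logoutUrl;
  form.method = 'POST';
  const input = doc.createElement('input');
  input.type = 'hidden';
  input.name = '_csrf';
  input.value = csrfToken;
  form.appendChild(input);
  return form;
}

// Intercept clicks on the logout control. A capture-phase listener on the
// document fires before Camunda's own (Angular) click handler, and
// stopPropagation() keeps that handler from running; delegation also works
// when the account menu is rendered after this script has loaded.
function installLogoutOverride(doc, logoutUrl, selector) {
  const handler = function (event) {
    const target = event.target;
    const link = target && typeof target.closest === 'function'
      ? target.closest(selector) : null;
    if (!link) return;
    event.preventDefault();
    event.stopPropagation();
    const form = buildLogoutForm(doc, logoutUrl, readCookie(doc.cookie, CSRF_COOKIE));
    doc.body.appendChild(form); // must be in the DOM before submit()
    form.submit();
  };
  doc.addEventListener('click', handler, true);
  return handler;
}

if (typeof document !== 'undefined') {
  installLogoutOverride(document, LOGOUT_URL, LOGOUT_SELECTOR);
}
```

Install it as scripts/custom/logout.js in each of the four webapps and register it in that app's config.js, as described earlier in the thread. If the CSRF cookie is missing the script refuses to submit instead of sending a request that Spring Security would reject with 403. The browser never calls Keycloak's logout URL directly: Spring Security invalidates the local session first and its LogoutSuccessHandler issues the redirect, which is why the CSP form-action directive in the comment above has to allow the Keycloak origin.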
Hi all, when I log out of my Camunda application, I am redirected to the Camunda login page: http://localhost:8080/camunda/app/welcome/default/#!/login. However I don't want to be redirected to this page, I want to be redirected to the Keycloak login page. I configured my Keycloak as described in this project. Has anybody an idea on this? Thank you :+1: