The identity base url is not set correctly for some components.
This leads to problems when using GENERIC OIDC mode.
Actual behavior:
When enabling GENERIC oidc mode, Auth to the zeebeGateway fails.
Expected behavior:
Auth works
How to reproduce:
Enable GENERIC OIDC.
Configure a client for the zeebe gateway.
Install platform.
Other applications trying to access the zeebe gateway will be rejected.
Logs:
Zeebe Gateway:
SEVERE: Exception while executing runnable io.grpc.internal.ServerImpl$ServerTransportListenerImpl$1HandleServerCall@7082a708
java.lang.IllegalStateException: java.lang.IllegalArgumentException: URI with undefined scheme
at io.grpc.internal.ServerImpl$ServerTransportListenerImpl$1HandleServerCall.runInternal(ServerImpl.java:617)
at io.grpc.internal.ServerImpl$ServerTransportListenerImpl$1HandleServerCall.runInContext(ServerImpl.java:603)
at io.grpc.internal.ContextRunnable.run(ContextRunnable.java:37)
at io.grpc.internal.SerializingExecutor.run(SerializingExecutor.java:133)
at java.base/java.util.concurrent.ForkJoinTask$RunnableExecuteAction.exec(Unknown Source)
at java.base/java.util.concurrent.ForkJoinTask.doExec(Unknown Source)
at java.base/java.util.concurrent.ForkJoinPool$WorkQueue.topLevelExec(Unknown Source)
at java.base/java.util.concurrent.ForkJoinPool.scan(Unknown Source)
at java.base/java.util.concurrent.ForkJoinPool.runWorker(Unknown Source)
at java.base/java.util.concurrent.ForkJoinWorkerThread.run(Unknown Source)
Caused by: java.lang.IllegalArgumentException: URI with undefined scheme
at java.net.http/jdk.internal.net.http.common.Utils.newIAE(Unknown Source)
at java.net.http/jdk.internal.net.http.HttpRequestBuilderImpl.checkURI(Unknown Source)
at java.net.http/jdk.internal.net.http.HttpRequestBuilderImpl.uri(Unknown Source)
at java.net.http/jdk.internal.net.http.HttpRequestBuilderImpl.uri(Unknown Source)
at io.camunda.identity.sdk.impl.rest.RestClient.request(RestClient.java:60)
at io.camunda.identity.sdk.impl.generic.GenericAuthentication.getPermissions(GenericAuthentication.java:139)
at io.camunda.identity.sdk.authentication.AbstractAuthentication.verifyToken(AbstractAuthentication.java:215)
at io.camunda.identity.sdk.authentication.AbstractAuthentication.verifyToken(AbstractAuthentication.java:164)
at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(Unknown Source)
at java.base/java.lang.reflect.Method.invoke(Unknown Source)
at io.camunda.identity.sdk.annotation.AnnotationProcessor.lambda$apply$0(AnnotationProcessor.java:33)
at jdk.proxy2/jdk.proxy2.$Proxy108.verifyToken(Unknown Source)
at io.camunda.zeebe.gateway.interceptors.impl.IdentityInterceptor.interceptCall(IdentityInterceptor.java:79)
at io.grpc.ServerInterceptors$InterceptCallHandler.startCall(ServerInterceptors.java:269)
at io.grpc.internal.ServerImpl$ServerTransportListenerImpl.startWrappedCall(ServerImpl.java:701)
at io.grpc.internal.ServerImpl$ServerTransportListenerImpl.access$2200(ServerImpl.java:408)
at io.grpc.internal.ServerImpl$ServerTransportListenerImpl$1HandleServerCall.runInternal(ServerImpl.java:613)
... 9 more
Environment:
Please note: Without the following info, it's hard to resolve the issue and probably it will be closed.
Platform: not relevant
Helm CLI version: not relevant
Chart version: latest
Values file:
global:
  identity:
    auth:
      issuer: https://<keycloak base url>/realms/camunda-platform
      issuerBackendUrl: https://<keycloak base url>/realms/camunda-platform
      tokenUrl: https://<keycloak base url>/realms/camunda-platform/protocol/openid-connect/token
      jwksUrl: https://<keycloak base url>/realms/camunda-platform/protocol/openid-connect/certs
      type: "GENERIC"
      identity:
        clientId: identity
        audience: identity
        existingSecret: <identity client secret>
        initialClaimName: sub
        initialClaimValue: <uuid of the first user to access identity and leave all others in>
        redirectUrl: <identity base url>
      operate:
        clientId: operate
        audience: operate
        existingSecret: <operate client secret>
        redirectUrl: <operate base url>
      tasklist:
        clientId: tasklist
        audience: tasklist
        existingSecret: <tasklist client secret>
        redirectUrl: <tasklist base url>
      optimize:
        clientId: optimize
        audience: optimize
        existingSecret: <optimize client secret>
        redirectUrl: <optimize base url>
      zeebe:
        clientId: zeebe
        audience: zeebe
        existingSecret: <zeebe client secret>
      connectors:
        clientId: connectors
        audience: connectors
        existingSecret: <connectors client secret>
# disable the dependency keycloak
identityKeycloak:
  enabled: false
# enable the identity database (unless you have a dedicated database for identity to work with)
identityPostgresql:
  enabled: true
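The `URI with undefined scheme` error in the gateway log can be reproduced with `java.net.http` alone: the request builder rejects any URI whose scheme is missing, which is what an empty or relative base URL produces once a path is appended. This is an added example, not code from the Identity SDK or the Helm chart; the `/api/permissions` path, the sample host names and the `requireAbsoluteHttpUrl` helper are hypothetical. It contrasts the per-request failure with a check that would reject the same value once at startup.

```java
import java.net.URI;
import java.net.http.HttpRequest;
import java.util.List;

public class IdentityBaseUrlCheck {
    // Hypothetical startup check: accept only absolute http(s) URLs that carry a host.
    static URI requireAbsoluteHttpUrl(String name, String value) {
        if (value == null || value.isBlank()) {
            throw new IllegalStateException(name + " is not set");
        }
        URI uri;
        try {
            uri = URI.create(value.trim());
        } catch (IllegalArgumentException e) {
            throw new IllegalStateException(name + " is not a valid URI: " + value, e);
        }
        String scheme = uri.getScheme();
        if (scheme == null || !(scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https"))) {
            throw new IllegalStateException(name + " has no http(s) scheme: " + value);
        }
        if (uri.getHost() == null) {
            throw new IllegalStateException(name + " has no host: " + value);
        }
        return uri;
    }

    public static void main(String[] args) {
        // Constructed sample values: unset, relative path, host without scheme, valid URL.
        List<String> samples = List.of("", "/identity", "identity.example.internal", "http://identity.example.internal:80");
        for (String base : samples) {
            // An unchecked client concatenates the base URL and a path, then builds the request.
            try {
                HttpRequest.newBuilder().uri(URI.create(base + "/api/permissions")).build();
                System.out.println("request built for base '" + base + "'");
            } catch (IllegalArgumentException e) {
                System.out.println("per-request failure for base '" + base + "': " + e.getMessage());
            }
            // The same value checked once, before any call is served.
            try {
                requireAbsoluteHttpUrl("identity base URL", base);
                System.out.println("startup check passed for base '" + base + "'");
            } catch (IllegalStateException e) {
                System.out.println("startup check rejected: " + e.getMessage());
            }
        }
    }
}
```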