feat(connectors): OIDC support (#3318)
chillleader authored Feb 16, 2024
1 parent da8d1eb commit 13f7ded
Showing 6 changed files with 48 additions and 44 deletions.
22 changes: 13 additions & 9 deletions docs/guides/host-custom-connector.md
@@ -78,12 +78,14 @@ docker run --rm --name=CustomConnectorInSMWithKeyCloak \
-e ZEEBE_CLIENT_SECURITY_PLAINTEXT=true \
-e ZEEBE_CLIENT_ID=<YOUR_ZEEBE_CLIENT_ID> \
-e ZEEBE_CLIENT_SECRET=<YOUR_ZEEBE_CLIENT_SECRET> \
-e ZEEBE_CLIENT_CONFIG_PATH=/tmp/zeebe_auth_cache \
-e ZEEBE_TOKEN_AUDIENCE=zeebe-api \
-e ZEEBE_AUTHORIZATION_SERVER_URL=http://keycloak:8080/auth/realms/camunda-platform/protocol/openid-connect/token \
-e CAMUNDA_OPERATE_CLIENT_KEYCLOAK-URL=http://keycloak:8080 \
-e CAMUNDA_OPERATE_CLIENT_CLIENT-ID=connectors \
-e CAMUNDA_OPERATE_CLIENT_CLIENT-SECRET=<YOUR_OPERATE_CLIENT_SECRET> \
-e CAMUNDA_OPERATE_CLIENT_KEYCLOAK-REALM=<YOUR_KEYCLOAK_OPERATE_REALM> \
-e CAMUNDA_IDENTITY_TYPE=KEYCLOAK \
-e CAMUNDA_IDENTITY_AUDIENCE=operate-api \
-e CAMUNDA_IDENTITY_ISSUER_BACKEND_URL=http://keycloak:8080/auth/realms/camunda-platform \
-e CAMUNDA_IDENTITY_CLIENT_ID=connectors \
-e CAMUNDA_IDENTITY_CLIENT_SECRET=<YOUR_OPERATE_SECRET> \
-e CAMUNDA_OPERATE_CLIENT_URL=http://operate:8080 \
camunda/connectors-bundle:<desired-version>
```
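Review bot: the `CAMUNDA_IDENTITY_CLIENT_SECRET=<YOUR_OPERATE_SECRET>` placeholder on the added line is inconsistent with `<YOUR_OPERATE_CLIENT_SECRET>` on the removed line and in the Helm example later in this file; keep the original name so readers can tell it is the same value. The removed `CAMUNDA_OPERATE_CLIENT_KEYCLOAK-REALM=<YOUR_KEYCLOAK_OPERATE_REALM>` made the realm configurable, but the new `CAMUNDA_IDENTITY_ISSUER_BACKEND_URL` hardcodes `camunda-platform`; consider `http://keycloak:8080/auth/realms/<YOUR_KEYCLOAK_OPERATE_REALM>` so the issuer stays aligned with the realm the Operate client actually lives in, since a token issued by a different realm fails issuer validation.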
@@ -102,7 +104,7 @@ For the purpose of this section, imagine you installed Helm charts with `helm in
and forwarded Zeebe, Operate, and Keycloak ports:

- `kubectl port-forward svc/dev-zeebe-gateway 26500:26500`
- `kubectl port-forward svc/dev-operate 8081:80`
- `kubectl port-forward svc/dev-operate 8081:80`
- `kubectl port-forward svc/dev-keycloak 18080:80`

Now, you need to obtain both Zeebe and Connectors' Operate OAuth clients. You can do it with `kubectl get secret dev-zeebe-identity-secret -o jsonpath="{.data.*}" | base64 --decode`
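Review bot: the removed and added `kubectl port-forward svc/dev-operate 8081:80` lines in this hunk render identically, so the only change here is invisible (trailing whitespace or similar); either drop the unrelated formatting change from a feature commit or mention it in the commit message so it does not read as an accidental edit.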
@@ -117,12 +119,14 @@ docker run --rm --name=CustomConnectorInSMWithHelm \
-e ZEEBE_CLIENT_SECURITY_PLAINTEXT=true \
-e ZEEBE_CLIENT_ID=zeebe \
-e ZEEBE_CLIENT_SECRET=<YOUR_ZEEBE_CLIENT_SECRET> \
-e ZEEBE_CLIENT_CONFIG_PATH=/tmp/zeebe_auth_cache \
-e ZEEBE_TOKEN_AUDIENCE=zeebe-api \
-e ZEEBE_AUTHORIZATION_SERVER_URL=http://host.docker.internal:18080/auth/realms/camunda-platform/protocol/openid-connect/token \
-e CAMUNDA_OPERATE_CLIENT_KEYCLOAK-URL=http://host.docker.internal:18080 \
-e CAMUNDA_OPERATE_CLIENT_CLIENT-ID=connectors \
-e CAMUNDA_OPERATE_CLIENT_CLIENT-SECRET=<YOUR_OPERATE_CLIENT_SECRET> \
-e CAMUNDA_OPERATE_CLIENT_KEYCLOAK-REALM=camunda-platform \
-e CAMUNDA_IDENTITY_TYPE=KEYCLOAK \
-e CAMUNDA_IDENTITY_AUDIENCE=operate-api \
-e CAMUNDA_IDENTITY_ISSUER_BACKEND_URL=http://host.docker.internal:18080/auth/realms/camunda-platform \
-e CAMUNDA_IDENTITY_CLIENT_ID=connectors \
-e CAMUNDA_IDENTITY_CLIENT_SECRET=<YOUR_OPERATE_CLIENT_SECRET> \
-e CAMUNDA_OPERATE_CLIENT_URL=http://host.docker.internal:8081 \
camunda/connectors-bundle:<desired-version>
```
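Review bot: the new `CAMUNDA_IDENTITY_AUDIENCE=operate-api` value is not explained anywhere in this section; add a sentence that it must match the audience of the Operate API as registered in Identity, because the Connectors runtime requests a token for that audience and token validation on the Operate side checks the `aud` claim. The value of `CAMUNDA_IDENTITY_CLIENT_SECRET` is the Connectors client secret from Identity, while the surrounding text only talks about obtaining Zeebe and Operate clients; name the Connectors client explicitly so readers fetch the right secret.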
@@ -65,11 +65,15 @@ CAMUNDA_OPERATE_CLIENT_USERNAME=demo
CAMUNDA_OPERATE_CLIENT_PASSWORD=demo
```

When running against a self-managed environment you might also need to configure the Keycloak endpoint to not use Operate username/password authentication:
When running against a self-managed environment you might also need to configure Identity properties instead of username and password:

```bash
CAMUNDA_OPERATE_CLIENT_KEYCLOAK-URL=http://localhost:18080
CAMUNDA_OPERATE_CLIENT_KEYCLOAK-REALM=camunda-platform
CAMUNDA_OPERATE_CLIENT_URL=http://localhost:8081
CAMUNDA_IDENTITY_TYPE=KEYCLOAK
CAMUNDA_IDENTITY_AUDIENCE=operate-api
CAMUNDA_IDENTITY_ISSUER_BACKEND_URL=http://localhost:18080/auth/realms/camunda-platform
CAMUNDA_IDENTITY_CLIENT_ID=connectors
CAMUNDA_IDENTITY_CLIENT_SECRET=<YOUR_OPERATE_CLIENT_SECRET>
```

</TabItem>
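Review bot: the new sentence says "instead of username and password", but the context lines directly above still show `CAMUNDA_OPERATE_CLIENT_USERNAME=demo` and `CAMUNDA_OPERATE_CLIENT_PASSWORD=demo`; state explicitly that those two variables should be removed once the `CAMUNDA_IDENTITY_*` properties are set, so a demo credential does not remain in the runtime environment next to the client secret. Keeping `CAMUNDA_OPERATE_CLIENT_URL` in the Identity block is correct, but a short remark that it is needed in both modes would avoid readers dropping it together with the username/password lines.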
@@ -99,12 +99,6 @@ global:

For authentication, the Camunda components use the scopes `email`, `openid`, `offline_access`, and `profile`.

:::note
The Connectors do not yet support authentication with a generic OIDC provider.

When using OIDC, set `connectors.inbound.mode: disabled` [in your Connectors Helm values](https://artifacthub.io/packages/helm/camunda/camunda-platform#connectors-parameters).
:::

</TabItem>
<TabItem value="microsoftEntraId">

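Review bot: removing this note leaves the generic OIDC tab with no Connectors guidance at all, whereas the Microsoft Entra ID tab in this same commit gains `connectors.clientId` / `connectors.existingSecret` Helm values; add the equivalent values here (or a pointer to the Connectors row of the redirect URI table below), and tell readers who followed the old advice that `connectors.inbound.mode: disabled` is no longer required and can be reverted.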
@@ -176,6 +170,9 @@ global:
clientApiAudience: <Client ID from step 1>
publicApiAudience: <Audience for using Web Modeler's API. For security reasons, use a different value than for clientApiAudience>
redirectUrl: <See table below>
connectors:
clientId: <Client ID from step 2>
existingSecret: <Client secret from step 3>
```
</TabItem>
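Review bot: the placeholders `<Client ID from step 2>` and `<Client secret from step 3>` must correspond to numbered steps in this tab that actually create a Connectors application registration and its secret; the existing fields only reference step 1, so please confirm those steps exist or renumber. If `existingSecret` is meant to reference a Kubernetes Secret rather than hold the raw secret string, the placeholder should say so, because as written readers will paste the client secret straight into `values.yaml`.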
@@ -200,10 +197,6 @@ It's also important to follow the [steps described here](https://learn.microsoft
"accessTokenAcceptedVersion": 2,
```

:::note
Connectors do not yet support authentication with Microsoft Entra ID as the OIDC provider. When using OIDC, set `connectors.inbound.mode: disabled` [in your Connectors Helm values](https://artifacthub.io/packages/helm/camunda/camunda-platform#connectors-parameters).
:::

</TabItem>
</Tabs>

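Review bot: with this note gone, nothing in the Entra ID tab connects the newly added `connectors` Helm values to the runtime variables the Connectors need; a one-line pointer to the Connectors row of the table below would close that gap, and readers upgrading from the previous advice should be told that `connectors.inbound.mode: disabled` can be removed.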
@@ -216,3 +209,4 @@ Connectors do not yet support authentication with Microsoft Entra ID as the OIDC
| Tasklist | https://<TASKLIST_URL>/identity-callback | |
| Web Modeler | https://<WEB_MODELER_URL>/login-callback | Using a different OIDC provider than Keycloak currently disables all checks of the permissions claim both for using Web Modeler via the UI and via the public API.<br/><br/> Required configuration variables for webapp:<br/>`OAUTH2_CLIENT_ID=[client-id]`<br/>`OAUTH2_JWKS_URL=[provider-jwks-url]`<br/>`OAUTH2_TOKEN_AUDIENCE=[client-audience]`<br/>`OAUTH2_TOKEN_ISSUER=[provider-issuer]`<br/>`OAUTH2_TYPE=[provider-type]`<br/><br/> Required configuration variables for restapi:<br/>`CAMUNDA_IDENTITY_BASEURL=[identity-base-url]`<br/>`CAMUNDA_IDENTITY_TYPE=[provider-type]`<br/>`CAMUNDA_MODELER_SECURITY_JWT_AUDIENCE_INTERNAL_API=[client-audience]`<br/>`CAMUNDA_MODELER_SECURITY_JWT_AUDIENCE_PUBLIC_API=[publicapi-audience]` (for security reasons, <strong>use a different value here than for `CAMUNDA_MODELER_SECURITY_JWT_AUDIENCE_INTERNAL_API`</strong>)<br/>`SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUER_URI=[provider-issuer]` |
| Zeebe | no redirect URI | Instead, include `tokenScope:"<Azure-AppRegistration-ClientID> /.default "` |
| Connectors | | Connectors act as a client in the OIDC flow. <br/><br/> For outbound-only mode (when `CAMUNDA_CONNECTOR_POLLING_ENABLED` is `false`), only Zeebe client properties are required: <br/> `ZEEBE_CLIENT_ID=[client-id]`<br/>`ZEEBE_CLIENT_SECRET=[client-secret]`<br/>`ZEEBE_AUTHORIZATION_SERVER_URL=[provider-issuer]`<br/>`ZEEBE_TOKEN_AUDIENCE=[Zeebe audience]`<br/>`ZEEBE_TOKEN_SCOPE=[Zeebe scope]` (optional)<br/><br/> For inbound mode, Operate client properties are required:<br/>`CAMUNDA_IDENTITY_TYPE=[provider-type]`<br/>`CAMUNDA_IDENTITY_AUDIENCE=[Operate audience]`<br/>`CAMUNDA_IDENTITY_CLIENT_ID=[client-id]`<br/>`CAMUNDA_IDENTITY_CLIENT_SECRET=[client-secret]`<br/>`CAMUNDA_IDENTITY_ISSUER_BACKEND_URL=[provider-issuer]` |
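Review bot: `ZEEBE_AUTHORIZATION_SERVER_URL=[provider-issuer]` in the added row is inconsistent with the two `docker run` examples in this commit, which set it to the token endpoint (`.../protocol/openid-connect/token`), not the issuer; use a `[provider-token-endpoint]` placeholder and reserve `[provider-issuer]` for `CAMUNDA_IDENTITY_ISSUER_BACKEND_URL`. The inbound-mode sentence should say the `CAMUNDA_IDENTITY_*` properties are required in addition to the Zeebe client properties, not in place of them, and the empty redirect URI cell should read `no redirect URI` as the Zeebe row does.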
22 changes: 13 additions & 9 deletions versioned_docs/version-8.4/guides/host-custom-connector.md
@@ -78,12 +78,14 @@ docker run --rm --name=CustomConnectorInSMWithKeyCloak \
-e ZEEBE_CLIENT_SECURITY_PLAINTEXT=true \
-e ZEEBE_CLIENT_ID=<YOUR_ZEEBE_CLIENT_ID> \
-e ZEEBE_CLIENT_SECRET=<YOUR_ZEEBE_CLIENT_SECRET> \
-e ZEEBE_CLIENT_CONFIG_PATH=/tmp/zeebe_auth_cache \
-e ZEEBE_TOKEN_AUDIENCE=zeebe-api \
-e ZEEBE_AUTHORIZATION_SERVER_URL=http://keycloak:8080/auth/realms/camunda-platform/protocol/openid-connect/token \
-e CAMUNDA_OPERATE_CLIENT_KEYCLOAK-URL=http://keycloak:8080 \
-e CAMUNDA_OPERATE_CLIENT_CLIENT-ID=connectors \
-e CAMUNDA_OPERATE_CLIENT_CLIENT-SECRET=<YOUR_OPERATE_CLIENT_SECRET> \
-e CAMUNDA_OPERATE_CLIENT_KEYCLOAK-REALM=<YOUR_KEYCLOAK_OPERATE_REALM> \
-e CAMUNDA_IDENTITY_TYPE=KEYCLOAK \
-e CAMUNDA_IDENTITY_AUDIENCE=operate-api \
-e CAMUNDA_IDENTITY_ISSUER_BACKEND_URL=http://keycloak:8080/auth/realms/camunda-platform \
-e CAMUNDA_IDENTITY_CLIENT_ID=connectors \
-e CAMUNDA_IDENTITY_CLIENT_SECRET=<YOUR_OPERATE_SECRET> \
-e CAMUNDA_OPERATE_CLIENT_URL=http://operate:8080 \
camunda/connectors-bundle:<desired-version>
```
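Review bot: this is the change from `docs/guides/host-custom-connector.md` applied to the 8.4 versioned docs, so the same two points apply here: the `<YOUR_OPERATE_SECRET>` placeholder should stay `<YOUR_OPERATE_CLIENT_SECRET>`, and the realm that was configurable through the removed `CAMUNDA_OPERATE_CLIENT_KEYCLOAK-REALM` is now hardcoded inside `CAMUNDA_IDENTITY_ISSUER_BACKEND_URL`. Please also confirm in the commit message that OIDC support for Connectors ships in an 8.4 patch release, since versioned docs should only describe what that version supports.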
@@ -102,7 +104,7 @@ For the purpose of this section, imagine you installed Helm charts with `helm in
and forwarded Zeebe, Operate, and Keycloak ports:

- `kubectl port-forward svc/dev-zeebe-gateway 26500:26500`
- `kubectl port-forward svc/dev-operate 8081:80`
- `kubectl port-forward svc/dev-operate 8081:80`
- `kubectl port-forward svc/dev-keycloak 18080:80`

Now, you need to obtain both Zeebe and Connectors' Operate OAuth clients. You can do it with `kubectl get secret dev-zeebe-identity-secret -o jsonpath="{.data.*}" | base64 --decode`
@@ -117,12 +119,14 @@ docker run --rm --name=CustomConnectorInSMWithHelm \
-e ZEEBE_CLIENT_SECURITY_PLAINTEXT=true \
-e ZEEBE_CLIENT_ID=zeebe \
-e ZEEBE_CLIENT_SECRET=<YOUR_ZEEBE_CLIENT_SECRET> \
-e ZEEBE_CLIENT_CONFIG_PATH=/tmp/zeebe_auth_cache \
-e ZEEBE_TOKEN_AUDIENCE=zeebe-api \
-e ZEEBE_AUTHORIZATION_SERVER_URL=http://host.docker.internal:18080/auth/realms/camunda-platform/protocol/openid-connect/token \
-e CAMUNDA_OPERATE_CLIENT_KEYCLOAK-URL=http://host.docker.internal:18080 \
-e CAMUNDA_OPERATE_CLIENT_CLIENT-ID=connectors \
-e CAMUNDA_OPERATE_CLIENT_CLIENT-SECRET=<YOUR_OPERATE_CLIENT_SECRET> \
-e CAMUNDA_OPERATE_CLIENT_KEYCLOAK-REALM=camunda-platform \
-e CAMUNDA_IDENTITY_TYPE=KEYCLOAK \
-e CAMUNDA_IDENTITY_AUDIENCE=operate-api \
-e CAMUNDA_IDENTITY_ISSUER_BACKEND_URL=http://host.docker.internal:18080/auth/realms/camunda-platform \
-e CAMUNDA_IDENTITY_CLIENT_ID=connectors \
-e CAMUNDA_IDENTITY_CLIENT_SECRET=<YOUR_OPERATE_CLIENT_SECRET> \
-e CAMUNDA_OPERATE_CLIENT_URL=http://host.docker.internal:8081 \
camunda/connectors-bundle:<desired-version>
```
@@ -65,11 +65,15 @@ CAMUNDA_OPERATE_CLIENT_USERNAME=demo
CAMUNDA_OPERATE_CLIENT_PASSWORD=demo
```

When running against a self-managed environment you might also need to configure the Keycloak endpoint to not use Operate username/password authentication:
When running against a self-managed environment you might also need to configure Identity properties instead of username and password:

```bash
CAMUNDA_OPERATE_CLIENT_KEYCLOAK-URL=http://localhost:18080
CAMUNDA_OPERATE_CLIENT_KEYCLOAK-REALM=camunda-platform
CAMUNDA_OPERATE_CLIENT_URL=http://localhost:8081
CAMUNDA_IDENTITY_TYPE=KEYCLOAK
CAMUNDA_IDENTITY_AUDIENCE=operate-api
CAMUNDA_IDENTITY_ISSUER_BACKEND_URL=http://localhost:18080/auth/realms/camunda-platform
CAMUNDA_IDENTITY_CLIENT_ID=connectors
CAMUNDA_IDENTITY_CLIENT_SECRET=<YOUR_OPERATE_CLIENT_SECRET>
```

</TabItem>
@@ -99,12 +99,6 @@ global:

For authentication, the Camunda components use the scopes `email`, `openid`, `offline_access`, and `profile`.

:::note
The Connectors do not yet support authentication with a generic OIDC provider.

When using OIDC, set `connectors.inbound.mode: disabled` [in your Connectors Helm values](https://artifacthub.io/packages/helm/camunda/camunda-platform#connectors-parameters).
:::

</TabItem>
<TabItem value="microsoftEntraId">

@@ -176,6 +170,9 @@ global:
clientApiAudience: <Client ID from step 1>
publicApiAudience: <Audience for using Web Modeler's API. For security reasons, use a different value than for clientApiAudience>
redirectUrl: <See table below>
connectors:
clientId: <Client ID from step 2>
existingSecret: <Client secret from step 3>
```
</TabItem>
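Review bot: as in the unversioned copy, `<Client ID from step 2>` and `<Client secret from step 3>` need matching numbered steps in the 8.4 version of this tab; versioned pages drift from the current docs over time, so check this file's own step list rather than assuming it matches the one in `docs/`.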
@@ -200,10 +197,6 @@ It's also important to follow the [steps described here](https://learn.microsoft
"accessTokenAcceptedVersion": 2,
```

:::note
Connectors do not yet support authentication with Microsoft Entra ID as the OIDC provider. When using OIDC, set `connectors.inbound.mode: disabled` [in your Connectors Helm values](https://artifacthub.io/packages/helm/camunda/camunda-platform#connectors-parameters).
:::

</TabItem>
</Tabs>

@@ -216,3 +209,4 @@ Connectors do not yet support authentication with Microsoft Entra ID as the OIDC
| Tasklist | https://<TASKLIST_URL>/identity-callback | |
| Web Modeler | https://<WEB_MODELER_URL>/login-callback | Using a different OIDC provider than Keycloak currently disables all checks of the permissions claim both for using Web Modeler via the UI and via the public API.<br/><br/> Required configuration variables for webapp:<br/>`OAUTH2_CLIENT_ID=[client-id]`<br/>`OAUTH2_JWKS_URL=[provider-jwks-url]`<br/>`OAUTH2_TOKEN_AUDIENCE=[client-audience]`<br/>`OAUTH2_TOKEN_ISSUER=[provider-issuer]`<br/>`OAUTH2_TYPE=[provider-type]`<br/><br/> Required configuration variables for restapi:<br/>`CAMUNDA_IDENTITY_BASEURL=[identity-base-url]`<br/>`CAMUNDA_IDENTITY_TYPE=[provider-type]`<br/>`CAMUNDA_MODELER_SECURITY_JWT_AUDIENCE_INTERNAL_API=[client-audience]`<br/>`CAMUNDA_MODELER_SECURITY_JWT_AUDIENCE_PUBLIC_API=[publicapi-audience]` (for security reasons, <strong>use a different value here than for `CAMUNDA_MODELER_SECURITY_JWT_AUDIENCE_INTERNAL_API`</strong>)<br/>`SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUER_URI=[provider-issuer]` |
| Zeebe | no redirect URI | Instead, include `tokenScope:"<Azure-AppRegistration-ClientID> /.default "` |
| Connectors | | Connectors act as a client in the OIDC flow. <br/><br/> For outbound-only mode (when `CAMUNDA_CONNECTOR_POLLING_ENABLED` is `false`), only Zeebe client properties are required: <br/> `ZEEBE_CLIENT_ID=[client-id]`<br/>`ZEEBE_CLIENT_SECRET=[client-secret]`<br/>`ZEEBE_AUTHORIZATION_SERVER_URL=[provider-issuer]`<br/>`ZEEBE_TOKEN_AUDIENCE=[Zeebe audience]`<br/>`ZEEBE_TOKEN_SCOPE=[Zeebe scope]` (optional)<br/><br/> For inbound mode, Operate client properties are required:<br/>`CAMUNDA_IDENTITY_TYPE=[provider-type]`<br/>`CAMUNDA_IDENTITY_AUDIENCE=[Operate audience]`<br/>`CAMUNDA_IDENTITY_CLIENT_ID=[client-id]`<br/>`CAMUNDA_IDENTITY_CLIENT_SECRET=[client-secret]`<br/>`CAMUNDA_IDENTITY_ISSUER_BACKEND_URL=[provider-issuer]` |
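Review bot: same issue as the corresponding row in the unversioned docs: `ZEEBE_AUTHORIZATION_SERVER_URL=[provider-issuer]` should be the token endpoint, as the 8.4 `docker run` examples in this commit show, and the redirect URI cell is empty where the Zeebe row says `no redirect URI`.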