feat(connectors): OIDC support

Author: chillleader

docs/guides/host-custom-connector.md

@@ -78,12 +78,14 @@ docker run --rm --name=CustomConnectorInSMWithKeyCloak \
     -e ZEEBE_CLIENT_SECURITY_PLAINTEXT=true \
     -e ZEEBE_CLIENT_ID=<YOUR_ZEEBE_CLIENT_ID> \
     -e ZEEBE_CLIENT_SECRET=<YOUR_ZEEBE_CLIENT_SECRET> \
+    -e ZEEBE_CLIENT_CONFIG_PATH=/tmp/zeebe_auth_cache \
     -e ZEEBE_TOKEN_AUDIENCE=zeebe-api \
     -e ZEEBE_AUTHORIZATION_SERVER_URL=http://keycloak:8080/auth/realms/camunda-platform/protocol/openid-connect/token \
-    -e CAMUNDA_OPERATE_CLIENT_KEYCLOAK-URL=http://keycloak:8080 \
-    -e CAMUNDA_OPERATE_CLIENT_CLIENT-ID=connectors \
-    -e CAMUNDA_OPERATE_CLIENT_CLIENT-SECRET=<YOUR_OPERATE_CLIENT_SECRET> \
-    -e CAMUNDA_OPERATE_CLIENT_KEYCLOAK-REALM=<YOUR_KEYCLOAK_OPERATE_REALM> \
+    -e CAMUNDA_IDENTITY_TYPE=KEYCLOAK \
+    -e CAMUNDA_IDENTITY_AUDIENCE=operate-api \
+    -e CAMUNDA_IDENTITY_ISSUER_BACKEND_URL=http://keycloak:8080/auth/realms/camunda-platform \
+    -e CAMUNDA_IDENTITY_CLIENT_ID=connectors \
+    -e CAMUNDA_IDENTITY_CLIENT_SECRET=<YOUR_OPERATE_SECRET> \
     -e CAMUNDA_OPERATE_CLIENT_URL=http://operate:8080 \
         camunda/connectors-bundle:<desired-version>
 ```
@@ -102,7 +104,7 @@ For the purpose of this section, imagine you installed Helm charts with `helm in
 and forwarded Zeebe, Operate, and Keycloak ports:
 
 - `kubectl port-forward svc/dev-zeebe-gateway 26500:26500`
-- `kubectl port-forward svc/dev-operate  8081:80`
+- `kubectl port-forward svc/dev-operate 8081:80`
 - `kubectl port-forward svc/dev-keycloak 18080:80`
 
 Now, you need to obtain both Zeebe and Connectors' Operate OAuth clients. You can do it with `kubectl get secret dev-zeebe-identity-secret -o jsonpath="{.data.*}" | base64 --decode`
@@ -117,12 +119,14 @@ docker run --rm --name=CustomConnectorInSMWithHelm \
     -e ZEEBE_CLIENT_SECURITY_PLAINTEXT=true \
     -e ZEEBE_CLIENT_ID=zeebe \
     -e ZEEBE_CLIENT_SECRET=<YOUR_ZEEBE_CLIENT_SECRET> \
+    -e ZEEBE_CLIENT_CONFIG_PATH=/tmp/zeebe_auth_cache \
     -e ZEEBE_TOKEN_AUDIENCE=zeebe-api \
     -e ZEEBE_AUTHORIZATION_SERVER_URL=http://host.docker.internal:18080/auth/realms/camunda-platform/protocol/openid-connect/token \
-    -e CAMUNDA_OPERATE_CLIENT_KEYCLOAK-URL=http://host.docker.internal:18080 \
-    -e CAMUNDA_OPERATE_CLIENT_CLIENT-ID=connectors \
-    -e CAMUNDA_OPERATE_CLIENT_CLIENT-SECRET=<YOUR_OPERATE_CLIENT_SECRET> \
-    -e CAMUNDA_OPERATE_CLIENT_KEYCLOAK-REALM=camunda-platform \
+    -e CAMUNDA_IDENTITY_TYPE=KEYCLOAK \
+    -e CAMUNDA_IDENTITY_AUDIENCE=operate-api \
+    -e CAMUNDA_IDENTITY_ISSUER_BACKEND_URL=http://host.docker.internal:18080/auth/realms/camunda-platform \
+    -e CAMUNDA_IDENTITY_CLIENT_ID=connectors \
+    -e CAMUNDA_IDENTITY_CLIENT_SECRET=<YOUR_OPERATE_CLIENT_SECRET> \
     -e CAMUNDA_OPERATE_CLIENT_URL=http://host.docker.internal:8081 \
         camunda/connectors-bundle:<desired-version>
 ```

docs/self-managed/connectors-deployment/connectors-configuration.md

@@ -65,11 +65,15 @@ CAMUNDA_OPERATE_CLIENT_USERNAME=demo
 CAMUNDA_OPERATE_CLIENT_PASSWORD=demo
 ```
 
-When running against a self-managed environment you might also need to configure the Keycloak endpoint to not use Operate username/password authentication:
+When running against a self-managed environment you might also need to configure Identity properties instead of username and password:
 
 ```bash
-CAMUNDA_OPERATE_CLIENT_KEYCLOAK-URL=http://localhost:18080
-CAMUNDA_OPERATE_CLIENT_KEYCLOAK-REALM=camunda-platform
+CAMUNDA_OPERATE_CLIENT_URL=http://localhost:8081
+CAMUNDA_IDENTITY_TYPE=KEYCLOAK
+CAMUNDA_IDENTITY_AUDIENCE=operate-api
+CAMUNDA_IDENTITY_ISSUER_BACKEND_URL=http://localhost:18080/auth/realms/camunda-platform
+CAMUNDA_IDENTITY_CLIENT_ID=connectors
+CAMUNDA_IDENTITY_CLIENT_SECRET=<YOUR_OPERATE_CLIENT_SECRET>
 ```
 
 </TabItem>

docs/self-managed/platform-deployment/helm-kubernetes/guides/connect-to-an-oidc-provider.md

@@ -99,12 +99,6 @@ global:
 
 For authentication, the Camunda components use the scopes `email`, `openid`, `offline_access`, and `profile`.
 
-:::note
-The Connectors do not yet support authentication with a generic OIDC provider.
-
-When using OIDC, set `connectors.inbound.mode: disabled` [in your Connectors Helm values](https://artifacthub.io/packages/helm/camunda/camunda-platform#connectors-parameters).
-:::
-
 </TabItem>
 <TabItem value="microsoftEntraId">
 
@@ -169,6 +163,9 @@ global:
         clientId: <Client ID from step 1>
         clientApiAudience: <Audience for your application>
         publicApiAudience: <Audience for using Web Modeler's API. For security reasons, use a different value than for clientApiAudience>
+      connectors:
+        clientId: <Client ID from step 2>
+        existingSecret: <Client secret from step 3>
 ```
 
 </TabItem>
@@ -187,10 +184,6 @@ process.
 To successfully authenticate wth Entra ID, you should use the `v2.0` API. This means that
 the `CAMUNDA_IDENTITY_ISSUER_BACKEND_URL` value should end with `/v2.0`.
 
-:::note
-Connectors do not yet support authentication with Microsoft Entra ID as the OIDC provider. When using OIDC, set `connectors.inbound.mode: disabled` [in your Connectors Helm values](https://artifacthub.io/packages/helm/camunda/camunda-platform#connectors-parameters).
-:::
-
 </TabItem>
 </Tabs>
 
@@ -202,3 +195,4 @@ Connectors do not yet support authentication with Microsoft Entra ID as the OIDC
 | Optimize    | https://<OPTIMIZE_URL>/api/authentication/callback | There is a fallback if you use the existing ENV vars to configure your authentication provider, if you use a custom `yaml`, you need to update your properties to match the new values in this guide.<br/><br/>When using an OIDC provider, the following features are not currently available: User permissions tab in collections, digests, `Alerts` tab in collections.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
 | Tasklist    | https://<TASKLIST_URL>/identity-callback           |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
 | Web Modeler | https://<WEB_MODELER_URL>/login-callback           | Using a different OIDC provider than Keycloak currently disables all checks of the permissions claim both for using Web Modeler via the UI and via the public API.<br/><br/> Required configuration variables for webapp:<br/>`OAUTH2_CLIENT_ID=[client-id]`<br/>`OAUTH2_JWKS_URL=[provider-jwks-url]`<br/>`OAUTH2_TOKEN_AUDIENCE=[client-audience]`<br/>`OAUTH2_TOKEN_ISSUER=[provider-issuer]`<br/>`OAUTH2_TYPE=[provider-type]`<br/><br/> Required configuration variables for restapi:<br/>`CAMUNDA_IDENTITY_BASEURL=[identity-base-url]`<br/>`CAMUNDA_IDENTITY_TYPE=[provider-type]`<br/>`CAMUNDA_MODELER_SECURITY_JWT_AUDIENCE_INTERNAL_API=[client-audience]`<br/>`CAMUNDA_MODELER_SECURITY_JWT_AUDIENCE_PUBLIC_API=[publicapi-audience]` (for security reasons, <strong>use a different value here than for `CAMUNDA_MODELER_SECURITY_JWT_AUDIENCE_INTERNAL_API`</strong>)<br/>`SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUER_URI=[provider-issuer]` |
+| Connectors  |                                                    | Connectors act as a client in the OIDC flow. <br/><br/> For outbound-only mode (when `CAMUNDA_CONNECTOR_POLLING_ENABLED` is `false`), only Zeebe client properties are required: <br/> `ZEEBE_CLIENT_ID=[client-id]`<br/>`ZEEBE_CLIENT_SECRET=[client-secret]`<br/>`ZEEBE_AUTHORIZATION_SERVER_URL=[provider-issuer]`<br/>`ZEEBE_TOKEN_AUDIENCE=[Zeebe audience]`<br/>`ZEEBE_TOKEN_SCOPE=[Zeebe scope]` (optional)<br/><br/> For inbound mode, Operate client properties are required:<br/>`CAMUNDA_IDENTITY_TYPE=[provider-type]`<br/>`CAMUNDA_IDENTITY_AUDIENCE=[Operate audience]`<br/>`CAMUNDA_IDENTITY_CLIENT_ID=[client-id]`<br/>`CAMUNDA_IDENTITY_CLIENT_SECRET=[client-secret]`<br/>`CAMUNDA_IDENTITY_ISSUER_BACKEND_URL=[provider-issuer]`                                                                                                                                                                                                             |

versioned_docs/version-8.4/guides/host-custom-connector.md

@@ -78,12 +78,14 @@ docker run --rm --name=CustomConnectorInSMWithKeyCloak \
     -e ZEEBE_CLIENT_SECURITY_PLAINTEXT=true \
     -e ZEEBE_CLIENT_ID=<YOUR_ZEEBE_CLIENT_ID> \
     -e ZEEBE_CLIENT_SECRET=<YOUR_ZEEBE_CLIENT_SECRET> \
+    -e ZEEBE_CLIENT_CONFIG_PATH=/tmp/zeebe_auth_cache \
     -e ZEEBE_TOKEN_AUDIENCE=zeebe-api \
     -e ZEEBE_AUTHORIZATION_SERVER_URL=http://keycloak:8080/auth/realms/camunda-platform/protocol/openid-connect/token \
-    -e CAMUNDA_OPERATE_CLIENT_KEYCLOAK-URL=http://keycloak:8080 \
-    -e CAMUNDA_OPERATE_CLIENT_CLIENT-ID=connectors \
-    -e CAMUNDA_OPERATE_CLIENT_CLIENT-SECRET=<YOUR_OPERATE_CLIENT_SECRET> \
-    -e CAMUNDA_OPERATE_CLIENT_KEYCLOAK-REALM=<YOUR_KEYCLOAK_OPERATE_REALM> \
+    -e CAMUNDA_IDENTITY_TYPE=KEYCLOAK \
+    -e CAMUNDA_IDENTITY_AUDIENCE=operate-api \
+    -e CAMUNDA_IDENTITY_ISSUER_BACKEND_URL=http://keycloak:8080/auth/realms/camunda-platform \
+    -e CAMUNDA_IDENTITY_CLIENT_ID=connectors \
+    -e CAMUNDA_IDENTITY_CLIENT_SECRET=<YOUR_OPERATE_SECRET> \
     -e CAMUNDA_OPERATE_CLIENT_URL=http://operate:8080 \
         camunda/connectors-bundle:<desired-version>
 ```
@@ -102,7 +104,7 @@ For the purpose of this section, imagine you installed Helm charts with `helm in
 and forwarded Zeebe, Operate, and Keycloak ports:
 
 - `kubectl port-forward svc/dev-zeebe-gateway 26500:26500`
-- `kubectl port-forward svc/dev-operate  8081:80`
+- `kubectl port-forward svc/dev-operate 8081:80`
 - `kubectl port-forward svc/dev-keycloak 18080:80`
 
 Now, you need to obtain both Zeebe and Connectors' Operate OAuth clients. You can do it with `kubectl get secret dev-zeebe-identity-secret -o jsonpath="{.data.*}" | base64 --decode`
@@ -117,12 +119,14 @@ docker run --rm --name=CustomConnectorInSMWithHelm \
     -e ZEEBE_CLIENT_SECURITY_PLAINTEXT=true \
     -e ZEEBE_CLIENT_ID=zeebe \
     -e ZEEBE_CLIENT_SECRET=<YOUR_ZEEBE_CLIENT_SECRET> \
+    -e ZEEBE_CLIENT_CONFIG_PATH=/tmp/zeebe_auth_cache \
     -e ZEEBE_TOKEN_AUDIENCE=zeebe-api \
     -e ZEEBE_AUTHORIZATION_SERVER_URL=http://host.docker.internal:18080/auth/realms/camunda-platform/protocol/openid-connect/token \
-    -e CAMUNDA_OPERATE_CLIENT_KEYCLOAK-URL=http://host.docker.internal:18080 \
-    -e CAMUNDA_OPERATE_CLIENT_CLIENT-ID=connectors \
-    -e CAMUNDA_OPERATE_CLIENT_CLIENT-SECRET=<YOUR_OPERATE_CLIENT_SECRET> \
-    -e CAMUNDA_OPERATE_CLIENT_KEYCLOAK-REALM=camunda-platform \
+    -e CAMUNDA_IDENTITY_TYPE=KEYCLOAK \
+    -e CAMUNDA_IDENTITY_AUDIENCE=operate-api \
+    -e CAMUNDA_IDENTITY_ISSUER_BACKEND_URL=http://host.docker.internal:18080/auth/realms/camunda-platform \
+    -e CAMUNDA_IDENTITY_CLIENT_ID=connectors \
+    -e CAMUNDA_IDENTITY_CLIENT_SECRET=<YOUR_OPERATE_CLIENT_SECRET> \
     -e CAMUNDA_OPERATE_CLIENT_URL=http://host.docker.internal:8081 \
         camunda/connectors-bundle:<desired-version>
 ```

versioned_docs/version-8.4/self-managed/connectors-deployment/connectors-configuration.md

@@ -65,11 +65,15 @@ CAMUNDA_OPERATE_CLIENT_USERNAME=demo
 CAMUNDA_OPERATE_CLIENT_PASSWORD=demo
 ```
 
-When running against a self-managed environment you might also need to configure the Keycloak endpoint to not use Operate username/password authentication:
+When running against a self-managed environment you might also need to configure Identity properties instead of username and password:
 
 ```bash
-CAMUNDA_OPERATE_CLIENT_KEYCLOAK-URL=http://localhost:18080
-CAMUNDA_OPERATE_CLIENT_KEYCLOAK-REALM=camunda-platform
+CAMUNDA_OPERATE_CLIENT_URL=http://localhost:8081
+CAMUNDA_IDENTITY_TYPE=KEYCLOAK
+CAMUNDA_IDENTITY_AUDIENCE=operate-api
+CAMUNDA_IDENTITY_ISSUER_BACKEND_URL=http://localhost:18080/auth/realms/camunda-platform
+CAMUNDA_IDENTITY_CLIENT_ID=connectors
+CAMUNDA_IDENTITY_CLIENT_SECRET=<YOUR_OPERATE_CLIENT_SECRET>
 ```
 
 </TabItem>

versioned_docs/version-8.4/self-managed/platform-deployment/helm-kubernetes/guides/connect-to-an-oidc-provider.md

@@ -99,12 +99,6 @@ global:
 
 For authentication, the Camunda components use the scopes `email`, `openid`, `offline_access`, and `profile`.
 
-:::note
-The Connectors do not yet support authentication with a generic OIDC provider.
-
-When using OIDC, set `connectors.inbound.mode: disabled` [in your Connectors Helm values](https://artifacthub.io/packages/helm/camunda/camunda-platform#connectors-parameters).
-:::
-
 </TabItem>
 <TabItem value="microsoftEntraId">
 
@@ -169,6 +163,9 @@ global:
         clientId: <Client ID from step 1>
         clientApiAudience: <Audience for your application>
         publicApiAudience: <Audience for using Web Modeler's API. For security reasons, use a different value than for clientApiAudience>
+      connectors:
+        clientId: <Client ID from step 2>
+        existingSecret: <Client secret from step 3>
 ```
 
 </TabItem>
@@ -187,10 +184,6 @@ process.
 To successfully authenticate wth Entra ID, you should use the `v2.0` API. This means that
 the `CAMUNDA_IDENTITY_ISSUER_BACKEND_URL` value should end with `/v2.0`.
 
-:::note
-Connectors do not yet support authentication with Microsoft Entra ID as the OIDC provider. When using OIDC, set `connectors.inbound.mode: disabled` [in your Connectors Helm values](https://artifacthub.io/packages/helm/camunda/camunda-platform#connectors-parameters).
-:::
-
 </TabItem>
 </Tabs>
 
@@ -202,3 +195,4 @@ Connectors do not yet support authentication with Microsoft Entra ID as the OIDC
 | Optimize    | https://<OPTIMIZE_URL>/api/authentication/callback | There is a fallback if you use the existing ENV vars to configure your authentication provider, if you use a custom `yaml`, you need to update your properties to match the new values in this guide.<br/><br/>When using an OIDC provider, the following features are not currently available: User permissions tab in collections, digests, `Alerts` tab in collections.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
 | Tasklist    | https://<TASKLIST_URL>/identity-callback           |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
 | Web Modeler | https://<WEB_MODELER_URL>/login-callback           | Using a different OIDC provider than Keycloak currently disables all checks of the permissions claim both for using Web Modeler via the UI and via the public API.<br/><br/> Required configuration variables for webapp:<br/>`OAUTH2_CLIENT_ID=[client-id]`<br/>`OAUTH2_JWKS_URL=[provider-jwks-url]`<br/>`OAUTH2_TOKEN_AUDIENCE=[client-audience]`<br/>`OAUTH2_TOKEN_ISSUER=[provider-issuer]`<br/>`OAUTH2_TYPE=[provider-type]`<br/><br/> Required configuration variables for restapi:<br/>`CAMUNDA_IDENTITY_BASEURL=[identity-base-url]`<br/>`CAMUNDA_IDENTITY_TYPE=[provider-type]`<br/>`CAMUNDA_MODELER_SECURITY_JWT_AUDIENCE_INTERNAL_API=[client-audience]`<br/>`CAMUNDA_MODELER_SECURITY_JWT_AUDIENCE_PUBLIC_API=[publicapi-audience]` (for security reasons, <strong>use a different value here than for `CAMUNDA_MODELER_SECURITY_JWT_AUDIENCE_INTERNAL_API`</strong>)<br/>`SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUER_URI=[provider-issuer]` |
+| Connectors  |                                                    | Connectors act as a client in the OIDC flow. <br/><br/> For outbound-only mode (when `CAMUNDA_CONNECTOR_POLLING_ENABLED` is `false`), only Zeebe client properties are required: <br/> `ZEEBE_CLIENT_ID=[client-id]`<br/>`ZEEBE_CLIENT_SECRET=[client-secret]`<br/>`ZEEBE_AUTHORIZATION_SERVER_URL=[provider-issuer]`<br/>`ZEEBE_TOKEN_AUDIENCE=[Zeebe audience]`<br/>`ZEEBE_TOKEN_SCOPE=[Zeebe scope]` (optional)<br/><br/> For inbound mode, Operate client properties are required:<br/>`CAMUNDA_IDENTITY_TYPE=[provider-type]`<br/>`CAMUNDA_IDENTITY_AUDIENCE=[Operate audience]`<br/>`CAMUNDA_IDENTITY_CLIENT_ID=[client-id]`<br/>`CAMUNDA_IDENTITY_CLIENT_SECRET=[client-secret]`<br/>`CAMUNDA_IDENTITY_ISSUER_BACKEND_URL=[provider-issuer]`                                                                                                                                                                                                             |