docs(web-modeler): backport changes to previous versions

Author: wollefitz

docs/self-managed/modeler/web-modeler/troubleshooting/troubleshoot-login.md

@@ -1,20 +1,16 @@
 ---
 id: troubleshoot-login
-title: "Troubleshooting log in issues"
-sidebar_label: "Log in issues"
+title: "Troubleshooting login issues"
+sidebar_label: "Login issues"
 ---
 
 :::note
-Web Modeler Self-Managed is available to [Enterprise customers](../../../../reference/licenses.md#web-modeler) only.
+Web Modeler Self-Managed is available to [enterprise customers](../../../../reference/licenses.md#web-modeler) only.
 :::
 
-## Problem
-
 Logging in to Web Modeler doesn't work as expected and shows an error or a blank page when accessing the application.
 
-## Solution
-
-To resolve this issue, check the [log output](docs/self-managed/modeler/web-modeler/configuration/logging.md) of the `modeler-restapi` and `modeler-webapp` services for errors and warnings.
+To further debug this issue, check the [log output](docs/self-managed/modeler/web-modeler/configuration/logging.md) of the `modeler-restapi` and `modeler-webapp` services for errors and warnings.
 
 ## Unique constraint violation
 
@@ -41,22 +37,22 @@ As a workaround, you can manually update the user ID in the Web Modeler database
     WHERE realm_id = 'camunda-platform' AND email IS NOT NULL;
    ```
 2. Create a new table in the **Web Modeler database**:
-3. ```sql
+   ```sql
    CREATE TABLE keycloak_users (
        id    varchar(255),
        email varchar(255)
    );
    ```
-4. Import the CSV file from **Step 1** into the new `keycloak_users` table.
-5. Update the user IDs by running the following query in the **Web Modeler database**:
+3. Import the CSV file from **Step 1** into the new `keycloak_users` table.
+4. Update the user IDs by running the following query in the **Web Modeler database**:
    ```sql
    UPDATE users u
    SET iam_id = k.id
    FROM keycloak_users k
    WHERE k.email = u.email;
    ```
-6. Verify that the login is working again.
-7. Delete the `keycloak_users` table:
+5. Verify that the login is working again.
+6. Delete the `keycloak_users` table:
    ```sql
    DROP TABLE keycloak_users;
    ```

docs/self-managed/operational-guides/backup-restore/modeler-backup-and-restore.md

@@ -37,7 +37,7 @@ After the database has been restored, you can start Web Modeler again.
 
 :::warning
 When restoring Web Modeler data from a backup, ensure that the ids of the users stored in your OIDC provider (e.g. Keycloak) do not change in between the backup and restore.
-Otherwise, users may not be able to log in after the restore (see [Web Modeler's log in troubleshooting guide](docs/self-managed/modeler/web-modeler/troubleshooting/troubleshoot-login.md#unique-constraint-violation)).
+Otherwise, users may not be able to log in after the restore (see [Web Modeler's login troubleshooting guide](docs/self-managed/modeler/web-modeler/troubleshooting/troubleshoot-login.md#unique-constraint-violation)).
 :::
 
 :::tip

docs/self-managed/operational-guides/update-guide/keycloak/keycloak-update.md

@@ -9,5 +9,5 @@ When updating Keycloak, follow the [Keycloak upgrade guide](https://www.keycloak
 :::danger
 When updating Keycloak, ensure that you carry along its existing database.
 **Do not** update by creating a new Keycloak instance and re-importing your users from external sources (e.g. LDAP) as this will result in new Keycloak-internal ids.
-Otherwise, users may not be able to access their data (e.g. Optimize collections) or log in to Web Modeler (see [Web Modeler's log in troubleshooting guide](docs/self-managed/modeler/web-modeler/troubleshooting/troubleshoot-login.md#unique-constraint-violation)) after the update as their Keycloak-internal ids may change.
+Otherwise, users may not be able to access their data (e.g. Optimize collections) or log in to Web Modeler (see [Web Modeler's login troubleshooting guide](self-managed/modeler/web-modeler/troubleshooting/troubleshoot-login.md#unique-constraint-violation)) after the update.
 :::

optimize_sidebars.js

@@ -1946,6 +1946,12 @@ module.exports = {
                   "self-managed/operational-guides/update-guide/elasticsearch/7-to-8/"
                 ),
               ],
+              Keycloak: [
+                docsLink(
+                  "Update Keycloak",
+                  "self-managed/operational-guides/update-guide/keycloak/keycloak-update"
+                ),
+              ],
             },
           ],
         },
@@ -2460,6 +2466,10 @@ module.exports = {
                   "Zeebe connection",
                   "self-managed/modeler/web-modeler/troubleshooting/troubleshoot-zeebe-connection/"
                 ),
+                docsLink(
+                  "Login issues",
+                  "self-managed/modeler/web-modeler/troubleshooting/troubleshoot-login/"
+                ),
               ],
             },
           ],

versioned_docs/version-8.2/guides/update-guide/keycloak/keycloak-update.md

@@ -0,0 +1,13 @@
+---
+id: keycloak-update
+title: Update Keycloak
+description: "Review what has to be taken into account when updating Keycloak."
+---
+
+When updating Keycloak, follow the [Keycloak upgrade guide](https://www.keycloak.org/docs/latest/upgrading/index.html) and refer to the [supported environments](reference/supported-environments.md#camunda-8-self-managed) to ensure compatibility with tested Keycloak versions.
+
+:::danger
+When updating Keycloak, ensure that you carry along its existing database.
+**Do not** update by creating a new Keycloak instance and re-importing your users from external sources (e.g. LDAP) as this will result in new Keycloak-internal ids.
+Otherwise, users may not be able to access their data (e.g. Optimize collections) or log in to Web Modeler (see [Web Modeler's login troubleshooting guide](self-managed/modeler/web-modeler/troubleshooting/troubleshoot-login.md#unique-constraint-violation)) after the update.
+:::

versioned_docs/version-8.2/self-managed/backup-restore/modeler-backup-and-restore.md

@@ -37,6 +37,7 @@ After the database has been restored, you can start Web Modeler again.
 
 :::warning
 When restoring Web Modeler data from a backup, ensure that the ids of the users stored in your OIDC provider (e.g. Keycloak) do not change in between the backup and restore.
+Otherwise, users may not be able to log in after the restore (see [Web Modeler's login troubleshooting guide](docs/self-managed/modeler/web-modeler/troubleshooting/troubleshoot-login.md#unique-constraint-violation)).
 :::
 
 :::tip

versioned_docs/version-8.2/self-managed/modeler/web-modeler/troubleshooting/troubleshoot-login.md

@@ -0,0 +1,58 @@
+---
+id: troubleshoot-login
+title: "Troubleshooting login issues"
+sidebar_label: "Login issues"
+---
+
+:::note
+Web Modeler Self-Managed is available to [enterprise customers](../../../../reference/licenses.md#web-modeler) only.
+:::
+
+Logging in to Web Modeler doesn't work as expected and shows an error or a blank page when accessing the application.
+
+To further debug this issue, check the [log output](docs/self-managed/modeler/web-modeler/configuration/logging.md) of the `modeler-restapi` and `modeler-webapp` services for errors and warnings.
+
+## Unique constraint violation
+
+When you try to log in to Web Modeler using Keycloak as an OIDC provider, you see an error message in the `modeler-restapi` logs similar to this:
+
+```
+org.postgresql.util.PSQLException: ERROR: duplicate key value violates unique constraint "users_email_key"
+    Detail: Key (email)=(***************) already exists.
+```
+
+### Ensure the Keycloak-managed user id didn't change
+
+Web Modeler uses the value of the `sub` (subject) claim in the JSON Web Token (JWT) issued by the configured OIDC provider (by default Keycloak) to identify users and correlate them with their data created in Web Modeler.
+It is important that this value doesn't change over time, for example when the user is deleted and re-created in Keycloak or re-imported from an external user directory, or when reinstalling/updating/switching Keycloak instances.
+
+If the `sub` claim value changes for an existing user, Web Modeler will try to create a new user record in its database for the user, which will lead to the error above when the user tries to log in.
+
+As a workaround, you can manually update the user ID in the Web Modeler database:
+
+1. Export the users from the **Keycloak database** to a CSV file. The following query can be used to select the relevant data:
+   ```sql
+    SELECT id, email
+    FROM user_entity
+    WHERE realm_id = 'camunda-platform' AND email IS NOT NULL;
+   ```
+2. Create a new table in the **Web Modeler database**:
+   ```sql
+   CREATE TABLE keycloak_users (
+       id    varchar(255),
+       email varchar(255)
+   );
+   ```
+3. Import the CSV file from **Step 1** into the new `keycloak_users` table.
+4. Update the user IDs by running the following query in the **Web Modeler database**:
+   ```sql
+   UPDATE users u
+   SET iam_id = k.id
+   FROM keycloak_users k
+   WHERE k.email = u.email;
+   ```
+5. Verify that the login is working again.
+6. Delete the `keycloak_users` table:
+   ```sql
+   DROP TABLE keycloak_users;
+   ```

versioned_docs/version-8.3/self-managed/modeler/web-modeler/troubleshooting/troubleshoot-login.md

@@ -0,0 +1,58 @@
+---
+id: troubleshoot-login
+title: "Troubleshooting login issues"
+sidebar_label: "Login issues"
+---
+
+:::note
+Web Modeler Self-Managed is available to [enterprise customers](../../../../reference/licenses.md#web-modeler) only.
+:::
+
+Logging in to Web Modeler doesn't work as expected and shows an error or a blank page when accessing the application.
+
+To further debug this issue, check the [log output](docs/self-managed/modeler/web-modeler/configuration/logging.md) of the `modeler-restapi` and `modeler-webapp` services for errors and warnings.
+
+## Unique constraint violation
+
+When you try to log in to Web Modeler using Keycloak as an OIDC provider, you see an error message in the `modeler-restapi` logs similar to this:
+
+```
+org.postgresql.util.PSQLException: ERROR: duplicate key value violates unique constraint "users_email_key"
+    Detail: Key (email)=(***************) already exists.
+```
+
+### Ensure the Keycloak-managed user id didn't change
+
+Web Modeler uses the value of the `sub` (subject) claim in the JSON Web Token (JWT) issued by the configured OIDC provider (by default Keycloak) to identify users and correlate them with their data created in Web Modeler.
+It is important that this value doesn't change over time, for example when the user is deleted and re-created in Keycloak or re-imported from an external user directory, or when reinstalling/updating/switching Keycloak instances.
+
+If the `sub` claim value changes for an existing user, Web Modeler will try to create a new user record in its database for the user, which will lead to the error above when the user tries to log in.
+
+As a workaround, you can manually update the user ID in the Web Modeler database:
+
+1. Export the users from the **Keycloak database** to a CSV file. The following query can be used to select the relevant data:
+   ```sql
+    SELECT id, email
+    FROM user_entity
+    WHERE realm_id = 'camunda-platform' AND email IS NOT NULL;
+   ```
+2. Create a new table in the **Web Modeler database**:
+   ```sql
+   CREATE TABLE keycloak_users (
+       id    varchar(255),
+       email varchar(255)
+   );
+   ```
+3. Import the CSV file from **Step 1** into the new `keycloak_users` table.
+4. Update the user IDs by running the following query in the **Web Modeler database**:
+   ```sql
+   UPDATE users u
+   SET iam_id = k.id
+   FROM keycloak_users k
+   WHERE k.email = u.email;
+   ```
+5. Verify that the login is working again.
+6. Delete the `keycloak_users` table:
+   ```sql
+   DROP TABLE keycloak_users;
+   ```

versioned_docs/version-8.3/self-managed/operational-guides/backup-restore/modeler-backup-and-restore.md

@@ -37,6 +37,7 @@ After the database has been restored, you can start Web Modeler again.
 
 :::warning
 When restoring Web Modeler data from a backup, ensure that the ids of the users stored in your OIDC provider (e.g. Keycloak) do not change in between the backup and restore.
+Otherwise, users may not be able to log in after the restore (see [Web Modeler's login troubleshooting guide](docs/self-managed/modeler/web-modeler/troubleshooting/troubleshoot-login.md#unique-constraint-violation)).
 :::
 
 :::tip

versioned_docs/version-8.3/self-managed/operational-guides/update-guide/keycloak/keycloak-update.md

@@ -0,0 +1,13 @@
+---
+id: keycloak-update
+title: Update Keycloak
+description: "Review what has to be taken into account when updating Keycloak."
+---
+
+When updating Keycloak, follow the [Keycloak upgrade guide](https://www.keycloak.org/docs/latest/upgrading/index.html) and refer to the [supported environments](reference/supported-environments.md#camunda-8-self-managed) to ensure compatibility with tested Keycloak versions.
+
+:::danger
+When updating Keycloak, ensure that you carry along its existing database.
+**Do not** update by creating a new Keycloak instance and re-importing your users from external sources (e.g. LDAP) as this will result in new Keycloak-internal ids.
+Otherwise, users may not be able to access their data (e.g. Optimize collections) or log in to Web Modeler (see [Web Modeler's login troubleshooting guide](self-managed/modeler/web-modeler/troubleshooting/troubleshoot-login.md#unique-constraint-violation)) after the update.
+:::

versioned_docs/version-8.4/self-managed/modeler/web-modeler/troubleshooting/troubleshoot-login.md

@@ -0,0 +1,58 @@
+---
+id: troubleshoot-login
+title: "Troubleshooting login issues"
+sidebar_label: "Login issues"
+---
+
+:::note
+Web Modeler Self-Managed is available to [enterprise customers](../../../../reference/licenses.md#web-modeler) only.
+:::
+
+Logging in to Web Modeler doesn't work as expected and shows an error or a blank page when accessing the application.
+
+To further debug this issue, check the [log output](docs/self-managed/modeler/web-modeler/configuration/logging.md) of the `modeler-restapi` and `modeler-webapp` services for errors and warnings.
+
+## Unique constraint violation
+
+When you try to log in to Web Modeler using Keycloak as an OIDC provider, you see an error message in the `modeler-restapi` logs similar to this:
+
+```
+org.postgresql.util.PSQLException: ERROR: duplicate key value violates unique constraint "users_email_key"
+    Detail: Key (email)=(***************) already exists.
+```
+
+### Ensure the Keycloak-managed user id didn't change
+
+Web Modeler uses the value of the `sub` (subject) claim in the JSON Web Token (JWT) issued by the configured OIDC provider (by default Keycloak) to identify users and correlate them with their data created in Web Modeler.
+It is important that this value doesn't change over time, for example when the user is deleted and re-created in Keycloak or re-imported from an external user directory, or when reinstalling/updating/switching Keycloak instances.
+
+If the `sub` claim value changes for an existing user, Web Modeler will try to create a new user record in its database for the user, which will lead to the error above when the user tries to log in.
+
+As a workaround, you can manually update the user ID in the Web Modeler database:
+
+1. Export the users from the **Keycloak database** to a CSV file. The following query can be used to select the relevant data:
+   ```sql
+    SELECT id, email
+    FROM user_entity
+    WHERE realm_id = 'camunda-platform' AND email IS NOT NULL;
+   ```
+2. Create a new table in the **Web Modeler database**:
+   ```sql
+   CREATE TABLE keycloak_users (
+       id    varchar(255),
+       email varchar(255)
+   );
+   ```
+3. Import the CSV file from **Step 1** into the new `keycloak_users` table.
+4. Update the user IDs by running the following query in the **Web Modeler database**:
+   ```sql
+   UPDATE users u
+   SET iam_id = k.id
+   FROM keycloak_users k
+   WHERE k.email = u.email;
+   ```
+5. Verify that the login is working again.
+6. Delete the `keycloak_users` table:
+   ```sql
+   DROP TABLE keycloak_users;
+   ```

versioned_docs/version-8.4/self-managed/operational-guides/backup-restore/modeler-backup-and-restore.md

@@ -37,6 +37,7 @@ After the database has been restored, you can start Web Modeler again.
 
 :::warning
 When restoring Web Modeler data from a backup, ensure that the ids of the users stored in your OIDC provider (e.g. Keycloak) do not change in between the backup and restore.
+Otherwise, users may not be able to log in after the restore (see [Web Modeler's login troubleshooting guide](docs/self-managed/modeler/web-modeler/troubleshooting/troubleshoot-login.md#unique-constraint-violation)).
 :::
 
 :::tip

versioned_docs/version-8.4/self-managed/operational-guides/update-guide/keycloak/keycloak-update.md

@@ -0,0 +1,13 @@
+---
+id: keycloak-update
+title: Update Keycloak
+description: "Review what has to be taken into account when updating Keycloak."
+---
+
+When updating Keycloak, follow the [Keycloak upgrade guide](https://www.keycloak.org/docs/latest/upgrading/index.html) and refer to the [supported environments](reference/supported-environments.md#camunda-8-self-managed) to ensure compatibility with tested Keycloak versions.
+
+:::danger
+When updating Keycloak, ensure that you carry along its existing database.
+**Do not** update by creating a new Keycloak instance and re-importing your users from external sources (e.g. LDAP) as this will result in new Keycloak-internal ids.
+Otherwise, users may not be able to access their data (e.g. Optimize collections) or log in to Web Modeler (see [Web Modeler's login troubleshooting guide](self-managed/modeler/web-modeler/troubleshooting/troubleshoot-login.md#unique-constraint-violation)) after the update.
+:::

versioned_sidebars/version-8.2-sidebars.json

@@ -56,7 +56,8 @@
           ]
         },
         {
-          "Elasticsearch": ["guides/update-guide/elasticsearch/7-to-8"]
+          "Elasticsearch": ["guides/update-guide/elasticsearch/7-to-8"],
+          "Keycloak": ["guides/update-guide/keycloak/keycloak-update"]
         }
       ]
     },
@@ -1400,7 +1401,8 @@
               ],
               "Troubleshooting": [
                 "self-managed/modeler/web-modeler/troubleshooting/troubleshoot-database-connection",
-                "self-managed/modeler/web-modeler/troubleshooting/troubleshoot-zeebe-connection"
+                "self-managed/modeler/web-modeler/troubleshooting/troubleshoot-zeebe-connection",
+                "self-managed/modeler/web-modeler/troubleshooting/troubleshoot-login"
               ]
             }
           ]

versioned_sidebars/version-8.3-sidebars.json

@@ -1023,6 +1023,9 @@
             {
               "Elasticsearch": [
                 "self-managed/operational-guides/update-guide/elasticsearch/7-to-8"
+              ],
+              "Keycloak": [
+                "self-managed/operational-guides/update-guide/keycloak/keycloak-update"
               ]
             }
           ]
@@ -1495,7 +1498,8 @@
               ],
               "Troubleshooting": [
                 "self-managed/modeler/web-modeler/troubleshooting/troubleshoot-database-connection",
-                "self-managed/modeler/web-modeler/troubleshooting/troubleshoot-zeebe-connection"
+                "self-managed/modeler/web-modeler/troubleshooting/troubleshoot-zeebe-connection",
+                "self-managed/modeler/web-modeler/troubleshooting/troubleshoot-login"
               ]
             }
           ]

versioned_sidebars/version-8.4-sidebars.json

@@ -1079,6 +1079,9 @@
             {
               "Elasticsearch": [
                 "self-managed/operational-guides/update-guide/elasticsearch/7-to-8"
+              ],
+              "Keycloak": [
+                "self-managed/operational-guides/update-guide/keycloak/keycloak-update"
               ]
             }
           ]
@@ -1555,7 +1558,8 @@
               ],
               "Troubleshooting": [
                 "self-managed/modeler/web-modeler/troubleshooting/troubleshoot-database-connection",
-                "self-managed/modeler/web-modeler/troubleshooting/troubleshoot-zeebe-connection"
+                "self-managed/modeler/web-modeler/troubleshooting/troubleshoot-zeebe-connection",
+                "self-managed/modeler/web-modeler/troubleshooting/troubleshoot-login"
               ]
             }
           ]