diff --git a/docs/self-managed/platform-deployment/helm-kubernetes/guides/connect-to-an-oidc-provider.md b/docs/self-managed/platform-deployment/helm-kubernetes/guides/connect-to-an-oidc-provider.md index c3903c09d6e..7355d39cdd7 100644 --- a/docs/self-managed/platform-deployment/helm-kubernetes/guides/connect-to-an-oidc-provider.md +++ b/docs/self-managed/platform-deployment/helm-kubernetes/guides/connect-to-an-oidc-provider.md @@ -117,8 +117,9 @@ When using OIDC, set `connectors.inbound.mode: disabled` [in your Connectors Hel 2. Within the app registered in Step 1, [configure a platform](https://learn.microsoft.com/en-gb/entra/identity-platform/quickstart-register-app#configure-platform-settings) - of type `web`. The expected redirect URI of the component you are configuring an app for can be found - in [component-specific configuration](#component-specific-configuration). + of type `Web` for Operate, TaskList, and Optimize. [Configure a platform](https://learn.microsoft.com/en-gb/entra/identity-platform/quickstart-register-app#configure-platform-settings) + of type `Single-page application` for Modeler. The expected redirect URI of the component you are configuring an app for can be found + in [component-specific configuration](#component-specific-configuration). Make sure the redirect URIs entered here match the redirect URI's configured in step 4. 3. Once you have registered a platform for your app a client secret needs to be created. To do this, see [adding a client secret](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app#add-a-client-secret). Make a note of the value of the client secret as it will be required later on. 
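Review bot: step 3 still says unconditionally that "a client secret needs to be created", but this hunk now registers Modeler as a `Single-page application`, and the Web Modeler webapp variables listed in the component table later in the file (`OAUTH2_CLIENT_ID`, `OAUTH2_JWKS_URL`, `OAUTH2_TOKEN_AUDIENCE`, `OAUTH2_TOKEN_ISSUER`, `OAUTH2_TYPE`) take no secret at all; state which app registrations step 3 applies to so a reader does not create a secret for the SPA registration that nothing in this guide consumes. Minor: `TaskList` should be `Tasklist` to match the component table, `redirect URI's` should be `redirect URIs`, and "configured in step 4" points at a step that is not visible in this hunk, so check that the numbering still lines up after the edit. The identical hunk in the `versioned_docs/version-8.4` copy needs the same fixes.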
@@ -129,46 +130,52 @@ When using OIDC, set `connectors.inbound.mode: disabled` [in your Connectors Hel ``` CAMUNDA_IDENTITY_TYPE=MICROSOFT - CAMUNDA_IDENTITY_ISSUER= - CAMUNDA_IDENTITY_ISSUER_BACKEND_URL= // this is used for container to container communication + CAMUNDA_IDENTITY_ISSUER=https://login.microsoftonline.com//v2.0 + CAMUNDA_IDENTITY_ISSUER_BACKEND_URL=https://login.microsoftonline.com//v2.0 CAMUNDA_IDENTITY_CLIENT_ID= CAMUNDA_IDENTITY_CLIENT_SECRET= - CAMUNDA_IDENTITY_AUDIENCE= + CAMUNDA_IDENTITY_AUDIENCE= ``` -``` +```yaml global: identity: auth: - issuer: + issuer: https://login.microsoftonline.com//v2.0 # this is used for container to container communication - issuerBackendUrl: - tokenUrl: - jwksUrl: + issuerBackendUrl: https://login.microsoftonline.com//v2.0 + tokenUrl: https://login.microsoftonline.com//oauth2/v2.0/token + jwksUrl: https://login.microsoftonline.com//discovery/v2.0/keys type: "MICROSOFT" + publicIssuerUrl: https://login.microsoftonline.com//v2.0 operate: clientId: - audience: + audience: existingSecret: + redirectUrl: tasklist: clientId: - audience: + audience: existingSecret: + redirectUrl: optimize: clientId: - audience: + audience: existingSecret: + redirectUrl: zeebe: clientId: - audience: + audience: existingSecret: + tokenScope: "/.default" webModeler: clientId: - clientApiAudience: + clientApiAudience: publicApiAudience: + redirectUrl: ``` 
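Review bot: every placeholder in the new example values has vanished in the rendered text: `https://login.microsoftonline.com//v2.0`, `tokenScope: "/.default"` and each `audience:` key show an empty slot where the tenant ID or application ID URI belongs, most likely because an angle-bracketed placeholder is being swallowed by the MDX/HTML renderer. Use a form that survives rendering, e.g. `https://login.microsoftonline.com/{tenant-id}/v2.0`, `tokenUrl: https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token` and `tokenScope: "{audience}/.default"`, or escape the brackets, and say once that the same tenant ID goes into `issuer`, `issuerBackendUrl`, `publicIssuerUrl`, `tokenUrl` and `jwksUrl`. The env-var block also lost the "this is used for container to container communication" remark that the removed `CAMUNDA_IDENTITY_ISSUER_BACKEND_URL=` line carried (the yaml block keeps it as a comment), and its fence is still untagged while the second fence was changed to ```yaml; tag the first one as well for consistency. Same hunk in the `versioned_docs/version-8.4` copy.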
@@ -187,6 +194,12 @@ process. To successfully authenticate wth Entra ID, you should use the `v2.0` API. This means that the `CAMUNDA_IDENTITY_ISSUER_BACKEND_URL` value should end with `/v2.0`. +It's also important to follow the [steps described here](https://learn.microsoft.com/en-us/entra/identity-platform/reference-app-manifest#configure-the-app-manifest) to configure the app manifest and set the [accesstokenAcceptedVersion](https://learn.microsoft.com/en-us/entra/identity-platform/reference-app-manifest#accesstokenacceptedversion-attribute) to `2` like so: + +```json + "accessTokenAcceptedVersion": 2, +``` + :::note Connectors do not yet support authentication with Microsoft Entra ID as the OIDC provider. When using OIDC, set `connectors.inbound.mode: disabled` [in your Connectors Helm values](https://artifacthub.io/packages/helm/camunda/camunda-platform#connectors-parameters). ::: @@ -202,3 +215,4 @@ Connectors do not yet support authentication with Microsoft Entra ID as the OIDC | Optimize | https:///api/authentication/callback | There is a fallback if you use the existing ENV vars to configure your authentication provider, if you use a custom `yaml`, you need to update your properties to match the new values in this guide.

When using an OIDC provider, the following features are not currently available: User permissions tab in collections, digests, `Alerts` tab in collections. | | Tasklist | https:///identity-callback | | | Web Modeler | https:///login-callback | Using a different OIDC provider than Keycloak currently disables all checks of the permissions claim both for using Web Modeler via the UI and via the public API.

Required configuration variables for webapp:
`OAUTH2_CLIENT_ID=[client-id]`
`OAUTH2_JWKS_URL=[provider-jwks-url]`
`OAUTH2_TOKEN_AUDIENCE=[client-audience]`
`OAUTH2_TOKEN_ISSUER=[provider-issuer]`
`OAUTH2_TYPE=[provider-type]`

Required configuration variables for restapi:
`CAMUNDA_IDENTITY_BASEURL=[identity-base-url]`
`CAMUNDA_IDENTITY_TYPE=[provider-type]`
`CAMUNDA_MODELER_SECURITY_JWT_AUDIENCE_INTERNAL_API=[client-audience]`
`CAMUNDA_MODELER_SECURITY_JWT_AUDIENCE_PUBLIC_API=[publicapi-audience]` (for security reasons, use a different value here than for `CAMUNDA_MODELER_SECURITY_JWT_AUDIENCE_INTERNAL_API`)
`SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUER_URI=[provider-issuer]` | +| Zeebe | no redirect URI | Instead, include `tokenScope:" /.default "` | diff --git a/versioned_docs/version-8.4/self-managed/platform-deployment/helm-kubernetes/guides/connect-to-an-oidc-provider.md b/versioned_docs/version-8.4/self-managed/platform-deployment/helm-kubernetes/guides/connect-to-an-oidc-provider.md index c3903c09d6e..7355d39cdd7 100644 --- a/versioned_docs/version-8.4/self-managed/platform-deployment/helm-kubernetes/guides/connect-to-an-oidc-provider.md +++ b/versioned_docs/version-8.4/self-managed/platform-deployment/helm-kubernetes/guides/connect-to-an-oidc-provider.md @@ -117,8 +117,9 @@ When using OIDC, set `connectors.inbound.mode: disabled` [in your Connectors Hel 2. Within the app registered in Step 1, [configure a platform](https://learn.microsoft.com/en-gb/entra/identity-platform/quickstart-register-app#configure-platform-settings) - of type `web`. The expected redirect URI of the component you are configuring an app for can be found - in [component-specific configuration](#component-specific-configuration). + of type `Web` for Operate, TaskList, and Optimize. [Configure a platform](https://learn.microsoft.com/en-gb/entra/identity-platform/quickstart-register-app#configure-platform-settings) + of type `Single-page application` for Modeler. The expected redirect URI of the component you are configuring an app for can be found + in [component-specific configuration](#component-specific-configuration). Make sure the redirect URIs entered here match the redirect URI's configured in step 4. 3. Once you have registered a platform for your app a client secret needs to be created. To do this, see [adding a client secret](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app#add-a-client-secret). Make a note of the value of the client secret as it will be required later on. 
@@ -129,46 +130,52 @@ When using OIDC, set `connectors.inbound.mode: disabled` [in your Connectors Hel ``` CAMUNDA_IDENTITY_TYPE=MICROSOFT - CAMUNDA_IDENTITY_ISSUER= - CAMUNDA_IDENTITY_ISSUER_BACKEND_URL= // this is used for container to container communication + CAMUNDA_IDENTITY_ISSUER=https://login.microsoftonline.com//v2.0 + CAMUNDA_IDENTITY_ISSUER_BACKEND_URL=https://login.microsoftonline.com//v2.0 CAMUNDA_IDENTITY_CLIENT_ID= CAMUNDA_IDENTITY_CLIENT_SECRET= - CAMUNDA_IDENTITY_AUDIENCE= + CAMUNDA_IDENTITY_AUDIENCE= ``` -``` +```yaml global: identity: auth: - issuer: + issuer: https://login.microsoftonline.com//v2.0 # this is used for container to container communication - issuerBackendUrl: - tokenUrl: - jwksUrl: + issuerBackendUrl: https://login.microsoftonline.com//v2.0 + tokenUrl: https://login.microsoftonline.com//oauth2/v2.0/token + jwksUrl: https://login.microsoftonline.com//discovery/v2.0/keys type: "MICROSOFT" + publicIssuerUrl: https://login.microsoftonline.com//v2.0 operate: clientId: - audience: + audience: existingSecret: + redirectUrl: tasklist: clientId: - audience: + audience: existingSecret: + redirectUrl: optimize: clientId: - audience: + audience: existingSecret: + redirectUrl: zeebe: clientId: - audience: + audience: existingSecret: + tokenScope: "/.default" webModeler: clientId: - clientApiAudience: + clientApiAudience: publicApiAudience: + redirectUrl: ``` 
@@ -187,6 +194,12 @@ process. To successfully authenticate wth Entra ID, you should use the `v2.0` API. This means that the `CAMUNDA_IDENTITY_ISSUER_BACKEND_URL` value should end with `/v2.0`. +It's also important to follow the [steps described here](https://learn.microsoft.com/en-us/entra/identity-platform/reference-app-manifest#configure-the-app-manifest) to configure the app manifest and set the [accesstokenAcceptedVersion](https://learn.microsoft.com/en-us/entra/identity-platform/reference-app-manifest#accesstokenacceptedversion-attribute) to `2` like so: + +```json + "accessTokenAcceptedVersion": 2, +``` + :::note Connectors do not yet support authentication with Microsoft Entra ID as the OIDC provider. When using OIDC, set `connectors.inbound.mode: disabled` [in your Connectors Helm values](https://artifacthub.io/packages/helm/camunda/camunda-platform#connectors-parameters). ::: @@ -202,3 +215,4 @@ Connectors do not yet support authentication with Microsoft Entra ID as the OIDC | Optimize | https:///api/authentication/callback | There is a fallback if you use the existing ENV vars to configure your authentication provider, if you use a custom `yaml`, you need to update your properties to match the new values in this guide.

When using an OIDC provider, the following features are not currently available: User permissions tab in collections, digests, `Alerts` tab in collections. | | Tasklist | https:///identity-callback | | | Web Modeler | https:///login-callback | Using a different OIDC provider than Keycloak currently disables all checks of the permissions claim both for using Web Modeler via the UI and via the public API.

Required configuration variables for webapp:
`OAUTH2_CLIENT_ID=[client-id]`
`OAUTH2_JWKS_URL=[provider-jwks-url]`
`OAUTH2_TOKEN_AUDIENCE=[client-audience]`
`OAUTH2_TOKEN_ISSUER=[provider-issuer]`
`OAUTH2_TYPE=[provider-type]`

Required configuration variables for restapi:
`CAMUNDA_IDENTITY_BASEURL=[identity-base-url]`
`CAMUNDA_IDENTITY_TYPE=[provider-type]`
`CAMUNDA_MODELER_SECURITY_JWT_AUDIENCE_INTERNAL_API=[client-audience]`
`CAMUNDA_MODELER_SECURITY_JWT_AUDIENCE_PUBLIC_API=[publicapi-audience]` (for security reasons, use a different value here than for `CAMUNDA_MODELER_SECURITY_JWT_AUDIENCE_INTERNAL_API`)
`SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUER_URI=[provider-issuer]` | +| Zeebe | no redirect URI | Instead, include `tokenScope:" /.default "` |
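Review bot: in the `@@ -187,6 +194,12 @@` hunk (both files) the new paragraph on `accessTokenAcceptedVersion` says it is "also important" but not why; tie it to the sentence directly above it: this guide configures issuer URLs ending in `/v2.0`, so the access tokens the registration issues must be v2 tokens as well, which is exactly what `"accessTokenAcceptedVersion": 2` in the app manifest controls. Say which registration(s) to edit (each app whose tokens Operate, Tasklist, Optimize, Zeebe or Web Modeler validate), and spell the attribute `accessTokenAcceptedVersion` in the link text too, matching the JSON snippet. While here, the unchanged context line above the insertion reads `wth` for `with`.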
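Review bot: in the `@@ -202,3 +215,4 @@` hunk (both files) the new Zeebe row writes the scope as `tokenScope:" /.default "`, which is not a YAML key/value pair (no space after the colon) and carries spaces inside the quotes that a YAML parser would keep as part of the scope string; it also disagrees with `tokenScope: "/.default"` in the values example earlier in this patch. Use the same spelling as the yaml block and restore the missing placeholder before `/.default`, e.g. `tokenScope: "{audience}/.default"`, since the slot is empty in both places. Consider also saying why there is no redirect URI: the `zeebe` block in the values example has `clientId`, `existingSecret` and `tokenScope` but no `redirectUrl`, i.e. a non-interactive client, so "Instead, include" reads better as "Zeebe authenticates without a browser redirect; set `tokenScope` instead."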