Add zeebe tokenScope w/ postfix to MSFT Entra doc #3285

Merged
merged 12 commits into from
Feb 15, 2024
Expand Up @@ -139,7 +139,7 @@ When using OIDC, set `connectors.inbound.mode: disabled` [in your Connectors Hel
</TabItem>
<TabItem value="helm">

```
```yaml
global:
identity:
auth:
Expand All @@ -149,28 +149,36 @@ global:
tokenUrl: <TOKEN_URL_ENDPOINT>
jwksUrl: <JWKS_URL>
type: "MICROSOFT"
publicIssuerUrl: <URL_OF_ISSUER>
operate:
clientId: <Client ID from step 1>
audience: <Audience of your application>
existingSecret: <Client secret from step 3>
redirectUrl: <See table below>
tasklist:
clientId: <Client ID from step 1>
audience: <Audience of your application>
existingSecret: <Client secret from step 3>
redirectUrl: <See table below>
optimize:
clientId: <Client ID from step 1>
audience: <Audience of your application>
existingSecret: <Client secret from step 3>
redirectUrl: <See table below>
zeebe:
clientId: <Client ID from step 1>
audience: <Audience of your application>
existingSecret: <Client secret from step 3>
tokenScope: "<Client ID from step 1>/.default"
webModeler:
clientId: <Client ID from step 1>
clientApiAudience: <Audience for your application>
publicApiAudience: <Audience for using Web Modeler's API. For security reasons, use a different value than for clientApiAudience>
redirectUrl: <See table below>
```

<!-- Add ingress and image for completeness?-->

</TabItem>
</Tabs>

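Review bot: the placeholder wording in the new `webModeler` block is inconsistent with the rest of the hunk: `clientApiAudience: <Audience for your application>` versus `audience: <Audience of your application>` under `operate`, `tasklist`, `optimize` and `zeebe`; readers map these placeholders to the same Entra value, so use one phrasing. The new `zeebe.tokenScope: "<Client ID from step 1>/.default"` line is the right shape (quoted, no whitespace inside the scope), and omitting `redirectUrl` for `zeebe` matches the "no redirect URI" table row further down. The added `<!-- Add ingress and image for completeness?-->` line is an open question left in the page source; resolve it or drop it before merge so it does not ship as a TODO in the published doc.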
Expand Down Expand Up @@ -202,3 +210,4 @@ Connectors do not yet support authentication with Microsoft Entra ID as the OIDC
| Optimize | https://<OPTIMIZE_URL>/api/authentication/callback | There is a fallback if you use the existing ENV vars to configure your authentication provider, if you use a custom `yaml`, you need to update your properties to match the new values in this guide.<br/><br/>When using an OIDC provider, the following features are not currently available: User permissions tab in collections, digests, `Alerts` tab in collections. |
| Tasklist | https://<TASKLIST_URL>/identity-callback | |
| Web Modeler | https://<WEB_MODELER_URL>/login-callback | Using a different OIDC provider than Keycloak currently disables all checks of the permissions claim both for using Web Modeler via the UI and via the public API.<br/><br/> Required configuration variables for webapp:<br/>`OAUTH2_CLIENT_ID=[client-id]`<br/>`OAUTH2_JWKS_URL=[provider-jwks-url]`<br/>`OAUTH2_TOKEN_AUDIENCE=[client-audience]`<br/>`OAUTH2_TOKEN_ISSUER=[provider-issuer]`<br/>`OAUTH2_TYPE=[provider-type]`<br/><br/> Required configuration variables for restapi:<br/>`CAMUNDA_IDENTITY_BASEURL=[identity-base-url]`<br/>`CAMUNDA_IDENTITY_TYPE=[provider-type]`<br/>`CAMUNDA_MODELER_SECURITY_JWT_AUDIENCE_INTERNAL_API=[client-audience]`<br/>`CAMUNDA_MODELER_SECURITY_JWT_AUDIENCE_PUBLIC_API=[publicapi-audience]` (for security reasons, <strong>use a different value here than for `CAMUNDA_MODELER_SECURITY_JWT_AUDIENCE_INTERNAL_API`</strong>)<br/>`SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUER_URI=[provider-issuer]` |
| Zeebe | no redirect URI | Instead, include `tokenScope:"<Azure-AppRegistration-ClientID> /.default "` |
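Review bot: the Zeebe row's `tokenScope:"<Azure-AppRegistration-ClientID> /.default "` does not match the Helm example above it and is unsafe to copy as written. The spaces around `/.default` matter: in OAuth 2.0 the `scope` parameter is space-delimited, so a value with embedded spaces is sent as two scopes (`<client-id>` and `/.default`) rather than the single `<client-id>/.default` that Entra expects; the Helm block above correctly has none. Also, `tokenScope:"..."` with no space after the colon is not a YAML key/value pair (a mapping needs `: `), so write it as `tokenScope: "<Client ID from step 1>/.default"`, and reuse that placeholder name instead of introducing a second one (`Azure-AppRegistration-ClientID`) for the same value in a doc titled for Microsoft Entra.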