Starting configuration for Identity
The Identity component requires a set of base configurations to operate correctly. When Identity is started it will create or update the following entities in Keycloak:
Clients​
| Name | Client ID | Service Accounts | Created/Updated with component |
|---|---|---|---|
| Identity | camunda-identity | enabled | All |
| Camunda Identity Resource Server | camunda-identity-resource-server | enabled | All |
| Operate | operate | enabled | Operate |
| Operate API | operate-api | enabled | Operate |
| Optimize | optimize | enabled | Optimize |
| Optimize API | optimize-api | enabled | Optimize |
| Tasklist | tasklist | enabled | Tasklist |
| Tasklist API | tasklist-api | enabled | Tasklist |
| Web Modeler | web-modeler | disabled | Web Modeler |
| Web Modeler API | web-modeler-api | enabled | Web Modeler |
Roles​
| Name | Created/Updated with component |
|---|---|
| Identity | All |
| Operate | Operate |
| Optimize | Optimize |
| Tasklist | Tasklist |
| Web Modeler | Web Modeler |
Client scopes​
| Name | Protocol | Description |
|---|---|---|
| camunda-identity | openid-connect | A default client scope that contains mappers to augment the token generated with information required by the components of Camunda. Contains the mappers described in the mappers section |
Mappers​
| Name | Protocol Mapper | Description |
|---|---|---|
| oidc-usermodel-property-mapper | Adds the email user attribute to the access, ID, and user info tokens using the claim name email | |
| full name | oidc-full-name-mapper | Adds the user's full name to the access, ID, and user info tokens |
| permissions | oidc-usermodel-client-role-mapper | Adds the users client roles to the access token with the claim name permissions.${client_id} |
| audience resolve | oidc-audience-resolve-mapper | Adds the audiences the user has access to in the audience claim |