Version: 8.4

Connect to an OpenID Connect provider

To enable a smoother integration with your existing systems, Camunda supports connecting to an OpenID Connect (OIDC) authentication provider. To connect to a Keycloak authentication provider, see our guide on using an existing Keycloak.

In this guide, we step through the configuration required to connect Camunda to your authentication provider.

Prerequisites

  • Information about your OIDC provider's configuration, including the issuer URL.
  • Ability to create applications in your OIDC provider.
  • Ability to access the following information about the applications you have created in your OIDC provider:
    • Client ID
    • Client secrets
    • Audience
Note: The steps below are a general approach for the Camunda components; it is important you reference the component-specific configuration to ensure the components are configured correctly.

Danger: Internally the Camunda components use Identity to handle authentication with your OIDC provider. However, the Identity UI is not available for this version.

Configuration

Steps

  1. In your OIDC provider, create an application for each of the components you want to connect. The expected redirect URI of the component you are configuring an app for can be found in component-specific configuration.
  2. For all components, ensure the appropriate application type is used:
    • Operate, Tasklist, Optimize, Identity: Web applications requiring confidential access/a confidential client
    • Web Modeler: A single-page application requiring public access/a public client
  3. Make a note of the following values for each application you create:
    • Client ID
    • Client secret
    • Audience
  4. Set the following environment variables for the component you are configuring an app for:
     CAMUNDA_IDENTITY_TYPE=GENERIC
     CAMUNDA_IDENTITY_BASE_URL=<IDENTITY_URL>
     CAMUNDA_IDENTITY_ISSUER=<URL_OF_ISSUER>
     CAMUNDA_IDENTITY_ISSUER_BACKEND_URL=<URL_OF_ISSUER>   # used for container-to-container communication
     CAMUNDA_IDENTITY_CLIENT_ID=<Client ID from Step 2>
     CAMUNDA_IDENTITY_CLIENT_SECRET=<Client secret from Step 2>
     CAMUNDA_IDENTITY_AUDIENCE=<Audience from Step 2>
     SPRING_PROFILES_ACTIVE=oidc

Additional considerations

For authentication, the Camunda components use the scopes email, openid, offline_access, and profile.

Component-specific configuration

The table below lists, for each component, the redirect URI to register in your OIDC provider and any component-specific notes.

Operate
  Redirect URI:
    • Microsoft Entra ID: https://<OPERATE_URL>/identity-callback
    • Helm: https://<OPERATE_URL>

Optimize
  Redirect URI:
    • Microsoft Entra ID: https://<OPTIMIZE_URL>/api/authentication/callback
    • Helm: https://<OPTIMIZE_URL>
  Notes: There is a fallback if you use the existing ENV vars to configure your authentication provider. If you use a custom YAML, you need to update your properties to match the new values in this guide.
  When using an OIDC provider, the following features are not currently available: the User permissions tab in collections, digests, and the Alerts tab in collections.

Tasklist
  Redirect URI:
    • Microsoft Entra ID: https://<TASKLIST_URL>/identity-callback
    • Helm: https://<TASKLIST_URL>

Web Modeler
  Redirect URI:
    • Microsoft Entra ID: https://<WEB_MODELER_URL>/login-callback
    • Helm: https://<WEB_MODELER_URL>
  Notes: Web Modeler requires two clients: one for the internal API, and one for the external/public API.
  Using a different OIDC provider than Keycloak currently disables all checks of the permissions claim, both for using Web Modeler via the UI and via the public API.

  Required configuration variables for webapp:
    OAUTH2_CLIENT_ID=[client-id]
    OAUTH2_JWKS_URL=[provider-jwks-url]
    OAUTH2_TOKEN_AUDIENCE=[client-audience]
    OAUTH2_TOKEN_ISSUER=[provider-issuer]
    OAUTH2_TYPE=[provider-type]

  Required configuration variables for restapi:
    CAMUNDA_IDENTITY_BASEURL=[identity-base-url]
    CAMUNDA_IDENTITY_TYPE=[provider-type]
    CAMUNDA_MODELER_SECURITY_JWT_AUDIENCE_INTERNAL_API=[client-audience]
    CAMUNDA_MODELER_SECURITY_JWT_AUDIENCE_PUBLIC_API=[publicapi-audience]
    SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUER_URI=[provider-issuer]
  For security reasons, use a different value for CAMUNDA_MODELER_SECURITY_JWT_AUDIENCE_PUBLIC_API than for CAMUNDA_MODELER_SECURITY_JWT_AUDIENCE_INTERNAL_API.

Zeebe
  Redirect URI: none
  Notes: Instead, set tokenScope to "<Azure-AppRegistration-ClientID>/.default". This refers to the Helm value global.identity.auth.zeebe.tokenScope, which should be set to that value.

Connectors
  Notes: Connectors act as a client in the OIDC flow.

  For outbound-only mode (when CAMUNDA_CONNECTOR_POLLING_ENABLED is false), only Zeebe client properties are required:
    ZEEBE_CLIENT_ID=[client-id]
    ZEEBE_CLIENT_SECRET=[client-secret]
    ZEEBE_AUTHORIZATION_SERVER_URL=[provider-issuer]
    ZEEBE_TOKEN_AUDIENCE=[Zeebe audience]
    ZEEBE_TOKEN_SCOPE=[Zeebe scope] (optional)

  For inbound mode, Operate client properties are required:
    CAMUNDA_IDENTITY_TYPE=[provider-type]
    CAMUNDA_IDENTITY_AUDIENCE=[Operate audience]
    CAMUNDA_IDENTITY_CLIENT_ID=[client-id]
    CAMUNDA_IDENTITY_CLIENT_SECRET=[client-secret]
    CAMUNDA_IDENTITY_ISSUER_BACKEND_URL=[provider-issuer]
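The Web Modeler note above says to give the internal API and the public API different JWT audiences. The following added example (not Camunda code) shows why, using the issuer, expiry and audience checks a resource server performs after the token signature has been verified against the provider's JWKS; the issuer URL and audience names are constructed placeholders.

```python
import time

# Constructed placeholder values, not from any real deployment.
ISSUER = "https://idp.example.com/realms/camunda"
INTERNAL_AUD = "web-modeler-internal"   # CAMUNDA_MODELER_SECURITY_JWT_AUDIENCE_INTERNAL_API
PUBLIC_AUD = "web-modeler-public"       # CAMUNDA_MODELER_SECURITY_JWT_AUDIENCE_PUBLIC_API


def validate_claims(claims, issuer, audience, now=None):
    """Return (accepted, reason) for claims whose signature was already verified.

    Mirrors the post-signature checks of a JWT resource server: the issuer must
    match, the token must not be expired, and the configured audience must be
    present in 'aud', which RFC 7519 allows to be a string or a list.
    """
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        return False, "issuer mismatch"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    if audience not in aud:
        return False, f"audience {audience!r} not in {aud!r}"
    return True, "ok"


def public_token_accepted_by_internal_api(internal_audience, public_audience):
    """Build constructed claims for a public-API token and present it to the internal API."""
    claims = {"iss": ISSUER, "aud": [public_audience], "exp": time.time() + 300, "sub": "api-client"}
    accepted, _ = validate_claims(claims, ISSUER, internal_audience)
    return accepted


if __name__ == "__main__":
    # Same audience for both APIs: a token minted for the public API also passes the internal API check.
    print(public_token_accepted_by_internal_api("web-modeler", "web-modeler"))  # True
    # Distinct audiences, as the guide requires: the same token is rejected by the internal API.
    print(public_token_accepted_by_internal_api(INTERNAL_AUD, PUBLIC_AUD))       # False
```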