Tasklist provides two ways to authenticate:
By default, user storage in Elasticsearch is enabled.
In this mode, the user authenticates with a username and password stored in Elasticsearch.
The username, password and roles for one user may be set in application.yml:
```yaml
camunda.tasklist:
  username: anUser
  password: aPassword
  roles:
    - OWNER
    - USER
```
On Tasklist startup, the user is created if they did not exist before.
By default, two users are created:
More users can be added directly to Elasticsearch, to the index `tasklist-user-<version>_`. The password must be encoded with a strong BCrypt hashing function.
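As an added example (not part of the Tasklist documentation or code base), the following Python checks that a user record destined for the `tasklist-user-<version>_` index carries a BCrypt hash of adequate cost rather than a plaintext or weakly hashed password, and assembles the Elasticsearch index request for it. The field names `username`, `password` and `roles`, the use of the username as document id, and the minimum cost factor of 10 are assumptions of this example, not taken from the Tasklist index mapping.

```python
import re
from urllib.parse import quote

# Constructed sample: a well-formed BCrypt hash in modular crypt format
# ($2a$ variant, cost 10, 22-char salt followed by a 31-char digest).
# It is not a real Tasklist user record.
SAMPLE_BCRYPT_HASH = "$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy"

# Spring Security's BCryptPasswordEncoder emits/accepts the $2a$, $2b$ and $2y$
# variants; the two-digit cost is the log2 of the number of rounds.
_BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")

MIN_COST = 10   # assumption: reject anything below 2^10 rounds
MAX_COST = 31   # BCrypt's defined upper bound


def bcrypt_cost(value: str):
    """Return the cost factor if value is a well-formed BCrypt hash, else None."""
    m = _BCRYPT_RE.match(value)
    return int(m.group(1)) if m else None


def is_strong_bcrypt(value: str, min_cost: int = MIN_COST) -> bool:
    """True only for a syntactically valid BCrypt hash whose cost is acceptable."""
    cost = bcrypt_cost(value)
    return cost is not None and min_cost <= cost <= MAX_COST


def build_user_document(username: str, password_hash: str, roles):
    """Assemble the user document, refusing plaintext or weak hashes.

    Field names mirror the application.yml keys; that they are also the
    index field names is an assumption of this example.
    """
    if not username or not username.strip():
        raise ValueError("username must not be empty")
    if not is_strong_bcrypt(password_hash):
        raise ValueError(f"password must be a BCrypt hash with cost >= {MIN_COST}")
    if not roles:
        raise ValueError("at least one role is required")
    return {
        "username": username,
        "password": password_hash,
        "roles": sorted(set(roles)),
    }


def index_request(version: str, doc: dict) -> dict:
    """Describe the Elasticsearch request for the versioned user index.

    Using the username as the _doc id (assumption) makes re-running the
    request idempotent instead of creating duplicate user records.
    """
    index = f"tasklist-user-{version}_"
    return {
        "method": "PUT",
        "path": f"/{index}/_doc/{quote(doc['username'], safe='')}",
        "body": doc,
    }


if __name__ == "__main__":
    user = build_user_document("alice", SAMPLE_BCRYPT_HASH, ["USER"])
    print(index_request("<version>", user))
```

Run with a hash produced by a BCrypt implementation (for example Spring's `BCryptPasswordEncoder`); the check rejects plaintext values such as `aPassword` and hashes generated with a cost below the configured minimum before anything reaches the index.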
IAM provides authentication and authorization functionality along with user management.
IAM can only be enabled by setting the Spring profile:
See the following example:
IAM requires the following parameters:
| Parameter name | Description | Example value |
|---|---|---|
| camunda.tasklist.iam.issuer | Name/ID of issuer | http://app.iam.localhost |
| camunda.tasklist.iam.issuerUrl | URL of issuer (IAM) | http://app.iam.localhost |
| camunda.tasklist.iam.clientId | Similar to a username for the application | tasklist |
| camunda.tasklist.iam.clientSecret | Similar to a password for the application | XALaRPl...s7dL7 |
We provide two different permissions over IAM: read or write. To configure the authorization, you are required to create two different permissions:

| Permission | Description |
|---|---|
| read:* | Grants the user the permission to access, view, and read the data in the application. |
| write:* | Grants the user the permission to perform operations. |

Note that the minimum permission needed is `read:*`. Any user without this permission will have access denied.