Clients
Clients are applications that interact with an orchestration cluster through its APIs. Managing clients involves configuring their access to a cluster so client applications have the permissions they need.
This guide describes how to manage client access in SaaS and in Self-Managed environments that use an external OpenID Connect (OIDC) provider for authentication.
If you are using the Orchestration Cluster with basic authentication, both end users and machine-to-machine (M2M) applications are treated as users and need to be managed accordingly. That is why the Identity UI does not display dedicated client options in basic authentication setups.
Manage clients on SaaS
In Camunda 8 SaaS, client credentials are created and managed in Console.
1. Create client credentials in Console
See the guide for creating client credentials in Console. Take note of the Client ID that is displayed in the connection variables after you have created your client.
2. Configure authorizations in Identity
If you have enabled authorizations on your cluster, the new client will have no permissions by default, even after assigning scopes in Console. You must grant fine-grained permissions in Identity:
- Navigate to the Identity application for your cluster.
- Go to the Authorizations tab.
- Click Create authorization.
- Set the Owner type to Client.
- In the Owner ID field, enter the Client ID of the client you just created.
- Select the Resource type, Resource ID, and permissions the client needs.
- Click Create authorization.
If authorizations are disabled, your client will have full access based on the scopes you selected during creation.
Manage clients on Self-Managed
As a prerequisite, make sure that your Orchestration Cluster is configured to use a token claim as the client ID (the client ID claim). The value of this claim in the access token is what Identity compares against the Client ID of an authorization.
Configuring a client application in a Self-Managed environment with OIDC then involves two steps:
- Register your client application with your identity provider to obtain client credentials.
- Configure authorizations for the client in the Orchestration Cluster Identity to grant the necessary permissions.
The following steps will guide you through this process.
1. Create client credentials in your IdP
Before configuring access in the Orchestration Cluster, you must register your client application in your OIDC-compatible identity provider (e.g., EntraID, Keycloak, Okta).
During the registration process, your identity provider will provide you with a Client ID and a Client Secret. Your application will use these credentials to authenticate and obtain an access token.
2. Configure authorizations in Identity
Once you have your client credentials, you can configure the required permissions in the Identity component of your cluster. Log in to Identity and choose one of the following methods to grant authorizations.
Authorization based on client ID
This method is suitable when your client application requires a fixed set of permissions. Follow the steps on how to create authorizations with the following specifics:
- As the Owner type, select Client.
- In the Owner ID field, enter the Client ID that matches your client's value for the configured client ID claim.
You can also assign the client to existing groups or roles to inherit their permissions.
Flexible authorization based on JWT claims with mapping rules
This method is ideal when you need to dynamically assign permissions based on claims in the OIDC access token, such as scopes or custom claims.
- Create a mapping rule that matches a claim from your client's access token.
- Create authorizations for the mapping rule with the following specifics:
  - As the Owner type, select Mapping Rule.
  - In the Owner ID field, enter the Mapping Rule ID that you chose in the previous step.
Alternatively, you can assign the mapping rule to groups or roles to inherit their permissions.
Any client that authenticates with a token matching the criteria of the mapping rule will be granted the associated permissions.
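The following Python script is an added example (not Camunda code) that models how the two authorization methods above resolve to permissions for one access token: the client ID claim identifies authorizations owned by a Client, and mapping rules that match a claim identify authorizations owned by a Mapping Rule. The claim names (`client_id`, `roles`), the rule structure (one claim name, one expected value), and the resource type and permission names are illustrative assumptions, and the sample token is constructed in the script with a placeholder signature; the helper reads the payload without verifying the signature because the cluster, not this script, validates tokens against the IdP.

```python
import base64
import json
from dataclasses import dataclass

# Hypothetical mapping rule: matches when the named claim equals the expected
# value (or, for list-valued claims such as roles, contains it).
@dataclass(frozen=True)
class MappingRule:
    rule_id: str
    claim_name: str
    claim_value: str

@dataclass(frozen=True)
class Authorization:
    owner_type: str        # "Client" or "Mapping Rule", the owner types Identity offers
    owner_id: str          # Client ID or Mapping Rule ID
    resource_type: str     # illustrative resource type name
    resource_id: str
    permissions: frozenset

def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT (header.payload.signature).
    The signature is deliberately NOT verified here: the Orchestration Cluster
    validates tokens against the IdP; this only shows which claims are consulted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def matching_rules(claims: dict, rules: list) -> list:
    """Mapping rules whose claim criterion is satisfied by the token's claims."""
    matched = []
    for rule in rules:
        value = claims.get(rule.claim_name)
        if isinstance(value, list):
            if rule.claim_value in value:
                matched.append(rule)
        elif value == rule.claim_value:
            matched.append(rule)
    return matched

def effective_permissions(claims: dict, client_id_claim: str,
                          rules: list, authorizations: list) -> dict:
    """Union of permissions granted directly to the client ID and through every
    matching mapping rule, keyed by (resource_type, resource_id)."""
    owners = {("Client", claims.get(client_id_claim))}
    owners |= {("Mapping Rule", r.rule_id) for r in matching_rules(claims, rules)}
    result = {}
    for auth in authorizations:
        if (auth.owner_type, auth.owner_id) in owners:
            key = (auth.resource_type, auth.resource_id)
            result[key] = result.get(key, frozenset()) | auth.permissions
    return result

def make_sample_token(claims: dict) -> str:
    """Constructed test token with a placeholder signature segment; an IdP-issued
    token would carry a real signature that the cluster verifies."""
    b64 = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'RS256', 'typ': 'JWT'})}.{b64(claims)}.placeholder-signature"

# Constructed sample data: the cluster is configured with "client_id" as its client ID claim.
CLIENT_ID_CLAIM = "client_id"
SAMPLE_CLAIMS = {"client_id": "order-service", "roles": ["process-starter"], "iss": "https://idp.example"}
SAMPLE_RULES = [
    MappingRule("process-starters", "roles", "process-starter"),   # matches the sample token
    MappingRule("deployers", "roles", "deployer"),                 # does not match
]
SAMPLE_AUTHORIZATIONS = [
    Authorization("Client", "order-service", "PROCESS_DEFINITION", "*", frozenset({"READ_PROCESS_DEFINITION"})),
    Authorization("Mapping Rule", "process-starters", "PROCESS_DEFINITION", "*", frozenset({"CREATE_PROCESS_INSTANCE"})),
    Authorization("Mapping Rule", "deployers", "RESOURCE", "*", frozenset({"CREATE"})),
]

def resolve_sample() -> dict:
    claims = decode_jwt_claims(make_sample_token(SAMPLE_CLAIMS))
    return effective_permissions(claims, CLIENT_ID_CLAIM, SAMPLE_RULES, SAMPLE_AUTHORIZATIONS)

if __name__ == "__main__":
    for (rtype, rid), perms in resolve_sample().items():
        print(f"{rtype}/{rid}: {sorted(perms)}")
```

Running the script shows that the sample client ends up with both the permission granted to its Client ID and the one granted through the matching mapping rule, while the unmatched `deployers` rule contributes nothing; this is the same effect you get in Identity when a client has direct authorizations and also satisfies a mapping rule.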
3. Client application is configured
After completing these steps, your client application can authenticate with your IdP, obtain an access token, and use that token to make authorized API calls to the Camunda 8 orchestration cluster.