Skip to main content
Version: 8.7

Authentication

Depending on your configuration, users and applications authenticate with Camunda 8 via the IdP using the OAuth 2.0 protocol, using either a login page or M2M tokens.

Login page authentication

When a user accesses a Camunda 8 web application, they are shown the login page provided by the configured IdP.

M2M (machine-to-machine) authentication

Applications can authenticate with Camunda 8 using M2M (machine-to-machine) tokens.

Prerequisites

The following prerequisites are required for M2M authentication:

PrerequisiteDescription
IdentityA running Identity service.
ApplicationAn application for your service.
Client IDThe client ID of your application.
Client secretThe client secret of your application.
REST clientA REST client of your choice.

Generate a token

In the following example, the Keycloak instance that supports Identity can be found via http://localhost:18080. This might be different for your Identity configuration, adjust the host name (and port if required) if required.

To request a token, use the following cURL command, replacing the placeholders with your application details:

curl --location --request POST 'http://localhost:18080/auth/realms/camunda-platform/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=[CLIENT_ID]' \
--data-urlencode 'client_secret=[CLIENT_SECRET]' \
--data-urlencode 'grant_type=client_credentials'

The following shows an example successful authentication response:

{
"access_token": "<TOKEN>",
"expires_in": 300,
"refresh_expires_in": 0,
"token_type": "Bearer",
"not-before-policy": 0
}

You can use the token to authenticate an application with Camunda components, for example to access Operate REST APIs.