Version: Next

Connect to an OpenID Connect provider

To enable a smoother integration with your existing systems, Camunda supports connecting to an OpenID Connect (OIDC) authentication provider. To connect to a Keycloak authentication provider, see our guide on using an existing Keycloak.

In this guide, we step through the configuration required to connect Camunda to your authentication provider.

Prerequisites

  • Information about your OIDC provider's configuration, including the issuer URL.
  • Ability to create applications in your OIDC provider.
  • Ability to access the following information about the applications you have created in your OIDC provider:
    • Client ID
    • Client secrets
    • Audience
  • A claim name and value to use for initial access.
note

The steps below are a general approach for the Camunda components; it is important you reference the component-specific configuration to ensure the components are configured correctly.

Configuration

Steps

  1. In your OIDC provider, create an application for each of the components you want to connect. The redirect URI that each component expects is listed in the component-specific configuration below.
  2. For each component, use the appropriate application type:
    • Operate, Tasklist, Optimize, Identity: web applications requiring confidential access (a confidential client)
    • Web Modeler, Console: single-page applications requiring public access (a public client)
  3. Make a note of the following values for each application you create:
    • Client ID
    • Client secret
    • Audience
  4. Set the following environment variables for the component you are configuring an app for:

     CAMUNDA_IDENTITY_TYPE=GENERIC
     CAMUNDA_IDENTITY_BASE_URL=<IDENTITY_URL>
     CAMUNDA_IDENTITY_ISSUER=<URL_OF_ISSUER>
     CAMUNDA_IDENTITY_ISSUER_BACKEND_URL=<URL_OF_ISSUER>
     CAMUNDA_IDENTITY_CLIENT_ID=<Client ID from Step 3>
     CAMUNDA_IDENTITY_CLIENT_SECRET=<Client secret from Step 3>
     CAMUNDA_IDENTITY_AUDIENCE=<Audience from Step 3>
     IDENTITY_INITIAL_CLAIM_NAME=<Initial claim name, if not using the default "oid">
     IDENTITY_INITIAL_CLAIM_VALUE=<Initial claim value>
     SPRING_PROFILES_ACTIVE=oidc

     CAMUNDA_IDENTITY_ISSUER_BACKEND_URL is used for container-to-container communication, so it must be the issuer URL that is reachable from inside your deployment; it is the same as CAMUNDA_IDENTITY_ISSUER unless the issuer is addressed differently internally. Treat CAMUNDA_IDENTITY_CLIENT_SECRET as a secret and supply it from your secret store rather than committing it to configuration files.
note

Once set, you cannot update your initial claim name and value using environment or Helm values. You must change these values directly in the database.
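The following added example (not Camunda's own code) shows what the values from step 4 are used for when a component validates an incoming token: the token's iss must equal CAMUNDA_IDENTITY_ISSUER, its aud must contain CAMUNDA_IDENTITY_AUDIENCE, and the claim named by IDENTITY_INITIAL_CLAIM_NAME (default oid) must equal IDENTITY_INITIAL_CLAIM_VALUE for the user who receives initial access. It also shows why audiences must be kept distinct between components: a token minted for another audience is refused. The configuration, audience names and claim values are constructed placeholders; so that it runs offline the tokens are signed with an HS256 shared secret, whereas a real OIDC provider signs with asymmetric keys published at its JWKS endpoint. The functions mint_token, verify_token, has_initial_access and demo are the example's own.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values standing in for the environment variables from step 4.
# The issuer and audience are placeholders, not real endpoints.
CONFIG = {
    "CAMUNDA_IDENTITY_ISSUER": "https://idp.example.com/realms/camunda",
    "CAMUNDA_IDENTITY_AUDIENCE": "operate-api",
    "IDENTITY_INITIAL_CLAIM_NAME": "oid",
    "IDENTITY_INITIAL_CLAIM_VALUE": "3f2a1c0e-0000-4000-8000-000000000001",
}

# Constructed shared secret so the example signs and verifies offline with HS256.
# Real OIDC providers sign tokens with asymmetric keys published at their JWKS
# endpoint; the issuer, audience and claim checks below are the same either way.
DEMO_SECRET = b"example-only-secret"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Build a compact HS256 JWT from constructed claims."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_token(token: str, config: dict, secret: bytes = DEMO_SECRET, now=None) -> dict:
    """Return the claims of an acceptable token, or raise ValueError.

    Order matters: signature first (so nothing in an unverified payload is
    trusted), then expiry, then the issuer and audience configured for this
    component.
    """
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never accept "none" or an unexpected algorithm
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("iss") != config["CAMUNDA_IDENTITY_ISSUER"]:
        raise ValueError(f"issuer mismatch: {claims.get('iss')!r}")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud  # "aud" may be a string or a list
    if config["CAMUNDA_IDENTITY_AUDIENCE"] not in aud:
        raise ValueError(f"audience mismatch: {aud!r}")
    return claims


def has_initial_access(claims: dict, config: dict) -> bool:
    """True if the configured initial-access claim (default "oid") matches."""
    name = config.get("IDENTITY_INITIAL_CLAIM_NAME") or "oid"
    return claims.get(name) == config["IDENTITY_INITIAL_CLAIM_VALUE"]


def demo(now=1_700_000_000.0) -> dict:
    """Mint constructed tokens and report how the checks treat each one."""
    base = {"iss": CONFIG["CAMUNDA_IDENTITY_ISSUER"], "exp": now + 300, "sub": "alice"}
    initial = CONFIG["IDENTITY_INITIAL_CLAIM_VALUE"]
    tokens = {
        "good": mint_token({**base, "aud": ["operate-api"], "oid": initial}),
        "other_user": mint_token({**base, "aud": "operate-api", "oid": "3f2a1c0e-0000-4000-8000-000000000002"}),
        # Minted for another component's audience (e.g. Web Modeler's public API): must be refused here.
        "wrong_aud": mint_token({**base, "aud": ["modeler-public-api"], "oid": initial}),
        "wrong_iss": mint_token({**base, "iss": "https://evil.example.net", "aud": ["operate-api"]}),
        "expired": mint_token({**base, "exp": now - 1, "aud": ["operate-api"]}),
    }
    # Splice the payload of one token onto the signature of another: the signature check must fail.
    head, _, sig = tokens["good"].split(".")
    tokens["tampered"] = f"{head}.{tokens['other_user'].split('.')[1]}.{sig}"
    results = {}
    for name, tok in tokens.items():
        try:
            results[name] = has_initial_access(verify_token(tok, CONFIG, now=now), CONFIG)
        except ValueError as err:
            results[name] = str(err)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:>10}: {outcome}")
```

Only the "good" token both passes validation and carries the initial-access claim; a valid token for a different user passes validation but gets no initial access, and tokens with the wrong audience, wrong issuer, expired lifetime or a spliced payload are all rejected before any claim is trusted.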

Additional considerations

For authentication, the Camunda components request the scopes email, openid, offline_access, and profile. Make sure the applications you create in your OIDC provider are permitted to request these scopes.

Component-specific configuration

For each component, the redirect URI to register in your OIDC provider (shown for Microsoft Entra ID and for Helm deployments) and any component-specific notes:

Identity
  Redirect URI (Microsoft Entra ID): https://<IDENTITY_URL>/auth/login-callback
  Redirect URI (Helm): https://<IDENTITY_URL>

Operate
  Redirect URI (Microsoft Entra ID): https://<OPERATE_URL>/identity-callback
  Redirect URI (Helm): https://<OPERATE_URL>

Optimize
  Redirect URI (Microsoft Entra ID): https://<OPTIMIZE_URL>/api/authentication/callback
  Redirect URI (Helm): https://<OPTIMIZE_URL>
  Notes: If you configure your authentication provider through the existing environment variables, a fallback applies. If you use a custom YAML configuration, update your properties to match the new values in this guide.
  When using an OIDC provider, the following Optimize features are not currently available: the User permissions tab in collections, digests, and the Alerts tab in collections.

Tasklist
  Redirect URI (Microsoft Entra ID): https://<TASKLIST_URL>/identity-callback
  Redirect URI (Helm): https://<TASKLIST_URL>

Web Modeler
  Redirect URI (Microsoft Entra ID): https://<WEB_MODELER_URL>/login-callback
  Redirect URI (Helm): https://<WEB_MODELER_URL>
  Notes: Web Modeler requires two clients: one for the internal API and one for the external/public API.

  Required configuration variables for webapp:
  OAUTH2_CLIENT_ID=[client-id]
  OAUTH2_JWKS_URL=[provider-jwks-url]
  OAUTH2_TOKEN_AUDIENCE=[client-audience]
  OAUTH2_TOKEN_ISSUER=[provider-issuer]
  OAUTH2_TYPE=[provider-type]

  Required configuration variables for restapi:
  CAMUNDA_IDENTITY_BASEURL=[identity-base-url]
  CAMUNDA_IDENTITY_TYPE=[provider-type]
  CAMUNDA_MODELER_SECURITY_JWT_AUDIENCE_INTERNAL_API=[client-audience]
  CAMUNDA_MODELER_SECURITY_JWT_AUDIENCE_PUBLIC_API=[publicapi-audience]
  SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUER_URI=[provider-issuer]

  For security reasons, use a different value for CAMUNDA_MODELER_SECURITY_JWT_AUDIENCE_PUBLIC_API than for CAMUNDA_MODELER_SECURITY_JWT_AUDIENCE_INTERNAL_API: a resource server accepts any token whose audience matches its own, so if the two audiences were identical, a token obtained for the public API would also be valid against the internal API.
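A pre-flight consistency check over the Web Modeler webapp and restapi variables listed above, as an added example that is not Camunda's own code. It reads the pairing implied by the placeholders (OAUTH2_TOKEN_AUDIENCE and the internal API audience are both [client-audience], the two issuer variables are both [provider-issuer], OAUTH2_TYPE and CAMUNDA_IDENTITY_TYPE are both [provider-type]), flags a public API audience that reuses the internal one, and refuses plain-http URLs for key and token endpoints. The sample environments and the function name check_web_modeler_env are constructed for this example.

```python
from urllib.parse import urlparse

# Variable names are the ones listed for Web Modeler above; values below are constructed placeholders.
WEBAPP_REQUIRED = (
    "OAUTH2_CLIENT_ID", "OAUTH2_JWKS_URL", "OAUTH2_TOKEN_AUDIENCE",
    "OAUTH2_TOKEN_ISSUER", "OAUTH2_TYPE",
)
RESTAPI_REQUIRED = (
    "CAMUNDA_IDENTITY_BASEURL", "CAMUNDA_IDENTITY_TYPE",
    "CAMUNDA_MODELER_SECURITY_JWT_AUDIENCE_INTERNAL_API",
    "CAMUNDA_MODELER_SECURITY_JWT_AUDIENCE_PUBLIC_API",
    "SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUER_URI",
)


def _norm(url):
    """Compare issuer URLs without being tripped up by a trailing slash."""
    return url.rstrip("/") if isinstance(url, str) else url


def check_web_modeler_env(webapp: dict, restapi: dict) -> list:
    """Return a list of findings; an empty list means the two configs are consistent."""
    findings = []
    for name in WEBAPP_REQUIRED:
        if not webapp.get(name):
            findings.append(f"webapp: {name} is not set")
    for name in RESTAPI_REQUIRED:
        if not restapi.get(name):
            findings.append(f"restapi: {name} is not set")

    internal = restapi.get("CAMUNDA_MODELER_SECURITY_JWT_AUDIENCE_INTERNAL_API")
    public = restapi.get("CAMUNDA_MODELER_SECURITY_JWT_AUDIENCE_PUBLIC_API")
    if internal and internal == public:
        findings.append("restapi: internal and public API audiences are identical; "
                        "a token minted for the public API would also be accepted by the internal API")
    # The webapp validates tokens against the same audience the restapi uses for its internal API.
    if webapp.get("OAUTH2_TOKEN_AUDIENCE") and internal and webapp["OAUTH2_TOKEN_AUDIENCE"] != internal:
        findings.append("webapp OAUTH2_TOKEN_AUDIENCE does not match the restapi internal API audience")
    # Both sides must trust the same issuer and be configured for the same provider type.
    if _norm(webapp.get("OAUTH2_TOKEN_ISSUER")) != _norm(restapi.get("SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUER_URI")):
        findings.append("webapp OAUTH2_TOKEN_ISSUER and restapi JWT issuer URI differ")
    if webapp.get("OAUTH2_TYPE") != restapi.get("CAMUNDA_IDENTITY_TYPE"):
        findings.append("webapp OAUTH2_TYPE and restapi CAMUNDA_IDENTITY_TYPE differ")
    # Keys and tokens must not travel over plain HTTP.
    for label, url in (("webapp OAUTH2_JWKS_URL", webapp.get("OAUTH2_JWKS_URL")),
                       ("webapp OAUTH2_TOKEN_ISSUER", webapp.get("OAUTH2_TOKEN_ISSUER")),
                       ("restapi CAMUNDA_IDENTITY_BASEURL", restapi.get("CAMUNDA_IDENTITY_BASEURL"))):
        if url and urlparse(url).scheme != "https":
            findings.append(f"{label} is not an https URL: {url}")
    return findings


# Constructed sample environments (placeholder hosts and audiences).
GOOD_WEBAPP = {
    "OAUTH2_CLIENT_ID": "web-modeler",
    "OAUTH2_JWKS_URL": "https://idp.example.com/realms/camunda/jwks",
    "OAUTH2_TOKEN_AUDIENCE": "web-modeler-api",
    "OAUTH2_TOKEN_ISSUER": "https://idp.example.com/realms/camunda",
    "OAUTH2_TYPE": "GENERIC",
}
GOOD_RESTAPI = {
    "CAMUNDA_IDENTITY_BASEURL": "https://identity.example.com",
    "CAMUNDA_IDENTITY_TYPE": "GENERIC",
    "CAMUNDA_MODELER_SECURITY_JWT_AUDIENCE_INTERNAL_API": "web-modeler-api",
    "CAMUNDA_MODELER_SECURITY_JWT_AUDIENCE_PUBLIC_API": "web-modeler-public-api",
    "SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUER_URI": "https://idp.example.com/realms/camunda/",
}
# Same as GOOD_RESTAPI, but the public API reuses the internal audience and Identity is addressed over http.
BAD_RESTAPI = {
    **GOOD_RESTAPI,
    "CAMUNDA_MODELER_SECURITY_JWT_AUDIENCE_PUBLIC_API": "web-modeler-api",
    "CAMUNDA_IDENTITY_BASEURL": "http://identity.example.com",
}

if __name__ == "__main__":
    for label, restapi in (("good", GOOD_RESTAPI), ("bad", BAD_RESTAPI)):
        print(label, check_web_modeler_env(GOOD_WEBAPP, restapi))
```

Run it against your real environment by loading the two variable sets (for example from the container specs) into the two dicts; an empty result means the webapp and restapi agree on issuer, provider type and internal audience, and the public API audience is distinct.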
Console
  Redirect URI (Microsoft Entra ID): https://<CONSOLE_URL>
  Redirect URI (Helm): https://<CONSOLE_URL>

Zeebe
  Redirect URI: none. Instead, include the token scope <Azure-AppRegistration-ClientID>/.default. This corresponds to the Helm value global.identity.auth.zeebe.tokenScope, which should be set to that value.

Connectors
  Notes: Connectors act as a client in the OIDC flow.

  For outbound-only mode (when CAMUNDA_CONNECTOR_POLLING_ENABLED is false), only the Zeebe client properties are required:
  ZEEBE_CLIENT_ID=[client-id]
  ZEEBE_CLIENT_SECRET=[client-secret]
  ZEEBE_AUTHORIZATION_SERVER_URL=[provider-issuer]
  ZEEBE_TOKEN_AUDIENCE=[Zeebe audience]
  ZEEBE_TOKEN_SCOPE=[Zeebe scope] (optional)

  For inbound mode, the Operate client properties are required:
  CAMUNDA_IDENTITY_TYPE=[provider-type]
  CAMUNDA_IDENTITY_AUDIENCE=[Operate audience]
  CAMUNDA_IDENTITY_CLIENT_ID=[client-id]
  CAMUNDA_IDENTITY_CLIENT_SECRET=[client-secret]
  CAMUNDA_IDENTITY_ISSUER_BACKEND_URL=[provider-issuer]