Keycloak authentication combines OAuth2 / OIDC login with a dedicated Keycloak identity provider plugin, giving you single sign-on plus full synchronization of Keycloak users and groups into the ASEE Flow engine.

Dependencies

<dependency>
  <groupId>org.camunda.bpm.extension</groupId>
  <artifactId>camunda-platform-7-keycloak</artifactId>
  <version>${camunda.platform-7-keycloak.version}</version>
</dependency>
<dependency>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-starter-oauth2-client</artifactId>
</dependency>
<dependency>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
</dependency>
These dependencies are provided in the starter; include them explicitly in your build. camunda-platform-7-keycloak (the Keycloak identity provider plugin) is at version 7.24.0. The org.camunda.bpm.* coordinate is correct: it is an external Camunda extension that ASEE Flow uses as-is.

Configuration

Enable the mode and configure the Spring Security OAuth2 client (as for OAuth2):
aseeflow:
  webadmin:
    authentication: keycloak

camunda.bpm.oauth2:
  sso-logout:
    enabled: true
    postLogoutRedirectUri: http://localhost:8080/webadmin
  identity-provider:
    group-name-attribute: groups

spring.security:
  oauth2:
    client:
      registration:
        keycloak:
          provider: keycloak
          client-id: ${keycloak.client.id}
          client-secret: ${keycloak.client.secret}
          authorization-grant-type: authorization_code
          redirect-uri: "{baseUrl}/{action}/oauth2/code/{registrationId}"
          scope: openid, profile, email
      provider:
        keycloak:
          issuer-uri: ${keycloak.url.auth}/realms/camunda
          authorization-uri: ${keycloak.url.auth}/realms/camunda/protocol/openid-connect/auth
          user-info-uri: ${keycloak.url.auth}/realms/camunda/protocol/openid-connect/userinfo
          token-uri: ${keycloak.url.token}/realms/camunda/protocol/openid-connect/token
          jwk-set-uri: ${keycloak.url.token}/realms/camunda/protocol/openid-connect/certs
          user-name-attribute: preferred_username
Then configure the identity provider plugin so the engine can resolve users and groups from Keycloak:
plugin:
  identity:
    keycloak:
      keycloak-issuer-url: https://your-keycloak-server/realms/your-realm
      keycloak-admin-url: https://your-keycloak-server/admin/realms/your-realm
      client-id: your-client-id
      client-secret: your-client-secret
      use-email-as-camunda-user-id: false
      use-username-as-camunda-user-id: true
      use-group-path-as-camunda-group-id: true
      administrator-group-name: camunda-admin
      disable-ssl-certificate-validation: false

How it works

Users are redirected to Keycloak for OAuth2 / OIDC login; Spring Security manages the session. The identity provider plugin synchronizes Keycloak users, groups, and roles into the engine’s Identity Service in real time, including nested group hierarchies and an administrator-group mapping. On logout, an OIDC-compliant flow returns the user to /webadmin/. When deploying behind a reverse proxy or load balancer, a ForwardedHeaderFilter ensures OAuth2 redirect URIs are assembled correctly, and a customized firewall permits the URL-encoded slashes used in nested Keycloak group paths.
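The two infrastructure pieces named above (the ForwardedHeaderFilter for proxied deployments and the relaxed firewall for %2F-encoded group paths) can be wired in Spring Security as follows. This is an added illustration, not code from ASEE Flow or the Keycloak plugin; the class name is hypothetical and it assumes Spring Boot picks up the HttpFirewall bean, as it does by default.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.web.firewall.HttpFirewall;
import org.springframework.security.web.firewall.StrictHttpFirewall;
import org.springframework.web.filter.ForwardedHeaderFilter;

// Hypothetical configuration class; not part of the ASEE Flow code base.
@Configuration
public class ProxyAndFirewallConfig {

    // Behind a reverse proxy or load balancer the container sees the internal
    // scheme/host. Honouring X-Forwarded-* headers makes {baseUrl} in the
    // redirect-uri template resolve to the public address, so the OAuth2
    // callback Keycloak redirects to matches what the client registered.
    @Bean
    public ForwardedHeaderFilter forwardedHeaderFilter() {
        return new ForwardedHeaderFilter();
    }

    // With use-group-path-as-camunda-group-id=true a nested Keycloak group
    // such as /parent/child becomes the engine group id and reaches the REST
    // API as a %2F-encoded path segment. StrictHttpFirewall rejects encoded
    // slashes by default; this is the single relaxation needed, every other
    // strict check (encoded backslash, semicolon, double slash, ...) stays on.
    @Bean
    public HttpFirewall groupPathFirewall() {
        StrictHttpFirewall firewall = new StrictHttpFirewall();
        firewall.setAllowUrlEncodedSlash(true);
        return firewall;
    }
}
```

The servlet container applies its own rule before Spring Security sees the request (Tomcat's connector attribute encodedSolidusHandling rejects %2F by default), so that setting must agree with the firewall.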

When to use it

Keycloak authentication is ideal when your organization already uses Keycloak for SSO and you want full Keycloak role and group integration with ASEE Flow, beyond what token claims alone provide.

Properties

WebAdmin properties:
Property | Type | Default | Description
aseeflow.webadmin.authentication | String | basic | Set to keycloak to enable this mode.
aseeflow.webadmin.disable-rest-security | Boolean | false | When true, REST endpoints are reachable without authentication.
Keycloak identity provider plugin properties:
Property | Type | Default | Description
plugin.identity.keycloak.keycloak-issuer-url | String | none | Keycloak realm issuer URL.
plugin.identity.keycloak.keycloak-admin-url | String | none | Keycloak admin API URL for the realm.
plugin.identity.keycloak.client-id | String | none | OAuth2 client ID.
plugin.identity.keycloak.client-secret | String | none | OAuth2 client secret.
plugin.identity.keycloak.use-email-as-camunda-user-id | Boolean | false | Use the email claim as the engine user ID.
plugin.identity.keycloak.use-username-as-camunda-user-id | Boolean | true | Use the username claim as the engine user ID.
plugin.identity.keycloak.use-group-path-as-camunda-group-id | Boolean | true | Use the full group path as the engine group ID.
plugin.identity.keycloak.administrator-group-name | String | camunda-admin | Group treated as administrators.
plugin.identity.keycloak.disable-ssl-certificate-validation | Boolean | false | Disable SSL validation (development only).
Use proper SSL certificates in production; disable-ssl-certificate-validation is for development only.