OAuth2 authentication delegates login to an external OAuth2 / OIDC identity provider using Spring Security’s OAuth2 support. It works with any standard provider (tested with Keycloak and Auth0).

Dependencies

```xml
<dependency>
  <groupId>org.aseeflow.bpm.springboot</groupId>
  <artifactId>aseeflow-bpm-spring-boot-starter-security</artifactId>
  <version>${aseeflow.bpm-platform.version}</version>
</dependency>
<dependency>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
</dependency>
```
The ASEE Flow security starter is not pulled in by the WebAdmin starter, so include it explicitly.

Configuration

Enable the mode, then configure the OAuth2 client with standard Spring Security properties. The example below uses Keycloak:
```yaml
aseeflow:
  webadmin:
    authentication: oauth2

camunda.bpm.oauth2:
  sso-logout:
    enabled: true
    postLogoutRedirectUri: http://localhost:8080/webadmin
  identity-provider:
    group-name-attribute: groups

spring.security:
  oauth2:
    client:
      registration:
        keycloak:
          provider: keycloak
          client-id: ${keycloak.client.id}
          client-secret: ${keycloak.client.secret}
          authorization-grant-type: authorization_code
          redirect-uri: "{baseUrl}/{action}/oauth2/code/{registrationId}"
          scope: openid, profile, email
      provider:
        keycloak:
          issuer-uri: ${keycloak.url.auth}/realms/camunda
          authorization-uri: ${keycloak.url.auth}/realms/camunda/protocol/openid-connect/auth
          user-info-uri: ${keycloak.url.auth}/realms/camunda/protocol/openid-connect/userinfo
          token-uri: ${keycloak.url.token}/realms/camunda/protocol/openid-connect/token
          jwk-set-uri: ${keycloak.url.token}/realms/camunda/protocol/openid-connect/certs
          user-name-attribute: preferred_username
```
user-name-attribute and group-name-attribute bridge your identity provider to ASEE Flow’s permissions. The claim named by user-name-attribute (here preferred_username) becomes the engine user ID: if authorizations are assigned to a username but the IdP maps a UUID into that claim, the user logs in but has no permissions. group-name-attribute (here groups) must match the token claim that carries group memberships, or every group-based authorization check fails.
The REST security filter is enabled only when issuer-uri or jwk-set-uri is configured; without one of them, REST requests are not validated as JWTs. The claim named by group-name-attribute usually has to be added on the provider so that it actually appears in the token.
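To confirm before go-live that a provider's tokens really carry the claims the two attributes point at, here is an added diagnostic in Python (not part of ASEE Flow or of this page). The token it inspects is a constructed, unsigned sample, and treating a UUID-shaped user ID as the symptom of a mis-mapped user-name-attribute is an assumption drawn from the paragraph above.

```python
import base64
import json
import re

# Heuristic (assumption): a user-name-attribute that resolves to a UUID is the
# typical symptom of the IdP mapping "sub" instead of a human-readable username.
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed sample token (header.payload.placeholder). It carries no
    real signature; the checks below only read claims and never trust the token."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.placeholder-signature"


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def check_identity_mapping(claims: dict, user_name_attribute: str, group_name_attribute: str) -> dict:
    """Report how the engine would see this token under the given settings:
    user_name_attribute  = spring.security.oauth2.client.provider.<id>.user-name-attribute
    group_name_attribute = camunda.bpm.oauth2.identity-provider.group-name-attribute"""
    problems = []
    user_id = claims.get(user_name_attribute)
    if user_id is None:
        problems.append(f"claim '{user_name_attribute}' missing: no engine user ID can be derived")
    elif UUID_RE.match(str(user_id)):
        problems.append(f"claim '{user_name_attribute}' is a UUID: authorizations granted to a username will not apply")
    groups = claims.get(group_name_attribute)
    if groups is None:
        problems.append(f"claim '{group_name_attribute}' missing: add it on the provider or group checks fail")
    elif not isinstance(groups, list):
        problems.append(f"claim '{group_name_attribute}' must be a list of group names")
    return {"user_id": user_id, "groups": groups if isinstance(groups, list) else [], "problems": problems}


if __name__ == "__main__":
    # Constructed sample: the IdP mapped the UUID "sub" and omitted the groups claim.
    sample = make_unsigned_token({"sub": "2d1b3f0e-7a5c-4c2d-9a1e-0c3f5b7d9e11"})
    print(check_identity_mapping(decode_claims(sample), "sub", "groups"))
```

Paste a real access token from the provider in place of the constructed sample to see the same report for your realm's claim mapping.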

How it works

Unauthenticated UI requests are redirected to the provider; after login, the access token authorizes subsequent UI and REST requests. REST endpoints (/engine-rest/**) are protected by default (set disable-rest-security: true to disable). Logout is handled by the provider’s logout flow.

When to use it

OAuth2 suits enterprise applications with centralized identity management and integration with providers such as Keycloak, Auth0, or Okta. For deep Keycloak integration with user/group synchronization, use Keycloak authentication instead.

Properties

| Property | Type | Default | Description |
|---|---|---|---|
| aseeflow.webadmin.authentication | String | basic | Set to oauth2 to enable this mode. |
| aseeflow.webadmin.disable-rest-security | Boolean | false | When true, REST endpoints are reachable without authentication. |
| camunda.bpm.oauth2.sso-logout.enabled | Boolean | false | Enables OIDC client-initiated logout. |
| camunda.bpm.oauth2.sso-logout.postLogoutRedirectUri | String | empty | Redirect target after logout; defaults to the base path. |
| camunda.bpm.oauth2.identity-provider.group-name-attribute | String | groups | Token claim that holds group memberships. |
Login behavior and REST token validation derive from the standard spring.security.oauth2.client.registration.<id>.* and spring.security.oauth2.client.provider.<id>.* properties.