From 234b55f5798a073ed59c60bc072f27c2518ebec8 Mon Sep 17 00:00:00 2001
From: Wolfgang Amann <8766375+wollefitz@users.noreply.github.com>
Date: Tue, 2 Apr 2024 09:15:48 +0200
Subject: [PATCH] docs(web-modeler): permissions are evaluated with OIDC provider (#3513)

---
 .../guides/connect-to-an-oidc-provider.md | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/docs/self-managed/platform-deployment/helm-kubernetes/guides/connect-to-an-oidc-provider.md b/docs/self-managed/platform-deployment/helm-kubernetes/guides/connect-to-an-oidc-provider.md
index 39b1cb2a00..8e1bb289e3 100644
--- a/docs/self-managed/platform-deployment/helm-kubernetes/guides/connect-to-an-oidc-provider.md
+++ b/docs/self-managed/platform-deployment/helm-kubernetes/guides/connect-to-an-oidc-provider.md
@@ -228,12 +228,12 @@ It's also important to follow the [steps described here](https://learn.microsoft ### Component-specific configuration -| Component | Redirect URI | Notes | -| ----------- | -------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Identity | https:///auth/login-callback | | -| Operate | https:///identity-callback | | -| Optimize | https:///api/authentication/callback | There is a fallback if you use the existing ENV vars to configure your authentication provider, if you use a custom `yaml`, you need to update your properties to match the new values in this guide.

When using an OIDC provider, the following features are not currently available: User permissions tab in collections, digests, `Alerts` tab in collections. | -| Tasklist | https:///identity-callback | | -| Web Modeler | https:///login-callback | Using a different OIDC provider than Keycloak currently disables all checks of the permissions claim both for using Web Modeler via the UI and via the public API.

Required configuration variables for webapp:
`OAUTH2_CLIENT_ID=[client-id]`
`OAUTH2_JWKS_URL=[provider-jwks-url]`
`OAUTH2_TOKEN_AUDIENCE=[client-audience]`
`OAUTH2_TOKEN_ISSUER=[provider-issuer]`
`OAUTH2_TYPE=[provider-type]`

Required configuration variables for restapi:
`CAMUNDA_IDENTITY_BASEURL=[identity-base-url]`
`CAMUNDA_IDENTITY_TYPE=[provider-type]`
`CAMUNDA_MODELER_SECURITY_JWT_AUDIENCE_INTERNAL_API=[client-audience]`
`CAMUNDA_MODELER_SECURITY_JWT_AUDIENCE_PUBLIC_API=[publicapi-audience]` (for security reasons, use a different value here than for `CAMUNDA_MODELER_SECURITY_JWT_AUDIENCE_INTERNAL_API`)
`SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUER_URI=[provider-issuer]` | -| Zeebe | no redirect URI | Instead, include `tokenScope:" /.default "` | -| Connectors | | Connectors act as a client in the OIDC flow.

For outbound-only mode (when `CAMUNDA_CONNECTOR_POLLING_ENABLED` is `false`), only Zeebe client properties are required:
`ZEEBE_CLIENT_ID=[client-id]`
`ZEEBE_CLIENT_SECRET=[client-secret]`
`ZEEBE_AUTHORIZATION_SERVER_URL=[provider-issuer]`
`ZEEBE_TOKEN_AUDIENCE=[Zeebe audience]`
`ZEEBE_TOKEN_SCOPE=[Zeebe scope]` (optional)

For inbound mode, Operate client properties are required:
`CAMUNDA_IDENTITY_TYPE=[provider-type]`
`CAMUNDA_IDENTITY_AUDIENCE=[Operate audience]`
`CAMUNDA_IDENTITY_CLIENT_ID=[client-id]`
`CAMUNDA_IDENTITY_CLIENT_SECRET=[client-secret]`
`CAMUNDA_IDENTITY_ISSUER_BACKEND_URL=[provider-issuer]` | +| Component | Redirect URI | Notes | +| ----------- | -------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Identity | https:///auth/login-callback | | +| Operate | https:///identity-callback | | +| Optimize | https:///api/authentication/callback | There is a fallback if you use the existing ENV vars to configure your authentication provider, if you use a custom `yaml`, you need to update your properties to match the new values in this guide.

When using an OIDC provider, the following features are not currently available: User permissions tab in collections, digests, `Alerts` tab in collections. | +| Tasklist | https:///identity-callback | | +| Web Modeler | https:///login-callback | Required configuration variables for webapp:
`OAUTH2_CLIENT_ID=[client-id]`
`OAUTH2_JWKS_URL=[provider-jwks-url]`
`OAUTH2_TOKEN_AUDIENCE=[client-audience]`
`OAUTH2_TOKEN_ISSUER=[provider-issuer]`
`OAUTH2_TYPE=[provider-type]`

Required configuration variables for restapi:
`CAMUNDA_IDENTITY_BASEURL=[identity-base-url]`
`CAMUNDA_IDENTITY_TYPE=[provider-type]`
`CAMUNDA_MODELER_SECURITY_JWT_AUDIENCE_INTERNAL_API=[client-audience]`
`CAMUNDA_MODELER_SECURITY_JWT_AUDIENCE_PUBLIC_API=[publicapi-audience]` (for security reasons, use a different value here than for `CAMUNDA_MODELER_SECURITY_JWT_AUDIENCE_INTERNAL_API`)
`SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUER_URI=[provider-issuer]` | +| Zeebe | no redirect URI | Instead, include `tokenScope:" /.default "` | +| Connectors | | Connectors act as a client in the OIDC flow.

For outbound-only mode (when `CAMUNDA_CONNECTOR_POLLING_ENABLED` is `false`), only Zeebe client properties are required:
`ZEEBE_CLIENT_ID=[client-id]`
`ZEEBE_CLIENT_SECRET=[client-secret]`
`ZEEBE_AUTHORIZATION_SERVER_URL=[provider-issuer]`
`ZEEBE_TOKEN_AUDIENCE=[Zeebe audience]`
`ZEEBE_TOKEN_SCOPE=[Zeebe scope]` (optional)

For inbound mode, Operate client properties are required:
`CAMUNDA_IDENTITY_TYPE=[provider-type]`
`CAMUNDA_IDENTITY_AUDIENCE=[Operate audience]`
`CAMUNDA_IDENTITY_CLIENT_ID=[client-id]`
`CAMUNDA_IDENTITY_CLIENT_SECRET=[client-secret]`
`CAMUNDA_IDENTITY_ISSUER_BACKEND_URL=[provider-issuer]` |
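Review bot: removing the sentence "Using a different OIDC provider than Keycloak currently disables all checks of the permissions claim both for using Web Modeler via the UI and via the public API" from the Web Modeler row leaves the table silent on the new behaviour, so a reader of this page cannot tell whether permission checks are now enforced or the note was simply dropped. Since the commit subject states that permissions are evaluated with an OIDC provider, replace the deleted caveat with a positive statement in the Notes cell (for example "The permissions claim is evaluated for both the UI and the public API, regardless of the OIDC provider") together with the release this applies from, so operators running an earlier version still learn that the checks were previously disabled and can plan accordingly; the "for security reasons" guidance on keeping `CAMUNDA_MODELER_SECURITY_JWT_AUDIENCE_PUBLIC_API` distinct from the internal API audience should stay next to it, as it is what keeps a public-API token from being accepted by the internal API. The shortened dash row in the table header matches the shorter Notes cell and needs no further change.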