Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Camunda Run Spring Security OAuth2 integration #4450

Closed
7 of 10 tasks
Tracked by #654
danielkelemen opened this issue Jun 24, 2024 · 3 comments
Closed
7 of 10 tasks
Tracked by #654

Camunda Run Spring Security OAuth2 integration #4450

danielkelemen opened this issue Jun 24, 2024 · 3 comments
Assignees
@gbetances089
Labels
scope:run Changes to the Run distribution. scope:spring-boot Changes to the Spring Boot starter. type:feature Issues that add a new user feature to the project. version:7.22.0

Comments

@danielkelemen
Copy link
Member

danielkelemen commented Jun 24, 2024
edited
Loading

User Story (Required on creation)

As an administrator, I want to be able to use a camunda-provided docker image with minimal customization, dropping some code and jars to the userLib folder to enable SSO integration.

Functional Requirements (Required before implementation)

See product-hub epic.

Technical Requirements (Required before implementation)

  • Integrate Spring Security into Spring Boot & Camunda Run.
  • Provide out of the box oauth2 integrations with Camunda auth flows for the Webapps.

Limitations of Scope

  • We do not provide OIDC specific support.

Hints

Links

Breakdown

Tasks
Beta Give feedback
  1. Introduce Spring Boot Security Starter & Oauth2 Camunda Run modules #4451
    4 of 4
    scope:run scope:spring-boot type:subtask version:7.22.0 version:7.22.0-alpha5
    danielkelemen
  2. Provide Spring Security integration with Camunda auth #4452
    1 of 1
    scope:authorization scope:run scope:spring-boot type:subtask version:7.22.0 version:7.22.0-alpha5
    yanavasileva
  3. Provide OAuth2 compatible identity provider #4453
    1 of 1
    scope:authorization scope:run scope:spring-boot type:subtask version:7.22.0 version:7.22.0-alpha5
    tasso94
  4. OAuth2 session is not revalidated #4585
    1 of 1
    type:bug type:subtask version:7.22.0
    gbetances089
  5. Add support for SSO logout #4455
    2 of 2
    scope:authorization scope:run scope:spring-boot type:subtask version:7.22.0 version:7.22.0-alpha6
    gbetances089
  6. Activate identity provider automatically when passing --oauth2 #4583
    1 of 1
    type:subtask version:7.22.0 version:7.22.0-alpha6
    danielkelemen
  7. Document Spring Security OAuth2 integration #4454
    1 of 1
    scope:documentation type:subtask version:7.22.0
    danielkelemen

Follow-ups
Beta Give feedback
  1. In Spring Security, activate CORS and disable it for Camunda Run #4584
    type:subtask
    danielkelemen
  2. Add tests for OAuth2 Authentication and Identity Provider #4567
    0 of 1
    type:task version:7.23.0
    joaquinfelici

Dev2QA handover

  • Does this ticket need a QA test and the testing goals are not clear from the description? Add a Dev2QA handover comment
@danielkelemen danielkelemen added type:feature Issues that add a new user feature to the project. scope:run Changes to the Run distribution. scope:spring-boot Changes to the Spring Boot starter. version:7.22.0 labels Jun 24, 2024
Open
@danielkelemen danielkelemen self-assigned this Jun 24, 2024
@yanavasileva
Copy link
Member

🔧 Smaller improvements from the other tickets:

  • Adjust Camunda Run message to: Enabling Camunda Spring Security OAuth2 integration.
  • Add comments at least in production.yaml on how to configure OAuth2.

@tasso94
Copy link
Member

tasso94 commented Sep 6, 2024
edited by danielkelemen
Loading

Handover Dev 2 QA

Setup

Check out the Confluence guide: https://confluence.camunda.com/display/AP/Spring+Security+OAuth2
Here is an example of how to configure the default.yml file for Run:
default.yml.zip

clientId and clientSecret were removed to not disclose them.

This is how you start Run: ./start.sh --webapps --rest --oauth2.

Test scenarios

  • Ensure Run still works as expected when not passing the --oauth2 flag.
  • Validate scenarios with Okta and Cognito.
    • Okta has priority since this is what the customer uses.
  • Perform regression tests with multiple SSO users and groups.
  • Add different authorizations in Admin to different SSO users/groups.
    • Disable SSO in the default.yml file to log in with the Admin user and create authorizations.
  • Check if authorizations work with SSO as expected.
    • E.g., when a user has no permission to deploy something, this should fail.
  • Enable authentication for the REST API and login with Camunda internal users (no SSO users).
    • You need to create Camunda internal users (no SSO users) for this.
    • You can achieve this by disabling SSO, logging in with the Admin user, and creating Camunda internal users. This doesn't work with SSO enabled
  • Map authorities from a different claim by using camunda.bpm.oauth2.identity-provider.group-name-attribute: <claim name>.

@tasso94 tasso94 assigned gbetances089 and unassigned danielkelemen Sep 6, 2024
@gbetances089
Copy link
Member

Tested on camunda-bpm-run-ee-7.22.0-SNAPSHOT and alpha6 with test cases added under the Okta section on TestRail + guide on how to setup until the docs are ready.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@gbetances089 gbetances089

Labels
scope:run Changes to the Run distribution. scope:spring-boot Changes to the Spring Boot starter. type:feature Issues that add a new user feature to the project. version:7.22.0
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@gbetances089 @tasso94 @danielkelemen @yanavasileva