Camunda 8 web modeler restapi problem

Camunda 8 Topics Discussion & Questions
1

Hello All,

I installed the Self managed type of Camunda 8 via helm chart and face the following issue in component “restapi modeler”:

Configuration (domain masked with X):
SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUER_URI: https://keycloak.camunda.XXXXXXXXXXXXXX/realms/camunda-platform
RESTAPI_OAUTH2_TOKEN_ISSUER_BACKEND_URL: https://keycloak.camunda.XXXXXXXXXXXXXX//realms/camunda-platform

The issue: “unable to find valid certification path to requested target\n\tat java.base/sun.security.ssl.Alert.createSSLException(Unknown Source)\n\taT”

How can I solv this case?

If I change the RESTAPI_OAUTH2_TOKEN_ISSUER_BACKEND_URL to kubernetes service URL the issue will be other: “The Issuer "https://keycloak.camunda.XXXXXXXXXXXXXX/realms/camunda-platform\” provided in the configuration did not match the requested issuer "http://keycloak//realms/camunda-platform\“\n\tat”

Thank you.

3

How is SSL configured on your keycloak?

image
image1392×767 60.5 KB

4

External request, as yours

Configuration made based on the documention Configuration | Camunda 8 Docs

Keycloak related restapi configuration looks like (domain masked with X) as below. Used with same methology in other components, but they work as expected (identity, tasklist, optimize, operate etc.):

5

Test by disabling ssl and making the request with http instead of https!

6

Unfortunatelly not helped: The Issuer "[https://keycloak.camunda.dev.XXXXXXX/realms/camunda-platform\](https://keycloak.camunda.dev.xxxxxxx/realms/camunda-platform\)” provided in the configuration did not match the requested issuer "[http://keycloak.keycloak.svc.cluster.local//realms/camunda-platform\](http://keycloak.keycloak.svc.cluster.local//realms/camunda-platform\)“

image
image1193×712 47.3 KB

Full log:
{“timestamp”:“2024-04-08T20:55:12.577Z”,“thread”:“main”,“logger”:“org.springframework.boot.SpringApplication”,“message”:“Application run failed”,“context”:“default”,“exception”:“org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name ‘org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration’: Unsatisfied dependency expressed through method ‘setFilterChains’ parameter 0: Error creating bean with name ‘filterChain’ defined in class path resource [io/camunda/modeler/configuration/security/WebSecurityConfiguration.class]: Failed to instantiate [org.springframework.security.web.SecurityFilterChain]: Factory method ‘filterChain’ threw exception with message: Error creating bean with name ‘jwtDecoder’ defined in class path resource [io/camunda/modeler/configuration/security/JwtDecoderConfiguration.class]: Failed to instantiate [org.springframework.security.oauth2.jwt.JwtDecoder]: Factory method ‘jwtDecoder’ threw exception with message: The Issuer "https://keycloak.camunda.dev.XXXXXXX/realms/camunda-platform\” provided in the configuration did not match the requested issuer "http://keycloak.keycloak.svc.cluster.local//realms/camunda-platform\“\n\tat org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor$AutowiredMethodElement.resolveMethodArguments(AutowiredAnnotationBeanPostProcessor.java:884)\n\tat org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor$AutowiredMethodElement.inject(AutowiredAnnotationBeanPostProcessor.java:837)\n\tat org.springframework.beans.factory.annotation.InjectionMetadata.inject(InjectionMetadata.java:145)\n\tat org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor.postProcessProperties(AutowiredAnnotationBeanPostProcessor.java:497)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:1414)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:595)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:518)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:325)\n\tat org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:234)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:323)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:199)\n\tat org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:973)\n\tat org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:949)\n\tat org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:615)\n\tat org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.refresh(ServletWebServerApplicationContext.java:146)\n\tat org.springframework.boot.SpringApplication.refresh(SpringApplication.java:738)\n\tat org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:440)\n\tat org.springframework.boot.SpringApplication.run(SpringApplication.java:324)\n\tat org.springframework.boot.SpringApplication.run(SpringApplication.java:1317)\n\tat org.springframework.boot.SpringApplication.run(SpringApplication.java:1306)\n\tat io.camunda.modeler.ModelerSelfManagedApp.main(ModelerSelfManagedApp.java:18)\n\tat java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(Unknown Source)\n\tat java.base/java.lang.reflect.Method.invoke(Unknown Source)\n\tat org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:49)\n\tat org.springframework.boot.loader.Launcher.launch(Launcher.java:95)\n\tat org.springframework.boot.loader.Launcher.launch(Launcher.java:58)\n\tat org.springframework.boot.loader.PropertiesLauncher.main(PropertiesLauncher.java:466)\nCaused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name ‘filterChain’ defined in class path resource [io/camunda/modeler/configuration/security/WebSecurityConfiguration.class]: Failed to instantiate [org.springframework.security.web.SecurityFilterChain]: Factory method ‘filterChain’ threw exception with message: Error creating bean with name ‘jwtDecoder’ defined in class path resource [io/camunda/modeler/configuration/security/JwtDecoderConfiguration.class]: Failed to instantiate [org.springframework.security.oauth2.jwt.JwtDecoder]: Factory method ‘jwtDecoder’ threw exception with message: The Issuer "https://keycloak.camunda.dev.XXXXXXX/realms/camunda-platform\” provided in the configuration did not match the requested issuer "http://keycloak.keycloak.svc.cluster.local//realms/camunda-platform\“\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:650)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:638)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1330)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1160)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:558)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:518)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:325)\n\tat org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:234)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:323)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:199)\n\tat org.springframework.beans.factory.config.DependencyDescriptor.resolveCandidate(DependencyDescriptor.java:254)\n\tat org.springframework.beans.factory.support.DefaultListableBeanFactory.addCandidateEntry(DefaultListableBeanFactory.java:1633)\n\tat org.springframework.beans.factory.support.DefaultListableBeanFactory.findAutowireCandidates(DefaultListableBeanFactory.java:1597)\n\tat org.springframework.beans.factory.support.DefaultListableBeanFactory.resolveMultipleBeans(DefaultListableBeanFactory.java:1488)\n\tat org.springframework.beans.factory.support.DefaultListableBeanFactory.doResolveDependency(DefaultListableBeanFactory.java:1375)\n\tat org.springframework.beans.factory.support.DefaultListableBeanFactory.resolveDependency(DefaultListableBeanFactory.java:1337)\n\tat org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor$AutowiredMethodElement.resolveMethodArguments(AutowiredAnnotationBeanPostProcessor.java:876)\n\t… 26 common frames omitted\nCaused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.springframework.security.web.SecurityFilterChain]: Factory method ‘filterChain’ threw exception with message: Error creating bean with name ‘jwtDecoder’ defined in class path resource [io/camunda/modeler/configuration/security/JwtDecoderConfiguration.class]: Failed to instantiate [org.springframework.security.oauth2.jwt.JwtDecoder]: Factory method ‘jwtDecoder’ threw exception with message: The Issuer "https://keycloak.camunda.dev.XXXXXXX/realms/camunda-platform\” provided in the configuration did not match the requested issuer "http://keycloak.keycloak.svc.cluster.local//realms/camunda-platform\“\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:171)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:646)\n\t… 42 common frames omitted\nCaused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name ‘jwtDecoder’ defined in class path resource [io/camunda/modeler/configuration/security/JwtDecoderConfiguration.class]: Failed to instantiate [org.springframework.security.oauth2.jwt.JwtDecoder]: Factory method ‘jwtDecoder’ threw exception with message: The Issuer "https://keycloak.camunda.dev.XXXXXXX/realms/camunda-platform\” provided in the configuration did not match the requested issuer "http://keycloak.keycloak.svc.cluster.local//realms/camunda-platform\“\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:650)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:638)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1330)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1160)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:558)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:518)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:325)\n\tat org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:234)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:323)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:224)\n\tat org.springframework.beans.factory.support.DefaultListableBeanFactory.resolveNamedBean(DefaultListableBeanFactory.java:1310)\n\tat org.springframework.beans.factory.support.DefaultListableBeanFactory.resolveNamedBean(DefaultListableBeanFactory.java:1271)\n\tat org.springframework.beans.factory.support.DefaultListableBeanFactory.resolveBean(DefaultListableBeanFactory.java:484)\n\tat org.springframework.beans.factory.support.DefaultListableBeanFactory.getBean(DefaultListableBeanFactory.java:339)\n\tat org.springframework.beans.factory.support.DefaultListableBeanFactory.getBean(DefaultListableBeanFactory.java:332)\n\tat org.springframework.context.support.AbstractApplicationContext.getBean(AbstractApplicationContext.java:1183)\n\tat org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer$JwtConfigurer.getJwtDecoder(OAuth2ResourceServerConfigurer.java:437)\n\tat org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer$JwtConfigurer.getAuthenticationProvider(OAuth2ResourceServerConfigurer.java:446)\n\tat org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer.getAuthenticationProvider(OAuth2ResourceServerConfigurer.java:346)\n\tat org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer.init(OAuth2ResourceServerConfigurer.java:264)\n\tat org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer.init(OAuth2ResourceServerConfigurer.java:147)\n\tat org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder.init(AbstractConfiguredSecurityBuilder.java:344)\n\tat org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder.doBuild(AbstractConfiguredSecurityBuilder.java:306)\n\tat org.springframework.security.config.annotation.AbstractSecurityBuilder.build(AbstractSecurityBuilder.java:38)\n\tat io.camunda.modeler.configuration.security.WebSecurityConfiguration.filterChain(WebSecurityConfiguration.java:79)\n\tat io.camunda.modeler.configuration.security.WebSecurityConfiguration$$SpringCGLIB$$0.CGLIB$filterChain$0()\n\tat io.camunda.modeler.configuration.security.WebSecurityConfiguration$$SpringCGLIB$$FastClass$$1.invoke()\n\tat org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:331)\n\tat io.camunda.modeler.configuration.security.WebSecurityConfiguration$$SpringCGLIB$$0.filterChain()\n\tat java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(Unknown Source)\n\tat java.base/java.lang.reflect.Method.invoke(Unknown Source)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:139)\n\t… 43 common frames omitted\nCaused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.springframework.security.oauth2.jwt.JwtDecoder]: Factory method ‘jwtDecoder’ threw exception with message: The Issuer "https://keycloak.camunda.dev.XXXXXXX/realms/camunda-platform\” provided in the configuration did not match the requested issuer "http://keycloak.keycloak.svc.cluster.local//realms/camunda-platform\“\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:171)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:646)\n\t… 75 common frames omitted\nCaused by: java.lang.IllegalStateException: The Issuer "https://keycloak.camunda.dev.XXXXXXX/realms/camunda-platform\” provided in the configuration did not match the requested issuer "http://keycloak.keycloak.svc.cluster.local//realms/camunda-platform\“\n\tat org.springframework.util.Assert.state(Assert.java:97)\n\tat org.springframework.security.oauth2.jwt.JwtDecoderProviderConfigurationUtils.validateIssuer(JwtDecoderProviderConfigurationUtils.java:89)\n\tat org.springframework.security.oauth2.jwt.JwtDecoders.withProviderConfiguration(JwtDecoders.java:110)\n\tat org.springframework.security.oauth2.jwt.JwtDecoders.fromOidcIssuerLocation(JwtDecoders.java:58)\n\tat io.camunda.modeler.configuration.security.JwtDecoderConfiguration.jwtDecoder(JwtDecoderConfiguration.java:37)\n\tat io.camunda.modeler.configuration.security.JwtDecoderConfiguration$$SpringCGLIB$$0.CGLIB$jwtDecoder$0()\n\tat io.camunda.modeler.configuration.security.JwtDecoderConfiguration$$SpringCGLIB$$FastClass$$1.invoke()\n\tat org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:331)\n\tat io.camunda.modeler.configuration.security.JwtDecoderConfiguration$$SpringCGLIB$$0.jwtDecoder()\n\tat java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(Unknown Source)\n\tat java.base/java.lang.reflect.Method.invoke(Unknown Source)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:139)\n\t… 76 common frames omitted\n”,“severity”:“ERROR”}

7

This error log indicates a problem with JWT decoding. It appears that the provided JWT emitter (https://keycloak.camunda.dev.XXXXXXX/realms/camunda-platform) does not match the requested emitter (http://keycloak.keycloak.svc.cluster.local//realms/camunda- platforms).

This means you probably have incorrect settings. I think to resolve this issue you will need to ensure that the JWT sender configuration in the Spring Security settings matches the emitter provided by your Keycloak instance.

8

Where should I fix the issue or where can I find it?
Could you please advice?
For tasklist and other components it is working fine

{“issuer”:“https://keycloak.camunda.dev.XXXXXXX/realms/camunda-platform”,
“authorization_endpoint”:“https://keycloak.camunda.dev.XXXXXXX/realms/camunda-platform/protocol/openid-connect/auth”,
“token_endpoint”:“http://keycloak.keycloak.svc.cluster.local/realms/camunda-platform/protocol/openid-connect/token”,
“introspection_endpoint”:“http://keycloak.keycloak.svc.cluster.local/realms/camunda-platform/protocol/openid-connect/token/introspect”,
“userinfo_endpoint”:“http://keycloak.keycloak.svc.cluster.local/realms/camunda-platform/protocol/openid-connect/userinfo”,
“end_session_endpoint”:“https://keycloak.camunda.dev.XXXXXXX/realms/camunda-platform/protocol/openid-connect/logout”,
“frontchannel_logout_session_supported”:true,
“frontchannel_logout_supported”:true,
“jwks_uri”:“http://keycloak.keycloak.svc.cluster.local/realms/camunda-platform/protocol/openid-connect/certs”,
“check_session_iframe”:“https://keycloak.camunda.dev.XXXXXXX/realms/camunda-platform/protocol/openid-connect/login-status-iframe.html”,
“grant_types_supported”:[“authorization_code”,“implicit”,“refresh_token”,“password”,“client_credentials”,“urn:ietf:params:oauth:grant-type:device_code”,“urn:openid:params:grant-type:ciba”],
“acr_values_supported”:[“0”,“1”],“response_types_supported”:[“code”,“none”,“id_token”,“token”,“id_token token”,“code id_token”,“code token”,“code id_token token”],
“subject_types_supported”:[“public”,“pairwise”],
“id_token_signing_alg_values_supported”:[“PS384”,“ES384”,“RS384”,“HS256”,“HS512”,“ES256”,“RS256”,“HS384”,“ES512”,“PS256”,“PS512”,“RS512”],
“id_token_encryption_alg_values_supported”:[“RSA-OAEP”,“RSA-OAEP-256”,“RSA1_5”],“id_token_encryption_enc_values_supported”:[“A256GCM”,“A192GCM”,“A128GCM”,“A128CBC-HS256”,“A192CBC-HS384”,“A256CBC-HS512”],
“userinfo_signing_alg_values_supported”:[“PS384”,“ES384”,“RS384”,“HS256”,“HS512”,“ES256”,“RS256”,“HS384”,“ES512”,“PS256”,“PS512”,“RS512”,“none”],
“userinfo_encryption_alg_values_supported”:[“RSA-OAEP”,“RSA-OAEP-256”,“RSA1_5”],“userinfo_encryption_enc_values_supported”:[“A256GCM”,“A192GCM”,“A128GCM”,“A128CBC-HS256”,“A192CBC-HS384”,“A256CBC-HS512”],
“request_object_signing_alg_values_supported”:[“PS384”,“ES384”,“RS384”,“HS256”,“HS512”,“ES256”,“RS256”,“HS384”,“ES512”,“PS256”,“PS512”,“RS512”,“none”],
“request_object_encryption_alg_values_supported”:[“RSA-OAEP”,“RSA-OAEP-256”,“RSA1_5”],“request_object_encryption_enc_values_supported”:[“A256GCM”,“A192GCM”,“A128GCM”,“A128CBC-HS256”,“A192CBC-HS384”,“A256CBC-HS512”],
“response_modes_supported”:[“query”,“fragment”,“form_post”,“query.jwt”,“fragment.jwt”,“form_post.jwt”,“jwt”],
“registration_endpoint”:“http://keycloak.keycloak.svc.cluster.local/realms/camunda-platform/clients-registrations/openid-connect”,
“token_endpoint_auth_methods_supported”:[“private_key_jwt”,“client_secret_basic”,“client_secret_post”,“tls_client_auth”,“client_secret_jwt”],
“token_endpoint_auth_signing_alg_values_supported”:[“PS384”,“ES384”,“RS384”,“HS256”,“HS512”,“ES256”,“RS256”,“HS384”,“ES512”,“PS256”,“PS512”,“RS512”],
“introspection_endpoint_auth_methods_supported”:[“private_key_jwt”,“client_secret_basic”,“client_secret_post”,“tls_client_auth”,“client_secret_jwt”],
“introspection_endpoint_auth_signing_alg_values_supported”:[“PS384”,“ES384”,“RS384”,“HS256”,“HS512”,“ES256”,“RS256”,“HS384”,“ES512”,“PS256”,“PS512”,“RS512”],
“authorization_signing_alg_values_supported”:[“PS384”,“ES384”,“RS384”,“HS256”,“HS512”,“ES256”,“RS256”,“HS384”,“ES512”,“PS256”,“PS512”,“RS512”],
“authorization_encryption_alg_values_supported”:[“RSA-OAEP”,“RSA-OAEP-256”,“RSA1_5”],
“authorization_encryption_enc_values_supported”:[“A256GCM”,“A192GCM”,“A128GCM”,“A128CBC-HS256”,“A192CBC-HS384”,“A256CBC-HS512”],
“claims_supported”:[“aud”,“sub”,“iss”,“auth_time”,“name”,“given_name”,“family_name”,“preferred_username”,“email”,“acr”],
“claim_types_supported”:[“normal”],“claims_parameter_supported”:true,
“scopes_supported”:[“openid”,“offline_access”,“camunda-identity”,“phone”,“email”,“address”,“roles”,“profile”,“acr”,“web-origins”,“microprofile-jwt”],
“request_parameter_supported”:true,“request_uri_parameter_supported”:true,
“require_request_uri_registration”:true,“code_challenge_methods_supported”:[“plain”,“S256”],
“tls_client_certificate_bound_access_tokens”:true,“revocation_endpoint”:“https://keycloak.camunda.dev.XXXXXXX/realms/camunda-platform/protocol/openid-connect/revoke”,
“revocation_endpoint_auth_methods_supported”:[“private_key_jwt”,“client_secret_basic”,“client_secret_post”,“tls_client_auth”,“client_secret_jwt”],
“revocation_endpoint_auth_signing_alg_values_supported”:[“PS384”,“ES384”,“RS384”,“HS256”,“HS512”,“ES256”,“RS256”,“HS384”,“ES512”,“PS256”,“PS512”,“RS512”],
“backchannel_logout_supported”:true,“backchannel_logout_session_supported”:true,
“device_authorization_endpoint”:“https://keycloak.camunda.dev.XXXXXXX/realms/camunda-platform/protocol/openid-connect/auth/device”,
“backchannel_token_delivery_modes_supported”:[“poll”,“ping”],
“backchannel_authentication_endpoint”:“http://keycloak.keycloak.svc.cluster.local/realms/camunda-platform/protocol/openid-connect/ext/ciba/auth”,
“backchannel_authentication_request_signing_alg_values_supported”:[“PS384”,“ES384”,“RS384”,“ES256”,“RS256”,“ES512”,“PS256”,“PS512”,“RS512”],
“require_pushed_authorization_requests”:false,“pushed_authorization_request_endpoint”:“http://keycloak.keycloak.svc.cluster.local/realms/camunda-platform/protocol/openid-connect/ext/par/request”,
“mtls_endpoint_aliases”:{“token_endpoint”:“http://keycloak.keycloak.svc.cluster.local/realms/camunda-platform/protocol/openid-connect/token”,
“revocation_endpoint”:“https://keycloak.camunda.dev.XXXXXXX/realms/camunda-platform/protocol/openid-connect/revoke”,
“introspection_endpoint”:“http://keycloak.keycloak.svc.cluster.local/realms/camunda-platform/protocol/openid-connect/token/introspect”,
“device_authorization_endpoint”:“https://keycloak.camunda.dev.XXXXXXX/realms/camunda-platform/protocol/openid-connect/auth/device”,
“registration_endpoint”:“http://keycloak.keycloak.svc.cluster.local/realms/camunda-platform/clients-registrations/openid-connect”,
“userinfo_endpoint”:“http://keycloak.keycloak.svc.cluster.local/realms/camunda-platform/protocol/openid-connect/userinfo”,
“pushed_authorization_request_endpoint”:“http://keycloak.keycloak.svc.cluster.local/realms/camunda-platform/protocol/openid-connect/ext/par/request”,
“backchannel_authentication_endpoint”:“http://keycloak.keycloak.svc.cluster.local/realms/camunda-platform/protocol/openid-connect/ext/ciba/auth”}}

9

I’ll have to investigate a little, it’s been a while since I’ve dealt with implementation

10

Based on the configuration provided, it appears that there is a mismatch in the Keycloak URL configuration between the global settings and the identity settings. Ensure Keycloak URL configuration is consistent across all sections

11

Unfortunatelly not solved, not cleared what has been disconfigured. Is there any example regarding to this?

12

@tech_a Can you share the values of the helm chart that you use?

Regards,
Alex