From 398166664306132e1bacc515f29b03f11525a92d Mon Sep 17 00:00:00 2001 From: "Meggle (Sebastian Bathke)" Date: Thu, 23 Jan 2025 16:43:04 +0100 Subject: [PATCH] extend limitations on accessible user names in case of custom OpenID Connect provider --- .../guides/connect-to-an-oidc-provider.md | 4 ++-- .../guides/connect-to-an-oidc-provider.md | 16 ++++++++-------- .../guides/connect-to-an-oidc-provider.md | 18 +++++++++--------- .../guides/connect-to-an-oidc-provider.md | 4 ++-- 4 files changed, 21 insertions(+), 21 deletions(-) diff --git a/docs/self-managed/setup/guides/connect-to-an-oidc-provider.md b/docs/self-managed/setup/guides/connect-to-an-oidc-provider.md index aeb15386c4..1523c85c0d 100644 --- a/docs/self-managed/setup/guides/connect-to-an-oidc-provider.md +++ b/docs/self-managed/setup/guides/connect-to-an-oidc-provider.md 
@@ -243,11 +243,11 @@ Follow the [Microsoft Entra instructions](https://learn.microsoft.com/en-us/entr ### Component-specific configuration -| Component | Redirect URI | Notes | +| Component | Redirect URI | Notes/Limitations | | ----------- | -------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Identity | **Microsoft Entra ID:**
`https:///auth/login-callback`

**Helm:**
`https://` | | | Operate | **Microsoft Entra ID:**
`https:///identity-callback`

**Helm:**
`https://` | | -| Optimize | **Microsoft Entra ID:**
`https:///api/authentication/callback`

**Helm:**
`https://` | There is a fallback if you use the existing ENV vars to configure your authentication provider, if you use a custom `yaml`, you need to update your properties to match the new values in this guide.

When using an OIDC provider, the following features are not currently available: User permissions tab in collections, digests, `Alerts` tab in collections. | +| Optimize | **Microsoft Entra ID:**
`https:///api/authentication/callback`

**Helm:**
`https://` | There is a fallback if you use the existing ENV vars to configure your authentication provider, if you use a custom `yaml`, you need to update your properties to match the new values in this guide.

When using an OIDC provider, the following features are not currently available: User permissions tab in collections, digests, `Alerts` tab in collections, accessible user names for Owners of resources - instead the `sub` claim value is displayed . | | Tasklist | **Microsoft Entra ID:**
`https:///identity-callback`

**Helm:**
`https://` | | | Web Modeler | **Microsoft Entra ID:**
`https:///login-callback`

**Helm:**
`https://` | Web Modeler requires two clients: one for the internal API, and one for the external/public API.

Required configuration variables for webapp:
`OAUTH2_CLIENT_ID=[client-id]`
`OAUTH2_JWKS_URL=[provider-jwks-url]`
`OAUTH2_TOKEN_AUDIENCE=[client-audience]`
`OAUTH2_TOKEN_ISSUER=[provider-issuer]`
`OAUTH2_TYPE=[provider-type]`

Required configuration variables for restapi:
`CAMUNDA_IDENTITY_BASEURL=[identity-base-url]`
`CAMUNDA_IDENTITY_TYPE=[provider-type]`
`CAMUNDA_MODELER_SECURITY_JWT_AUDIENCE_INTERNAL_API=[client-audience]`
`CAMUNDA_MODELER_SECURITY_JWT_AUDIENCE_PUBLIC_API=[publicapi-audience]` (for security reasons, use a different value here than for `CAMUNDA_MODELER_SECURITY_JWT_AUDIENCE_INTERNAL_API`)
`SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUER_URI=[provider-issuer]` | | Console | **Microsoft Entra ID:**
`https://`

**Helm:**
`https://` | | diff --git a/versioned_docs/version-8.4/self-managed/platform-deployment/helm-kubernetes/guides/connect-to-an-oidc-provider.md b/versioned_docs/version-8.4/self-managed/platform-deployment/helm-kubernetes/guides/connect-to-an-oidc-provider.md index d72cb92557..93b4cc45f0 100644 --- a/versioned_docs/version-8.4/self-managed/platform-deployment/helm-kubernetes/guides/connect-to-an-oidc-provider.md +++ b/versioned_docs/version-8.4/self-managed/platform-deployment/helm-kubernetes/guides/connect-to-an-oidc-provider.md @@ -215,11 +215,11 @@ Follow the [Microsoft Entra instructions](https://learn.microsoft.com/en-us/entr ### Component-specific configuration -| Component | Redirect URI | Notes | -| ----------- | ------------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Operate | **Microsoft Entra ID:**
`https:///identity-callback`

**Helm:**
`https://` | | -| Optimize | **Microsoft Entra ID:**
`https:///api/authentication/callback`

**Helm:**
`https://` | There is a fallback if you use the existing ENV vars to configure your authentication provider, if you use a custom `yaml`, you need to update your properties to match the new values in this guide.

When using an OIDC provider, the following features are not currently available: User permissions tab in collections, digests, `Alerts` tab in collections. | -| Tasklist | **Microsoft Entra ID:**
`https:///identity-callback`

**Helm:**
`https://` | | -| Web Modeler | **Microsoft Entra ID:**
`https:///login-callback`

**Helm:**
`https://` | Web Modeler requires two clients: one for the internal API, and one for the external/public API.

Using a different OIDC provider than Keycloak currently disables all checks of the permissions claim both for using Web Modeler via the UI and via the public API.

Required configuration variables for webapp:
`OAUTH2_CLIENT_ID=[client-id]`
`OAUTH2_JWKS_URL=[provider-jwks-url]`
`OAUTH2_TOKEN_AUDIENCE=[client-audience]`
`OAUTH2_TOKEN_ISSUER=[provider-issuer]`
`OAUTH2_TYPE=[provider-type]`

Required configuration variables for restapi:
`CAMUNDA_IDENTITY_BASEURL=[identity-base-url]`
`CAMUNDA_IDENTITY_TYPE=[provider-type]`
`CAMUNDA_MODELER_SECURITY_JWT_AUDIENCE_INTERNAL_API=[client-audience]`
`CAMUNDA_MODELER_SECURITY_JWT_AUDIENCE_PUBLIC_API=[publicapi-audience]` (for security reasons, use a different value here than for `CAMUNDA_MODELER_SECURITY_JWT_AUDIENCE_INTERNAL_API`)
`SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUER_URI=[provider-issuer]` | -| Zeebe | no redirect URI | Instead, include `tokenScope:" /.default "`. This refers to the Helm value `global.identity.auth.zeebe.tokenScope`, which should be set to the displayed value. "` | -| Connectors | | Connectors act as a client in the OIDC flow.

For outbound-only mode (when `CAMUNDA_CONNECTOR_POLLING_ENABLED` is `false`), only Zeebe client properties are required:
`ZEEBE_CLIENT_ID=[client-id]`
`ZEEBE_CLIENT_SECRET=[client-secret]`
`ZEEBE_AUTHORIZATION_SERVER_URL=[provider-issuer]`
`ZEEBE_TOKEN_AUDIENCE=[Zeebe audience]`
`ZEEBE_TOKEN_SCOPE=[Zeebe scope]` (optional)

For inbound mode, Operate client properties are required:
`CAMUNDA_IDENTITY_TYPE=[provider-type]`
`CAMUNDA_IDENTITY_AUDIENCE=[Operate audience]`
`CAMUNDA_IDENTITY_CLIENT_ID=[client-id]`
`CAMUNDA_IDENTITY_CLIENT_SECRET=[client-secret]`
`CAMUNDA_IDENTITY_ISSUER_BACKEND_URL=[provider-issuer]` | +| Component | Redirect URI | Notes/Limitations | +| ----------- | -------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Operate | **Microsoft Entra ID:**
`https:///identity-callback`

**Helm:**
`https://` | | +| Optimize | **Microsoft Entra ID:**
`https:///api/authentication/callback`

**Helm:**
`https://` | There is a fallback if you use the existing ENV vars to configure your authentication provider, if you use a custom `yaml`, you need to update your properties to match the new values in this guide.

When using an OIDC provider, the following features are not currently available: User permissions tab in collections, digests, `Alerts` tab in collections, accessible user names for Owners of resources - instead the `sub` claim value is displayed . | +| Tasklist | **Microsoft Entra ID:**
`https:///identity-callback`

**Helm:**
`https://` | | +| Web Modeler | **Microsoft Entra ID:**
`https:///login-callback`

**Helm:**
`https://` | Web Modeler requires two clients: one for the internal API, and one for the external/public API.

Using a different OIDC provider than Keycloak currently disables all checks of the permissions claim both for using Web Modeler via the UI and via the public API.

Required configuration variables for webapp:
`OAUTH2_CLIENT_ID=[client-id]`
`OAUTH2_JWKS_URL=[provider-jwks-url]`
`OAUTH2_TOKEN_AUDIENCE=[client-audience]`
`OAUTH2_TOKEN_ISSUER=[provider-issuer]`
`OAUTH2_TYPE=[provider-type]`

Required configuration variables for restapi:
`CAMUNDA_IDENTITY_BASEURL=[identity-base-url]`
`CAMUNDA_IDENTITY_TYPE=[provider-type]`
`CAMUNDA_MODELER_SECURITY_JWT_AUDIENCE_INTERNAL_API=[client-audience]`
`CAMUNDA_MODELER_SECURITY_JWT_AUDIENCE_PUBLIC_API=[publicapi-audience]` (for security reasons, use a different value here than for `CAMUNDA_MODELER_SECURITY_JWT_AUDIENCE_INTERNAL_API`)
`SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUER_URI=[provider-issuer]` | +| Zeebe | no redirect URI | Instead, include `tokenScope:" /.default "`. This refers to the Helm value `global.identity.auth.zeebe.tokenScope`, which should be set to the displayed value. "` | +| Connectors | | Connectors act as a client in the OIDC flow.

For outbound-only mode (when `CAMUNDA_CONNECTOR_POLLING_ENABLED` is `false`), only Zeebe client properties are required:
`ZEEBE_CLIENT_ID=[client-id]`
`ZEEBE_CLIENT_SECRET=[client-secret]`
`ZEEBE_AUTHORIZATION_SERVER_URL=[provider-issuer]`
`ZEEBE_TOKEN_AUDIENCE=[Zeebe audience]`
`ZEEBE_TOKEN_SCOPE=[Zeebe scope]` (optional)

For inbound mode, Operate client properties are required:
`CAMUNDA_IDENTITY_TYPE=[provider-type]`
`CAMUNDA_IDENTITY_AUDIENCE=[Operate audience]`
`CAMUNDA_IDENTITY_CLIENT_ID=[client-id]`
`CAMUNDA_IDENTITY_CLIENT_SECRET=[client-secret]`
`CAMUNDA_IDENTITY_ISSUER_BACKEND_URL=[provider-issuer]` | diff --git a/versioned_docs/version-8.5/self-managed/setup/guides/connect-to-an-oidc-provider.md b/versioned_docs/version-8.5/self-managed/setup/guides/connect-to-an-oidc-provider.md index bb7f4854c9..06684af09c 100644 --- a/versioned_docs/version-8.5/self-managed/setup/guides/connect-to-an-oidc-provider.md +++ b/versioned_docs/version-8.5/self-managed/setup/guides/connect-to-an-oidc-provider.md @@ -236,12 +236,12 @@ Follow the [Microsoft Entra instructions](https://learn.microsoft.com/en-us/entr ### Component-specific configuration -| Component | Redirect URI | Notes | -| ----------- | ------------------------------------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Identity | **Microsoft Entra ID:**
`https:///auth/login-callback`

**Helm:**
`https://` | | -| Operate | **Microsoft Entra ID:**
`https:///identity-callback`

**Helm:**
`https://` | | -| Optimize | **Microsoft Entra ID:**
`https:///api/authentication/callback`

**Helm:**
`https://` | There is a fallback if you use the existing ENV vars to configure your authentication provider, if you use a custom `yaml`, you need to update your properties to match the new values in this guide.

When using an OIDC provider, the following features are not currently available: User permissions tab in collections, digests, `Alerts` tab in collections. | -| Tasklist | **Microsoft Entra ID:**
`https:///identity-callback`

**Helm:**
`https://` | | -| Web Modeler | **Microsoft Entra ID:**
`https:///login-callback`

**Helm:**
`https://` | Web Modeler requires two clients: one for the internal API, and one for the external/public API.

Required configuration variables for webapp:
`OAUTH2_CLIENT_ID=[client-id]`
`OAUTH2_JWKS_URL=[provider-jwks-url]`
`OAUTH2_TOKEN_AUDIENCE=[client-audience]`
`OAUTH2_TOKEN_ISSUER=[provider-issuer]`
`OAUTH2_TYPE=[provider-type]`

Required configuration variables for restapi:
`CAMUNDA_IDENTITY_BASEURL=[identity-base-url]`
`CAMUNDA_IDENTITY_TYPE=[provider-type]`
`CAMUNDA_MODELER_SECURITY_JWT_AUDIENCE_INTERNAL_API=[client-audience]`
`CAMUNDA_MODELER_SECURITY_JWT_AUDIENCE_PUBLIC_API=[publicapi-audience]` (for security reasons, use a different value here than for `CAMUNDA_MODELER_SECURITY_JWT_AUDIENCE_INTERNAL_API`)
`SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUER_URI=[provider-issuer]` | -| Zeebe | no redirect URI | Instead, include `tokenScope:" /.default "`. This refers to the Helm value `global.identity.auth.zeebe.tokenScope`, which should be set to the displayed value. | -| Connectors | | Connectors act as a client in the OIDC flow.

For outbound-only mode (when `CAMUNDA_CONNECTOR_POLLING_ENABLED` is `false`), only Zeebe client properties are required:
`ZEEBE_CLIENT_ID=[client-id]`
`ZEEBE_CLIENT_SECRET=[client-secret]`
`ZEEBE_AUTHORIZATION_SERVER_URL=[provider-issuer]`
`ZEEBE_TOKEN_AUDIENCE=[Zeebe audience]`
`ZEEBE_TOKEN_SCOPE=[Zeebe scope]` (optional)

For inbound mode, Operate client properties are required:
`CAMUNDA_IDENTITY_TYPE=[provider-type]`
`CAMUNDA_IDENTITY_AUDIENCE=[Operate audience]`
`CAMUNDA_IDENTITY_CLIENT_ID=[client-id]`
`CAMUNDA_IDENTITY_CLIENT_SECRET=[client-secret]`
`CAMUNDA_IDENTITY_ISSUER_BACKEND_URL=[provider-issuer]` | +| Component | Redirect URI | Notes/Limitations | +| ----------- | -------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Identity | **Microsoft Entra ID:**
`https:///auth/login-callback`

**Helm:**
`https://` | | +| Operate | **Microsoft Entra ID:**
`https:///identity-callback`

**Helm:**
`https://` | | +| Optimize | **Microsoft Entra ID:**
`https:///api/authentication/callback`

**Helm:**
`https://` | There is a fallback if you use the existing ENV vars to configure your authentication provider, if you use a custom `yaml`, you need to update your properties to match the new values in this guide.

When using an OIDC provider, the following features are not currently available: User permissions tab in collections, digests, `Alerts` tab in collections, accessible user names for Owners of resources - instead the `sub` claim value is displayed . | +| Tasklist | **Microsoft Entra ID:**
`https:///identity-callback`

**Helm:**
`https://` | | +| Web Modeler | **Microsoft Entra ID:**
`https:///login-callback`

**Helm:**
`https://` | Web Modeler requires two clients: one for the internal API, and one for the external/public API.

Required configuration variables for webapp:
`OAUTH2_CLIENT_ID=[client-id]`
`OAUTH2_JWKS_URL=[provider-jwks-url]`
`OAUTH2_TOKEN_AUDIENCE=[client-audience]`
`OAUTH2_TOKEN_ISSUER=[provider-issuer]`
`OAUTH2_TYPE=[provider-type]`

Required configuration variables for restapi:
`CAMUNDA_IDENTITY_BASEURL=[identity-base-url]`
`CAMUNDA_IDENTITY_TYPE=[provider-type]`
`CAMUNDA_MODELER_SECURITY_JWT_AUDIENCE_INTERNAL_API=[client-audience]`
`CAMUNDA_MODELER_SECURITY_JWT_AUDIENCE_PUBLIC_API=[publicapi-audience]` (for security reasons, use a different value here than for `CAMUNDA_MODELER_SECURITY_JWT_AUDIENCE_INTERNAL_API`)
`SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUER_URI=[provider-issuer]` | +| Zeebe | no redirect URI | Instead, include `tokenScope:" /.default "`. This refers to the Helm value `global.identity.auth.zeebe.tokenScope`, which should be set to the displayed value. | +| Connectors | | Connectors act as a client in the OIDC flow.

For outbound-only mode (when `CAMUNDA_CONNECTOR_POLLING_ENABLED` is `false`), only Zeebe client properties are required:
`ZEEBE_CLIENT_ID=[client-id]`
`ZEEBE_CLIENT_SECRET=[client-secret]`
`ZEEBE_AUTHORIZATION_SERVER_URL=[provider-issuer]`
`ZEEBE_TOKEN_AUDIENCE=[Zeebe audience]`
`ZEEBE_TOKEN_SCOPE=[Zeebe scope]` (optional)

For inbound mode, Operate client properties are required:
`CAMUNDA_IDENTITY_TYPE=[provider-type]`
`CAMUNDA_IDENTITY_AUDIENCE=[Operate audience]`
`CAMUNDA_IDENTITY_CLIENT_ID=[client-id]`
`CAMUNDA_IDENTITY_CLIENT_SECRET=[client-secret]`
`CAMUNDA_IDENTITY_ISSUER_BACKEND_URL=[provider-issuer]` | diff --git a/versioned_docs/version-8.6/self-managed/setup/guides/connect-to-an-oidc-provider.md b/versioned_docs/version-8.6/self-managed/setup/guides/connect-to-an-oidc-provider.md index 0ef9906879..4be8b002de 100644 --- a/versioned_docs/version-8.6/self-managed/setup/guides/connect-to-an-oidc-provider.md +++ b/versioned_docs/version-8.6/self-managed/setup/guides/connect-to-an-oidc-provider.md @@ -243,11 +243,11 @@ Follow the [Microsoft Entra instructions](https://learn.microsoft.com/en-us/entr ### Component-specific configuration -| Component | Redirect URI | Notes | +| Component | Redirect URI | Notes/Limitations | | ----------- | -------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Identity | **Microsoft Entra ID:**
`https:///auth/login-callback`

**Helm:**
`https://` | | | Operate | **Microsoft Entra ID:**
`https:///identity-callback`

**Helm:**
`https://` | | -| Optimize | **Microsoft Entra ID:**
`https:///api/authentication/callback`

**Helm:**
`https://` | There is a fallback if you use the existing ENV vars to configure your authentication provider, if you use a custom `yaml`, you need to update your properties to match the new values in this guide.

When using an OIDC provider, the following features are not currently available: User permissions tab in collections, digests, `Alerts` tab in collections. | +| Optimize | **Microsoft Entra ID:**
`https:///api/authentication/callback`

**Helm:**
`https://` | There is a fallback if you use the existing ENV vars to configure your authentication provider, if you use a custom `yaml`, you need to update your properties to match the new values in this guide.

When using an OIDC provider, the following features are not currently available: User permissions tab in collections, digests, `Alerts` tab in collections, accessible user names for Owners of resources - instead the `sub` claim value is displayed . | | Tasklist | **Microsoft Entra ID:**
`https:///identity-callback`

**Helm:**
`https://` | | | Web Modeler | **Microsoft Entra ID:**
`https:///login-callback`

**Helm:**
`https://` | Web Modeler requires two clients: one for the internal API, and one for the external/public API.

Required configuration variables for webapp:
`OAUTH2_CLIENT_ID=[client-id]`
`OAUTH2_JWKS_URL=[provider-jwks-url]`
`OAUTH2_TOKEN_AUDIENCE=[client-audience]`
`OAUTH2_TOKEN_ISSUER=[provider-issuer]`
`OAUTH2_TYPE=[provider-type]`

Required configuration variables for restapi:
`CAMUNDA_IDENTITY_BASEURL=[identity-base-url]`
`CAMUNDA_IDENTITY_TYPE=[provider-type]`
`CAMUNDA_MODELER_SECURITY_JWT_AUDIENCE_INTERNAL_API=[client-audience]`
`CAMUNDA_MODELER_SECURITY_JWT_AUDIENCE_PUBLIC_API=[publicapi-audience]` (for security reasons, use a different value here than for `CAMUNDA_MODELER_SECURITY_JWT_AUDIENCE_INTERNAL_API`)
`SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUER_URI=[provider-issuer]` | | Console | **Microsoft Entra ID:**
`https://`

**Helm:**
`https://` | |
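Review bot: in the Optimize row of the `docs/self-managed/setup/guides/connect-to-an-oidc-provider.md` hunk, the added clause `accessible user names for Owners of resources - instead the `sub` claim value is displayed .` has a space before the full stop and an unexplained capital in "Owners"; suggest `accessible user names for owners of resources (the `sub` claim value is displayed instead).` While that cell is being rewritten, the comma splice in its first sentence could be fixed too: `...configure your authentication provider. If you use a custom `yaml`, you need to update...`. The identical hunk in `versioned_docs/version-8.6/...` needs the same two fixes.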
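Review bot: the `versioned_docs/version-8.4/...` hunk replaces every row of the table although only the header (`Notes/Limitations`) and the Optimize note change in substance; the rest is column-width churn from the wider separator row. In re-adding the Zeebe row it also carries over the stray trailing `"`` after `which should be set to the displayed value.`, which the 8.5 and 8.6 versions of the same row do not have. Drop those stray characters while the row is being touched, and consider limiting the hunk to the lines that actually change.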
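Review bot: the new limitation added to the Optimize row in the `versioned_docs/version-8.5/...` hunk (`accessible user names for Owners of resources - instead the `sub` claim value is displayed .`) does not say which providers it covers: the surrounding table only configures Microsoft Entra ID, while the commit subject speaks of a custom OpenID Connect provider in general. Stating the scope explicitly (for example "when using an OIDC provider other than Keycloak", matching the Web Modeler note in the 8.4 file) and saying that `sub` is the provider's subject identifier rather than a display name would tell readers what owner labels to expect. The space before the full stop should go as well.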