
How do I make plugin.identity.keycloak from Camunda work in Docker (Desktop)?


About a month ago, I implemented camunda-bpm-identity-keycloak as described here to make my spring-camunda project work with keycloak. This week I tried dockerizing both keycloak and spring-camunda. While the former has been implemented without much hindrance, I have been stuck on the latter for days now.

The main problem is that the API calls seemingly do not reach keycloak, no matter whether keycloak is dockerized or not. I could solve that issue for the SSO part. However, this problem still remains in the "plugin.identity.keycloak" part.

Here is the error in Docker:

2022-03-10 13:39:45.704 ERROR 1 --- [           main] org.camunda.bpm.extension.keycloak       : KEYCLOAK-01011 TOKEN request failed: I/O error on POST request for "https://localhost:8443/auth/realms/MyRealm/protocol/openid-connect/token"

Here are its properties in the .yaml file:

plugin.identity.keycloak:
  keycloakIssuerUrl: https://localhost:8443/auth/realms/MyRealm
  keycloakAdminUrl: https://localhost:8443/auth/admin/realms/MyRealm
  clientId: myrealm-client
  clientSecret: insertsecret
  useUsernameAsCamundaUserId: true
  useGroupPathAsCamundaGroupId: true
  administratorGroupName: camunda-admin
  disable-s-s-l-certificate-validation: true

Here is the Dockerfile:

FROM adoptopenjdk/openjdk11:alpine-jre
EXPOSE 8080
ARG JAR_FILE=target/testdockerforspringcamunda-1.0.0-SNAPSHOT.jar
ADD ${JAR_FILE} app.jar
ENTRYPOINT ["java","-jar","/app.jar"]

Edit:

I have no docker compose to share. I just used that Dockerfile. The strange thing is that it gets an error during the POST request for the token instead of during the GET request for the configuration. When I start the dockerized project while keycloak is offline, the latter happens.

Here are the configured keycloak ports of the non-dockerized keycloak standalone server:

<socket-binding name="http" port="${jboss.http.port:8180}"/>
<socket-binding name="https" port="${jboss.https.port:8443}"/>

Edit2:

After using the container name instead of localhost, I get a slightly different error:

2022-03-14 10:28:13.651 ERROR 1 --- [           main] org.camunda.bpm.extension.keycloak       : KEYCLOAK-01011 TOKEN request failed: I/O error on POST request for "https://keycloak3:8181/auth/realms/MyRealm/protocol/openid-connect/token": keycloak: System error; nested exception is java.net.UnknownHostException: keycloak: System error

Edit3:

I somehow solved this new error. I assume restarting the keycloak container did that.


Solution

  • When you are working in containers, localhost resolves to the local container. In your case, invoking keycloak using localhost from the camunda container won't reach anywhere. The problem with the service name is that it works fine in container-to-container communication, but when it comes to browser redirection, it won't work. Use your system IP address; it works fine.
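As an added illustration of the answer's point (this is example code, not code from the asker, the answerer, or the Camunda Keycloak plugin), the script below audits the `plugin.identity.keycloak` block before the service is containerized: it flags every `keycloak*Url` whose host is a loopback name (which, from inside the container, points at the Camunda container itself rather than at Keycloak), rewrites those URLs to the host IP the answer recommends, and reports that certificate validation is disabled. The sample config is the asker's block with the IP `192.0.2.10` used as a constructed placeholder; the `docker run -e` override names assume Spring Boot's relaxed binding for the plugin's `plugin.identity.keycloak` prefix.

```python
"""Audit plugin.identity.keycloak URLs for container use.

Added example (not the asker's, the answerer's, or the plugin's code).
"""
import re
from ipaddress import ip_address

# Constructed sample: the asker's config block, loopback URLs included.
SAMPLE_CONFIG = """\
plugin.identity.keycloak:
  keycloakIssuerUrl: https://localhost:8443/auth/realms/MyRealm
  keycloakAdminUrl: https://localhost:8443/auth/admin/realms/MyRealm
  clientId: myrealm-client
  clientSecret: insertsecret
  useUsernameAsCamundaUserId: true
  useGroupPathAsCamundaGroupId: true
  administratorGroupName: camunda-admin
  disable-s-s-l-certificate-validation: true
"""

# Hosts that resolve to the calling container, never to Keycloak.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1", "0.0.0.0"}
URL_RE = re.compile(r"^(?P<scheme>https?)://(?P<host>\[[^\]]+\]|[^/:]+)(?P<rest>.*)$")


def parse_plugin_block(text):
    """Return {key: value} for the indented lines under plugin.identity.keycloak.
    Minimal line parser for this flat block; no YAML library needed."""
    props = {}
    in_block = False
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):
            in_block = raw.strip() == "plugin.identity.keycloak:"
            continue
        if in_block and ":" in raw:
            key, value = raw.strip().split(":", 1)
            props[key.strip()] = value.strip()
    return props


def host_of(url):
    """Host part of an http(s) URL, or None if the value is not such a URL."""
    m = URL_RE.match(url)
    return m.group("host").strip("[]") if m else None


def audit(text, host_ip):
    """Return (findings, rewritten_props).

    Each keycloak*Url whose host is a loopback name is reported and rewritten
    to host_ip (the machine IP the answer recommends, reachable from both the
    container and the browser). The cert-validation flag is reported as well.
    """
    ip_address(host_ip)  # raises ValueError unless host_ip is an IP literal
    props = parse_plugin_block(text)
    findings = []
    fixed = dict(props)
    for key, value in props.items():
        if key.startswith("keycloak") and key.endswith("Url"):
            host = host_of(value)
            if host in LOOPBACK_HOSTS:
                findings.append(f"{key}: '{host}' resolves to the camunda container itself")
                m = URL_RE.match(value)
                fixed[key] = f"{m.group('scheme')}://{host_ip}{m.group('rest')}"
    if props.get("disable-s-s-l-certificate-validation") == "true":
        findings.append("TLS certificate validation is disabled for the token/admin calls")
    return findings, fixed


def docker_env_args(fixed):
    """docker run -e overrides for the two URLs. Assumes Spring Boot relaxed
    binding: plugin.identity.keycloak.keycloakIssuerUrl is settable through
    the env var PLUGIN_IDENTITY_KEYCLOAK_KEYCLOAKISSUERURL."""
    return [
        f"-e PLUGIN_IDENTITY_KEYCLOAK_{key.upper()}={fixed[key]}"
        for key in ("keycloakIssuerUrl", "keycloakAdminUrl")
    ]


if __name__ == "__main__":
    found, corrected = audit(SAMPLE_CONFIG, "192.0.2.10")
    for f in found:
        print("FINDING:", f)
    print("docker run", " ".join(docker_env_args(corrected)), "... my-camunda-image")
```

Passing the corrected URLs as `-e` overrides keeps the loopback values out of the image entirely, so the same jar runs unchanged on a developer machine and in the container; only the environment differs.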