How do I make plugin.identity.keycloak from Camunda work in Docker (Desktop)?

Question

About a month ago, I implemented camunda-bpm-identity-keycloak as described here to make my spring-camunda project work with keycloak. This week I tried dockerizing both keycloak and spring-camunda. While the former has been implemented without much hindrance, the latter I´m stuck on for days now.

The main problem is about the api calls seemingly not reaching keycloak, no matter if keycloak is dockerized or not. I could solve that issue for the SSO part. However, this problem is still remaining in the "plugin.identity.keycloak" part.

Here is the error code in docker.

2022-03-10 13:39:45.704 ERROR 1 --- [           main] org.camunda.bpm.extension.keycloak       : KEYCLOAK-01011 TOKEN request failed: I/O error on POST request for "https://localhost:8443/auth/realms/MyRealm/protocol/openid-connect/token"

Here are its properties in the .yaml file:

plugin.identity.keycloak:
  keycloakIssuerUrl: https://localhost:8443/auth/realms/MyRealm
  keycloakAdminUrl: https://localhost:8443/auth/admin/realms/MyRealm
  clientId: myrealm-client
  clientSecret: insertsecret
  useUsernameAsCamundaUserId: true
  useGroupPathAsCamundaGroupId: true
  administratorGroupName: camunda-admin
  disable-s-s-l-certificate-validation: true

Here is the Dockerfile:

FROM adoptopenjdk/openjdk11:alpine-jre
EXPOSE 8080
ARG JAR_FILE=target/testdockerforspringcamunda-1.0.0-SNAPSHOT.jar
ADD ${JAR_FILE} app.jar
ENTRYPOINT ["java","-jar","/app.jar"]

Edit:

I have no docker compose to share. I just used that Dockerfile. The strange thing is that it gets an error during the POST request for the token instead of during the Get request for the configuration. When I start the dockerized project while keycloak is offline, the latter happens.

Here are the configured keycloak ports of the non dockerized keycloak standalone server:

<socket-binding name="http" port="${jboss.http.port:8180}"/>
<socket-binding name="https" port="${jboss.https.port:8443}"/>

Edit2:

After using the containername instead the localhost, I get a slightly different error:

2022-03-14 10:28:13.651 ERROR 1 --- [           main] org.camunda.bpm.extension.keycloak       : KEYCLOAK-01011 TOKEN request failed: I/O error on POST request for "https://keycloak3:8181/auth/realms/MyRealm/protocol/openid-connect/token": keycloak: System error; nested exception is java.net.UnknownHostException: keycloak: System error

Edit3:

I somehow solved this new error. I assume restarting the keycloak container did that.

@AbrarAnsari Any link on how to do that? I´m just a beginner in Docker. — User8201038439285, Mar 10 '22 at 15:51
Do you have a docker compose or helm to share? How about the network config? is the keycloak container exposing the right ports, e.g. https://localhost:8443? — rob2universe, Mar 11 '22 at 01:34
https://docs.docker.com/engine/reference/commandline/exec/. check this out — Abrar Ansari, Mar 11 '22 at 12:03
@AbrarAnsari thx. I tested it and my container has no problem pinging the keycloak server. My edit describes the specific problem. — User8201038439285, Mar 11 '22 at 12:45
instead of localhost:port try with containername:port in your config file, also create a network group and add both container on same network — Abrar Ansari, Mar 11 '22 at 15:51
@AbrarAnsari I tried it out. Now the error is slightly different. I will put a second edit. — User8201038439285, Mar 14 '22 at 10:30
can you share the minimum working project so I can recreate and check, it seems container's not able to communicate with each other. — Abrar Ansari, Mar 14 '22 at 13:23
@AbrarAnsari I somehow solved it. I assume restarting keycloak did that. Still thank you very much for helping me. — User8201038439285, Mar 14 '22 at 14:06
Take a look at this project - https://github.com/AOT-Technologies/forms-flow-ai/tree/master/forms-flow-bpm, we made the keycloak and comunda containarized and the communication works fine. — John, Jun 15 '22 at 10:11

John · Accepted Answer · 2022-06-15T10:24:47.950

1

When you are working in containers, localhost resolves to the local container. In your case invoking keycloak using localhost from camunda container wont reach anywhere. The problem with the service name is, that it works fine in container-to-container communication. But when it comes to browser redirection, it wont work. Use your system IP address it works fine.

edited Jun 15 '22 at 10:24

answered Jun 15 '22 at 10:14

John

666
1
9
22

How do I make plugin.identity.keycloak from Camunda work in Docker (Desktop)?

1 Answers1