Blank Screen after updating to 6.7.1

Hi @yvo

We are trying to upgrade from 6.6.0 to 6.7.1 with Keycloak authentication.
After login, the page gets blank.

The keys we are using are:

```shell
docker run -it -p 8080:8080 \
-e SERVER_PORT="8080" \
-e SPRING_DATASOURCE_DRIVER-CLASS-NAME="org.postgresql.Driver" \
-e SPRING_DATASOURCE_URL="jdbc:postgresql://url:5432/dbname" \
-e SPRING_DATASOURCE_USERNAME="dbuser" \
-e SPRING_DATASOURCE_PASSWORD="password" \
-e FLOWABLE_COMMON_APP_IDM-ADMIN_USER="admin" \
-e FLOWABLE_COMMON_APP_IDM-ADMIN_PASSWORD="test" \
-e SPRING.SECURITY.OAUTH2.RESOURCESERVER.JWT.ISSUER-URI="https://url/auth/realms/Flowable" \
-e SPRING.SECURITY.OAUTH2.CLIENT.REGISTRATION.KEYCLOAK.CLIENT-ID="flowable-client" \
-e SPRING.SECURITY.OAUTH2.CLIENT.REGISTRATION.KEYCLOAK.CLIENT-SECRET="5a63612b-c419-40fe-8d01-2f91689bb4c0" \
-e SPRING.SECURITY.OAUTH2.CLIENT.REGISTRATION.KEYCLOAK.AUTHORIZATION-GRANT-TYPE="authorization_code" \
-e SPRING.SECURITY.OAUTH2.CLIENT.PROVIDER.KEYCLOAK.ISSUER-URI="https://url/auth/realms/Flowable" \
-e SPRING.SECURITY.OAUTH2.CLIENT.PROVIDER.KEYCLOAK.USER-NAME-ATTRIBUTE="preferred_username" \
-e FLOWABLE_IDM_APP_KEYCLOAK_ENABLED=true \
-e FLOWABLE_IDM_APP_KEYCLOAK_SERVER="https://url" \
-e FLOWABLE_IDM_APP_KEYCLOAK_AUTHENTICATION-REALM="master" \
-e FLOWABLE_IDM_APP_KEYCLOAK_AUTHENTICATION-USER="keycloakUserName" \
-e FLOWABLE_IDM_APP_KEYCLOAK_AUTHENTICATION-PASSWORD="keycloakpassword" \
-e FLOWABLE_IDM_APP_KEYCLOAK_REALM="Flowable" \
-e FLOWABLE.COMMON.APP.SECURITY.TYPE="OAUTH2" \
-e FLOWABLE.COMMON.APP.SECURITY.OAUTH2.AUTHORITIES-ATTRIBUTE="groups" \
-e FLOWABLE.COMMON.APP.SECURITY.OAUTH2.GROUPS-ATTRIBUTE="userGroups" \
-e logging.level.org.flowable="DEBUG" \
flowable/flowable-ui:6.7.1
```

Hi,

It’s a bit hard to give an analysis based on the given configuration (with a lot of obfuscated URLs).
One thing that comes to mind: did you do the additional configuration to make the redirect work on a local environment (the hosts file modification)?

Yvo


@yvo thanks for the quick reply. We missed one newly added environment variable,
“SPRING.SECURITY.OAUTH2.CLIENT.REGISTRATION.KEYCLOAK.SCOPE”.

Now it’s working fine.

👍 great!

Regards,

Yvo

To complete @hegde89’s answer, you should set spring.security.oauth2.client.registration.keycloak.scope to openid,email,profile,microprofile-jwt

Explanation:
The recommended configuration is to set the flowable.common.app.security.oauth2.authorities-attribute value to groups.
Without any additional scope provided, the only ones returned would be openid,email,profile.
In these scopes, there is no mapper to map the user’s realm roles to a groups attribute in the access token (the roles are mapped to a realm_access.roles claim). I tried to replace the groups value with realm_access.roles, but this hierarchical notation doesn’t work with the Flowable attribute flowable.common.app.security.oauth2.authorities-attribute.

So your only choices are:

  • to target a scope with an already built-in mapper that provides roles in the groups claim (this is the built-in microprofile-jwt scope)
  • or to add a specific custom mapper in your client configuration in the Keycloak server. In this case, you don’t have to add spring.security.oauth2.client.registration.keycloak.scope to your Flowable configuration

I suggest using the scope; I think it’s cleaner since you could have several Flowable applications configured as different clients in Keycloak.

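As an added illustration of the claim layout described in the answer above (example code, not from the thread, Flowable or Keycloak), this Python snippet constructs Keycloak-style claims for the two scope sets and compares a flat, single-key authorities lookup with a dotted-path one. The issuer URL, username and role names are placeholders, and decode_payload only inspects a token for debugging; it does not verify it.

```python
import base64
import json


def b64url_encode(data: bytes) -> str:
    """base64url without padding, as used for JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_payload(token: str) -> dict:
    """Return the claims of a JWT for inspection only; no signature check.
    Useful to see which claims Keycloak actually put in the access token."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore the stripped padding
    return json.loads(base64.urlsafe_b64decode(segment))


def keycloak_claims(scopes: list) -> dict:
    """Constructed Keycloak-style claims (not captured from a real server).
    Realm roles always sit nested under realm_access.roles; the flat "groups"
    claim only appears when the builtin microprofile-jwt scope is requested."""
    roles = ["flowable-admin", "offline_access"]  # placeholder role names
    claims = {
        "iss": "https://keycloak.example.test/auth/realms/Flowable",  # placeholder
        "preferred_username": "alice",
        "scope": " ".join(scopes),
        "realm_access": {"roles": roles},
    }
    if "microprofile-jwt" in scopes:
        claims["groups"] = list(roles)
    return claims


def flat_authorities(claims: dict, attribute: str) -> list:
    """Single-key lookup: 'realm_access.roles' is treated as one literal claim
    name, so nested roles are never found; this is the failure the post describes."""
    value = claims.get(attribute, [])
    return list(value) if isinstance(value, list) else []


def path_authorities(claims: dict, attribute: str) -> list:
    """Dotted-path lookup that does reach nested claims, shown for comparison."""
    node = claims
    for key in attribute.split("."):
        if not isinstance(node, dict) or key not in node:
            return []
        node = node[key]
    return list(node) if isinstance(node, list) else []
```

With only the default scopes, neither `groups` nor `realm_access.roles` yields authorities through the flat lookup, which is why Flowable ends up with no roles for the user; adding microprofile-jwt populates the flat `groups` claim that the flat lookup can read.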