We are already using Keycloak for User and Group store , is it possible to integrate Flowable to third party IDM like Keycloak.
Hi,
Yes sure. The IdentityService is pluggable so you can create a Keycloak implementation of the IdentityService and use that implementation instead of the default simple db one.
Best regards,
Tijs
thanks Tijs
Is RemoteIdmService is the right interface to implement for custom idm ?
Hi,
RemoteIdmService is used within the Flowable Task application to get IDM information from the IDM app. If you want to integrate Keycloak you need to integrate it into the IdmEngineConfiguration with a custom implementation of the IdmIdentityService.
Best regards,
Tijs
Yes we were able to implement Flowable Engine as bearer client.
FYI, I figured out, that you could theoretically build a IdmIdentityService using the Resource Owner Password Credentials Grant flow of OAuth2, also known as Direct Access Grant in Keyloak to validate Credentials. In addition, Keycloak allows Service Accounts to access user and group lists and other properties of the Keycloak instance via it’s Admin rest API Keycloak Docs. In this configuration a IdmIdentityService could just work like the LDAP one without duplicated user storage.
1 Like
@derEisele, do you have some code to share?
I am developing sync from KeyCloak (via REST API) to flowable-idm db similar to how KeyCloak LDAP sync works (on demand, when flowable-idm doesn’t know the user, it looks him/her up in KeyCloak and saves to db configured in Flowable)