Keycloak for Task assignment

Hello, I am implementing a Spring Boot app which uses Flowable 7.0.1.
I want to use Keycloak to assign the tasks that I create.
I have extended IdmIdentityServiceImpl and I have managed to query Keycloak instead of Flowable for users, groups, etc., but I can set any user I want by calling taskService.setAssignee. Isn’t this handled by the identity service? Shouldn’t I get an exception?
From the documentation:

For example, a task could be assigned to any user, but the engine doesn’t verify whether that user is known to the system. This is because the Flowable engine can also be used in conjunction with services such as LDAP, Active Directory, and so on.

So, isn’t this checked? Do I have to check it in my code somehow before setting the assignee?

Indeed Flowable does not check if the user exists when doing taskService.setAssignee. You’ll have to handle that before invoking the Flowable API.

So, I could also disable the IDM service in general and use Keycloak for user queries and task assignment. The only problem with this would be:

This means that no user and group queries can be used, and candidate groups in a task query can not be retrieved for a user.

So, I can fetch tasks of a user if they are directly assigned to him, but I can’t fetch the tasks that are assigned to some candidate group that the user belongs to, right?

Hi @desp.kaz,

you can also search tasks by the candidate group.

Valentin

Then what is meant by the documentation here:

This means that no user and group queries can be used, and candidate groups in a task query can not be retrieved for a user.

What are the consequences if I disable IDM?

Hi @desp.kaz,

it would be nice if you linked the source of a quote, which helps other people understand the context and where you copied that text from.

When you provide a candidateUser and do not provide candidate groups, then it automatically tries to look up the candidate groups for that particular user. This functionality won’t work anymore (and is disabled) when you disable IDM, since in this case it obviously can’t look up the user.

Valentin

Thanks a lot for the quick response @valentin
You are right, the quote comes from here: Identity management · Flowable Open Source Documentation

So, it searches for the groups of the user by using the IDM service. So, if I keep IDM and extend it for Keycloak, it will search the user’s groups from my implementation.

Are there any other points that I should consider if I disable the IDM service?

Hi @desp.kaz,

you can also disable the IDM service and provide the candidate groups manually when you call the task query.

Valentin

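An added example, not code from this thread or from Flowable: one way to apply both answers above with IDM disabled, checking the assignee before calling taskService.setAssignee and passing the candidate groups to the task query explicitly. `UserDirectory` and `KeycloakTaskFacade` are hypothetical names; the Keycloak lookup behind the interface is assumed and not shown.

```java
import java.util.List;
import org.flowable.engine.TaskService;
import org.flowable.task.api.Task;

/** Hypothetical lookup backed by Keycloak; not a Flowable or Keycloak type. */
interface UserDirectory {
    boolean userExists(String userId);
    List<String> groupsOf(String userId);
}

public class KeycloakTaskFacade {
    private final TaskService taskService;
    private final UserDirectory directory;

    public KeycloakTaskFacade(TaskService taskService, UserDirectory directory) {
        this.taskService = taskService;
        this.directory = directory;
    }

    /** Flowable stores any string as assignee, so unknown users are rejected here. */
    public void assign(String taskId, String userId) {
        if (userId == null || !directory.userExists(userId)) {
            throw new IllegalArgumentException("Unknown assignee: " + userId);
        }
        taskService.setAssignee(taskId, userId);
    }

    /** Tasks assigned to the user, or open to one of the user's groups. */
    public List<Task> tasksFor(String userId) {
        // Resolve groups server-side from the directory (or a validated token),
        // never from a client-supplied request parameter.
        List<String> groups = directory.groupsOf(userId);
        if (groups.isEmpty()) {
            // taskCandidateGroupIn rejects an empty list, so query by assignee only.
            return taskService.createTaskQuery().taskAssignee(userId).list();
        }
        return taskService.createTaskQuery()
                .or()
                    .taskAssignee(userId)
                    .taskCandidateGroupIn(groups)
                .endOr()
                .list();
    }
}
```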