Keycloak IdmIdentityService

I’m writing a Spring boot application using Keycloak for Authorization/Authentication and managed to integrate Flowable successfully.
As I understand, the users are retrieved from the flowable IdmIdentityService and I would like to create a custom KeycloakIdmIdentityService that will read the users and groups from Keycloak.

public class KeycloakIdmIdentityService implements IdmIdentityService {

This will avoid to duplicate users data.
To get the users and roles from Keycloak, I setup the keycloak-admin-client library and manage to query the users.

To tell Flowable to use my custom class, I’m injecting an instance of KeycloakIdmIdentityService into the IdmEngineConfiguration


IdmIdentityService getKeycloakIdentityService( KeycloakAdminService keycloakAdminService) {
return new KeycloakIdmIdentityService(keycloakAdminService);

Dear Flowable developers, I’m just wondering if it’s the best approach and if anybody already implement such custom IdmIdentityService.



Please, read the following thread, and it seems the mentioned links are useful:

Did you use one of the Flowable Spring Boot starters to embed one of engines (i.e., BPMN, DMN and CMMN)?

See: Flowable OAuth2 Resource Server

Based on the documentation I think you should follow how the LDAP identity service was integrated. This is by creating a custom EngineConfigurationConfigurer

Check out the source code of two classes to have an idea about that


Yes, I’m using Flowable Spring-Boot starter.

Hi Douglas,
Thank you very much for sharing your article. Really interesting.
Does it mean that to use Flowable with Keycloak, I need to use OpenLDAP to get the user from it ?


Then you don’t need to use the Flowable IDM you can store your user’s credentials in a directory server (e.g. OpenLDAP or AD).

For example: Keycloak, Flowable and OpenLDAP

Thanks for you answers,
But my question is about using Keycloak alone as “user repository”.
Is it possible to use Flowable with Keycloak and without LDAP?

Hey @nouhouari,

Everything is possible with some code. You will need to provide your own implementation of the IdmIdentityService. Have a look at the LDAPIdentityServiceImpl to see what needs to be done.


1 Like