
Support passing a JWT token for authorization #276

Closed
nithinssabu opened this issue Nov 11, 2024 · 5 comments

Comments

@nithinssabu
Contributor

nithinssabu commented Nov 11, 2024

SDK Component

OAuth provider

Expected Behavior

Calls to APIs can be authorized using a JWT token that is directly passed in the configuration.

Current Behavior

Calls to APIs can be authorized using

  • basic auth
  • OAuth - using a token that is obtained via a client id/secret pair exchange

Possible Solution

  • Add additional choice BEARER to the configuration option CAMUNDA_AUTH_STRATEGY
  • When using the above choice, pass the bearer token using an additional configuration option CAMUNDA_OAUTH_TOKEN
  • Use this token as the bearer token for authorizing requests

Context (Environment)

In Web Modeler, we are simplifying the deployment experience for the self-managed product context by allowing users to simply select a cluster and deploy. The available clusters are part of the configuration. Epic: https://github.com/camunda/web-modeler/issues/10217

Previously the behaviour was that the users enter the client information including the credentials (client ID and secret) to be able to deploy.

With the new experience and the clusters moving to the configuration, we cannot have the credentials as part of the configuration. For a simplified experience, we also do not want to make the users type in the credentials for the cluster, instead just use the user token for authorizing deployments. This change was implemented in https://github.com/camunda/web-modeler/issues/11337 and we will now also remove the fields for the credentials from the UI.

We use the sdk for the Play mode in Web Modeler and since we will not have the option to get the credentials going forward, we want to support authorizing the requests using the user token.

See also the additional context in this comment.

@jwulf
Member

jwulf commented Nov 12, 2024

When you say "we also do not want to make the users type in the credentials for the cluster, instead just use the user token for authorizing deployments", where does the user get this token?

@nithinssabu
Contributor Author

nithinssabu commented Nov 12, 2024

When you say "we also do not want to make the users type in the credentials for the cluster, instead just use the user token for authorizing deployments", where does the user get this token?

The idea is that the token would be a pre-existing user access token which is obtained when the user logs into the Web Modeler. This token is then used to authorize deployments without needing to enter a client ID/secret pair for the target cluster. This is already implemented. What we are now trying to do is to also make this possible for Play.

The Play component in Web Modeler makes use of the sdk to make requests. This is where the initialization is done. This is within the webapp component in Web Modeler which is a Node.js server. Instead of passing the client id and secret here, we want to pass the JWT token, like this:

import { Camunda8 } from '@camunda8/sdk';

const c8 = new Camunda8({
    // proposed new strategy: use a token that is passed in directly
    CAMUNDA_AUTH_STRATEGY: 'BEARER',
    // the user's access token (placeholder value here), sent as the bearer token
    CAMUNDA_OAUTH_TOKEN: 'mysecrettoken',
});

See also the middleware used to validate the token.

@nithinssabu
Contributor Author

nithinssabu commented Nov 12, 2024

Please also have a look at the linked epic in the issue description (especially the authorization slice) for a more detailed explanation of the changes in Web Modeler.
Link to the relevant discussion in the project channel.

@ingorichtsmeier

Hey @jwulf,

where does the user get this token?

Magically with the login into an app like Web Modeler.
Manually like here: https://docs.camunda.io/docs/apis-tools/camunda-api-rest/camunda-api-rest-authentication/#generate-a-token

I have a customer that requests restricting deployment permissions per user. Currently (I'm still on 8.5) you can only hide the client ID/client secret from people that should not deploy.

But for testing your BPMN diagram, you have to share the client ID/client secret (with other people). This does not sound logical and is a security risk.

@jwulf
Member

jwulf commented Nov 16, 2024

Released in 8.6.16

@jwulf jwulf closed this as completed Nov 16, 2024