camunda-platform-7-keycloak: KeycloakPlugin freezes Camunda Platform when user claims task

Hi,

Running:

Camunda Platform Run 7.15.0 KeycloackIdentifyProviderPlugin 2.1.0 Keycloak 13

I am not sure anymore that the refresh token thing has something to do with this, so we can probably close #68 as it is only a finding while actually investigating this issue: Everything is fine, until I claim my first user task. The UI does not respond to the claim, but in database, I can verify that I am the assigne. Also in camunda cockpit I am the assignee: image

Also in Task Authorization, I can see that I have ALL rights to the task. image

But I cannot work on the task. From that time on, opening the task list crashes the database access after 30 seconds:

2021-07-14T19:17:46.097265933Z org.springframework.transaction.CannotCreateTransactionException: Could not open JDBC Connection for transaction; nested exception is java.sql.SQLTransientConnectionException: HikariPool-1 - Connection is not available, request timed out after 30000ms.
2021-07-14T19:17:46.097270122Z 	at org.springframework.jdbc.datasource.DataSourceTransactionManager.doBegin(DataSourceTransactionManager.java:309) ~[spring-jdbc-5.3.4.jar!/:5.3.4]
2021-07-14T19:17:46.097274053Z 	at org.springframework.transaction.support.AbstractPlatformTransactionManager.startTransaction(AbstractPlatformTransactionManager.java:400) ~[spring-tx-5.3.4.jar!/:5.3.4]
2021-07-14T19:17:46.097277851Z 	at org.springframework.transaction.support.AbstractPlatformTransactionManager.getTransaction(AbstractPlatformTransactionManager.java:373) ~[spring-tx-5.3.4.jar!/:5.3.4]
2021-07-14T19:17:46.097281325Z 	at org.springframework.transaction.support.TransactionTemplate.execute(TransactionTemplate.java:137) ~[spring-tx-5.3.4.jar!/:5.3.4]
2021-07-14T19:17:46.097284797Z 	at org.camunda.bpm.engine.spring.SpringTransactionInterceptor.execute(SpringTransactionInterceptor.java:70) ~[camunda-engine-spring-7.15.0.jar!/:7.15.0]
2021-07-14T19:17:46.097288112Z 	at org.camunda.bpm.engine.impl.interceptor.ProcessApplicationContextInterceptor.execute(ProcessApplicationContextInterceptor.java:70) ~[camunda-engine-7.15.0.jar!/:7.15.0]
2021-07-14T19:17:46.097291475Z 	at org.camunda.bpm.engine.impl.interceptor.CommandCounterInterceptor.execute(CommandCounterInterceptor.java:35) ~[camunda-engine-7.15.0.jar!/:7.15.0]
2021-07-14T19:17:46.097294805Z 	at org.camunda.bpm.engine.impl.interceptor.LogInterceptor.execute(LogInterceptor.java:33) ~[camunda-engine-7.15.0.jar!/:7.15.0]
2021-07-14T19:17:46.097310237Z 	at org.camunda.bpm.engine.impl.IdentityServiceImpl.isReadOnly(IdentityServiceImpl.java:85) ~[camunda-engine-7.15.0.jar!/:7.15.0]
2021-07-14T19:17:46.097314066Z 	at org.camunda.bpm.webapp.impl.engine.ProcessEnginesFilter.needsInitialUser(ProcessEnginesFilter.java:247) ~[camunda-webapp-7.15.0-classes.jar:7.15.0]
2021-07-14T19:17:46.097318850Z 	at org.camunda.bpm.webapp.impl.engine.ProcessEnginesFilter.serveIndexPage(ProcessEnginesFilter.java:175) ~[camunda-webapp-7.15.0-classes.jar:7.15.0]
2021-07-14T19:17:46.097322545Z 	at org.camunda.bpm.webapp.impl.engine.ProcessEnginesFilter.applyFilter(ProcessEnginesFilter.java:127) ~[camunda-webapp-7.15.0-classes.jar:7.15.0]
2021-07-14T19:17:46.097325836Z 	at org.camunda.bpm.webapp.impl.filter.AbstractTemplateFilter.doFilter(AbstractTemplateFilter.java:58) ~[camunda-webapp-7.15.0-classes.jar:7.15.0]
2021-07-14T19:17:46.097329121Z 	at org.camunda.bpm.spring.boot.starter.webapp.filter.LazyDelegateFilter.doFilter(LazyDelegateFilter.java:60) ~[camunda-bpm-spring-boot-starter-webapp-core-7.15.0.jar:7.15.0]

After a few minutes, camunda platform recovers, but as soon as I open the task list, the db connection crashes again.

If I remove the assigne from the task (either through direct DB access or cockpit), I can again open the complete tasklist. But as soon as I claim a task, weirdness starts all over.

And this only happens, when I have the KeycloakPlugin installed. It works fine without it. This is so confusing 😕

Regards, Markus

About this issue

  • Original URL
  • State: closed
  • Created 3 years ago
  • Comments: 19

Most upvoted comments

Hmmm… Just thinking out aloud: It says “2021-07-14T19:17:46.097265933Z org.springframework.transaction.CannotCreateTransactionException: Could not open JDBC Connection for transaction; nested exception is java.sql.SQLTransientConnectionException: HikariPool-1 - Connection is not available, request timed out after 30000ms.” So there are no database connections available any more. The plugin does nothing special with transactions. All REST queries against Keycloak might be part of an overal Camunda transaction, ok. The plugin might query authorization information which is still part of the database and not Keycloak. By setting authorizationCheckEnabled to false this is disabled.

What database do you use for Camunda? Have you configured the connection pool? What is your min size and max size?

Setting

 logging.level.org.camunda.bpm.extension.keycloak: DEBUG
 logging.level.org.springframework.web.client.RestTemplate: DEBUG

might give you further debug info on the queries against the Identity Provider Plugin and the ones sent to Keycloak. Would be interesting to see what happens once you try to open the task list.

+1
VonDerBeck on Jul 19, 2021

The snapshot seems to have missing dependencies:

│ Caused by: java.lang.ClassNotFoundException: com.github.benmanes.caffeine.cache.Ticker                                                                                                                                                                                                                                    ││     at java.base/java.net.URLClassLoader.findClass(URLClassLoader.java:471) ~[na:na]                                                                                                                                                                                                                                      ││     at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:589) ~[na:na]                                                                                                                                                                                                                                           ││     at org.springframework.boot.loader.LaunchedURLClassLoader.loadClass(LaunchedURLClassLoader.java:151) ~[camunda-bpm-run-core.jar:7.15.0]                                                                                                                                                                               ││     at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:522) ~[na:na]

Sorry for that. So we currently can’t test it using the supposed new cache feature. The build process started to have problems with the maven shade plugin here on the community hub - which should not affect you and is a different story. So the cache feature is sadly not near to be released and will take some time. It would have been a quick identication that your Keycloak server is not that responsive…

+1
VonDerBeck on Jul 19, 2021
Read more comments on GitHub
← camunda-platform-7-keycloak: Always got 403 at Camunda startup
rx-player: INCOMPATIBLE_KEYSYSTEMS error using DASH/Widevine on Panasonic 2019 →