Authentication application PHP + Camunda BPM Rest API


Julio Valdés

Sep 30, 2013, 10:02:28 AM
to camunda-...@googlegroups.com
Hello,

I'm new to Camunda BPM. I need to integrate BPM with a PHP web application. I am not clear on how to manage users and roles from the PHP application. What is best in terms of design to integrate authentication into this application?

Best Regards,

Julio

stefan.h...@camunda.com

Oct 1, 2013, 6:28:48 AM
to camunda-...@googlegroups.com
Hi Julio,

The most efficient way to manage users with our camunda BPM platform is to authenticate against our REST API with basic authentication. See http://docs.camunda.org/latest/api-references/rest/#overview-configuring-authentication for this purpose.

You could then use our REST API for all the tasks you want to perform. If you want to know how to use the REST API via PHP, you could have a look at our PHP SDK project (http://camunda.github.io/camunda-bpm-php-sdk/). This project will show you a basic way to interact with our REST API via PHP. I have to warn you that the SDK is more in an alpha state than a release version. You will miss some features that are in our current GA release.

For basic authentication with PHP you could have a look at the PHP cURL documentation or this thread: http://stackoverflow.com/questions/2140419/how-do-i-make-a-request-using-http-basic-authentication-with-php-curl

I hope this answers your question :-)

Cheers,

Stefan
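
An added example, not part of the post above and not code from the camunda PHP SDK: a basic-auth GET against the REST API with PHP cURL that keeps TLS verification on and treats 401 as rejected credentials. The helper names, the host, the `/engine-rest` base path and the environment variable names are assumptions; `/task` with an `assignee` filter is the REST API's task query.

```php
<?php
// Added example; helper names, host and environment variables are assumptions.

function interpretResponse(int $status, string $body): array
{
    if ($status === 401) {
        // The engine rejected, or never received, the Basic credentials.
        throw new RuntimeException('401 Unauthorized');
    }
    if ($status < 200 || $status >= 300) {
        throw new RuntimeException("Unexpected HTTP status $status");
    }
    $data = json_decode($body, true);
    if (!is_array($data)) {
        throw new RuntimeException('Response body is not JSON');
    }
    return $data;
}

function camundaGet(string $base, string $path, string $user, string $pass, array $query = []): array
{
    $url = rtrim($base, '/') . $path . ($query ? '?' . http_build_query($query) : '');
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPAUTH       => CURLAUTH_BASIC,
        CURLOPT_USERPWD        => $user . ':' . $pass, // sent as "Authorization: Basic ..."
        CURLOPT_HTTPHEADER     => ['Accept: application/json'],
        CURLOPT_SSL_VERIFYPEER => true,                // Basic is only base64, so keep TLS checks on
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        throw new RuntimeException('Transport error: ' . curl_error($ch));
    }
    return interpretResponse((int) curl_getinfo($ch, CURLINFO_HTTP_CODE), $body);
}

// Offline check with a constructed response body.
print_r(interpretResponse(200, '[{"id":"constructed-task-1","name":"Approve","assignee":"julio"}]'));

// Live call only when configured, e.g. CAMUNDA_URL=https://camunda.example.test/engine-rest
if (getenv('CAMUNDA_URL')) {
    $user = (string) getenv('CAMUNDA_USER');
    $tasks = camundaGet(getenv('CAMUNDA_URL'), '/task', $user, (string) getenv('CAMUNDA_PASS'), ['assignee' => $user]);
    foreach ($tasks as $t) {
        echo $t['id'], "\t", $t['name'], PHP_EOL;
    }
}
```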

Julio Valdés

Oct 1, 2013, 10:37:49 AM
to camunda-...@googlegroups.com
Hi Stefan,

Thanks for your help. I fully understand your answer and it helped me.

Reading the documentation I have the following doubts:

1. The BPM engine does not check users and roles at runtime, so authentication is only to manage permissions on resources (such as creating or deleting process definitions) and not to authenticate users running process tasks?

2. How do I maintain the integrity of users and roles between my PHP application and the BPM engine? Is it necessary?

Best Regards,
Julio

stefan.h...@camunda.com

Oct 7, 2013, 3:07:32 AM
to camunda-...@googlegroups.com
Hi Julio,

If I get it right:

1.) If you are not authenticated you can't start any process instance or get any task. The only request you could do without authentication on the REST API is a GET request for /engine to get all engine names. If you use more than 1 engine (e.g. for a cluster system) you have to select the engine to authenticate against. For all other requests you have to authenticate with a user which you have created before (see http://docs.camunda.org/latest/api-references/rest/#user-create-user or use our admin tool which is delivered with our pre-packaged distribution).

2.) To maintain the integrity you could use the database tables of the engine for users and roles/groups. If you use our pre-packaged engine there will be an H2 database, but you could also configure a MySQL, PostgreSQL, Oracle, DB2 or Microsoft SQL in the application server so that you can easily get access via PHP to the database. Another way to get the integrity is to create and/or update the users with REST API calls.

For the database way: you could have a look into our installation guide (http://docs.camunda.org/latest/guides/installation-guide/) and in the installation guides of the application server.

For the REST-API way (I would recommend this way): you could have a look into our PHP SDK project and this REST-API documentation for users and groups:

-- users: http://docs.camunda.org/latest/api-references/rest/#user
-- groups: http://docs.camunda.org/latest/api-references/rest/#group

I hope this is all clear :-)
Feel free to ask if you have any questions.

Cheers,

Stefan

Julio Valdés

Nov 26, 2013, 8:02:36 PM
to camunda-...@googlegroups.com
Hello Stefan,

I have seen the new version of the PHP SDK and I see that it has changed considerably. Happy new version =).

Your answer is clear and I fully understand it, but the case is: I have a database with thousands of users that can start a process, so the user management (user CRUD), the authentication and the business logic are done in the application (Symfony2).

So, how do I maintain the integrity of users and roles between my PHP application and the BPM engine?

Is it possible to indicate to the BPM engine, in configuration, that it should search for users elsewhere?

Would I have to disable authentication in the BPM engine in this case?

Sorry if it's something simple, but I read the documentation and do not understand how to do it :s

Best Regards,
Julio

Daniel Meyer

Nov 27, 2013, 7:19:47 AM
to camunda-...@googlegroups.com
Hi Julio,

Stefan is on vacation right now. I am not sure whether he checks the forum. He will probably answer your question next week.

Cheers,
Daniel

Daniel Meyer

Dec 4, 2013, 2:41:42 AM
to camunda-...@googlegroups.com
Hi Julio,

I see two possibilities to solve this scenario:

1) you could implement a syncing mechanism and replicate the user database maintained in Symfony2 into the process engine database. This could probably be achieved using some kind of batch job.

2) you could write a custom IdentityProvider implementation (plugin for the process engine) and directly access the Symfony2 user database from the process engine. Here is some documentation on the IdentityProvider: http://docs.camunda.org/latest/guides/user-guide/#process-engine-identity-service
We implement LDAP support in the same way ourselves: https://github.com/camunda/camunda-bpm-platform/tree/master/identity

Cheers,
Daniel Meyer
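
Option 1 as an added example (not code from the post above or from camunda): a batch job can diff the application's user list against the engine's `GET /user` result and plan the `POST /user/create`, `PUT /user/{id}/profile` and `DELETE /user/{id}` calls. The application-side field names, the `$protectedIds` parameter, the sample users and the random engine-side password are assumptions of this example.

```php
<?php
// Added example: plans the REST calls for a one-way user sync into the engine.
// Application-side field names and all sample users are constructed.

function planUserSync(array $appUsers, array $engineUsers, array $protectedIds = []): array
{
    $engineById = array_column($engineUsers, null, 'id');
    $plan = [];
    foreach ($appUsers as $u) {
        $id = (string) $u['username'];
        $profile = ['id' => $id, 'firstName' => $u['first'], 'lastName' => $u['last'], 'email' => $u['email']];
        if (!isset($engineById[$id])) {
            // Assumption: the PHP application authenticates end users itself, so the
            // engine copy gets a random password that nobody ever logs in with.
            $plan[] = ['POST', '/user/create', [
                'profile'     => $profile,
                'credentials' => ['password' => bin2hex(random_bytes(24))],
            ]];
        } elseif (array_intersect_key($engineById[$id], $profile) != $profile) {
            // Profile fields drifted: push the application's copy.
            $plan[] = ['PUT', '/user/' . rawurlencode($id) . '/profile', $profile];
        }
        unset($engineById[$id]);
    }
    // Whatever is left exists only in the engine: remove it, except accounts
    // the integration itself depends on (admin, service user).
    foreach (array_keys($engineById) as $id) {
        if (!in_array((string) $id, $protectedIds, true)) {
            $plan[] = ['DELETE', '/user/' . rawurlencode((string) $id), null];
        }
    }
    return $plan;
}

// Constructed sample data: application rows and a GET /user style result.
$appUsers = [
    ['username' => 'alice', 'first' => 'Alice', 'last' => 'A', 'email' => 'alice@example.test'],
    ['username' => 'bob',   'first' => 'Bob',   'last' => 'B', 'email' => 'bob@example.test'],
];
$engineUsers = [
    ['id' => 'bob',     'firstName' => 'Bob', 'lastName' => 'B',       'email' => 'old@example.test'],
    ['id' => 'old',     'firstName' => 'Old', 'lastName' => 'User',    'email' => 'gone@example.test'],
    ['id' => 'svc-php', 'firstName' => 'PHP', 'lastName' => 'Service', 'email' => 'svc@example.test'],
];
foreach (planUserSync($appUsers, $engineUsers, ['svc-php']) as [$method, $path, $body]) {
    echo $method, ' ', $path, PHP_EOL;
}
```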


Julio Valdés

Dec 12, 2013, 6:34:09 PM
to camunda-...@googlegroups.com
Hello Daniel,

Thank you very much for your answer. I will check solution #2. Meanwhile I'm using engine-rest without authentication.

Best Regards.
Julio

lvije...@gmail.com

Jan 21, 2016, 6:44:15 AM
to camunda BPM users
Hello,

Please help me authenticate my PHP application with camunda.

As suggested Julio used curl and I am able to validate the username and password.

From curl I can validate the user with 401 (unauthorized) status.

What should be done to authenticate the same so that I can retrieve the task list?

Regards
Vijetha

lvije...@gmail.com

Jan 22, 2016, 4:06:12 AM
to camunda BPM users
Hello,

This link helped me to solve my problem,

https://groups.google.com/d/msg/camunda-bpm-users/8y_GfRwhAXU/92Key2jv8PYJ


Thank you
