A quickstart project shows very typical user task orchestration. It comes with two tasks assigned to human actors via group assignments - managers. So essentially anyone who is a member of that group can act on the tasks. Though this example applies four eye principles which essentially means that the user who approved the first task cannot approve the second one. So there must always be at least two distinct managers involved.
This example shows
You will need:
This quickstart provides a docker compose template that starts all the required services. This setup ensures that all services are connected with a default configuration.
You should start all the services before you execute any of the Approvals example, to do that please execute:
For Linux and MacOS:
startServices.sh scriptsh ./startServices.sh
Once all services bootstrap, the following ports will be assigned on your local machine:
NOTE: This step requires the project to be compiled, please consider running a
mvn clean install -Pcontainercommand on the project root before running thestartServices.shscript for the first time or any time you modify the project.-Pcontainerwill create a local docker image of the example and will be run by docker-compose with all required services.
Once started you can simply stop all services by executing the docker-compose stop.
All the created containers can be removed by executing the docker-compose rm.
In this Quickstart we'll be using Keycloak as Authentication Server. It will be started as a part of the project Infrastructure Services, you can check the configuration on the project docker-compose.yml in docker-compose folder.
It will install the Kogito Realm that comes with a predefined set of users: | Login | Password | Roles | | ------------- | ---------- | ------------------- | | admin | admin | admin, managers | | alice | alice | user | | jdoe | jdoe | managers |
Once Keycloak is started, you should be able to access your Keycloak Server at localhost:8480/auth with admin user.
This Quickstart is taking advantage of the Quarkus OIDC extension that allows an easy integration between the Kogito runtime, Kogito consoles and Keycloak.
This example enables authentication Kogito Management Console & Kogito Task Console using OpenID Connect, to do that you must start the consoles using the keycloak quarkus profile as a parameter (-Dquarkus.profile=keycloak). You can check the configuration on the project docker-compose.yml in docker-compose folder.
NOTE: For more information about how to secure Kogito Management Console with OpenID Connect, please refer to Kogito Documentation.
For more information about how to secure Kogito Task Console with OpenID Connect, please refer to Kogito Documentation
NOTE: If you don't want to run the example inside docker compose. You can stop the service container by running below commands.
docker stop process-usertasks-with-security-oidc-springboot-with-console
mvn clean compile spring-boot:run
mvn clean package
To run the generated native executable, generated in target/, execute
java -jar target/process-usertasks-with-security-oidc-springboot-with-console.jar
We can navigate to http://localhost:8080 to verify the Kogito runtime is running
You can take a look at the OpenAPI definition - automatically generated and included in this service - to determine all available operations exposed by this service. For easy readability you can visualize the OpenAPI definition file using a UI tool like for example available Swagger UI.
In addition, various clients to interact with this service can be easily generated using this OpenAPI definition. We can access to deployed http://localhost:8080/swagger-ui even the current example has the security enabled and some endpoint will require authenication.
The application is using bearer token authorization and the first thing to do is obtain an access token from the Keycloak Server in order to access the application resources. Obtain an access token for user john.
export access_token=$(\ curl -X POST http://localhost:8480/auth/realms/kogito/protocol/openid-connect/token \ --user kogito-app:secret \ -H 'content-type: application/x-www-form-urlencoded' \ -d 'username=jdoe&password=jdoe&grant_type=password' | jq --raw-output '.access_token' \ )
To make use of this application it is as simple as putting a sending request to http://localhost:8080/approvals
{ "traveller" : { "firstName" : "John", "lastName" : "Doe", "email" : "jon.doe@example.com", "nationality" : "American", "address" : { "street" : "main street", "city" : "Boston", "zipCode" : "10005", "country" : "US" } } }
Complete curl command can be found below, passing the token as Authorization header :
curl -X POST -H "Authorization: Bearer "$access_token -H 'Content-Type:application/json' -H 'Accept:application/json' -d '{"traveller" : { "firstName" : "John", "lastName" : "Doe", "email" : "jon.doe@example.com", "nationality" : "American","address" : { "street" : "main street", "city" : "Boston", "zipCode" : "10005", "country" : "US" }}}' http://localhost:8080/approvals
To access the Kogito Management Console just open your browser and navigate to http://localhost:8280. You'll be redirected to the Keycloak log in page.
Once there, log in using any of the users specified in the Using Keycloak as Authentication Server
NOTE: For more information about how to work with Kogito Management Console, please refer to the Kogito Documentation page.
To access the Kogito Task Console just open your browser and navigate to http://localhost:8380. You'll be redirected to the Keycloak log in page.
Once there, log in with an managers user (for example admin) and you should be redirected to the user Task Inbox:
There you'll see all the tasks assigned to the user or to any of the group he belongs to.
To access the Kogito Management Console just open your browser and navigate to http://localhost:8280.
NOTE: For more information about how to work with Kogito Management Console, please refer to the Kogito Documentation page.
Check the process instance details to see where is the execution path
To access the Kogito Task Console just open your browser and navigate to http://localhost:8380 and you should be redirected to the Task Inbox. Ensure you are logged as a user with role manager to be able to see the First Line approval (i.e: jdoe / jdoe)
NOTE: For more information about how to work with Kogito Task Console, please refer to the Kogito Documentation page.
Access to ‘First Line approval’ task and complete
Check the process instance details at Kogito Management Console to see the execution path reflects the completed task
Access the Kogito Task Console and ensure you are logged as a user with role manager to be able to see the Second Line approval following the second eye principle (i.e: admin / admin)
Access to ‘Second Line approval’ task and complete
Check the process instance details at Kogito Management Console, and verify the execution path is reflected in the diagram.