Integrating Imixs-Workflow with Apereo CAS (OIDC, Opaque Tokens, and Role Propagation)

[vishnumurali7793]

Hello everyone,

I’m working on a microservice-based application where I plan to use Imixs-Workflow as the workflow engine. I would like some guidance on integrating it with our existing authentication and authorization setup.

---

Current Architecture

• IAM / Authentication Server: Apereo CAS

  • OIDC is enabled and already used by other services

  • CAS issues opaque access tokens (not JWT)

  • Token validation is performed using token introspection

  • OIDC best practice followed: claims are not embedded in the access token

    • User attributes are fetched via the /oidc/profile endpoint

• Resource Services: Spring Boot 3.x microservices

• Workflow Engine: Imixs-Workflow (microservice setup)

• Database:

  • Centralized User and User–Role master tables
  • These users and roles are already reused across multiple services

---

Requirement

• Users authenticate via CAS login

• The same authenticated user should:

  • Access Imixs-Workflow
  • Perform workflow-related tasks

• User identity and roles/groups must be consistently available to the workflow engine

• We want to reuse the existing user & role master data, or minimally adapt it for Imixs-Workflow

• The same opaque access token issued by CAS should be used by all services, including the workflow engine

---

Understanding So Far

• Imixs-Workflow microservices support OIDC-based authentication

• CAS already functions as an OIDC provider for other services

• Other Spring Boot resource servers:

  • Accept the opaque access token
  • Validate it via introspection
  • Fetch user attributes (including roles/groups) via /oidc/profile

---

Key Questions

1. Authentication Integration

   • How should Imixs-Workflow be configured to trust Apereo CAS as its OIDC provider?
   • Does Imixs require a JWT, or can it work with opaque tokens + introspection?

2. User & Role Propagation

   • Since claims are not embedded in the access token:

     • How can Imixs-Workflow retrieve user identity and roles/groups?
     • Is it recommended for Imixs to call the /oidc/profile endpoint using the access token?

   • Alternatively:

     • Should roles be resolved from the existing user/role master tables using the user identifier returned by CAS?

3. Authorization in Imixs

   • How does Imixs consume externally provided roles or groups for:

     • Task assignment
     • Access control
     • Workflow transitions

   • Is there a supported or recommended way to map CAS roles/groups to Imixs roles?

4. Best Practices & References

   • Has anyone integrated Imixs-Workflow with:

     • Apereo CAS
     • OIDC using opaque tokens
     • Centralized user/role management

   • Are there reference configurations or implementation examples available?

---

Goal

The ultimate goal is to enable single sign-on via CAS, where:

• The user logs in once using CAS credentials

• The same authenticated identity (with roles/groups fetched via /oidc/profile) is seamlessly used by:

  • Spring Boot resource services
  • Imixs-Workflow engine

• Without duplicating user or role management logic

---

Any guidance, configuration examples, or architectural suggestions would be greatly appreciated.

Thanks in advance!

[rsoika]

Hi @vishnumurali7793

Imixs-Workflow does not depend on a single authentication mechanism. Imixs-Workflow supports all common authentication methods – including OIDC, which is supported by all Jakarta EE servers. Therefore, you can also freely configure Imixs-Microservice.
There are two things you need to consider:

On the one hand, the application server provides the possibility to connect different security realms with your application. This means it depends on whether you are using, for example, Wildfly or Payara. The configuration is done in the application server.
OIDC is a good choice to use a modern authentication method.
Imixs-Security-OIDC is a module that offers both - the OIDC user flow and bearer token authentication. We use this, for example, in conjunction with Keycloak or ForgeRock.
You will find configuration details in the project.

The other aspect is the User Role mapping. As Imixs-Workflow is sitting on top of the Jakarta EE framework there is no proprietary mechanism in the workflow engine itself. Which means things like the principal name or the roles are provided by the application container transparent for the Worklfow engine.
Of course roles are important for Imixs-Workflow - without correct roles, you can't access the workflow engine - as a user or as a backend service. At least make sure your user is mapped to one of the roles:

• org.imixs.ACCESSLEVEL.READACCESS
• org.imixs.ACCESSLEVEL.AUTHORACCESS
• org.imixs.ACCESSLEVEL.EDITORACCESS
• org.imixs.ACCESSLEVEL.MANAGERACCESS

You can find details here

In most IAM Servers you can map the user roles to application specific roles if needed. So I think this is also possible in Apereo CAS which I do not know. Even if this is not possible, Jakarta EE App Servers allow you to map the roles on application side. But I do not think this is necessary.

So how to go:

If you are running Docker, first make sure you are using the Wildfly Image 29.0.1.Final-jdk17. I just added a actual configuration here: https://github.com/imixs/imixs-microservice/tree/master/docker/configuration/wildfly/29.0.1.Final-jdk17
This includes already the OIDC support

In you application you just need to add the maven dependcy

				<dependency>
					<groupId>org.imixs.security</groupId>
					<artifactId>imixs-oidc</artifactId>
					<version>${org.imixs.security.version}</version>
					<type>jar</type>
					<scope>compile</scope>
				</dependency>

With this module you can configure your server according to the setup guide: https://github.com/imixs/imixs-security/tree/main/imixs-oidc

Let me know if this helps you. We can also set up a Keycloak example.