Migrate workflow service accounts to client credentials authentication
Learn how to migrate workflow service accounts to client credentials authentication.
System users are typically accounts used by clients, without the intervention of a human user, to execute tasks automatically, such as approving or rejecting actions in workflows. With the change to client credentials, these system users can no longer authenticate automatically. Workflow tasks can therefore only be assigned to users, not clients, and only the user assigned to a task can execute actions on it.
When creating and assigning workflow tasks, it's important to follow certain practices for both security and efficiency. First, for any machine-to-machine interactions, such as automated or system-generated tasks, it is recommended to use client credentials. Tasks that require human input, like approvals or rejections, should always be assigned to individual users who have valid user credentials. It's also crucial to avoid assigning tasks intended for a human decision to system users or service accounts. Workflows should be designed to distinguish between tasks meant for automated systems (handled through client credentials) and those that need human involvement, such as user tasks.
To ensure your workflow tasks keep functioning without interruptions, replace workflow system users with workflow client credentials. The workflow system user name can contain only English letters, numbers, and the special characters _, -, and &.
Keep the system user account with its current name and permissions, as tasks can only be assigned to users with sufficient permissions. Deactivating or restricting the system user, or modifying Client ID permissions without updating the corresponding system user roles, may disrupt workflow operations and cause inconsistencies.
Keep the workflow configuration the same, with its current tasks still assigned to the system user. The actions will then be executed using the client's credentials instead.
- Identify the system user used for a workflow task assignment.
- Create client credentials for this workflow system user (using the same roles and permissions as the previous system user, and the previous system username as the clientId) in either of the following ways:
  - Console (Client Credentials application): Follow the instructions in topic Add new client, selecting Client Credentials in the Authorization Grant Type field.
  - Application (Client Management): Follow the instructions in topic Create a customer client, specifying client_credentials in the authorizedGrantTypes.
- Test that the workflow task assigned to the system user is still being processed without interruption.
Example
testTenant: [
  {
    "clientId": "dcrTaskReviewer",
    "scope": [],
    "authorities": [],
    "resourceIds": [],
    "authorizedGrantTypes": [
      "client_credentials"
    ],
    "clientDescription": null,
    "clientName": null,
    "clientEmail": null,
    "redirectUri": [],
    "accessTokenValidity": 3600,
    "refreshTokenValidity": null,
    "clientAuthenticationMethods": [
      "client_secret_post",
      "client_secret_basic"
    ],
    "clientPermissions": {
      "roles": {
        "ROLE_API": [
          "testTenant"
        ],
        "ROLE_USER": [
          "testTenant"
        ],
        "ROLE_WORKFLOW": [
          "testTenant"
        ],
        "ROLE_REVIEWER": [
          "testTenant"
        ]
      }
    }
  }
]
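As an added example (not part of the original page and not the product's own tooling), the following Python script derives a client-credentials client from a system user record, keeping the clientId equal to the previous user name and copying the roles one-to-one, and then checks the two definitions for the kind of permission drift that the guide warns will disrupt workflow processing. The shape of the system user record (username, tenant, roles), the helper names and the sample data are assumptions; the client fields follow the example above.

```python
import json
import re

# Allowed characters for a workflow system user name (from the migration guide):
# English letters, digits and the special characters "_", "-" and "&".
USERNAME_PATTERN = re.compile(r"^[A-Za-z0-9_&-]+$")

# Constructed sample: the system user that a workflow task is currently assigned to.
# The roles mirror the example client on this page; the record shape is assumed.
SAMPLE_SYSTEM_USER = {
    "username": "dcrTaskReviewer",
    "tenant": "testTenant",
    "roles": ["ROLE_API", "ROLE_USER", "ROLE_WORKFLOW", "ROLE_REVIEWER"],
}


def validate_username(name):
    """Return True if the name is usable both as system user name and as clientId."""
    return bool(USERNAME_PATTERN.match(name))


def build_client_definition(system_user, access_token_validity=3600):
    """Derive a client-credentials client from a system user record.

    The clientId is the previous system user name and the roles are copied
    one-to-one per tenant, so the client can act on tasks still assigned to
    that user without the workflow configuration changing.
    """
    username = system_user["username"]
    if not validate_username(username):
        raise ValueError(f"invalid system user name: {username!r}")
    tenant = system_user["tenant"]
    return {
        "clientId": username,
        "scope": [],
        "authorities": [],
        "resourceIds": [],
        "authorizedGrantTypes": ["client_credentials"],
        "clientDescription": None,
        "clientName": None,
        "clientEmail": None,
        "redirectUri": [],
        "accessTokenValidity": access_token_validity,
        "refreshTokenValidity": None,
        "clientAuthenticationMethods": ["client_secret_post", "client_secret_basic"],
        "clientPermissions": {
            "roles": {role: [tenant] for role in system_user["roles"]},
        },
    }


def find_permission_drift(system_user, client):
    """Compare a system user's roles with the client's roles per tenant.

    Returns a sorted list of human-readable discrepancies; an empty list means
    the client and the system user are consistent. Missing roles mean the
    client cannot act on the task; extra roles widen the client beyond the
    user it replaces.
    """
    tenant = system_user["tenant"]
    expected = {(role, tenant) for role in system_user["roles"]}
    actual = {
        (role, t)
        for role, tenants in client["clientPermissions"]["roles"].items()
        for t in tenants
    }
    drift = []
    for role, t in sorted(expected - actual):
        drift.append(f"client is missing {role} on {t}")
    for role, t in sorted(actual - expected):
        drift.append(f"client has extra {role} on {t}")
    if client.get("authorizedGrantTypes") != ["client_credentials"]:
        drift.append("authorizedGrantTypes must be exactly ['client_credentials']")
    if client.get("clientId") != system_user["username"]:
        drift.append("clientId must equal the previous system user name")
    return drift


def render_tenant_export(system_user, client):
    """Render the per-tenant listing shown in the page's example (tenant -> [clients])."""
    return json.dumps({system_user["tenant"]: [client]}, indent=2)


if __name__ == "__main__":
    client = build_client_definition(SAMPLE_SYSTEM_USER)
    print(render_tenant_export(SAMPLE_SYSTEM_USER, client))
    print("drift:", find_permission_drift(SAMPLE_SYSTEM_USER, client) or "none")
```

Run find_permission_drift against the client definition you actually created (exported from the console or returned by the Client Management API) rather than against the generated one; any reported line is a role that must be added or removed before the system user's tasks are relied on.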