OAuth2 login keeps redirecting back to login page with cibseven 2.0.0 / 2.1.0-alpha
Hi,
I’m trying to get OAuth2 working on cibseven with the latest version. I followed the official documentation here:
https://docs.cibseven.org/manual/latest/user-guide/spring-boot-integration/spring-security/
I did everything exactly as described, but the result was always the local login page showing up instead of the OIDC login.
When I started digging deeper, I found that there is still a Spring Security chain configured for the old Camunda URL in
org.cibseven.bpm.spring.boot.starter.security.oauth2.CamundaSpringSecurityOAuth2AutoConfiguration#filterChain.
So the next step was: I excluded that configuration and created my own filter chain that protects the current endpoints.
With this change, I was finally able to see the login page from the OIDC provider.
After logging in, I could see in the console that the groups were mapped correctly from the token.
But right after that, the login page appeared again and I was stuck in that loop.
Here is an example of the log output at that point (shortened):
DEBUG … OAuth2GrantedAuthoritiesMapper : Authorities mapped from [OIDC_USER, SCOPE_email, SCOPE_fsa-scope, SCOPE_openid, SCOPE_profile] to [STUDENT, camunda-admin, default-roles-fsa, offline_access, uma_authorization]
DEBUG … AuthorizeTokenFilter : Authorize successful for ‘556a177b-67a9-473a-a831-6041c40eb4f7’, access token expiry: 2025-09-29T12:49:37.035579Z
So I went further and further, and at some point I managed to log in, but then another problem showed up:
Some backend calls re-initialize the REST API again, specifically the authorization check. At this point a custom token is created that only contains the userId. On the receiving side, the request processing expects to find a user in the DB based on this userId, but of course there is no such record because all information is inside the token. And that ends up with a 403 Forbidden.
This can be easily reproduced with this project (originally built on Camunda 21, also worked after upgrading to 23):
https://github.com/amardeep2006/camunda-okta-oidc-sso/tree/main
As soon as I migrated to the cibseven namespace with version 2.0.0 and later 2.1.0-alpha, I could not get it working anymore.
For reference, these are the versions where it worked fine for me:
<properties>
    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
    <maven.compiler.source>17</maven.compiler.source>
    <maven.compiler.target>17</maven.compiler.target>
    <!-- Camunda certified 7.21.0 with spring 3.x.x only -->
    <spring.boot.version>3.5.4</spring.boot.version>
    <db.h2.version>2.2.224</db.h2.version>
    <camunda.version>7.23.0</camunda.version>
    <version.graal.js>24.0.1</version.graal.js>
    <version.postgresql>42.7.3</version.postgresql>
</properties>
Summary
- With Camunda 21 and 23 this project works fine.
- With cibseven 2.0.0 and 2.1.0-alpha, it always ends up in the login loop or 403 on backend authorization.
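For readers trying to reproduce the "exclude the starter's chain and bring your own" step described in the post, here is an added example (not the poster's code, and not part of the cibseven project) of what that looks like in a Spring Boot 3 application. It assumes: the auto-configuration class named in the post is the one to exclude; the OIDC provider puts the user's groups in an ID-token claim called `groups` (a hypothetical claim name, the post does not say which claim its mapper reads); and the class names `OidcLoginApplication` and `groupsAuthoritiesMapper` are chosen here for illustration. The request matchers only open Spring Security's own OAuth2 login and callback paths; which application paths cibseven serves in a given deployment is not stated in the post and must be checked against it.

```java
// Added example: exclude the starter's security chain and register one that
// protects the application with oauth2Login(), plus a groups-claim mapper.
import java.util.HashSet;
import java.util.Set;

import org.cibseven.bpm.spring.boot.starter.security.oauth2.CamundaSpringSecurityOAuth2AutoConfiguration;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority;
import org.springframework.security.web.SecurityFilterChain;

// The starter's own filterChain (see the post) is excluded so it cannot
// intercept requests before the chain below.
@SpringBootApplication(exclude = CamundaSpringSecurityOAuth2AutoConfiguration.class)
public class OidcLoginApplication {

  public static void main(String[] args) {
    SpringApplication.run(OidcLoginApplication.class, args);
  }

  // Replacement chain: everything except Spring Security's OAuth2 login and
  // callback endpoints requires an authenticated session obtained via OIDC.
  @Bean
  SecurityFilterChain oidcFilterChain(HttpSecurity http) throws Exception {
    http
        .authorizeHttpRequests(auth -> auth
            // /oauth2/authorization/{id} and /login/oauth2/code/{id} must stay reachable,
            // otherwise the browser is bounced back to login before the code exchange.
            .requestMatchers("/oauth2/**", "/login/**", "/error").permitAll()
            .anyRequest().authenticated())
        .oauth2Login(Customizer.withDefaults());
    return http.build();
  }

  // Turns the ID token's "groups" claim (ASSUMPTION: claim name) into plain
  // authorities, so the mapped set contains the IdP group names rather than
  // the default OIDC_USER / SCOPE_* authorities.
  @Bean
  GrantedAuthoritiesMapper groupsAuthoritiesMapper() {
    return authorities -> {
      Set<GrantedAuthority> mapped = new HashSet<>();
      for (GrantedAuthority authority : authorities) {
        if (authority instanceof OidcUserAuthority oidc) {
          var groups = oidc.getIdToken().getClaimAsStringList("groups");
          if (groups != null) {
            for (String group : groups) {
              mapped.add(new SimpleGrantedAuthority(group));
            }
          }
        }
      }
      return mapped;
    };
  }
}
```

If the loop persists with a chain like this, the first thing to confirm in the DEBUG log is which SecurityFilterChain actually matched the request; a second chain still registered by another auto-configuration will show up there before the one above.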