[ISSUE] [Question] NullPointerException when starting Camunda Identity with Keycloak #4484

@gulinhnv

Describe the issue:

Installed Camunda 8.8 (Helm Chart v13.0.0) — self-managed deployment using external Keycloak.
The camunda-identity pod fails to start with the following error:

java.lang.NullPointerException: Cannot invoke "String.isBlank()" because the return value of "io.camunda.identity.impl.keycloak.config.record.KeycloakClient.secret()" is null
    at io.camunda.identity.impl.keycloak.initializer.service.ClientInitializationService.validateClientSecret(ClientInitializationService.java:203)

It looks like the Identity initializer crashes when trying to validate a client secret that is not set (null).

Actual behavior:
camunda-identity pod fails immediately on startup with NullPointerException.

Expected behavior:
Identity should start successfully or provide a clear configuration error message instead of crashing.

How to reproduce:
Deploy Camunda 8.8 with Helm Chart 13.0.0
global.identity.keycloak.internal = false
identityKeycloak.enabled = false

Logs:

:: Spring Boot :: (v3.4.10)
java.lang.NullPointerException: Cannot invoke "String.isBlank()" because the return value of "KeycloakClient.secret()" is null

Environment:
Platform | Kubernetes
Helm CLI | v3.19.0
Chart version | 13.0.0
Camunda version | 8.8.0
Keycloak | External (self-managed)

Values.yml:

global:
  identity:
    service:
      url: 'https://camunda.nv.io/identity'
    keycloak:
      url:
        protocol: https
        host: keycloak.nv.io
        port: 443
      internal: false
      contextPath: /
      realm: "camunda-platform"
      auth:
        adminUser: admin
        existingSecret: dev-secrets
        existingSecretKey: dev-keycloak-admin-password
    auth:
      enabled: true
      issuer: 'https://keycloak.nv.io/realms/camunda-platform'
      issuerBackendUrl: 'https://keycloak.nv.io/realms/camunda-platform'
      type: KEYCLOAK
      publicIssuerUrl: 'https://keycloak.nv.io/realms/camunda-platform'

Additional context:
Might be caused by missing client secret configuration when using external Keycloak — or a bug in the Identity Keycloak client initializer (ClientInitializationService.validateClientSecret).
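
The expected behavior requested above (a clear configuration error instead of a NullPointerException from `String.isBlank()`), as an added example that is not part of the original issue and is not Camunda's code. `ClientConfig`, `ConfigurationException`, and the client ids are hypothetical stand-ins for illustration.

```java
import java.util.ArrayList;
import java.util.List;

public class ClientSecretCheck {

    // Hypothetical stand-in for a client configuration record (not Camunda's class).
    record ClientConfig(String id, String secret) {}

    // Hypothetical exception type used to signal a configuration problem.
    static class ConfigurationException extends RuntimeException {
        ConfigurationException(String message) { super(message); }
    }

    // Pattern implied by the stack trace: isBlank() is invoked on a value that
    // is null when no secret was configured, so this throws an NPE.
    static boolean hasSecretUnsafe(ClientConfig c) {
        return !c.secret().isBlank();
    }

    // Null-safe check: a null secret and a blank secret are both "missing".
    static boolean hasSecret(ClientConfig c) {
        return c.secret() != null && !c.secret().isBlank();
    }

    // Validates every client up front and reports all missing secrets in one
    // message that names the client ids but never echoes secret values.
    static void validate(List<ClientConfig> clients) {
        List<String> missing = new ArrayList<>();
        for (ClientConfig c : clients) {
            if (!hasSecret(c)) missing.add(c.id());
        }
        if (!missing.isEmpty()) {
            throw new ConfigurationException(
                "No client secret configured for: " + String.join(", ", missing));
        }
    }

    public static void main(String[] args) {
        // Constructed sample input; ids and values are placeholders.
        List<ClientConfig> clients = List.of(
            new ClientConfig("client-a", "example-value"),
            new ClientConfig("client-b", null),
            new ClientConfig("client-c", "  "));
        try { hasSecretUnsafe(clients.get(1)); }
        catch (NullPointerException e) { System.out.println("unsafe check: NullPointerException"); }
        try { validate(clients); }
        catch (ConfigurationException e) { System.out.println("safe check: " + e.getMessage()); }
    }
}
```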

Labels: kind/issue (Unidentified issue, it could be a bug, misconfig, or anything in between); kind/medic (Tasks for the medic)