The Task Management plugin is available as a Docker image and serves as a dedicated microservice within the FlowX platform ecosystem.

Dependencies

Before setting up the plugin, ensure you have the following dependencies:
  • A MongoDB database for task storage
  • A connection to the RuntimeDB for operational data
  • Access to the database used by the FlowX Engine
  • Connection to the Kafka instance used by the FlowX Engine
  • A Redis instance for caching and performance optimization
While many configuration properties come pre-configured, several environment variables must be explicitly set for proper functionality.

Authorization configuration & access roles

The Task Management plugin validates incoming tokens with the JWT public key mechanism and authenticates to other FlowX services with a dedicated service account (the mainIdentity client registration) in the service-accounts realm:
| Environment Variable | Description | Default Value |
| --- | --- | --- |
| SECURITY_TYPE | Token validation mechanism (JWT public key validation) | jwt-public-key |
| SECURITY_OAUTH2_BASESERVERURL | Base URL of the Keycloak server | |
| SECURITY_OAUTH2_SAREALM | Service-accounts realm ID | 00000002-0002-4002-8002-000000000002 |
| FLOWX_LIB_SECURITY_SERVICES_ORGANIZATIONMANAGER_BASEURL | URL of the organization-manager service, used by the security library | http://organization-manager:80 |
| SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_MAINIDENTITY_CLIENTID | Service account client ID | flowx-task-management-plugin-sa |
| SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_MAINIDENTITY_CLIENTSECRET | Service account client secret (Keycloak-issued) | |
| SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_ANONYMOUSIDENTITY_CLIENTID | Anonymous service account client ID, used for anonymous runtime access | flowx-anonymous-sa |
| SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_ANONYMOUSIDENTITY_CLIENTSECRET | Anonymous service account client secret | |
| SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_MAINAUTHPROVIDER_TOKENURI | Provider token URI, resolved against the service-accounts realm | ${SECURITY_OAUTH2_BASESERVERURL}/realms/${SECURITY_OAUTH2_SAREALM}/protocol/openid-connect/token |
Starting with 5.9.0, the Task Management plugin no longer connects to the identity provider for user lookup. Task operations resolve users through FlowX runtime authorization instead. The previously required view-users, query-users, and query-groups realm-management roles on the service account, the OPENID_PROVIDER / OPENID_ENTRA_* settings, and the openid: Helm values block are obsolete and can be removed from your deployment.
Upgrading from 5.1.x? Remove the legacy opaque-token env vars: SECURITY_OAUTH2_REALM, SECURITY_OAUTH2_CLIENT_CLIENTID, SECURITY_OAUTH2_CLIENT_CLIENTSECRET, and SECURITY_OAUTH2_SERVICEACCOUNT_ADMIN_*. These belong to the removed introspection model and prevent the service from starting on 5.9.x. See the authentication and IAM migration guide for the full list.
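A pre-upgrade check for the two notes above, as an added example that is not FlowX code: it scans a KEY=VALUE environment file for the legacy and obsolete variables, reports authorization variables that have no default in the table, and expands the token URI template. The sample file, its _EXAMPLE variable suffixes and the Keycloak URL are constructed placeholders.

```python
import fnmatch
import re

# Variable names and defaults are the ones listed on this page.
LEGACY = ("SECURITY_OAUTH2_REALM", "SECURITY_OAUTH2_CLIENT_CLIENTID",
          "SECURITY_OAUTH2_CLIENT_CLIENTSECRET", "SECURITY_OAUTH2_SERVICEACCOUNT_ADMIN_*")
OBSOLETE = ("OPENID_PROVIDER", "OPENID_ENTRA_*")
REQUIRED = ("SECURITY_OAUTH2_BASESERVERURL",
            "SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_MAINIDENTITY_CLIENTSECRET")
TOKEN_URI = "SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_MAINAUTHPROVIDER_TOKENURI"
DEFAULTS = {
    "SECURITY_OAUTH2_SAREALM": "00000002-0002-4002-8002-000000000002",
    TOKEN_URI: "${SECURITY_OAUTH2_BASESERVERURL}/realms/${SECURITY_OAUTH2_SAREALM}"
               "/protocol/openid-connect/token",
}

def parse_env(text):
    """Parse KEY=VALUE lines, skipping blank lines and # comments."""
    pairs = (line.split("=", 1) for line in text.splitlines()
             if "=" in line and not line.lstrip().startswith("#"))
    return {key.strip(): value.strip() for key, value in pairs}

def resolve(name, env):
    """Expand ${VAR} references in a value, falling back to documented defaults."""
    merged = {**DEFAULTS, **env}
    return re.sub(r"\$\{(\w+)\}", lambda m: merged.get(m.group(1), ""), merged.get(name, ""))

def audit(env):
    """Return sorted (severity, variable, reason) findings for a 5.9.x deployment."""
    out = []
    for name in env:
        if any(fnmatch.fnmatchcase(name, p) for p in LEGACY):
            out.append(("BLOCKER", name, "legacy opaque-token variable, blocks startup"))
        elif any(fnmatch.fnmatchcase(name, p) for p in OBSOLETE):
            out.append(("CLEANUP", name, "obsolete since 5.9.0, can be removed"))
    out += [("MISSING", n, "no default listed") for n in REQUIRED if not env.get(n)]
    return sorted(out)

# Constructed sample: the _EXAMPLE suffixes, values and URL are placeholders.
SAMPLE = """\
SECURITY_OAUTH2_REALM=flowx
SECURITY_OAUTH2_SERVICEACCOUNT_ADMIN_EXAMPLE=placeholder
OPENID_ENTRA_EXAMPLE=placeholder
SECURITY_OAUTH2_BASESERVERURL=https://keycloak.example.internal
"""

if __name__ == "__main__":
    for finding in audit(parse_env(SAMPLE)):
        print(*finding, sep="  ")
    print("token URI:", resolve(TOKEN_URI, parse_env(SAMPLE)))
```

Names are matched exactly apart from the two documented prefixes, so the current SECURITY_OAUTH2_SAREALM is not mistaken for the legacy SECURITY_OAUTH2_REALM.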
For more detailed information about configuring the service account:

Task Management Service Account

FlowX Engine datasource configuration

The service needs access to process instance data from the engine database. Configure these connection parameters:
| Environment Variable | Description | Default Value |
| --- | --- | --- |
| SPRING_DATASOURCE_URL | JDBC URL for the engine database | jdbc:postgresql://onboardingdb:5432/onboarding |
| SPRING_DATASOURCE_USERNAME | Database username | postgres |
| SPRING_DATASOURCE_PASSWORD | Database password | password |

MongoDB configuration

Configure access to the primary MongoDB instance:
| Environment Variable | Description | Default Value |
| --- | --- | --- |
| SPRING_DATA_MONGODB_URI | MongoDB connection URI | mongodb://${DB_USERNAME}:${DB_PASSWORD}@mongodb-0.mongodb-headless,mongodb-1.mongodb-headless,mongodb-arbiter-0.mongodb-arbiter-headless:27017/task-management-plugin |
| DB_USERNAME | MongoDB username | task-management-plugin |
| DB_PASSWORD | MongoDB password | password |
Task Manager requires a runtime connection to function correctly. Starting the service without a configured and active runtime MongoDB connection is not supported.

Runtime MongoDB configuration

Enable the Runtime MongoDB connection:
| Environment Variable | Description | Default Value |
| --- | --- | --- |
| SPRING_DATA_MONGODB_RUNTIME_ENABLED | Enable runtime MongoDB connection | true |
| SPRING_DATA_MONGODB_RUNTIME_URI | URI for connecting to MongoDB Runtime | mongodb://${RUNTIME_DB_USERNAME}:${DB_PASSWORD}@mongodb-0.mongodb-headless,mongodb-1.mongodb-headless,mongodb-arbiter-0.mongodb-arbiter-headless:27017/app-runtime?retryWrites=false |
| RUNTIME_DB_USERNAME | Username for runtime database | app-runtime |
| RUNTIME_DB_PASSWORD | Password for runtime database | password |

Redis configuration

The Task Management plugin uses Redis for caching. Configure the Redis connection using the standard Redis environment variables. Quick reference:
| Environment Variable | Description | Example Value | Status |
| --- | --- | --- | --- |
| SPRING_DATA_REDIS_HOST | Redis server hostname | localhost | Recommended |
| SPRING_DATA_REDIS_PORT | Redis server port | 6379 | Recommended |
| SPRING_DATA_REDIS_PASSWORD | Redis authentication password | - | Recommended |
| REDIS_TTL | Cache TTL in milliseconds | 5000000 | Optional |
Both SPRING_DATA_REDIS_* and SPRING_REDIS_* variable prefixes are supported. The SPRING_DATA_REDIS_* prefix is the modern Spring Boot standard and is recommended for new deployments.
For advanced Redis deployment modes (Sentinel, Cluster) and SSL/TLS setup, see the Redis Configuration guide. Note that Sentinel and Cluster modes are only supported by the Events Gateway service.

Kafka configuration

Configure the Kafka integration using these environment variables:

Core Kafka settings

| Environment Variable | Description | Default Value |
| --- | --- | --- |
| SPRING_KAFKA_BOOTSTRAPSERVERS | Address of the Kafka server(s) | localhost:9092 |
| SPRING_KAFKA_SECURITY_PROTOCOL | Security protocol for Kafka connections | PLAINTEXT |
| SPRING_KAFKA_CONSUMER_GROUPID | Consumer group identifier | task-management-plugin-consumer |
| KAFKA_MESSAGE_MAX_BYTES | Maximum message size (bytes) | 52428800 (50 MB) |
| KAFKA_AUTHEXCEPTIONRETRYINTERVAL | Retry interval after authorization exceptions (seconds) | 10 |
| KAFKA_CONSUMER_THREADS | Number of consumer threads | 3 |
| KAFKA_CONSUMER_EXCLUDEUSERSTHREADS | Number of threads for processing user exclusion events | 3 |

OAuth authentication (when using SASL_PLAINTEXT)

| Environment Variable | Description | Default Value |
| --- | --- | --- |
| KAFKA_OAUTH_CLIENT_ID | OAuth client ID | kafka |
| KAFKA_OAUTH_CLIENT_SECRET | OAuth client secret | kafka-secret |
| KAFKA_OAUTH_TOKEN_ENDPOINT_URI | OAuth token endpoint | kafka.auth.localhost |
When using the kafka-auth profile, the security protocol will automatically be set to SASL_PLAINTEXT and the SASL mechanism will be set to OAUTHBEARER.

Topic naming configuration

| Environment Variable | Description | Default Value |
| --- | --- | --- |
| KAFKA_TOPIC_NAMING_SEPARATOR | Primary separator for topic names | . |
| KAFKA_TOPIC_NAMING_SEPARATOR2 | Secondary separator for topic names | - |
| KAFKA_TOPIC_NAMING_PACKAGE | Package prefix for topic names | ai.flowx. |
| KAFKA_TOPIC_NAMING_ENVIRONMENT | Environment segment for topic names | |
| KAFKA_TOPIC_NAMING_VERSION | Version suffix for topic names | .v1 |

Kafka topics

Process management topics

| Environment Variable | Description | Default Value |
| --- | --- | --- |
| KAFKA_TOPIC_PROCESS_START_OUT | Topic for running hooks | ai.flowx.core.trigger.start.process.v1 |
| KAFKA_TOPIC_PROCESS_OPERATIONS_OUT | Topic for task operations (assign, unassign, etc.) | ai.flowx.core.trigger.operation.v1 |
| KAFKA_TOPIC_PROCESS_OPERATIONS_BULKOUT | Topic for bulk operations on tasks | ai.flowx.core.trigger.operations.bulk.v1 |

Scheduling topics

| Environment Variable | Description | Default Value |
| --- | --- | --- |
| KAFKA_TOPIC_PROCESS_SCHEDULE_IN | Topic for receiving scheduler messages for hooks | ai.flowx.plugin.tasks.trigger.run.hook.v1 |
| KAFKA_TOPIC_PROCESS_SCHEDULE_OUT_SET | Topic for setting schedules | ai.flowx.core.trigger.set.schedule.v1 |
| KAFKA_TOPIC_PROCESS_SCHEDULE_OUT_STOP | Topic for stopping schedules | ai.flowx.core.trigger.stop.schedule.v1 |

User management topics

| Environment Variable | Description | Default Value |
| --- | --- | --- |
| KAFKA_TOPIC_EXCLUDEUSERS_SCHEDULE_IN | Topic for user exclusion events | ai.flowx.plugin.tasks.trigger.exclude.users.v1 |

Task operations topics

| Environment Variable | Description | Default Value |
| --- | --- | --- |
| KAFKA_TOPIC_TASK_IN | Topic for incoming task creation messages | ai.flowx.plugin.tasks.trigger.save.task.v1 |

Events and integration topics

| Environment Variable | Description | Default Value |
| --- | --- | --- |
| KAFKA_TOPIC_EVENTSGATEWAY_OUT_MESSAGE | Topic for Events Gateway messages | ai.flowx.eventsgateway.receive.taskmanager.commands.message.v1 |
| KAFKA_TOPIC_RESOURCESUSAGES_REFRESH | Topic for resource usage refresh events | ai.flowx.application-version.resources-usages.refresh.v1 |
The Engine listens for messages on topics with specific naming patterns. Ensure you use the correct outgoing topic names when configuring the Task Management plugin to maintain proper communication with the engine.

CAS lib configuration

| Environment Variable | Description | Default Value |
| --- | --- | --- |
| FLOWX_SPICEDB_HOST | SpiceDB server hostname | spicedb |
| FLOWX_SPICEDB_PORT | SpiceDB server port | 50051 |
| FLOWX_SPICEDB_TOKEN | SpiceDB authentication token | spicedb-token |

Logging configuration

Control logging verbosity with these environment variables:
| Environment Variable | Description | Default Value |
| --- | --- | --- |
| LOGGING_LEVEL_ROOT | Root Spring Boot microservice logs | - |
| LOGGING_LEVEL_APP | Application-level logs | DEBUG |
| LOGGING_LEVEL_MONGO_DRIVER | MongoDB driver logs | INFO |
| LOGGING_LEVEL_REDIS | Redis/Lettuce client log level | OFF |

Ingress and CORS

The Task Management plugin is exposed on both the admin and public hosts. Routing is configured through the FlowX Helm chart, which renders either a Kubernetes Ingress (default) or a Gateway API HTTPRoute per service. CORS handling lives in the service code; only the allowed-origins list is deployment-specific.

Service routes

Host groupExternal pathBackend receives
admin/task/
public/task/
Paths are set through services.task-management-plugin.ingress.admin.path / services.task-management-plugin.ingress.public.path (or the corresponding gateway.<key>.paths) in the chart values.

CORS configuration

| Environment Variable | Description | Default Value |
| --- | --- | --- |
| APPLICATION_CORS_ALLOW_ORIGIN | Comma-separated list of origins allowed to call this service from the browser. Supports wildcard subdomains. Must include every Designer, runtime renderer, and integration domain that calls Task Management. | - |
Allowed methods, allowed headers (including Authorization, Content-Type, Fx-Workspace-Id), and credential handling are baked into the service’s application.yaml with safe defaults. Override these only if you have a non-standard requirement. For the complete route reference, Gateway API HTTPRoute configuration, and route customization, see the ingress configuration guide.

Filtering feature

| Environment Variable | Description |
| --- | --- |
| FLOWX_ALLOW_USERNAME_SEARCH_PARTIAL | Enables filtering possible assignees by partial names |

Scheduled jobs

Configure scheduled maintenance jobs:
| Environment Variable | Description | Default Value |
| --- | --- | --- |
| SCHEDULER_USERSCACHESCLEANUP_CRONEXPRESSION | Cron expression for user cache cleanup | 0 0 0 * * ? (daily at midnight) |

Resource usage monitoring

The plugin includes a resource usage monitoring feature that can be configured:
| Environment Variable | Description | Default Value |
| --- | --- | --- |
| FLOWX_LIB_RESOURCESUSAGES_ENABLED | Enable resource usage tracking | true |
| FLOWX_LIB_RESOURCESUSAGES_REFRESHLISTENER_ENABLED | Enable refresh listener | true |
| FLOWX_LIB_RESOURCESUSAGES_REFRESHLISTENER_COLLECTOR_THREADCOUNT | Number of threads for resource collection | 5 |
| FLOWX_LIB_RESOURCESUSAGES_REFRESHLISTENER_COLLECTOR_MAXBATCHSIZE | Maximum batch size for collection | 1000 |
| FLOWX_LIB_RESOURCESUSAGES_KAFKA_CONSUMER_GROUPID_RESOURCESUSAGES_REFRESH | Consumer group for resource usage refresh events | taskMgmtResourcesUsagesRefreshGroup |
| FLOWX_LIB_RESOURCESUSAGES_KAFKA_CONSUMER_THREADS_RESOURCESUSAGES_REFRESH | Number of threads for processing resource usage events | 3 |

Database migration

The Task Management plugin uses Mongock for MongoDB migrations:
| Environment Variable | Description | Default Value |
| --- | --- | --- |
| MONGOCK_CHANGELOGSSCANPACKAGE | Package to scan for database change logs | ai.flowx.task.management.config.mongock |
Last modified on June 4, 2026