Docker Compose with SSO Unable to create namespace default: Request Unauthorized

Afternoon!

I have been trying to deploy the Temporal server, UI and admin tools locally using Docker Compose, and all seemed to be fine until I enabled SSO.

Starting up the server now results in the following error message being displayed:

temporal              | Temporal server started.
temporal              | Registering default namespace: default.
temporal              | time=2024-08-13T11:08:58.412 level=WARN msg="Passing the namespace as an argument is now deprecated; please switch to using -n instead"
temporal              | time=2024-08-13T11:08:58.415 level=ERROR msg="unable to describe namespace default: Request unauthorized."
temporal              | Default namespace default not found. Creating...
temporal              | time=2024-08-13T11:08:58.438 level=WARN msg="Passing the namespace as an argument is now deprecated; please switch to using -n instead"
temporal              | time=2024-08-13T11:08:58.442 level=ERROR msg="unable to create namespace default: Request unauthorized."

Here is my docker compose:

version: "3.5"
services:
  postgresql:
    container_name: temporal-postgresql
    environment:
      POSTGRES_PASSWORD: temporal
      POSTGRES_USER: temporal
    image: postgres:${POSTGRESQL_VERSION}
    networks:
      - temporal-network
    expose:
      - 5432
    volumes:
      - /var/lib/postgresql/data
  temporal:
    container_name: temporal
    depends_on:
      - postgresql
    environment:
      - SERVICES=frontend:matching:history:internal-frontend:worker
      - USE_INTERNAL_FRONTEND=true
      - DB=postgres12
      - DB_PORT=5432
      - POSTGRES_USER=temporal
      - POSTGRES_PWD=temporal
      - POSTGRES_SEEDS=postgresql
      # Enable default authorizer and claim mapper
      - TEMPORAL_AUTH_AUTHORIZER=default
      - TEMPORAL_AUTH_CLAIM_MAPPER=default
      # specify the permissions source property in jwt token
      - TEMPORAL_JWT_PERMISSIONS_CLAIM=roles
      # JWKS containing the public keys used to verify access tokens
      - TEMPORAL_JWT_KEY_SOURCE1=https://login.microsoftonline.com/<TENANT_ID>/discovery/v2.0/keys
      - TEMPORAL_JWT_KEY_REFRESH=30m
    image: temporalio/auto-setup:${TEMPORAL_VERSION}
    networks:
      - temporal-network
    ports:
      - 7233:7233
  temporal-admin-tools:
    container_name: temporal-admin-tools
    depends_on:
      - temporal
    environment:
      - TEMPORAL_ADDRESS=temporal:7233
      - TEMPORAL_CLI_ADDRESS=temporal:7233
    image: temporalio/admin-tools:${TEMPORAL_ADMINTOOLS_VERSION}
    networks:
      - temporal-network
    stdin_open: true
    tty: true
  temporal-ui:
    container_name: temporal-ui
    depends_on:
      - temporal
    environment:
      - TEMPORAL_ADDRESS=temporal:7233
      - TEMPORAL_CORS_ORIGINS=http://localhost:3000
      # Enable authorization
      - TEMPORAL_AUTH_ENABLED=true
      # Specify authorization server and issuer
      - TEMPORAL_AUTH_PROVIDER_URL=https://login.microsoftonline.com/<TENANT_ID>/v2.0
      - TEMPORAL_AUTH_ISSUER_URL=https://login.microsoftonline.com/<TENANT_ID>/v2.0
      # Specify client ID and secret
      - TEMPORAL_AUTH_CLIENT_ID=<CLIENT_ID>
      - TEMPORAL_AUTH_CLIENT_SECRET=<CLIENT_SECRET>
      # Specify callback URL which is the redirect URI in the app registration
      - TEMPORAL_AUTH_CALLBACK_URL=http://localhost:8080/auth/sso/callback
      # Specify the authentication scope
      - TEMPORAL_AUTH_SCOPES=openid,api://<CLIENT_ID>/default
    build:
      context: .
      dockerfile: ui.Dockerfile
    networks:
      - temporal-network
    ports:
      - 8080:8080
networks:
  temporal-network:
    driver: bridge
    name: temporal-network

I have also noticed that when trying to log in via SSO, I get an error saying:

temporal              | {"level":"error","ts":"2024-08-13T11:16:53.382Z","msg":"Authorization error","error":"RSA key not found for key ID: <KEY_ID>" ...

Any help is greatly appreciated

EDIT: The ui.Dockerfile simply uses the Temporal UI Docker image but also adds our root CA and updates the certificates.
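As an added example, not code from the original post or from Temporal itself: a small offline check that decodes a JWT's header, compares its kid against a JWKS document of the kind TEMPORAL_JWT_KEY_SOURCE1 points at (the "RSA key not found for key ID" message is what the server logs when that lookup fails), and interprets the permissions claim named by TEMPORAL_JWT_PERMISSIONS_CLAIM=roles as the namespace:role entries the default claim mapper reads. The token, the JWKS and the issuer/audience values are constructed sample data; the role bit values are this script's own encoding, not Temporal's.

```python
import base64
import json

# Constructed sample data (not taken from the original post): a JWT whose
# header names key "key-A" and whose payload carries a "roles" claim, and a
# JWKS document that publishes only "key-B", so the lookup fails the same way
# the "RSA key not found for key ID" error in the post does.
ROLE_BITS = {"read": 1, "write": 2, "worker": 4, "admin": 8}  # this script's own encoding


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_jwt(header: dict, payload: dict) -> str:
    """Build a token with a placeholder signature; only header and payload matter here."""
    parts = [json.dumps(header).encode(), json.dumps(payload).encode(), b"placeholder-signature"]
    return ".".join(b64url_encode(p) for p in parts)


def jwt_parts(token: str) -> tuple[dict, dict]:
    """Return (header, payload) without verifying the signature."""
    head, body, _sig = token.split(".")
    return json.loads(b64url_decode(head)), json.loads(b64url_decode(body))


def jwks_rsa_kids(jwks: dict) -> set[str]:
    """Key IDs of the RSA keys a JWKS document publishes."""
    return {k["kid"] for k in jwks.get("keys", []) if k.get("kty") == "RSA" and "kid" in k}


def parse_permissions(payload: dict, claim_name: str = "roles") -> dict[str, int]:
    """Interpret the permissions claim as "namespace:role" entries, the shape
    Temporal's default claim mapper reads ("system:..." is cluster-wide).
    Returns {namespace: role bitmask}; malformed entries are skipped."""
    claim = payload.get(claim_name, [])
    if isinstance(claim, str):
        claim = claim.split()
    perms: dict[str, int] = {}
    for entry in claim:
        parts = str(entry).split(":")
        if len(parts) != 2:
            continue
        ns, role = parts[0].lower(), parts[1].lower()
        perms[ns] = perms.get(ns, 0) | ROLE_BITS.get(role, 0)
    return perms


def diagnose(token: str, jwks: dict, claim_name: str = "roles") -> dict:
    """Report the token's kid, whether the JWKS publishes it, and the parsed permissions."""
    header, payload = jwt_parts(token)
    kid = header.get("kid")
    published = jwks_rsa_kids(jwks)
    return {
        "alg": header.get("alg"),
        "kid": kid,
        "kid_in_jwks": kid in published,
        "jwks_kids": sorted(published),
        "permissions": parse_permissions(payload, claim_name),
    }


SAMPLE_TOKEN = make_unsigned_jwt(
    {"alg": "RS256", "typ": "JWT", "kid": "key-A"},
    {
        "iss": "https://issuer.example",          # constructed issuer
        "aud": "api://client-id",                 # constructed audience
        "roles": ["system:admin", "default:read", "not-a-permission"],
    },
)
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "kid": "key-B", "use": "sig", "e": "AQAB", "n": "placeholder"}]}

if __name__ == "__main__":
    print(json.dumps(diagnose(SAMPLE_TOKEN, SAMPLE_JWKS), indent=2))
```

To run this against a real deployment, replace SAMPLE_TOKEN with the access token the UI actually sends to the server and SAMPLE_JWKS with the JSON fetched from the keys URL in TEMPORAL_JWT_KEY_SOURCE1. A kid that the JWKS does not publish means the token was signed with a key that endpoint does not serve, so the server cannot verify it regardless of what the roles claim contains; a roles claim that parses to an empty mapping means the default authorizer has nothing to grant even when the signature does verify.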