Afternoon!
I have been trying to deploy the Temporal server, UI and admin tools locally using Docker Compose, and everything seemed to work fine until I enabled SSO.
Starting up the server now results in the following error message being displayed:
temporal | Temporal server started.
temporal | Registering default namespace: default.
temporal | time=2024-08-13T11:08:58.412 level=WARN msg="Passing the namespace as an argument is now deprecated; please switch to using -n instead"
temporal | time=2024-08-13T11:08:58.415 level=ERROR msg="unable to describe namespace default: Request unauthorized."
temporal | Default namespace default not found. Creating...
temporal | time=2024-08-13T11:08:58.438 level=WARN msg="Passing the namespace as an argument is now deprecated; please switch to using -n instead"
temporal | time=2024-08-13T11:08:58.442 level=ERROR msg="unable to create namespace default: Request unauthorized."
Here is my Docker Compose file:
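# Local Temporal stack: PostgreSQL, the auto-setup server, admin tools and the UI.
# Values wrapped in <...> are placeholders to be filled in from the Entra ID app
# registration. The client secret and DB password are secrets: keep them in an
# env file or Compose secrets rather than committing them in this file.
version: "3.5"

services:
  postgresql:
    container_name: temporal-postgresql
    image: postgres:${POSTGRESQL_VERSION}
    environment:
      # Hard-coded for local use; the temporal service below must use the same pair.
      POSTGRES_USER: temporal
      POSTGRES_PASSWORD: temporal
    networks:
      - temporal-network
    expose:
      - "5432"
    volumes:
      - /var/lib/postgresql/data

  temporal:
    container_name: temporal
    image: temporalio/auto-setup:${TEMPORAL_VERSION}
    depends_on:
      - postgresql
    environment:
      # internal-frontend lets the server's own worker talk to the cluster
      # without going through the externally exposed, authorized frontend.
      - SERVICES=frontend:matching:history:internal-frontend:worker
      - USE_INTERNAL_FRONTEND=true
      - DB=postgres12
      - DB_PORT=5432
      - POSTGRES_USER=temporal
      - POSTGRES_PWD=temporal
      - POSTGRES_SEEDS=postgresql
      # Enable default authorizer and claim mapper. With these on, every call to
      # the external frontend needs a valid bearer token.
      # NOTE(review): the startup log shows the auto-setup namespace bootstrap
      # ("unable to describe/create namespace default: Request unauthorized")
      # failing against this same frontend, so the bootstrap presumably has to
      # run before authorization is turned on, or be given a token — verify
      # against the auto-setup entrypoint.
      - TEMPORAL_AUTH_AUTHORIZER=default
      - TEMPORAL_AUTH_CLAIM_MAPPER=default
      # Specify the permissions source property (claim) in the JWT token.
      - TEMPORAL_JWT_PERMISSIONS_CLAIM=roles
      # JWKS containing the public keys used to verify access tokens.
      # NOTE(review): the UI login log reports "RSA key not found for key ID",
      # i.e. the kid of the presented token is not in this key set; confirm the
      # token the UI sends is signed with a key published at this URL.
      - TEMPORAL_JWT_KEY_SOURCE1=https://login.microsoftonline.com/<TENANT_ID>/discovery/v2.0/keys
      # How often the key set above is re-fetched.
      - TEMPORAL_JWT_KEY_REFRESH=30m
    networks:
      - temporal-network
    ports:
      # Quoted so no YAML 1.1 parser can read a port mapping as a number.
      - "7233:7233"

  temporal-admin-tools:
    container_name: temporal-admin-tools
    image: temporalio/admin-tools:${TEMPORAL_ADMINTOOLS_VERSION}
    depends_on:
      - temporal
    environment:
      - TEMPORAL_ADDRESS=temporal:7233
      - TEMPORAL_CLI_ADDRESS=temporal:7233
    networks:
      - temporal-network
    # Keep an interactive shell available for `docker compose exec`.
    stdin_open: true
    tty: true

  temporal-ui:
    container_name: temporal-ui
    # Built locally from ui.Dockerfile (UI image plus the organisation's root CA).
    build:
      context: .
      dockerfile: ui.Dockerfile
    depends_on:
      - temporal
    environment:
      - TEMPORAL_ADDRESS=temporal:7233
      # NOTE(review): the UI is published on 8080 below; confirm :3000 is the
      # origin the frontend is actually served from.
      - TEMPORAL_CORS_ORIGINS=http://localhost:3000
      # Enable browser-side SSO against the same tenant the server trusts.
      - TEMPORAL_AUTH_ENABLED=true
      # Specify authorization server and issuer.
      - TEMPORAL_AUTH_PROVIDER_URL=https://login.microsoftonline.com/<TENANT_ID>/v2.0
      - TEMPORAL_AUTH_ISSUER_URL=https://login.microsoftonline.com/<TENANT_ID>/v2.0
      # Specify client ID and secret (secret: inject from an env file, do not commit).
      - TEMPORAL_AUTH_CLIENT_ID=<CLIENT_ID>
      - TEMPORAL_AUTH_CLIENT_SECRET=<CLIENT_SECRET>
      # Specify callback URL, which is the redirect URI in the app registration.
      - TEMPORAL_AUTH_CALLBACK_URL=http://localhost:8080/auth/sso/callback
      # Specify the authentication scopes requested at login.
      - TEMPORAL_AUTH_SCOPES=openid,api://<CLIENT_ID>/default
    networks:
      - temporal-network
    ports:
      - "8080:8080"

networks:
  temporal-network:
    driver: bridge
    name: temporal-network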
I have also noticed that when I try to log in via SSO, I get the following error:
temporal | {"level":"error","ts":"2024-08-13T11:16:53.382Z","msg":"Authorization error","error":"RSA key not found for key ID: <KEY_ID>" ...
Any help is greatly appreciated.
EDIT: ui.Dockerfile simply uses the Temporal UI Docker image, but also adds our root CA and updates the certificates.