Error using OIDC

Hi, I am running Temporal on docker-compose (v1.14.0 web) and am currently trying to use HashiCorp Vault as an OIDC provider (Vault as an OIDC Identity Provider | Vault - HashiCorp Learn).
I can see the Temporal home page redirecting to http://localhost:8088/signin, but it ends up with the below message (as seen in the docker-compose logs):

temporal                | {"level":"info","ts":"2022-04-21T14:43:43.583Z","msg":"Get dynamic config","name":"history.shardUpdateMinInterval","value":300,"default-value":300,"logging-call-at":"config.go:79"}
temporal                | {"level":"info","ts":"2022-04-21T14:43:43.585Z","msg":"Get dynamic config","name":"history.emitShardDiffLog","value":false,"default-value":false,"logging-call-at":"config.go:79"}
temporal-web            | [2022-04-21T14:43:45.130Z] Error: Request unauthorized. method: getVersionInfo, req: undefined
temporal-web            |     at buildGrpcMetadata (/usr/app/server/temporal-client/with-auth-metadata.js:43:13)
temporal-web            |     at async Proxy.<anonymous> (/usr/app/server/temporal-client/with-auth-metadata.js:20:24)
temporal-web            |     at async TemporalClient.getVersionInfo (/usr/app/server/temporal-client/temporal-client.js:294:15)
temporal-web            |     at async Proxy.<anonymous> (/usr/app/server/temporal-client/with-error-converter.js:30:18)
temporal-web            |     at async /usr/app/server/routes.js:395:15
temporal-web            |     at async initialize (/usr/app/server/auth/index.js:47:3)
temporal-web            |     at async session (/usr/app/node_modules/koa-session/index.js:41:7)
temporal-web            |     at async bodyParser (/usr/app/node_modules/koa-bodyparser/index.js:95:5)
temporal-web            |     at async /usr/app/server/index.js:43:9

Chrome dev tools show the below error:

vue-router.esm.js:1958 Uncaught (in promise) NavigationDuplicated: Avoided redundant navigation to current location: "/signin".
    at createRouterError (http://localhost:8088/temporal.ccf42fcdf96a0e6e3cff.js:110502:15)
    at createNavigationDuplicatedError (http://localhost:8088/temporal.ccf42fcdf96a0e6e3cff.js:110487:15)
    at HTML5History.confirmTransition (http://localhost:8088/temporal.ccf42fcdf96a0e6e3cff.js:110761:18)
    at HTML5History.transitionTo (http://localhost:8088/temporal.ccf42fcdf96a0e6e3cff.js:110696:8)
    at HTML5History.push (http://localhost:8088/temporal.ccf42fcdf96a0e6e3cff.js:111028:10)
    at http://localhost:8088/temporal.ccf42fcdf96a0e6e3cff.js:111450:22
    at new Promise (<anonymous>)
    at VueRouter.push (http://localhost:8088/temporal.ccf42fcdf96a0e6e3cff.js:111449:12)
    at VueComponent.redirectIfApplicable (http://localhost:8088/temporal.ccf42fcdf96a0e6e3cff.js:77009:22)
    at _callee$ (http://localhost:8088/temporal.ccf42fcdf96a0e6e3cff.js:76914:21)
createRouterError @ vue-router.esm.js:1958
createNavigationDuplicatedError @ vue-router.esm.js:1928
confirmTransition @ vue-router.esm.js:2222
transitionTo @ vue-router.esm.js:2152
push @ vue-router.esm.js:2519
(anonymous) @ vue-router.esm.js:2950
push @ vue-router.esm.js:2949
redirectIfApplicable @ App.vue:113
_callee$ @ App.vue:72
tryCatch @ runtime.js:65
invoke @ runtime.js:303
prototype.<computed> @ runtime.js:117
asyncGeneratorStep @ App.vue:22
_next @ App.vue:22
Promise.then (async)
asyncGeneratorStep @ App.vue:22
_next @ App.vue:22
(anonymous) @ App.vue:22
(anonymous) @ App.vue:22
created @ App.vue:70
invokeWithErrorHandling @ vue.esm.js:1863
callHook @ vue.esm.js:4228
Vue._init @ vue.esm.js:5017
VueComponent @ vue.esm.js:5163
createComponentInstanceForVnode @ vue.esm.js:3292
init @ vue.esm.js:3123
createComponent @ vue.esm.js:5989
createElm @ vue.esm.js:5936
patch @ vue.esm.js:6527
Vue._update @ vue.esm.js:3954
updateComponent @ vue.esm.js:4075
get @ vue.esm.js:4488
Watcher @ vue.esm.js:4477
mountComponent @ vue.esm.js:4082
Vue.$mount @ vue.esm.js:9063
Vue.$mount @ vue.esm.js:11974
Vue._init @ vue.esm.js:5027
Vue @ vue.esm.js:5094
(anonymous) @ main.js:292
__webpack_require__ @ bootstrap ccf42fcdf96a0e6e3cff:19
(anonymous) @ temporal.ccf42fcdf96a0e6e3cff.js:101151
__webpack_require__ @ bootstrap ccf42fcdf96a0e6e3cff:19
(anonymous) @ bootstrap ccf42fcdf96a0e6e3cff:62
(anonymous) @ bootstrap ccf42fcdf96a0e6e3cff:62
http.js:42          GET http://localhost:8088/api/cluster/version-info 500 (Internal Server Error)

Below is my Temporal config file:

auth:
  enabled: true
  providers:
    - label: 'vault'   # for internal use; in future may expose as button text
      type: oidc       # for futureproofing; only oidc is supported today
      issuer: https://temporal-vault-dev.mycom.net:8200/v1/identity/oidc/provider/temporal1
      client_id: T258grwetuoBcibuSjYMwLwoJl2miwwP
      client_secret: hvo_secret_ojo6IiVW1GHi0Jl1c0WDxdTs1WssN4vckvxD7Ac0V2cTLWLVdW1RSyaVAL71gVWf
      scope: openid profile email groups

The OIDC provider config is as below:

{
  "issuer": "https://temporal-vault-dev.mycom.net:8200/v1/identity/oidc/provider/temporal1",
  "jwks_uri": "https://temporal-vault-dev.mycom.net:8200/v1/identity/oidc/provider/temporal1/.well-known/keys",
  "authorization_endpoint": "https://temporal-vault-dev.mycom.net:8200/ui/vault/identity/oidc/provider/temporal1/authorize",
  "token_endpoint": "https://temporal-vault-dev.mycom.net:8200/v1/identity/oidc/provider/temporal1/token",
  "userinfo_endpoint": "https://temporal-vault-dev.mycom.net:8200/v1/identity/oidc/provider/temporal1/userinfo",
  "request_uri_parameter_supported": false,
  "id_token_signing_alg_values_supported": [
    "RS256",
    "RS384",
    "RS512",
    "ES256",
    "ES384",
    "ES512",
    "EdDSA"
  ],
  "response_types_supported": [
    "code"
  ],
  "scopes_supported": [
    "email",
    "groups",
    "profile",
    "openid"
  ],
  "subject_types_supported": [
    "public"
  ],
  "grant_types_supported": [
    "authorization_code"
  ],
  "token_endpoint_auth_methods_supported": [
    "none",
    "client_secret_basic"
  ]
}

I can also confirm that the entity against which I generated the client ID is part of the groups system:admin, temporal-system:admin, etc.

Does the page itself render blank, or can you see the SSO button? If you see the button, can you still log in?

Regarding the logged errors, both are somewhat expected (if not yet logged in):

  • getVersionInfo may fail as your Temporal Service authorizer plugin may reject the call that doesn’t have proper permissions/token. After the user logs in, I would expect your authorizer plugin implementation to allow the request. Even if not, this failure shouldn’t block the UI.
  • NavigationDuplicated is a known issue in Web UI v1/Vue. You can just ignore this error; it doesn’t affect the UI functionality.

Thanks for your quick response @Ruslan. I started debugging more on this and can see that it's failing with this error from Vault and redirects back to SSO:

secrets.identity.identity_e7699e9d: client failed to authenticate with invalid client secret: client_id=rjtQZdIhEspKmMhBDCfz6ve02luEDiYX

I tested the same with GitHub - dexidp/dex: OpenID Connect (OIDC) identity and OAuth 2.0 provider with pluggable connectors and it went through fine. Seems like it has something to do with the way Temporal talks to the OIDC backend? I will share more details on it soon.

Ohh, I just saw your comments in Slack. Changing web/oidc.js at master · temporalio/web · GitHub to client_secret_basic seems to have fixed the problem.
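The fix in the thread comes down to the client-authentication method used at the token endpoint. Vault's discovery document above advertises only "none" and "client_secret_basic" in token_endpoint_auth_methods_supported, so a client that sends client_secret in the POST body (client_secret_post) is treated as unauthenticated and Vault logs an invalid client secret. The block below is an added example, not code from Temporal, Vault or the openid-client library: it picks the auth method from a discovery document, builds the authorization-code token request both ways, and runs each against a constructed stand-in for a provider that only reads credentials from the Authorization header. The issuer URL, client secret, authorization code and redirect URI are constructed values; only the client_id is taken from the posted config.

```javascript
// Added example (not Temporal's or Vault's code): why client_secret_post
// fails against a provider that only supports client_secret_basic, and how
// to choose the token-endpoint auth method from the discovery document.

// Constructed discovery document, trimmed to the fields that matter here.
// The auth-methods list mirrors what the Vault provider in the thread advertises.
const DISCOVERY = {
  issuer: 'https://vault.example.net:8200/v1/identity/oidc/provider/temporal1',
  token_endpoint: 'https://vault.example.net:8200/v1/identity/oidc/provider/temporal1/token',
  token_endpoint_auth_methods_supported: ['none', 'client_secret_basic'],
};

// Choose a client-authentication method the provider actually supports.
// Never fall back to "none" while holding a secret: the code exchange would
// go out unauthenticated, so anyone holding a leaked code could redeem it.
function pickTokenEndpointAuthMethod(discovery, preferred = 'client_secret_post') {
  const supported = discovery.token_endpoint_auth_methods_supported
    || ['client_secret_basic']; // OIDC Discovery default when the field is absent
  if (supported.includes(preferred)) return preferred;
  if (supported.includes('client_secret_basic')) return 'client_secret_basic';
  throw new Error(`provider supports none of our secret-based methods: ${supported.join(', ')}`);
}

// RFC 6749 section 2.3.1: client_id and client_secret are form-urlencoded
// before being joined with ':' and base64-encoded into the Basic credential.
function basicCredential(clientId, clientSecret) {
  const enc = (s) => encodeURIComponent(s).replace(/%20/g, '+');
  return 'Basic ' + Buffer.from(`${enc(clientId)}:${enc(clientSecret)}`).toString('base64');
}

// Build the authorization-code token request for the chosen method.
function buildTokenRequest(client, method) {
  const body = new URLSearchParams({
    grant_type: 'authorization_code',
    code: client.code,
    redirect_uri: client.redirectUri,
  });
  const headers = { 'Content-Type': 'application/x-www-form-urlencoded' };
  if (method === 'client_secret_basic') {
    headers.Authorization = basicCredential(client.clientId, client.clientSecret);
  } else if (method === 'client_secret_post') {
    body.set('client_id', client.clientId);
    body.set('client_secret', client.clientSecret);
  } else {
    throw new Error(`unsupported method ${method}`);
  }
  return { url: DISCOVERY.token_endpoint, headers, body: body.toString() };
}

// Constructed stand-in for a provider that authenticates confidential clients
// only via the Authorization header. This is NOT Vault's implementation; it
// reproduces the observable behaviour: a secret in the POST body is ignored,
// so the client looks unauthenticated and the exchange is rejected.
function fakeTokenEndpoint(request, registeredClients) {
  const auth = request.headers.Authorization;
  if (!auth || !auth.startsWith('Basic ')) {
    return { status: 401, error: 'invalid_client', detail: 'client failed to authenticate' };
  }
  const [id, secret] = Buffer.from(auth.slice(6), 'base64').toString().split(':')
    .map((s) => decodeURIComponent(s.replace(/\+/g, ' ')));
  if (registeredClients[id] !== secret) {
    return { status: 401, error: 'invalid_client', detail: 'invalid client secret' };
  }
  return { status: 200, token_type: 'Bearer', access_token: 'constructed-token' };
}

// Run the code exchange with the given method against the stand-in provider.
function exchange(method) {
  const client = {
    clientId: 'T258grwetuoBcibuSjYMwLwoJl2miwwP',  // from the posted config
    clientSecret: 'hvo_secret_constructed_example', // constructed, not the posted secret
    code: 'constructed-auth-code',                  // constructed
    redirectUri: 'http://localhost:8088/callback',  // constructed
  };
  const registered = { [client.clientId]: client.clientSecret };
  return fakeTokenEndpoint(buildTokenRequest(client, method), registered);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('client_secret_post  ->', exchange('client_secret_post'));
  console.log('client_secret_basic ->', exchange('client_secret_basic'));
  console.log('method picked from discovery:', pickTokenEndpointAuthMethod(DISCOVERY));
}
```

The practical check before blaming the client or the secret: fetch the provider's .well-known/openid-configuration and compare token_endpoint_auth_methods_supported with what the relying party is configured to send; a mismatch produces exactly the invalid-client symptom seen here even though the secret itself is correct. Note also that the credential is form-urlencoded before base64 encoding, which matters for secrets containing characters such as ':' or '+'.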