Exact configuration for authorization with Azure AD

I have been trying to enable authorization using the Temporal Helm chart with no success so far. The configuration I provide:
Server

server:
  config:
    authorization:
      jwtKeyProvider:
        keySourceURIs:
          - https://login.microsoftonline.com/${tenant_id}/discovery/v2.0/keys
        refreshInterval: 1m
      permissionsClaimName: roles
      authorizer: default
      claimMapper: default

  additionalEnv:
    - name: TEMPORAL_JWT_PERMISSIONS_CLAIM
      value: "roles"
    - name: TEMPORAL_AUTH_AUTHORIZER
      value: "default"
    - name: TEMPORAL_AUTH_CLAIM_MAPPER
      value: "default"
    - name: TEMPORAL_JWT_KEY_SOURCE1
      value: "https://login.microsoftonline.com/${tenant_id}/discovery/v2.0/keys"
    - name: TEMPORAL_JWT_KEY_REFRESH
      value: "1m"
    - name: USE_INTERNAL_FRONTEND
      value: "true"

Web UI

additionalEnv:
  - name: TEMPORAL_AUTH_ENABLED
    value: "true"
  - name: TEMPORAL_AUTH_PROVIDER_URL
    value: "https://login.microsoftonline.com/${tenant_id}/v2.0"
  - name: TEMPORAL_AUTH_ISSUER_URL
    value: "https://login.microsoftonline.com/${tenant_id}/v2.0"
  - name: TEMPORAL_AUTH_CALLBACK_URL
    value: "https://$my_url/auth/sso/callback"
  - name: TEMPORAL_AUTH_SCOPES
    value: 'openid,email,profile'

On the Azure side I configured write access to a namespace for a group.

So far, both the Web UI and the workers return unauthorized without much context.

Would be nice to get some support.

I’ve recently been working on getting auth working with azure and have mostly gotten there, albeit I’m not using helm charts but creating my k8s resources by hand. What roles have you assigned to the user trying to login?

system:read and namespace:read only to my user. This works for web login, but the internal workers are actually failing, which is expected, but I am not sure about the internal workers, or whether it is because my client doesn't have this added yet:

msg":"error starting temporal-sys-tq-scanner-workflow workflow","service":"worker","error":"Request unauthorized."

Thanks in advance!

Are you using the internal-frontend service? Release v1.20.0 · temporalio/temporal · GitHub

I am using it, that’s what makes me even more confused.

system:read
and mynamespace:write
btw, solved the internal frontend issue, so only web authorisation is not working

Hi @A_T, I’m struggling to make Azure AD work, getting Request unauthorized from Web UI as well as my workers. Would it be possible to post the list of env variables and any other relevant config here please?

Thanks in advance.

Did you ever figure out what this issue was? As in why the web authorisation wasn’t working? I’ve just gone back to working on getting the auth set up and I’m facing this issue still.

I think what is confusing me is figuring out exactly what roles I need to have on the token for a user. Is it system:read? temporal-system:read? namespace:read/write?

hello Stimo, nothing fancy

# server
authorization:
  jwtKeyProvider:
    keySourceURIs:
      - https://login.microsoftonline.com/{tenant_id}/discovery/v2.0/keys
    refreshInterval: 1m
  permissionsClaimName: roles
  authorizer: default
  claimMapper: default

internalFrontend:
  enabled: true
  service:
    type: ClusterIP
    port: 7236
    membershipPort: 6936
    httpPort: 7246
  metrics:
    annotations:
      enabled: true

# web
additionalEnv:
  - name: TEMPORAL_AUTH_ENABLED
    value: "true"
  - name: TEMPORAL_AUTH_PROVIDER_URL
    value: "https://login.microsoftonline.com/{tenant_id}/v2.0"
  - name: TEMPORAL_AUTH_ISSUER_URL
    value: "https://login.microsoftonline.com/{tenant_id}/v2.0"
  - name: TEMPORAL_AUTH_CLIENT_ID
    valueFrom:
      secretKeyRef:
        name: "temporal-creds"
        key: "TEMPORAL_AUTH_CLIENT_ID"
  - name: TEMPORAL_AUTH_CLIENT_SECRET
    valueFrom:
      secretKeyRef:
        name: "temporal-creds"
        key: "TEMPORAL_AUTH_CLIENT_SECRET"
  - name: TEMPORAL_AUTH_CALLBACK_URL
    value: "https://{myurl}/auth/sso/callback"
  - name: TEMPORAL_AUTH_SCOPES
    value: 'openid,email,profile,api://{client_id}/default'

Internal workers are fine; web authorization is still not working, knowing that on the Azure side the roles configured are:
system:write
default:write

Nope. Love the documentation and every guide out there, so helpful. I guess it is system, not temporal-system, based on the release notes you shared earlier, if you read the authorization section.

I’ve been doing more work on it on my side and have managed to get it working with temporal-system:read and namespace:write. Though this doesn’t seem right to me, because now users will have access to see all namespaces. I tried with system:read and it wouldn’t let me authenticate via the Web UI.
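An added example, not code from this thread or from Temporal itself, that reproduces in Go the `<namespace>:<role>` convention Temporal's default claim mapper applies to the entries of the permissions claim (here `roles`, as set by `permissionsClaimName`). It shows why the last two posts disagree with the release notes: only the namespace name `temporal-system` is treated as cluster-wide, so `system:read` becomes a read role on an ordinary namespace literally named `system` and grants nothing at system level, while `temporal-system:read` is the system-level read the Web UI needs. The `Role` bit values, the `Claims` struct, the `buildSampleToken` helper and its unsigned sample token are assumptions made for this example, and `RolesFromJWT` decodes the payload without checking the signature, so it is only a debugging aid for seeing what an issued token actually carries, never something to make an authorization decision with.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Role is a bit set of permissions on one namespace (assumed layout for this example).
type Role int

const (
	RoleReader Role = 1 << iota // "read"
	RoleWriter                  // "write"
	RoleWorker                  // "worker"
	RoleAdmin                   // "admin"
)

// SystemNamespace is the only namespace name that the default claim mapper
// maps to cluster-wide permissions; everything else is a normal namespace.
const SystemNamespace = "temporal-system"

// Claims is the result of mapping a token's permissions (assumed shape).
type Claims struct {
	System     Role            // cluster-wide roles
	Namespaces map[string]Role // per-namespace roles
}

func permissionToRole(s string) Role {
	switch strings.ToLower(s) {
	case "read":
		return RoleReader
	case "write":
		return RoleWriter
	case "worker":
		return RoleWorker
	case "admin":
		return RoleAdmin
	}
	return 0 // unknown role names grant nothing
}

// MapPermissions applies the "<namespace>:<role>" convention to each entry.
// Malformed entries are skipped silently, which is one reason a misnamed
// role shows up only as "Request unauthorized" rather than a config error.
func MapPermissions(perms []string) Claims {
	c := Claims{Namespaces: map[string]Role{}}
	for _, p := range perms {
		parts := strings.Split(p, ":")
		if len(parts) != 2 {
			continue
		}
		role := permissionToRole(parts[1])
		if role == 0 {
			continue
		}
		if parts[0] == SystemNamespace {
			c.System |= role
		} else {
			c.Namespaces[parts[0]] |= role
		}
	}
	return c
}

// RolesFromJWT returns the string array stored under claimName in a compact
// JWS token. The signature is NOT verified: debugging aid only.
func RolesFromJWT(token, claimName string) ([]string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("not a compact JWS token")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var body map[string]any
	if err := json.Unmarshal(payload, &body); err != nil {
		return nil, err
	}
	raw, ok := body[claimName].([]any)
	if !ok {
		return nil, fmt.Errorf("claim %q missing or not an array", claimName)
	}
	out := make([]string, 0, len(raw))
	for _, v := range raw {
		if s, ok := v.(string); ok {
			out = append(out, s)
		}
	}
	return out, nil
}

// buildSampleToken constructs an unsigned (alg "none") token carrying the given
// roles claim. Constructed test data, not a real Azure AD token.
func buildSampleToken(roles []string) string {
	enc := base64.RawURLEncoding.EncodeToString
	hdr, _ := json.Marshal(map[string]string{"alg": "none", "typ": "JWT"})
	body, _ := json.Marshal(map[string]any{
		"iss":   "https://login.microsoftonline.com/{tenant_id}/v2.0",
		"roles": roles,
	})
	return enc(hdr) + "." + enc(body) + "."
}

func main() {
	for _, roles := range [][]string{
		{"system:read", "default:write"},          // what the thread tried first
		{"temporal-system:read", "default:write"}, // what finally worked
	} {
		got, err := RolesFromJWT(buildSampleToken(roles), "roles")
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		c := MapPermissions(got)
		fmt.Printf("%v -> system=%04b namespaces=%v\n", roles, c.System, c.Namespaces)
	}
}
```

To inspect a real token, paste the access token the Web UI or worker presents into `RolesFromJWT` and check that the `roles` array is present at all: Azure AD only emits it when app roles are assigned to the user or group and the token's audience is the application that defines them.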