Exact configuration for authorization with Azure AD

I have been trying to enable authorization using the Temporal Helm chart with no success so far. The configuration I provide:
server

server:
  config:
    authorization:
      jwtKeyProvider:
        keySourceURIs:
          - https://login.microsoftonline.com/${tenant_id}/discovery/v2.0/keys
        refreshInterval: 1m
      permissionsClaimName: roles
      authorizer: default
      claimMapper: default

  additionalEnv:
    - name: TEMPORAL_JWT_PERMISSIONS_CLAIM
      value: "roles"
    - name: TEMPORAL_AUTH_AUTHORIZER
      value: "default"
    - name: TEMPORAL_AUTH_CLAIM_MAPPER
      value: "default"
    - name: TEMPORAL_JWT_KEY_SOURCE1
      value: "https://login.microsoftonline.com/${tenant_id}/discovery/v2.0/keys"
    - name: TEMPORAL_JWT_KEY_REFRESH
      value: "1m"
    - name: USE_INTERNAL_FRONTEND
      value: "true"

Web UI

  additionalEnv:
    - name: TEMPORAL_AUTH_ENABLED
      value: "true"
    - name: TEMPORAL_AUTH_PROVIDER_URL
      value: "https://login.microsoftonline.com/${tenant_id}/v2.0"
    - name: TEMPORAL_AUTH_ISSUER_URL
      value: "https://login.microsoftonline.com/${tenant_id}/v2.0"
    - name: TEMPORAL_AUTH_CALLBACK_URL
      value: "https://$my_url/auth/sso/callback"
    - name: TEMPORAL_AUTH_SCOPES
      value: 'openid,email,profile'

On the Azure side I configured write access to a namespace for a group.

So far, both the web UI and the workers return unauthorized without much context.

It would be nice to get some support.
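As an added illustration (not part of the original post or of Temporal's code), the following Python script shows what the configuration above relies on: the `roles` claim named by `permissionsClaimName` must carry `namespace:role` strings, and a token whose permissions arrive under a different claim name maps to no permissions at all. The token is constructed and unsigned, for offline inspection only; the mapper is an approximation of Temporal's documented default claim mapper, not its actual implementation.

```python
import base64
import json

# Roles Temporal's default claim mapper documents for "namespace:role" values.
KNOWN_ROLES = {"read", "write", "worker", "admin"}

def b64url(data: bytes) -> str:
    """base64url-encode without padding, as JWT segments are."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_unsigned_token(payload: dict) -> str:
    """Build a constructed, unsigned JWT for offline inspection only."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(payload).encode())}."

def jwt_claims(token: str) -> dict:
    """Return the payload of a compact JWT without verifying it; the server
    verifies signatures against keySourceURIs, this is just for debugging."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))

def map_permissions(claims: dict, claim_name: str = "roles") -> dict:
    """Approximate the default claim mapper: collect 'namespace:role' entries
    from the configured claim into {namespace: {roles}}. Entries that are not
    namespace:role pairs or use an unknown role are ignored, and a token whose
    claim is named differently yields no permissions at all."""
    values = claims.get(claim_name, [])
    if isinstance(values, str):  # some IdPs emit a space-separated string
        values = values.split()
    perms: dict = {}
    for entry in values:
        if ":" not in entry:
            continue
        namespace, role = entry.rsplit(":", 1)
        if role in KNOWN_ROLES:
            perms.setdefault(namespace, set()).add(role)
    return perms

if __name__ == "__main__":
    # Constructed sample: the roles mentioned in this thread, issued as app roles.
    token = make_unsigned_token({"roles": ["system:read", "mynamespace:write"]})
    print(map_permissions(jwt_claims(token)))  # {'system': {'read'}, 'mynamespace': {'write'}}
```

Paste a real token's payload into `map_permissions` (after decoding it locally) to check that the claim name and the `namespace:role` format match what the server is configured to expect.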

I’ve recently been working on getting auth working with Azure and have mostly gotten there, albeit I’m not using Helm charts but creating my k8s resources by hand. What roles have you assigned to the user trying to log in?

system:read and namespace:read only to my user. This works for web login, but the internal workers are actually failing, which is expected; I am not sure about the internal workers, or whether it is because my client doesn’t have this added yet.

msg":"error starting temporal-sys-tq-scanner-workflow workflow","service":"worker","error":"Request unauthorized."

Thanks in advance!

Are you using the internal-frontend service? Release v1.20.0 · temporalio/temporal · GitHub

I am using it, that’s what makes me even more confused.

system:read and mynamespace:write

Btw, solved the internal frontend issue, so only web authorisation is not working.

Hi @A_T, I’m struggling to make Azure AD work, getting Request unauthorized from Web UI as well as my workers. Would it be possible to post the list of env variables and any other relevant config here please?

Thanks in advance.