How to configure SSO for temporal in helm chart

Hi @Ruslan @santhoshrajs
I am trying to enable auth for Temporal with our internal OIDC and getting a 404 error while loading the page on the redirect URI, which is http://localhost:8088/auth/sso_callback

AggregateError: 
temporal-web_1          |     OPError: expected 200 OK, got: 404 Not Found
temporal-web_1          |         at processResponse (/usr/app/node_modules/openid-client/lib/helpers/process_response.js:48:11)
temporal-web_1          |         at /usr/app/node_modules/openid-client/lib/issuer.js:262:20

After debugging the JS file I see Temporal Web is trying to access the resource at https://org-auth-url.dev/as/authorization.oauth2/.well-known/openid-configuration, which is not valid in our case.
Our auth server provides the resource at https://org-auth-url.dev/.well-known/openid-configuration

Did you guys face any such issues? Do we have any properties to configure these URLs? Please help.

Please ignore this. My source URL is the issue in config.yml.


Hi @santhoshrajs @Harshwardhan_Kakra
I followed the Helm charts and did the same SSO setup the way you mentioned here, but config.yml is not overridden in the mount location.
Could you please share the fix you used to solve this? It will help me check whether I am making the same mistake on my side.
Thanks in advance

I am stuck with the same question. Temporal is deployed on AKS and I can't even get the auth screen to show up.

From values.yaml:

web:
  enabled: true
  config:
    # server/config.yml file content
    auth:
      enabled: true
      providers:
        - label: 'Ping Auth'                        # for internal use; in future may expose as button text
          type: oidc                                  # for futureproofing; only oidc is supported today
          issuer: https://url
          client_id: Temporal_Test
          client_secret: secret
          scope: openid profile email
          audience: # identifier of the audience for an issued token (optional)
          callback_base_uri: https://temporal.mycluster
          pass_id_token: false

The pod does have the config map mapped:

Volumes:
  temporal-web-config:
    Type:      ConfigMap (a volume populated by a ConfigMap)
    Name:      temporal-web-config
    Optional:  false

ConfigMap does look OK:


Data
====
config.yml:
----
auth:
  enabled: true
  providers:
  - audience: null
    callback_base_uri: https://temporal.mycluster
    client_id: Temporal_Test
    client_secret: secret
    issuer: https://url
    label: Ping Auth
    pass_id_token: false
    scope: openid profile email
    type: oidc
routing:
  issue_report_link: https://github.com/temporalio/web/issues/new/choose


BinaryData
====
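The 404 in the first post and the callback_base_uri in the values.yaml above come from the same two derivations an OIDC client performs from its config. The following is an added example, not code from Temporal Web or from openid-client: it builds the discovery URL from the configured issuer the way OpenID Connect Discovery 1.0 (section 4.1) prescribes, which is why an issuer of https://org-auth-url.dev/as/authorization.oauth2 leads to a fetch of .../as/authorization.oauth2/.well-known/openid-configuration, and it rejects a discovery document whose issuer claim does not match the configured issuer (section 4.3). The `/auth/sso_callback` path is taken from the redirect URI quoted in the thread; that Temporal Web forms its redirect URI as callback_base_uri plus that path is an assumption here. The discovery document is constructed sample data.

```javascript
// Added example; not Temporal Web's or openid-client's own code.
const WELL_KNOWN = '/.well-known/openid-configuration';

// Strip a single trailing "/" from a URL path component.
function trimTrailingSlash(pathname) {
  return pathname.endsWith('/') ? pathname.slice(0, -1) : pathname;
}

// OIDC Discovery 1.0, section 4.1: the discovery URL is the issuer with
// "/.well-known/openid-configuration" appended. The issuer must be https and
// carry no query string or fragment; a terminating "/" is removed first.
function discoveryUrl(issuer) {
  const u = new URL(issuer);
  if (u.protocol !== 'https:') {
    throw new Error(`issuer must use https, got ${u.protocol}`);
  }
  if (u.search || u.hash) {
    throw new Error('issuer must not contain a query string or fragment');
  }
  return `${u.origin}${trimTrailingSlash(u.pathname)}${WELL_KNOWN}`;
}

// Section 4.3: the issuer value in the document MUST be identical to the
// configured issuer. A mismatch means the client fetched metadata from the
// wrong location (or from a different issuer) and must not trust it.
// Returns a list of problems; an empty list means the document is acceptable.
function validateDiscovery(configuredIssuer, doc) {
  const problems = [];
  if (doc.issuer !== configuredIssuer) {
    problems.push(
      `issuer mismatch: configured ${configuredIssuer}, document says ${doc.issuer}`,
    );
  }
  for (const key of ['authorization_endpoint', 'token_endpoint', 'jwks_uri']) {
    if (typeof doc[key] !== 'string') {
      problems.push(`missing ${key}`);
    } else if (!doc[key].startsWith('https://')) {
      problems.push(`${key} is not https`);
    }
  }
  return problems;
}

// Assumed (not confirmed by the thread): the redirect URI Temporal Web sends
// is callback_base_uri + "/auth/sso_callback". The IdP must have exactly this
// string registered, scheme and host included, or the callback is rejected.
function callbackUri(callbackBaseUri) {
  const u = new URL(callbackBaseUri);
  return `${u.origin}${trimTrailingSlash(u.pathname)}/auth/sso_callback`;
}

// Constructed sample discovery document for https://org-auth-url.dev; the
// endpoint paths are made up for the example.
const CONSTRUCTED_DISCOVERY_DOC = {
  issuer: 'https://org-auth-url.dev',
  authorization_endpoint: 'https://org-auth-url.dev/as/authorization.oauth2',
  token_endpoint: 'https://org-auth-url.dev/as/token.oauth2',
  jwks_uri: 'https://org-auth-url.dev/as/jwks',
};

// The misconfigured issuer from the first post: the discovery URL lands under
// the authorization endpoint (the 404), and even if a document came back, its
// issuer claim would not match.
const wrongIssuer = 'https://org-auth-url.dev/as/authorization.oauth2';
console.log('wrong issuer fetches ', discoveryUrl(wrongIssuer));
console.log('problems:', validateDiscovery(wrongIssuer, CONSTRUCTED_DISCOVERY_DOC));

// The corrected issuer resolves to the URL the auth server actually serves.
const rightIssuer = 'https://org-auth-url.dev';
console.log('right issuer fetches ', discoveryUrl(rightIssuer));
console.log('problems:', validateDiscovery(rightIssuer, CONSTRUCTED_DISCOVERY_DOC));
console.log('redirect URI to register:', callbackUri('https://temporal.mycluster'));
```

The check worth keeping in mind from this: the issuer string in config.yml is not just a label, it is the base for the metadata fetch and the value every ID token's `iss` claim is compared against, so it must be the exact issuer the provider advertises, not its authorization endpoint.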