How to make a secure connection between TemporalWorker and Self hosted Temporal Service

Hi Team,

We are running a self-hosted Temporal instance behind SSO authentication, which requires every request to include a valid JWT token. We have successfully completed the integration, and it is working as expected in general.

We are using the Temporal .NET SDK and attempting to connect a hosted Temporal worker to the Temporal service. Since authentication requires a valid JWT token, we explored multiple approaches to inject or refresh the token for outgoing requests. Below is a summary of what we tried and observed:

  1. We attempted to override ClientOutboundInterceptor and WorkflowOutboundInterceptor. However, these interceptors do not expose the TemporalClient headers, so there is no way to attach a bearer token using this approach.

  2. We explored intercepting gRPC requests directly. Unfortunately, the .NET SDK does not provide a way to register gRPC interceptors when configuring either the TemporalClient or the TemporalHostedWorker.

  3. We then came across documentation suggesting that the token can be set during client registration. This approach works initially, but it is not a robust solution because JWT bearer tokens are short-lived. Since the TemporalClient is long-lived, it continues using the same token for all subsequent calls, which eventually leads to authentication failures in long-running workers.

  4. To address this, we implemented a hosted background service that periodically refreshes the JWT token and updates the TemporalClient’s RpcMetadata. This solution works, but it introduces additional complexity. It requires running and monitoring an extra background service, and if token acquisition fails, the worker starts failing due to authentication errors. Although we have implemented retries, all of this logic is custom and increases operational risk.

Given the above, our question is: does the Temporal .NET SDK provide any built-in mechanism to dynamically refresh or supply JWT tokens for the Temporal client, so that we do not need to maintain an additional background service solely for token refresh?

Please let us know if any additional details are required from me.
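The fourth approach described above (a hosted background service that refreshes the JWT and swaps the connection's RpcMetadata in place) can be sketched as follows. This is an added C# example, not code from the poster or from the Temporal SDK. It assumes a hypothetical `IJwtTokenSource` that wraps whatever SSO flow issues the token, and it relies on the settable `RpcMetadata` property on the client's connection that the post itself refers to. The refresh is scheduled from the token's `exp` claim rather than on a fixed timer, and a failed refresh leaves the previous (still valid) token in place and retries with capped backoff, so a transient outage of the token issuer does not immediately turn into worker authentication errors.

```csharp
using System.Text.Json;
using Microsoft.Extensions.Hosting;
using Microsoft.Extensions.Logging;
using Temporalio.Client;

// Hypothetical (assumption): whatever your SSO integration uses to obtain a fresh JWT.
public interface IJwtTokenSource
{
    Task<string> GetTokenAsync(CancellationToken cancellationToken);
}

// Keeps a long-lived TemporalClient authenticated by refreshing the bearer token
// shortly before it expires and replacing the connection's RpcMetadata in place.
public sealed class TemporalTokenRefreshService : BackgroundService
{
    // Refresh this long before the "exp" claim so in-flight long-polls never carry an expired token.
    private static readonly TimeSpan RefreshLeadTime = TimeSpan.FromMinutes(2);
    private static readonly TimeSpan MinDelay = TimeSpan.FromSeconds(10);
    private static readonly TimeSpan MaxRetryDelay = TimeSpan.FromSeconds(30);

    private readonly ITemporalClient client;
    private readonly IJwtTokenSource tokenSource;
    private readonly ILogger<TemporalTokenRefreshService> logger;

    public TemporalTokenRefreshService(
        ITemporalClient client,
        IJwtTokenSource tokenSource,
        ILogger<TemporalTokenRefreshService> logger)
    {
        this.client = client;
        this.tokenSource = tokenSource;
        this.logger = logger;
    }

    protected override async Task ExecuteAsync(CancellationToken stoppingToken)
    {
        var failedAttempts = 0;
        while (!stoppingToken.IsCancellationRequested)
        {
            TimeSpan delay;
            try
            {
                var token = await tokenSource.GetTokenAsync(stoppingToken);

                // Assigning RpcMetadata on the connection applies to every subsequent call,
                // including the polling requests made by workers built on this client.
                client.Connection.RpcMetadata = new[]
                {
                    KeyValuePair.Create("Authorization", $"Bearer {token}"),
                };

                failedAttempts = 0;
                delay = GetExpiry(token) - DateTimeOffset.UtcNow - RefreshLeadTime;
                if (delay < MinDelay)
                {
                    delay = MinDelay;
                }
                logger.LogInformation("Refreshed Temporal bearer token; next refresh in {Delay}", delay);
            }
            catch (OperationCanceledException) when (stoppingToken.IsCancellationRequested)
            {
                break;
            }
            catch (Exception ex)
            {
                // The previously installed token stays in effect; retry with capped exponential backoff.
                failedAttempts++;
                delay = TimeSpan.FromSeconds(Math.Min(MaxRetryDelay.TotalSeconds, Math.Pow(2, failedAttempts)));
                logger.LogWarning(ex, "Token refresh failed (attempt {Attempt}); retrying in {Delay}", failedAttempts, delay);
            }

            try
            {
                await Task.Delay(delay, stoppingToken);
            }
            catch (OperationCanceledException)
            {
                break;
            }
        }
    }

    // Reads the "exp" claim from the JWT payload purely to schedule the next refresh.
    // The signature is not verified here: the server validates the token, the worker only needs the timing.
    public static DateTimeOffset GetExpiry(string jwt)
    {
        var parts = jwt.Split('.');
        if (parts.Length != 3)
        {
            throw new FormatException("Expected a JWS compact serialization with three segments.");
        }

        // Payload is base64url without padding; convert to standard base64 before decoding.
        var payload = parts[1].Replace('-', '+').Replace('_', '/');
        payload = payload.PadRight(payload.Length + (4 - payload.Length % 4) % 4, '=');

        using var doc = JsonDocument.Parse(Convert.FromBase64String(payload));
        var exp = doc.RootElement.GetProperty("exp").GetInt64();
        return DateTimeOffset.FromUnixTimeSeconds(exp);
    }
}
```

Register it alongside the client and worker with `services.AddHostedService<TemporalTokenRefreshService>()`, and still pass an initial `RpcMetadata` entry in the `TemporalClientConnectOptions` used to create the client so the first polls are authenticated before the service's first iteration runs. The monitoring point the post raises remains: the warning log on repeated refresh failures is what an alert should key on, because once the installed token's `exp` passes, the worker's calls will start failing with authentication errors.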

Hi @Chad_Retz, I’m implementing JWT auth in the .NET SDK for a self-hosted instance. I’m stuck between manually updating the RpcMetadata via a background service or recreating the TemporalClient when the token expires. Does the SDK support a more native way to supply dynamic tokens (like an interceptor hook for headers), or is the background refresh service the recommended way in .NET?